Xen project Mailing List

Re: [PATCH 1/2] xen/arm: smmuv3: fix UB during deassign

From: Bertrand Marquis <Bertrand.Marquis@xxxxxxx>

Date: Fri, 25 Jul 2025 06:15:55 +0000

Accept-language: en-GB, en-US

Arc-authentication-results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 4.158.2.129) smtp.rcpttodomain=proton.me smtp.mailfrom=arm.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=arm.com; dkim=pass (signature was verified) header.d=arm.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=arm.com] dkim=[1,1,header.d=arm.com] dmarc=[1,1,header.from=arm.com])

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none

Arc-message-signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Dbd7ADuE/9vpvNqD5fal8x0ZfY3Jn9bqL55FvEL/LJ0=; b=A0Im3hGwJPLIAq1+i8fTpUY2QBOEbm6iNI5ZcipsXo2Nb+J/+g8ZXRyq8ljU3UyasQG2c/Pm9l+XzL11WfTBOPh8CbdFpf56nYV0bVexixJ6dlDyDHxSRZc9d8XvwL/GlQWJ2JPK9ILtq+is0ICUgMBlOgT0WNks8xLEMSBNT7RJJt9QZ6q4ZdCbePmhXjG4PCSRdjLV5FjBFADC1DtAp50PVAlUViWwLSVqlY3tXhJNgsEBpWKXPW6Rlc8v3GXYO6oF3ppvUksrol+pSHU8JE/YwwvE5GUN/jupaCqYWAtoUnXb8uj29OHhl/5kyjym82gKw3v6Odbz8gPPBgN5Gg==

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Dbd7ADuE/9vpvNqD5fal8x0ZfY3Jn9bqL55FvEL/LJ0=; b=XRJgwqmP98o6cC2dpZDrTnGYZWaj/OkeTO30ZQF53/FxR3UUiSi4BeSPsqI8vst/YbnhbnwS5e8Gu8C84msGIRtW7fkXr56LQoi1Qy1eoQM3idHMv4pImIyAlXAhws29Y31hDDVcR4BRDvPxJgmOWankxmEV3Y7jhMMtzc4oKG1DCiJdN2vEy76V7h9s9F6eY/ik7DHUfb3NEVLm5zmvvAdFVrTPdCC3go2p5M1+20GMGi1Zzoh+Z9EDkMv6UWRyuGUFAZ89AVfv3sDUQLxDW0j0ViUsOOxck5bIPyo5SYhkIsXvK/QOPvrOPgbflj9zHbyLs32GiIEIB7g0pSuihg==

Arc-seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=O4wY9/AwkItQJ9/WXVSyYL5w+zkX7Gvh0UYv5ZMddrq/J1++gsGxK+PaHOQpwjT2E6cevg/8CbSC0ufB8MJ4T2Xzr7vxGV/fs1C7jMS7pwW/I92vPBcOZi5AOYtleZ9EApwCk+JajEDms5eBg8n984jAEoFoTkIUReIvgo3XVXszMIMgZGzoynfcjMbu34jC+gl0UUBKoxh3flK9ZYBrHtZT+quPdYjCyKWCHhUNktneT1nv6IukUUPvYlVsGi+q0LqkNn3A5xfVszur7AsHpVeYZBkizhe4901YG5q0c+gpYPeCv+986ZEGRmqOEGcvC1dc6MpgnDJac2T/Gzs0gg==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=meWSv2gQXe6uBJNDj+X7fty4aEZOQ/gX8V55LGMTYtXeyLuKrbhfvcRtfPrp2qVmbbQ+xqz3s9pzdBLB+ocTDqswXjCpTArR519b3Ewh119xVozElxeoVcUib+jv//egsLk4VzL73Ih4N2YUk/8NCQDwT+bZIZWlWN1j6PJ4Re9DeKrX5C+MfycobKsfJF3+CfX0+Wn+37Gi8k9hSNqHJH/A+7UBJbp39QYDjy4k5TqIOU8SgQqygchqVUaiPC3xWQGGJkYJtczZB4/sOCVB0rNBvHgAiILqA9XsPtqeL9DdKye3def4lwzXVYpIkmNknVn1lYt81K5L4H+IW2PlWg==

Authentication-results-original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;

Cc: Stewart Hildebrand <stewart.hildebrand@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Rahul Singh <Rahul.Singh@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>

Delivery-date: Fri, 25 Jul 2025 06:20:59 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Nodisclaimer: true

Thread-index: AQHb/CTBUeABU74FEkyJ7zHVeZJ647RAdBmAgAHquoA=

Thread-topic: [PATCH 1/2] xen/arm: smmuv3: fix UB during deassign

Hi, > On 24 Jul 2025, at 02:59, dmkhn@xxxxxxxxx wrote: > > On Wed, Jul 23, 2025 at 06:54:19PM -0400, Stewart Hildebrand wrote: >> In arm_smmu_deassign_dev(), the return value from to_smmu_domain() is >> NULL-checked. However, the implementation of to_smmu_domain() is a >> container_of lookup, so the return value is unlikely to ever be NULL. In >> case of a NULL argument to to_smmu_domain(), we will attempt to >> dereference the non-NULL return value and encounter undefined behavior >> and a crash: >> >> $ xl pci-assignable-remove 00:01.0 >> (XEN) >> ================================================================================ >> (XEN) UBSAN: Undefined behaviour in drivers/passthrough/arm/smmu-v3.c:221:9 >> (XEN) applying non-zero offset ffffffffffffffc0 to null pointer >> (XEN) Xen WARN at common/ubsan/ubsan.c:174 >> (XEN) ----[ Xen-4.21-unstable arm64 debug=y ubsan=y Tainted: C ]---- >> ... >> (XEN) Xen call trace: >> (XEN) [<00000a0000350b2c>] ubsan.c#ubsan_epilogue+0x14/0xf0 (PC) >> (XEN) [<00000a00003523e0>] __ubsan_handle_pointer_overflow+0x94/0x13c (LR) >> (XEN) [<00000a00003523e0>] __ubsan_handle_pointer_overflow+0x94/0x13c >> (XEN) [<00000a0000392f9c>] smmu-v3.c#to_smmu_domain+0x3c/0x40 >> (XEN) [<00000a000039e428>] smmu-v3.c#arm_smmu_deassign_dev+0x54/0x43c >> (XEN) [<00000a00003a0300>] smmu-v3.c#arm_smmu_reassign_dev+0x74/0xc8 >> (XEN) [<00000a00003a7040>] pci.c#deassign_device+0x5fc/0xe0c >> (XEN) [<00000a00003ade7c>] iommu_do_pci_domctl+0x7b4/0x90c >> (XEN) [<00000a00003a34c0>] iommu_do_domctl+0x58/0xf4 >> (XEN) [<00000a00002ca66c>] do_domctl+0x2690/0x2a04 >> (XEN) [<00000a0000454d88>] traps.c#do_trap_hypercall+0xcf4/0x15b0 >> (XEN) [<00000a0000458588>] do_trap_guest_sync+0xa88/0xdd8 >> (XEN) [<00000a00003f8480>] entry.o#guest_sync_slowpath+0xa8/0xd8 >> (XEN) >> (XEN) >> ================================================================================ >> (XEN) Data Abort Trap. Syndrome=0x4 >> (XEN) Walking Hypervisor VA 0xfffffffffffffff8 on CPU1 via TTBR >> 0x00000000406d0000 >> (XEN) 0TH[0x1ff] = 0x0 >> (XEN) CPU1: Unexpected Trap: Data Abort >> (XEN) ----[ Xen-4.21-unstable arm64 debug=y ubsan=y Tainted: C ]---- >> ... >> (XEN) Xen call trace: >> (XEN) [<00000a000039e494>] smmu-v3.c#arm_smmu_deassign_dev+0xc0/0x43c (PC) >> (XEN) [<00000a000039e428>] smmu-v3.c#arm_smmu_deassign_dev+0x54/0x43c (LR) >> (XEN) [<00000a00003a0300>] smmu-v3.c#arm_smmu_reassign_dev+0x74/0xc8 >> (XEN) [<00000a00003a7040>] pci.c#deassign_device+0x5fc/0xe0c >> (XEN) [<00000a00003ade7c>] iommu_do_pci_domctl+0x7b4/0x90c >> (XEN) [<00000a00003a34c0>] iommu_do_domctl+0x58/0xf4 >> (XEN) [<00000a00002ca66c>] do_domctl+0x2690/0x2a04 >> (XEN) [<00000a0000454d88>] traps.c#do_trap_hypercall+0xcf4/0x15b0 >> (XEN) [<00000a0000458588>] do_trap_guest_sync+0xa88/0xdd8 >> (XEN) [<00000a00003f8480>] entry.o#guest_sync_slowpath+0xa8/0xd8 >> >> Fix by changing to_smmu_domain() to return NULL in case of a NULL >> argument. >> >> Fixes: 452ddbe3592b ("xen/arm: smmuv3: Add support for SMMUv3 driver") >> Signed-off-by: Stewart Hildebrand <stewart.hildebrand@xxxxxxx> >> --- >> I'm unsure if that's the right Fixes: tag since I'm not sure if it can >> be triggered prior to 63919fc4d1ca ("xen/arm: smmuv3: Add PCI devices >> support for SMMUv3"). >> --- >> xen/drivers/passthrough/arm/smmu-v3.c | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/xen/drivers/passthrough/arm/smmu-v3.c >> b/xen/drivers/passthrough/arm/smmu-v3.c >> index 58f3331520df..db08d3c04269 100644 >> --- a/xen/drivers/passthrough/arm/smmu-v3.c >> +++ b/xen/drivers/passthrough/arm/smmu-v3.c >> @@ -218,6 +218,9 @@ static struct arm_smmu_option_prop arm_smmu_options[] = { >> >> static struct arm_smmu_domain *to_smmu_domain(struct iommu_domain *dom) >> { >> + if ( !dom ) >> + return NULL; >> + >> return container_of(dom, struct arm_smmu_domain, domain); > > I think positive case first will be more readable. > E.g.: > > if ( dom ) > return container_of(dom, struct arm_smmu_domain, domain); > > return NULL; > Exiting early on error case instead of doing the handling inside a if sounds cleaner to me. If more needs to be done inside the function then exiting early will make things easier. It does not really matter now but might in the future hence why i acked the original version instead of your suggestion. Regards Bertrand >> } >> >> >> base-commit: 5c798ac8854af3528a78ca5a622c9ea68399809b >> -- >> 2.50.1

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.