
[PATCH v2 1/2] xen/arm: smmuv3: fix UB during deassign


  • To: <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Stewart Hildebrand <stewart.hildebrand@xxxxxxx>
  • Date: Fri, 25 Jul 2025 13:45:50 -0400
  • Cc: Stewart Hildebrand <stewart.hildebrand@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Rahul Singh <rahul.singh@xxxxxxx>, "Stefano Stabellini" <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, "Michal Orzel" <michal.orzel@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>
  • Delivery-date: Fri, 25 Jul 2025 17:46:11 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

In arm_smmu_deassign_dev(), the return value from to_smmu_domain() is
NULL-checked. However, the implementation of to_smmu_domain() is a
container_of lookup, so the return value is unlikely to ever be NULL. In
case of a NULL argument to to_smmu_domain(), we will attempt to
dereference the non-NULL return value and encounter undefined behavior
and a crash:

$ xl pci-assignable-remove 00:01.0
(XEN) ================================================================================
(XEN) UBSAN: Undefined behaviour in drivers/passthrough/arm/smmu-v3.c:221:9
(XEN) applying non-zero offset ffffffffffffffc0 to null pointer
(XEN) Xen WARN at common/ubsan/ubsan.c:174
(XEN) ----[ Xen-4.21-unstable  arm64  debug=y ubsan=y  Tainted:   C    ]----
...
(XEN) Xen call trace:
(XEN)    [<00000a0000350b2c>] ubsan.c#ubsan_epilogue+0x14/0xf0 (PC)
(XEN)    [<00000a00003523e0>] __ubsan_handle_pointer_overflow+0x94/0x13c (LR)
(XEN)    [<00000a00003523e0>] __ubsan_handle_pointer_overflow+0x94/0x13c
(XEN)    [<00000a0000392f9c>] smmu-v3.c#to_smmu_domain+0x3c/0x40
(XEN)    [<00000a000039e428>] smmu-v3.c#arm_smmu_deassign_dev+0x54/0x43c
(XEN)    [<00000a00003a0300>] smmu-v3.c#arm_smmu_reassign_dev+0x74/0xc8
(XEN)    [<00000a00003a7040>] pci.c#deassign_device+0x5fc/0xe0c
(XEN)    [<00000a00003ade7c>] iommu_do_pci_domctl+0x7b4/0x90c
(XEN)    [<00000a00003a34c0>] iommu_do_domctl+0x58/0xf4
(XEN)    [<00000a00002ca66c>] do_domctl+0x2690/0x2a04
(XEN)    [<00000a0000454d88>] traps.c#do_trap_hypercall+0xcf4/0x15b0
(XEN)    [<00000a0000458588>] do_trap_guest_sync+0xa88/0xdd8
(XEN)    [<00000a00003f8480>] entry.o#guest_sync_slowpath+0xa8/0xd8
(XEN)
(XEN) ================================================================================
(XEN) Data Abort Trap. Syndrome=0x4
(XEN) Walking Hypervisor VA 0xfffffffffffffff8 on CPU1 via TTBR 0x00000000406d0000
(XEN) 0TH[0x1ff] = 0x0
(XEN) CPU1: Unexpected Trap: Data Abort
(XEN) ----[ Xen-4.21-unstable  arm64  debug=y ubsan=y  Tainted:   C    ]----
...
(XEN) Xen call trace:
(XEN)    [<00000a000039e494>] smmu-v3.c#arm_smmu_deassign_dev+0xc0/0x43c (PC)
(XEN)    [<00000a000039e428>] smmu-v3.c#arm_smmu_deassign_dev+0x54/0x43c (LR)
(XEN)    [<00000a00003a0300>] smmu-v3.c#arm_smmu_reassign_dev+0x74/0xc8
(XEN)    [<00000a00003a7040>] pci.c#deassign_device+0x5fc/0xe0c
(XEN)    [<00000a00003ade7c>] iommu_do_pci_domctl+0x7b4/0x90c
(XEN)    [<00000a00003a34c0>] iommu_do_domctl+0x58/0xf4
(XEN)    [<00000a00002ca66c>] do_domctl+0x2690/0x2a04
(XEN)    [<00000a0000454d88>] traps.c#do_trap_hypercall+0xcf4/0x15b0
(XEN)    [<00000a0000458588>] do_trap_guest_sync+0xa88/0xdd8
(XEN)    [<00000a00003f8480>] entry.o#guest_sync_slowpath+0xa8/0xd8

Fix by changing to_smmu_domain() to return NULL in case of a NULL
argument.

Fixes: 452ddbe3592b ("xen/arm: smmuv3: Add support for SMMUv3 driver")
Signed-off-by: Stewart Hildebrand <stewart.hildebrand@xxxxxxx>
Acked-by: Bertrand Marquis <bertrand.marquis@xxxxxxx>
---
v1->v2:
* add Bertrand's A-b

I'm unsure if that's the right Fixes: tag since I'm not sure if it can
be triggered prior to 63919fc4d1ca ("xen/arm: smmuv3: Add PCI devices
support for SMMUv3").
---
 xen/drivers/passthrough/arm/smmu-v3.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/xen/drivers/passthrough/arm/smmu-v3.c 
b/xen/drivers/passthrough/arm/smmu-v3.c
index 58f3331520df..db08d3c04269 100644
--- a/xen/drivers/passthrough/arm/smmu-v3.c
+++ b/xen/drivers/passthrough/arm/smmu-v3.c
@@ -218,6 +218,9 @@ static struct arm_smmu_option_prop arm_smmu_options[] = {
 
 static struct arm_smmu_domain *to_smmu_domain(struct iommu_domain *dom)
 {
+       if ( !dom )
+               return NULL;
+
        return container_of(dom, struct arm_smmu_domain, domain);
 }
 
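Review bot: the added guard makes the NULL check in arm_smmu_deassign_dev() (which the commit message says already exists) effective, but it only helps callers that actually test the result; any other caller of to_smmu_domain() that dereferences the return value unconditionally would now take a plain NULL dereference instead of the UBSAN-flagged pointer arithmetic, so it is worth stating in the commit message that every caller either checks for NULL or cannot receive a NULL iommu_domain. The message also leaves open how a NULL domain reaches the deassign path in the first place (the Fixes: tag doubt in the cover notes); if that is handled by 2/2 of the series, a one-line pointer to it here would make the split clear.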

base-commit: 6cd9b9226c65c962b0f0e040e7d3d5c4053f8e06
-- 
2.50.1
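A reduced model of the bug, added here for illustration and not taken from the Xen tree: a container_of lookup on an embedded member, an unguarded variant of to_smmu_domain(), the guarded variant from the patch, and a hypothetical deassign() caller. The struct layouts, deassign() and its return codes are assumptions; the point is that the caller-side NULL check can only fire once the helper itself returns NULL.

```c
#include <stddef.h>

/* Hypothetical stand-ins for the Xen structures (not the real layouts). */
struct iommu_domain {
    int type;
};

struct arm_smmu_domain {
    int pad[16];               /* puts 'domain' at a non-zero offset */
    struct iommu_domain domain;
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Pre-patch shape: with dom == NULL this evaluates NULL - offsetof(...),
 * which is undefined behaviour ("applying non-zero offset to null pointer")
 * and yields a non-NULL garbage pointer, so a later NULL check never fires.
 * It is only called with a valid pointer in this example. */
static struct arm_smmu_domain *to_smmu_domain_unguarded(struct iommu_domain *dom)
{
    return container_of(dom, struct arm_smmu_domain, domain);
}

/* Post-patch shape: NULL in, NULL out. */
static struct arm_smmu_domain *to_smmu_domain(struct iommu_domain *dom)
{
    if ( !dom )
        return NULL;
    return container_of(dom, struct arm_smmu_domain, domain);
}

/* Hypothetical deassign path; returns 0 on success, -1 if there is no
 * domain to deassign from. The NULL check is now meaningful. */
int deassign(struct iommu_domain *dom)
{
    struct arm_smmu_domain *sd = to_smmu_domain(dom);
    if ( !sd )
        return -1;
    sd->domain.type = 0;
    return 0;
}

/* Returns 1 when both lookups recover the real container from its member. */
int roundtrip_ok(void)
{
    struct arm_smmu_domain real = { .domain = { .type = 7 } };
    return offsetof(struct arm_smmu_domain, domain) != 0
        && to_smmu_domain(&real.domain) == &real
        && to_smmu_domain_unguarded(&real.domain) == &real;
}
```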