6.16-stable patches

author Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Fri, 22 Aug 2025 13:46:36 +0000 (15:46 +0200)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Fri, 22 Aug 2025 13:46:36 +0000 (15:46 +0200)
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 22 Aug 2025 13:46:36 +0000 (15:46 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 22 Aug 2025 13:46:36 +0000 (15:46 +0200)
diff --git a/queue-6.16/iommu-riscv-prevent-null-deref-in-iova_to_phys.patch b/queue-6.16/iommu-riscv-prevent-null-deref-in-iova_to_phys.patch

new file mode 100644 (file)

index 0000000..3d4f45f
--- /dev/null
+++ b/queue-6.16/iommu-riscv-prevent-null-deref-in-iova_to_phys.patch
@@ -0,0 +1,38 @@
+From 99d4d1a070870aa08163af8ce0522992b7f35d8c Mon Sep 17 00:00:00 2001
+From: XianLiang Huang <huangxianliang@lanxincomputing.com>
+Date: Wed, 20 Aug 2025 15:22:48 +0800
+Subject: iommu/riscv: prevent NULL deref in iova_to_phys
+
+From: XianLiang Huang <huangxianliang@lanxincomputing.com>
+
+commit 99d4d1a070870aa08163af8ce0522992b7f35d8c upstream.
+
+The riscv_iommu_pte_fetch() function returns either NULL for
+unmapped/never-mapped iova, or a valid leaf pte pointer that
+requires no further validation.
+
+riscv_iommu_iova_to_phys() failed to handle NULL returns.
+Prevent null pointer dereference in
+riscv_iommu_iova_to_phys(), and remove the pte validation.
+
+Fixes: 488ffbf18171 ("iommu/riscv: Paging domain support")
+Cc: Tomasz Jeznach <tjeznach@rivosinc.com>
+Signed-off-by: XianLiang Huang <huangxianliang@lanxincomputing.com>
+Link: https://lore.kernel.org/r/20250820072248.312-1-huangxianliang@lanxincomputing.com
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/riscv/iommu.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/riscv/iommu.c
++++ b/drivers/iommu/riscv/iommu.c
+@@ -1283,7 +1283,7 @@ static phys_addr_t riscv_iommu_iova_to_p
+       unsigned long *ptr;
+ 
+       ptr = riscv_iommu_pte_fetch(domain, iova, &pte_size);
+-      if (_io_pte_none(*ptr) || !_io_pte_present(*ptr))
++      if (!ptr)
+               return 0;
+ 
+       return pfn_to_phys(__page_val_to_pfn(*ptr)) | (iova & (pte_size - 1));
diff --git a/queue-6.16/series b/queue-6.16/series

index b15d6d012232d50fc3be7ee1ed8d4c0f7a49fc5d..6548ecbd782f949920d1923c10cc7ed1ef645dd8 100644 (file)
--- a/queue-6.16/series
+++ b/queue-6.16/series
@@ -227,3 +227,4 @@ xfs-remove-unused-label-in-xfs_dax_notify_dev_failure.patch
  erofs-fix-build-error-with-config_erofs_fs_zip_accel-y.patch
  erofs-do-not-select-tristate-symbols-from-bool-symbols.patch
  crypto-acomp-fix-cfi-failure-due-to-type-punning.patch
+iommu-riscv-prevent-null-deref-in-iova_to_phys.patch
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 22 Aug 2025 13:46:36 +0000 (15:46 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 22 Aug 2025 13:46:36 +0000 (15:46 +0200)
queue-6.16/iommu-riscv-prevent-null-deref-in-iova_to_phys.patch	[new file with mode: 0644]	patch \| blob
queue-6.16/series		patch \| blob \| blame \| history