From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 22 Aug 2025 13:46:36 +0000 (+0200)
Subject: 6.16-stable patches
X-Git-Tag: v6.16.3~40
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=45d934eaa8efd1598f0a0b10efcf91b29cbff439;p=thirdparty%2Fkernel%2Fstable-queue.git

6.16-stable patches

added patches:
	iommu-riscv-prevent-null-deref-in-iova_to_phys.patch
---

diff --git a/queue-6.16/iommu-riscv-prevent-null-deref-in-iova_to_phys.patch b/queue-6.16/iommu-riscv-prevent-null-deref-in-iova_to_phys.patch
new file mode 100644
index 0000000000..3d4f45f089
--- /dev/null
+++ b/queue-6.16/iommu-riscv-prevent-null-deref-in-iova_to_phys.patch
@@ -0,0 +1,38 @@
+From 99d4d1a070870aa08163af8ce0522992b7f35d8c Mon Sep 17 00:00:00 2001
+From: XianLiang Huang <huangxianliang@lanxincomputing.com>
+Date: Wed, 20 Aug 2025 15:22:48 +0800
+Subject: iommu/riscv: prevent NULL deref in iova_to_phys
+
+From: XianLiang Huang <huangxianliang@lanxincomputing.com>
+
+commit 99d4d1a070870aa08163af8ce0522992b7f35d8c upstream.
+
+The riscv_iommu_pte_fetch() function returns either NULL for
+unmapped/never-mapped iova, or a valid leaf pte pointer that
+requires no further validation.
+
+riscv_iommu_iova_to_phys() failed to handle NULL returns.
+Prevent null pointer dereference in
+riscv_iommu_iova_to_phys(), and remove the pte validation.
+
+Fixes: 488ffbf18171 ("iommu/riscv: Paging domain support")
+Cc: Tomasz Jeznach <tjeznach@rivosinc.com>
+Signed-off-by: XianLiang Huang <huangxianliang@lanxincomputing.com>
+Link: https://lore.kernel.org/r/20250820072248.312-1-huangxianliang@lanxincomputing.com
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/riscv/iommu.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/riscv/iommu.c
++++ b/drivers/iommu/riscv/iommu.c
+@@ -1283,7 +1283,7 @@ static phys_addr_t riscv_iommu_iova_to_p
+ 	unsigned long *ptr;
+ 
+ 	ptr = riscv_iommu_pte_fetch(domain, iova, &pte_size);
+-	if (_io_pte_none(*ptr) || !_io_pte_present(*ptr))
++	if (!ptr)
+ 		return 0;
+ 
+ 	return pfn_to_phys(__page_val_to_pfn(*ptr)) | (iova & (pte_size - 1));
diff --git a/queue-6.16/series b/queue-6.16/series
index b15d6d0122..6548ecbd78 100644
--- a/queue-6.16/series
+++ b/queue-6.16/series
@@ -227,3 +227,4 @@ xfs-remove-unused-label-in-xfs_dax_notify_dev_failure.patch
 erofs-fix-build-error-with-config_erofs_fs_zip_accel-y.patch
 erofs-do-not-select-tristate-symbols-from-bool-symbols.patch
 crypto-acomp-fix-cfi-failure-due-to-type-punning.patch
+iommu-riscv-prevent-null-deref-in-iova_to_phys.patch