[PATCH] iommu: amd: Fix uninitialized dev_data on probe failure

Posted by Rakuram Eswaran 1 month, 2 weeks ago
amd_iommu_probe_device() may jump to the out_err path when
iommu_init_device() fails. In that case, dev_data has not been
initialized yet, but the out_err path unconditionally dereferences
dev_data, leading to an uninitialized pointer dereference.

The IOMMU core explicitly allows ->probe_device() callbacks to
return ERR_PTR() on failure. Return immediately when device
initialization fails instead of falling through the shared error
path, which assumes that per-device IOMMU state exists.

This avoids dereferencing dev_data on error paths where the device
was not successfully initialized.

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202512191724.meqJENXe-lkp@intel.com/
Signed-off-by: Rakuram Eswaran <rakuram.e96@gmail.com>
---
Testing note:
Compile tested only.

Build and Analysis:
This patch was compiled against the configuration file reported by
0day CI in the above link (config: x86_64-randconfig-r073-20251215)
using gcc version 15.2.0 (Ubuntu 15.2.0-4ubuntu4).

Static analysis was performed with Smatch to ensure the reported warning
no longer reproduces after applying this fix.

Command used for testing:
~/project/smatch/smatch_scripts/kchecker ./drivers/iommu/amd/iommu.c

 drivers/iommu/amd/iommu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
index 5d45795c367a..075125f0f52b 100644
--- a/drivers/iommu/amd/iommu.c
+++ b/drivers/iommu/amd/iommu.c
@@ -2426,7 +2426,7 @@ static struct iommu_device *amd_iommu_probe_device(struct device *dev)
 		dev_err(dev, "Failed to initialize - trying to proceed anyway\n");
 		iommu_dev = ERR_PTR(ret);
 		iommu_ignore_device(iommu, dev);
-		goto out_err;
+		return iommu_dev;
 	}
 
 	amd_iommu_set_pci_msi_domain(dev, iommu);
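Review bot: the early `return iommu_dev` skips amd_iommu_set_pci_msi_domain() and everything else the old `goto out_err` still reached, and the dev_err() text two lines up still says "trying to proceed anyway", which the function no longer does after this change. If skipping those steps on failure is intended, the message and the commit log should say so; otherwise keep the goto and make dev_data NULL-safe instead, e.g. initialize it to NULL at its declaration and guard the dereference on the out_err path.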
-- 
2.51.0
Re: [PATCH] iommu: amd: Fix uninitialized dev_data on probe failure
Posted by Jörg Rödel 4 weeks, 1 day ago
On Sun, Dec 21, 2025 at 11:04:16PM +0530, Rakuram Eswaran wrote:
> diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
> index 5d45795c367a..075125f0f52b 100644
> --- a/drivers/iommu/amd/iommu.c
> +++ b/drivers/iommu/amd/iommu.c
> @@ -2426,7 +2426,7 @@ static struct iommu_device *amd_iommu_probe_device(struct device *dev)
>  		dev_err(dev, "Failed to initialize - trying to proceed anyway\n");
>  		iommu_dev = ERR_PTR(ret);
>  		iommu_ignore_device(iommu, dev);
> -		goto out_err;
> +		return iommu_dev;
>  	}

This is not the right fix. It makes the function omit further initialization
steps which are needed even when iommu_init_device() fails (which it only does
on out-of-memory).

The right fix is to initialize dev_data to NULL and check for that value before
dereferencing it further down to keep the current logic.

-Joerg
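As an added illustration of the two approaches discussed above (not code from the thread or from the kernel), here is a user-space model of the failure path: the posted early return next to the NULL-initialize-and-check variant Joerg suggests. All model_* names are invented, and the assumption that the 2K interrupt step is the one dereferencing dev_data is mine.

```c
/* Added example, not kernel code: a user-space model of the control flow
 * discussed in the thread. All model_* names are invented stand-ins for
 * amd_iommu_probe_device(), iommu_init_device(), dev_data and out_err. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* max_irqs models the dev_data state the 2K interrupt step is assumed to
 * dereference; completion_waited records whether iommu_completion_wait() ran. */
struct model_dev { bool init_fails; int max_irqs; bool completion_waited; };

/* Stand-in for iommu_init_device(): fails only on (simulated) OOM. */
static int model_init_device(struct model_dev *dev, struct model_dev **dd)
{
	if (dev->init_fails)
		return -ENOMEM;
	*dd = dev;
	return 0;
}

/* Variant 1, the posted patch: the early return never touches the uninitialized
 * dev_data but skips the shared steps Joerg says must still run on failure. */
static int model_probe_early_return(struct model_dev *dev)
{
	struct model_dev *dev_data;    /* uninitialized, as in the original */
	int ret = model_init_device(dev, &dev_data);
	if (ret)
		return ret;                /* was: goto out_err */
	dev->completion_waited = true; /* iommu_completion_wait() */
	dev_data->max_irqs = 2048;     /* 2K interrupt setup uses dev_data */
	return 0;
}

/* Variant 2, Joerg's suggestion: dev_data starts as NULL, the goto stays,
 * and only the dereference is guarded, so the shared path still runs. */
static int model_probe_null_guard(struct model_dev *dev)
{
	struct model_dev *dev_data = NULL;
	int ret = model_init_device(dev, &dev_data);
	if (ret)
		goto out_err;              /* further setup would sit here */
out_err:
	dev->completion_waited = true; /* iommu_completion_wait() */
	if (dev_data)                  /* the added NULL check */
		dev_data->max_irqs = 2048;
	return ret;
}
```

Both variants return the same error on failure; the difference is whether the shared post-init step still runs.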
Re: [PATCH] iommu: amd: Fix uninitialized dev_data on probe failure
Posted by Vasant Hegde 3 weeks, 6 days ago
On 1/10/2026 3:39 PM, Jörg Rödel wrote:
> On Sun, Dec 21, 2025 at 11:04:16PM +0530, Rakuram Eswaran wrote:
>> diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
>> index 5d45795c367a..075125f0f52b 100644
>> --- a/drivers/iommu/amd/iommu.c
>> +++ b/drivers/iommu/amd/iommu.c
>> @@ -2426,7 +2426,7 @@ static struct iommu_device *amd_iommu_probe_device(struct device *dev)
>>  		dev_err(dev, "Failed to initialize - trying to proceed anyway\n");
>>  		iommu_dev = ERR_PTR(ret);
>>  		iommu_ignore_device(iommu, dev);
>> -		goto out_err;
>> +		return iommu_dev;
>>  	}
> 
> This is not the right fix. It makes the function omit further initialization
> steps which are needed event when iommu_init_device() fails (which it only does
> on out-of-memory).
> 
> The right fix is to initialize dev_data to NULL and check for that value before
> dereferencing it further down to keep the current logic.

Ack. I think this function needs a rewrite. PCIe device capability
check/enablement is scattered between this one and iommu_init_device(). I will
fix it as part of other PASID related fixes/cleanups.

I think for now the fix below is good enough.

@Rakuram, @Joerg, let me know if you want me to send a proper patch.


Fixes: 19e5cc156c ("iommu/amd: Enable support for up to 2K interrupts per function")

---
diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
index e46a63c85337..87bba1d31a6c 100644
--- a/drivers/iommu/amd/iommu.c
+++ b/drivers/iommu/amd/iommu.c
@@ -2983,8 +2983,6 @@ static struct iommu_device *amd_iommu_probe_device(struct
device *dev)
 		goto out_err;
 	}

-out_err:
-
 	iommu_completion_wait(iommu);

 	if (FEATURE_NUM_INT_REMAP_SUP_2K(amd_iommu_efr2))
@@ -2995,6 +2993,7 @@ static struct iommu_device *amd_iommu_probe_device(struct
device *dev)
 	if (dev_is_pci(dev))
 		pci_prepare_ats(to_pci_dev(dev), PAGE_SHIFT);

+out_err:
 	return iommu_dev;
 }
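Review bot: with out_err removed before iommu_completion_wait() in the previous hunk and re-added just before `return iommu_dev` here, the failure path now skips iommu_completion_wait(), the FEATURE_NUM_INT_REMAP_SUP_2K() block and pci_prepare_ats(), which is the same early-exit behaviour as the `return iommu_dev` Joerg rejected above. If those steps are in fact safe to skip when iommu_init_device() fails, the commit message should say why; otherwise leave the label where it was and NULL-check dev_data inside the 2K block as suggested. Minor: the Fixes: tag should use at least a 12-character SHA, not the 10 characters given.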



-Vasant