[PATCH] iommu/amd: Fix undefined behavior in devid_write debugfs function

lirongqing posted 1 patch 6 days, 17 hours ago
drivers/iommu/amd/debugfs.c | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)
Posted by lirongqing 6 days, 17 hours ago
From: Li RongQing <lirongqing@baidu.com>

When the for_each_pci_segment() loop completes without finding a matching
segment, the pci_seg pointer is not NULL but points to an invalid memory
location (the list head). Accessing pci_seg->id after the loop causes
undefined behavior.

Fix this by handling the successful case inside the loop and returning
-EINVAL after the loop if no matching segment is found.

Fixes: 2e98940f123d9 ("iommu/amd: Add support for device id user input")
Signed-off-by: Li RongQing <lirongqing@baidu.com>
---
 drivers/iommu/amd/debugfs.c | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/drivers/iommu/amd/debugfs.c b/drivers/iommu/amd/debugfs.c
index 4c53b63..5c573ec 100644
--- a/drivers/iommu/amd/debugfs.c
+++ b/drivers/iommu/amd/debugfs.c
@@ -176,19 +176,13 @@ static ssize_t devid_write(struct file *filp, const char __user *ubuf,
 			kfree(srcid_ptr);
 			return -ENODEV;
 		}
-		break;
-	}
-
-	if (pci_seg->id != seg) {
+		sbdf = PCI_SEG_DEVID_TO_SBDF(seg, devid);
 		kfree(srcid_ptr);
-		return -EINVAL;
+		return cnt;
 	}
 
-	sbdf = PCI_SEG_DEVID_TO_SBDF(seg, devid);
-
 	kfree(srcid_ptr);
-
-	return cnt;
+	return -EINVAL;
 }
 
 static int devid_show(struct seq_file *m, void *unused)
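Review bot: kfree(srcid_ptr) is now repeated on all three exits visible in this hunk (before return -ENODEV, before the new in-loop return cnt, and before the final return -EINVAL), so a later change that adds another exit can easily miss the free. Consider setting a return value and jumping to a single out: label that frees srcid_ptr, or declaring the buffer with the __free(kfree) cleanup attribute so every return releases it.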
-- 
2.9.4
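The failure mode the commit message describes, as an added user-space example that is not part of the patch or the kernel source: after a list_for_each_entry-style loop runs to completion, the cursor is the container computed from the list head, non-NULL but not a real entry. The cut-down list macros, `struct demo_seg` and both function names are assumptions made for this illustration, and the two-entry list is constructed sample data.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* User-space stand-ins shaped like <linux/list.h>, cut down for this demo. */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
	((type *)((uintptr_t)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member)                           \
	for (pos = container_of((head)->next, __typeof__(*pos), member); \
	     &pos->member != (head);                                     \
	     pos = container_of(pos->member.next, __typeof__(*pos), member))

/* Hypothetical segment entry; the constructed list holds ids 0 and 1. */
struct demo_seg { unsigned short id; struct list_head list; };
static struct list_head segs;
static struct demo_seg sample[2] = {
	{ .id = 0, .list = { &sample[1].list, &segs } },
	{ .id = 1, .list = { &segs, &sample[0].list } },
};
static struct list_head segs = { &sample[0].list, &sample[1].list };

/* Old shape: break on a hit, inspect the cursor afterwards. Returns 1 when
 * the cursor is the non-NULL container computed from the list head, which
 * is no real entry. Only addresses are compared; nothing is read through it. */
int stale_cursor_after_lookup(unsigned short id)
{
	struct demo_seg *seg;

	list_for_each_entry(seg, &segs, list)
		if (seg->id == id)
			break;
	return seg != NULL && &seg->list == &segs;
}

/* Fixed shape: succeed inside the loop, report the miss after it. */
int lookup_fixed(unsigned short id)
{
	struct demo_seg *seg;

	list_for_each_entry(seg, &segs, list)
		if (seg->id == id)
			return 0;
	return -EINVAL;
}
```

A NULL test on the cursor after the loop would not catch the miss either, which is why the hit has to be handled inside the loop body.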
Re: [PATCH] iommu/amd: Fix undefined behavior in devid_write debugfs function
Posted by Ankit Soni 6 days ago
On Mon, Jun 01, 2026 at 08:12:40AM -0400, lirongqing wrote:
> From: Li RongQing <lirongqing@baidu.com>
> 
> When the for_each_pci_segment() loop completes without finding a matching
> segment, the pci_seg pointer is not NULL but points to an invalid memory
> location (the list head). Accessing pci_seg->id after the loop causes
> undefined behavior.
> 
> Fix this by handling the successful case inside the loop and returning
> -EINVAL after the loop if no matching segment is found.
> 
> Fixes: 2e98940f123d9 ("iommu/amd: Add support for device id user input")
> Signed-off-by: Li RongQing <lirongqing@baidu.com>

Hi,

Thanks for the fix. Looks good to me.

Reviewed-by: Ankit Soni <Ankit.Soni@amd.com>

> ---
>  drivers/iommu/amd/debugfs.c | 12 +++---------
>  1 file changed, 3 insertions(+), 9 deletions(-)
> 
> diff --git a/drivers/iommu/amd/debugfs.c b/drivers/iommu/amd/debugfs.c
> index 4c53b63..5c573ec 100644
> --- a/drivers/iommu/amd/debugfs.c
> +++ b/drivers/iommu/amd/debugfs.c
> @@ -176,19 +176,13 @@ static ssize_t devid_write(struct file *filp, const char __user *ubuf,
>  			kfree(srcid_ptr);
>  			return -ENODEV;
>  		}
> -		break;
> -	}
> -
> -	if (pci_seg->id != seg) {
> +		sbdf = PCI_SEG_DEVID_TO_SBDF(seg, devid);
>  		kfree(srcid_ptr);
> -		return -EINVAL;
> +		return cnt;
>  	}
>  
> -	sbdf = PCI_SEG_DEVID_TO_SBDF(seg, devid);
> -
>  	kfree(srcid_ptr);
> -
> -	return cnt;
> +	return -EINVAL;
>  }
>  
>  static int devid_show(struct seq_file *m, void *unused)
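Review bot: the new in-loop return cnt is only correct if the loop body skips non-matching segments before reaching this point, and that comparison is outside the lines shown in this hunk. With the explicit if (pci_seg->id != seg) check removed, a one-line comment above the final return -EINVAL stating that falling out of the loop means no segment matched seg would make the control flow self-explanatory to the next reader.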
> -- 
> 2.9.4
>