[luxis1999-dev-iommu:iommufd-vfio-v5.16-rc1 29/32] drivers/iommufd/iommufd.c:339 iommufd_process_dma_op() warn: unsigned 'dma.ioas' is never less than zero.

From: kernel test robot
Date: Thu Nov 04 2021 - 23:06:31 EST

Next message: Xin Ji: "Re: [PATCH v12 0/4] Add MIPI rx DPI support"
Previous message: kernel test robot: "Re: [PATCH] rtc: pcf85063: add i2c_device_id name matching support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

tree: https://github.com/luxis1999/dev-iommu iommufd-vfio-v5.16-rc1
head: 0c6c7bdb5b3f7d4c8e6b03d34a59ac6bf3d02539
commit: 465aafaf97510d09bd68700c80ed3bb87db45077 [29/32] iommufd: Add IOMMU_IOAS_[UN]MAP_DMA
config: x86_64-randconfig-m001-20211105 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@xxxxxxxxx>

New smatch warnings:
drivers/iommufd/iommufd.c:339 iommufd_process_dma_op() warn: unsigned 'dma.ioas' is never less than zero.

Old smatch warnings:
drivers/iommufd/iommufd.c:210 iommufd_ioas_alloc() error: dereferencing freed memory 'ioas'

vim +339 drivers/iommufd/iommufd.c

325
326 static int iommufd_process_dma_op(struct iommufd_ctx *ictx,
327 unsigned long arg, bool map)
328 {
329 struct iommu_ioas_dma_op dma;
330 unsigned long minsz;
331 struct iommufd_ioas *ioas = NULL;
332 int ret;
333
334 minsz = offsetofend(struct iommu_ioas_dma_op, padding);
335
336 if (copy_from_user(&dma, (void __user *)arg, minsz))
337 return -EFAULT;
338
> 339 if (dma.argsz < minsz || dma.flags || dma.ioas < 0)
340 return -EINVAL;
341
342 ioas = ioasid_get_ioas(ictx, dma.ioas);
343 if (!ioas) {
344 pr_err_ratelimited("unkonwn IOASID %u\n", dma.ioas);
345 return -EINVAL;
346 }
347
348 down_read(&ioas->device_lock);
349
350 /*
351 * Needs to block map/unmap request from userspace before IOAS
352 * is attached to any device.
353 */
354 if (xa_empty(&ioas->device)) {
355 ret = -EINVAL;
356 goto out;
357 }
358
359 if (map)
360 ret = vfio_iommu_type1_map_dma(ioas->vfio_iommu, arg + minsz);
361 else
362 ret = vfio_iommu_type1_unmap_dma(ioas->vfio_iommu, arg + minsz);
363 out:
364 up_read(&ioas->device_lock);
365 ioas_put(ioas);
366
367 return ret;
368 };
369

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx

Attachment: .config.gz
Description: application/gzip

Next message: Xin Ji: "Re: [PATCH v12 0/4] Add MIPI rx DPI support"
Previous message: kernel test robot: "Re: [PATCH] rtc: pcf85063: add i2c_device_id name matching support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]