[PATCH] iommu/amd: Fix undefined behavior in devid_write debugfs function

Next message: Christophe Leroy (CS GROUP): "Re: [PATCH 17/29] crypto: talitos/aead - Use macro for algorithm definitions"
Previous message: Luiz Capitulino: "Re: [PATCH v5 07/14] mm: shmem: allow THP support determination at folio allocation time"
Next in thread: Ankit Soni: "Re: [PATCH] iommu/amd: Fix undefined behavior in devid_write debugfs function"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: lirongqing

Date: Mon Jun 01 2026 - 08:21:36 EST

From: Li RongQing <lirongqing@xxxxxxxxx>

When for_each_pci_segment() loop completes without finding a matching
segment, the pci_seg pointer is not NULL but points to an invalid memory
location (the list head). Accessing pci_seg->id after the loop causes
undefined behavior.

Fix this by handling the successful case inside the loop and returning
-EINVAL after the loop if no matching segment is found.

Fixes: 2e98940f123d9 ("iommu/amd: Add support for device id user input")
Signed-off-by: Li RongQing <lirongqing@xxxxxxxxx>
---
drivers/iommu/amd/debugfs.c | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/drivers/iommu/amd/debugfs.c b/drivers/iommu/amd/debugfs.c
index 4c53b63..5c573ec 100644
--- a/drivers/iommu/amd/debugfs.c
+++ b/drivers/iommu/amd/debugfs.c
@@ -176,19 +176,13 @@ static ssize_t devid_write(struct file *filp, const char __user *ubuf,
kfree(srcid_ptr);
return -ENODEV;
}
- break;
- }
-
- if (pci_seg->id != seg) {
+ sbdf = PCI_SEG_DEVID_TO_SBDF(seg, devid);
kfree(srcid_ptr);
- return -EINVAL;
+ return cnt;
}

- sbdf = PCI_SEG_DEVID_TO_SBDF(seg, devid);
-
kfree(srcid_ptr);
-
- return cnt;
+ return -EINVAL;
}

static int devid_show(struct seq_file *m, void *unused)
--
2.9.4