Commit 7a089c5d authored Dec 17, 2025 by Jason Gunthorpe Committed by Joerg Roedel Dec 18, 2025

iommupt: Return ERR_PTR from _table_alloc()

syzkaller noticed that with fault injection a failure inside
iommu_alloc_pages_node_sz() oops's in PT_FEAT_DMA_INCOHERENT because it goes
on to make NULL incoherent. Closer inspection shows the return value has
become confused, the alloc routines on the iommupt side expect ERR_PTR while
iommu_alloc_pages_node_sz() returns NULL.

Error out early to fix both issues.

Fixes: aefd967d ("iommupt: Use the incoherent start/stop functions for PT_FEAT_DMA_INCOHERENT")
Fixes: dcd6a011 ("iommupt: Add map_pages op")
Fixes: cdb39d91 ("iommupt: Add the basic structure of the iommu implementation")
Reported-by: <syzbot+e06bb7478e687f235ad7@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/all/693a39de.050a0220.4004e.02ce.GAE@google.com/

Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>

parent 8f0b4cce

drivers/iommu/generic_pt/iommu_pt.h

+3 −0

Original line number	Diff line number	Diff line
		@@ -372,6 +372,9 @@ static inline struct pt_table_p _table_alloc(struct pt_common common,

		table_mem = iommu_alloc_pages_node_sz(iommu_table->nid, gfp,
		log2_to_int(lg2sz));
		if (!table_mem)
		return ERR_PTR(-ENOMEM);

		if (pt_feature(common, PT_FEAT_DMA_INCOHERENT) &&
		mode == ALLOC_NORMAL) {
		int ret = iommu_pages_start_incoherent(