Commit d769711f authored Apr 24, 2026 by Nicolin Chen Committed by Joerg Roedel May 11, 2026

iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done()



Local sashiko review pointed it out that group->domain could be NULL when
a default domain fails to allocate during the first probe, which can crash
at domain->ops->attach_dev dereference in __iommu_attach_device() invoked
by pci_dev_reset_iommu_done().

pci_dev_reset_iommu_prepare() is fine as an old_domain pointer can be NULL.

Skip the re-attach in pci_dev_reset_iommu_done() to fix the bug.

Fixes: c279e839 ("iommu: Introduce pci_dev_reset_iommu_prepare/done()")
Cc: stable@vger.kernel.org
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>

parent 07d0f496

drivers/iommu/iommu.c

+7 −2

Original line number	Diff line number	Diff line
		@@ -4073,8 +4073,13 @@ void pci_dev_reset_iommu_done(struct pci_dev *pdev)
		if (WARN_ON(!group->blocking_domain))
		return;

		/* Re-attach RID domain back to group->domain */
		if (group->domain != group->blocking_domain) {
		/*
		* Re-attach RID domain back to group->domain
		*
		* Leave the device parked in the blocking_domain if group->domain isn't
		* initialized yet
		*/
		if (group->domain && group->domain != group->blocking_domain) {
		WARN_ON(__iommu_attach_device(group->domain, &pdev->dev,
		group->blocking_domain));
		}