On Mon, Jul 14, 2025 at 08:13:13AM +0100, Giovanni Cabiddu wrote:
> From: Shwethax Shetty <shwethax.shetty@xxxxxxxxx>
>
> If a list is not properly initialized before use, traversing it can lead
> to undefined behavior, including NULL pointer dereferences. In this
> case, the `adf_ctl_stop_devices()` function attempts to iterate over a
> list to retrieve `accel_dev`, but if the list hasn't been initialized,
> it may result in a kernel panic.
>
> This issue was observed during testing, with the following stack trace:
>
>   BUG: kernel NULL pointer dereference, address: 0000000000000214
>   RIP: 0010:adf_ctl_stop_devices+0x65/0x240 [intel_qat]
>   4xxx 0000:86:00.0: pci_iomap_range() calls ioremap_driver_hardened()
>   ? __die+0x24/0x70
>   ? page_fault_oops+0x82/0x160
>   ? do_user_addr_fault+0x65/0x690
>   ? exc_page_fault+0x78/0x170
>   4xxx 0000:86:00.0: pci_iomap_range() calls ioremap_driver_hardened()
>   ? asm_exc_page_fault+0x26/0x30
>   ? adf_ctl_stop_devices+0x65/0x240 [intel_qat]
>   4xxx 0000:86:00.0: pci_iomap_range() calls ioremap_driver_hardened()
>   ? adf_ctl_stop_devices+0x65/0x240 [intel_qat]
>   adf_ctl_ioctl+0x6a9/0x790 [intel_qat]
>
> To prevent this, add the missing `INIT_LIST_HEAD()` in `adf_probe()` to
> ensure the list is correctly initialized before use.
>
> Fixes: 7afa232e76ce ("crypto: qat - Intel(R) QAT DH895xcc accelerator")
> Fixes: dd0f368398ea ("crypto: qat - Add qat dh895xcc VF driver")
> Fixes: a6dabee6c8ba ("crypto: qat - add support for c62x accel type")
> Fixes: 3771df3cff75 ("crypto: qat - add support for c62xvf accel type")
> Fixes: 890c55f4dc0e ("crypto: qat - add support for c3xxx accel type")
> Fixes: 8b206f2d666f ("crypto: qat - add support for c3xxxvf accel type")
> Fixes: 8c8268166e83 ("crypto: qat - add qat_4xxx driver")
> Fixes: fcf60f4bcf54 ("crypto: qat - add support for 420xx devices")
> Signed-off-by: Shwethax Shetty <shwethax.shetty@xxxxxxxxx>
> Reviewed-by: Srikanth Thokala <srikanth.thokala@xxxxxxxxx>
> Reviewed-by: Ahsan Atta <ahsan.atta@xxxxxxxxx>
> Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@xxxxxxxxx>
> ---

Herbert, please discard this patch.

`accel_dev->list` refers to an element within the list and the fields
`next` and `prev` are set when the element is added.
This patch is unnecessary.

Thanks,

--
Giovanni
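
The point made in the reply above, as an added example that is not part of the thread or of the QAT driver: a simplified user-space model of the kernel's `struct list_head` showing that adding an element overwrites its `next` and `prev`, so only the list head needs initialising. `demo_dev`, `dev_of` and `walk_after_add` are hypothetical names, and the helpers are cut-down versions of those in `include/linux/list.h`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified user-space model of the kernel's doubly linked list. */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *node, struct list_head *head)
{
    struct list_head *prev = head->prev;   /* only the head's links are read */

    node->next = head;                     /* the element's own links are */
    node->prev = prev;                     /* written, never read         */
    prev->next = node;
    head->prev = node;
}

/* Hypothetical stand-in for a device structure with an embedded list node. */
struct demo_dev { int id; struct list_head list; };
#define dev_of(p) ((struct demo_dev *)((char *)(p) - offsetof(struct demo_dev, list)))

/* Adds n devices whose list nodes hold garbage, then walks from the head.
 * Returns the sum of the ids visited, or -1 if any link is inconsistent. */
int walk_after_add(struct demo_dev *devs, int n)
{
    struct list_head table, *pos;
    int i, sum = 0;

    INIT_LIST_HEAD(&table);                /* the head must be initialised */
    for (i = 0; i < n; i++) {
        memset(&devs[i].list, 0xA5, sizeof(devs[i].list)); /* constructed garbage */
        list_add_tail(&devs[i].list, &table);              /* overwrites it */
    }
    for (pos = table.next; pos != &table; pos = pos->next) {
        if (pos->next->prev != pos || pos->prev->next != pos)
            return -1;
        sum += dev_of(pos)->id;
    }
    return sum;
}

int main(void)
{
    struct demo_dev devs[3] = { { .id = 1 }, { .id = 2 }, { .id = 4 } };
    printf("sum of ids reached from head: %d\n", walk_after_add(devs, 3));
    return 0;
}
```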