Re: [PATCH rc v7 6/6] iommu: Fix UAF in pci_dev_reset_iommu_done() due to concurrent detach

[Baolu Lu <baolu.lu@linux.intel.com>]

On 4/19/26 07:41, Nicolin Chen wrote:
> In __iommu_group_set_domain_internal(), concurrent domain attachments are
> rejected when any device in the group is recovering. This is necessary to
> fence concurrent attachments to a multi-device group where devices might
> share the same RID due to PCI DMA alias quirks.
> 
> However, IOMMU_SET_DOMAIN_MUST_SUCCEED callers (detach/teardown paths such
> as __iommu_group_set_core_domain and __iommu_release_dma_ownership) should
> not be rejected, as the domain would be free-ed anyway in this nofail path
> while group->domain is still pointing to it. So pci_dev_reset_iommu_done()
> could trigger a UAF when re-attaching group->domain.
> 
> Honor the IOMMU_SET_DOMAIN_MUST_SUCCEED flag, allowing the callers through
> the group->recovery_cnt fence, so as to update the group->domain pointer.
> Instead add gdev->blocked checks in the device iteration loop to avoid any
> concurrent per-device detachment.
> 
> Fixes: c279e83953d9 ("iommu: Introduce pci_dev_reset_iommu_prepare/done()")
> Cc:stable@vger.kernel.org
> Reported-by: Kevin Tian<kevin.tian@intel.com>
> Closes:https://lore.kernel.org/all/ 
> BN9PR11MB5276D60096EBF15C5753C4BB8C202@BN9PR11MB5276.namprd11.prod.outlook.com/
> Signed-off-by: Nicolin Chen<nicolinc@nvidia.com>
> ---
>   drivers/iommu/iommu.c | 14 +++++++++++++-
>   1 file changed, 13 insertions(+), 1 deletion(-)

Agreed with Kevin's comments. With that included in the commit message:

Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>