From: Jason Gunthorpe <jgg@ziepe.ca>
To: Baolu Lu <baolu.lu@linux.intel.com>
Cc: "Aneesh Kumar K.V (Arm)" <aneesh.kumar@kernel.org>,
iommu@lists.linux.dev, linux-kernel@vger.kernel.org,
kvm@vger.kernel.org, Alexey Kardashevskiy <aik@amd.com>,
Bjorn Helgaas <helgaas@kernel.org>,
Dan Williams <dan.j.williams@intel.com>,
Joerg Roedel <joro@8bytes.org>,
Jonathan Cameron <jic23@kernel.org>,
Kevin Tian <kevin.tian@intel.com>,
Nicolin Chen <nicolinc@nvidia.com>,
Samuel Ortiz <sameo@rivosinc.com>,
Steven Price <steven.price@arm.com>,
Suzuki K Poulose <Suzuki.Poulose@arm.com>,
Will Deacon <will@kernel.org>,
Xu Yilun <yilun.xu@linux.intel.com>,
Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
Subject: Re: [PATCH v4 1/4] iommufd/device: Associate a kvm pointer to iommufd_device
Date: Mon, 27 Apr 2026 11:01:31 -0300
Message-ID: <20260427140131.GC740385@ziepe.ca>
In-Reply-To: <f5f2bd86-4cde-4efe-b824-d9f1c82357ac@linux.intel.com>

On Mon, Apr 27, 2026 at 05:07:52PM +0800, Baolu Lu wrote:
> iommufd_device_unbind() is an asynchronous teardown operation. Is it
> possible for idev->kvm to persist or be accessed within the iommufd
> subsystem after iommufd_device_unbind() has returned? Should we add the
> change below to prevent this potential UAF case?
>
> diff --git a/drivers/iommu/iommufd/device.c b/drivers/iommu/iommufd/device.c
> index 170a7005f0bc..dac39cb5e7cc 100644
> --- a/drivers/iommu/iommufd/device.c
> +++ b/drivers/iommu/iommufd/device.c
> @@ -333,6 +333,7 @@ EXPORT_SYMBOL_NS_GPL(iommufd_ctx_has_group, "IOMMUFD");
> */
> void iommufd_device_unbind(struct iommufd_device *idev)
> {
> + idev->kvm = NULL;
> iommufd_object_destroy_user(idev->ictx, &idev->obj);
> }
> EXPORT_SYMBOL_NS_GPL(iommufd_device_unbind, "IOMMUFD");
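
Review bot: the added `idev->kvm = NULL;` at the top of iommufd_device_unbind() is a plain store into the same object that the very next line passes to iommufd_object_destroy_user(idev->ictx, &idev->obj). If that call releases idev, the cleared field goes away with the object and the store closes no use-after-free window; if some path can still hold idev after unbind returns, an unlocked store also gives no ordering against a concurrent reader of idev->kvm. Suggest dropping the line and, if a late reader of idev->kvm really exists, identifying that path and covering it with a reference or lock on the reader side instead.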

iommufd_object_destroy_user() frees the memory of idev, it is not
useful to null before free.

Jason