From: sashiko-bot@kernel.org
To: "Pranjal Shrivastava" <praan@google.com>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH v7 3/5] iommu/arm-smmu-v3: Fix a UAF in the probe_device error path
Date: Mon, 01 Jun 2026 15:06:12 +0000 [thread overview]
Message-ID: <20260601150613.0F9B61F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260601143644.2358771-4-praan@google.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Critical] Calling `rb_erase()` on an unlinked, zero-initialized stream node silently corrupts the SMMU streams rbtree by zeroing the tree root.
--
commit 785579083a69b017d9dafe6dce3c844bea656662
Author: Pranjal Shrivastava <praan@google.com>
iommu/arm-smmu-v3: Fix a UAF in the probe_device error path
Clear the iommu->priv to NULL while returning an error from probe_device.
> diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
> index a10affb483a4f..54c7f1ae3a841 100644
> --- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
> +++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
> @@ -4206,6 +4206,7 @@ static struct iommu_device *arm_smmu_probe_device(struct device *dev)
> arm_smmu_disable_pasid(master);
> arm_smmu_remove_master(master);
[Severity: Critical]
This is a pre-existing issue, but could calling arm_smmu_remove_master()
here silently corrupt the smmu streams rbtree if there are duplicate
Stream IDs?
In arm_smmu_insert_master(), master->streams is allocated with kzalloc,
leaving the rb_node zero-initialized. If a device has duplicate Stream IDs
(expected for bridged PCI devices), it skips inserting the duplicate node
into smmu->streams:
drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c:arm_smmu_insert_master() {
...
/* Bridged PCI devices may end up with duplicated IDs */
if (existing_master == master)
continue;
...
}
However, arm_smmu_remove_master() unconditionally calls rb_erase() on all
nodes:
drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c:arm_smmu_remove_master() {
...
for (i = 0; i < fwspec->num_ids; i++)
rb_erase(&master->streams[i].node, &smmu->streams);
...
}
Since the rb_erase() implementation interprets a zero-initialized node as a
root node with no children, it clears it by setting root->rb_node = NULL.
Does this detach the entire stream tracking tree?
The error path in arm_smmu_insert_master() also unconditionally calls
rb_erase() on processed nodes:
drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c:arm_smmu_insert_master() {
...
for (i--; i >= 0; i--)
rb_erase(&master->streams[i].node, &smmu->streams);
...
}
Would this also trigger the same corruption if a failure happens after
skipping a duplicate ID?
> err_free_master:
> + dev_iommu_priv_set(dev, NULL);
> kfree(master);
> return ERR_PTR(ret);
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260601143644.2358771-1-praan@google.com?part=3
next prev parent reply other threads:[~2026-06-01 15:06 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-01 14:36 [PATCH v7 0/5] iommu: Standardize ATS robustness and state tracking Pranjal Shrivastava
2026-06-01 14:36 ` [PATCH v7 1/5] PCI/ATS: Ensure pci_ats_supported() is PF-aware for VFs Pranjal Shrivastava
2026-06-03 7:25 ` Tian, Kevin
2026-06-01 14:36 ` [PATCH v7 2/5] PCI/ATS: Validate STU for VFs in pci_prepare_ats() Pranjal Shrivastava
2026-06-03 7:28 ` Tian, Kevin
2026-06-01 14:36 ` [PATCH v7 3/5] iommu/arm-smmu-v3: Fix a UAF in the probe_device error path Pranjal Shrivastava
2026-06-01 15:06 ` sashiko-bot [this message]
2026-06-03 7:31 ` Tian, Kevin
2026-06-03 13:28 ` Pranjal Shrivastava
2026-06-03 14:59 ` Jason Gunthorpe
2026-06-04 2:29 ` Baolu Lu
2026-06-04 5:22 ` Pranjal Shrivastava
2026-06-01 14:36 ` [PATCH v7 4/5] iommu/arm-smmu-v3: Standardize ATS enablement failure reporting Pranjal Shrivastava
2026-06-03 7:34 ` Tian, Kevin
2026-06-03 9:12 ` Pranjal Shrivastava
2026-06-03 10:12 ` Tian, Kevin
2026-06-01 14:36 ` [PATCH v7 5/5] iommu/vt-d: Fail probe on ATS configuration failure Pranjal Shrivastava
2026-06-01 15:30 ` sashiko-bot
2026-06-01 16:01 ` Pranjal Shrivastava
2026-06-03 5:41 ` Baolu Lu
2026-06-03 7:34 ` Tian, Kevin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260601150613.0F9B61F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=praan@google.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.