From: Pranjal Shrivastava <praan@google.com>
To: Baolu Lu <baolu.lu@linux.intel.com>
Cc: iommu@lists.linux.dev, linux-pci@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, Joerg Roedel <joro@8bytes.org>,
Will Deacon <will@kernel.org>,
Bjorn Helgaas <bhelgaas@google.com>,
David Woodhouse <dwmw2@infradead.org>,
Robin Murphy <robin.murphy@arm.com>,
Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>,
Jason Gunthorpe <jgg@ziepe.ca>,
Nicolin Chen <nicolinc@nvidia.com>,
David Matlack <dmatlack@google.com>,
Samiullah Khawaja <skhawaja@google.com>,
Daniel Mentz <danielmentz@google.com>,
Pasha Tatashin <pasha.tatashin@soleen.com>,
Mostafa Saleh <smostafa@google.com>,
sashiko-bot@kernel.org
Subject: Re: [PATCH v5 5/7] iommu/vt-d: Fix RB-tree corruption and Use-After-Free in probe
Date: Fri, 29 May 2026 07:04:46 +0000 [thread overview]
Message-ID: <ahk6jom_zexIt5S8@google.com> (raw)
In-Reply-To: <5c5e85f1-f745-4667-af0d-30af71288294@linux.intel.com>
On Fri, May 29, 2026 at 11:20:47AM +0800, Baolu Lu wrote:
> On 5/29/26 04:23, Pranjal Shrivastava wrote:
> > The intel_iommu_probe_device() function contains two pre-existing
> > memory safety issues on its error path:
> >
> > 1. The info->node RB-tree member is zero-initialized via kzalloc. If
> > a device does not support ATS, the device_rbtree_insert() call is
> > skipped. If a subsequent probe step fails, the error path jumps to
> > device_rbtree_remove(), which misinterprets the zeroed node as
> > a tree root and corrupts the device RB-tree.
> >
> > 2. The info structure is freed on failure, but the pointer remains
> > linked to the device via dev_iommu_priv_set(). This leads to a
> > Use-After-Free regression if the pointer is accessed later.
> >
> > Fix these by explicitly initializing the RB-node as empty and guarding
> > its removal. Additionally, ensure dev_iommu_priv_set(dev, NULL) is
> > called before freeing the info structure in the error path.
>
> Thanks for the fixes. Could you please separate these two fixes into two
> distinct patches and post them as a standalone series? These two fixes
> are quick cleanups and are not part of the current series, which focuses
> on improving the robustness of ATS enablement.
Ack. I'll send these as stanalone patches. I added these here to keep
Sashiko at bay.
Thanks,
Praan
next prev parent reply other threads:[~2026-05-29 7:05 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-28 20:23 [PATCH v5 0/7] iommu: Standardize ATS robustness and state tracking Pranjal Shrivastava
2026-05-28 20:23 ` [PATCH v5 1/7] PCI/ATS: Ensure pci_ats_supported() is PF-aware for VFs Pranjal Shrivastava
2026-05-29 6:02 ` Baolu Lu
2026-05-28 20:23 ` [PATCH v5 2/7] PCI/ATS: Validate STU for VFs in pci_prepare_ats() Pranjal Shrivastava
2026-05-29 6:05 ` Baolu Lu
2026-05-28 20:23 ` [PATCH v5 3/7] PCI/ATS: Decouple pci_ats_supported() from pci_prepare_ats() Pranjal Shrivastava
2026-05-29 6:29 ` Baolu Lu
2026-05-29 7:08 ` Pranjal Shrivastava
2026-05-28 20:23 ` [PATCH v5 4/7] iommu/arm-smmu-v3: Standardize ATS enablement failure reporting Pranjal Shrivastava
2026-05-28 22:33 ` sashiko-bot
2026-05-28 20:23 ` [PATCH v5 5/7] iommu/vt-d: Fix RB-tree corruption and Use-After-Free in probe Pranjal Shrivastava
2026-05-29 3:20 ` Baolu Lu
2026-05-29 7:04 ` Pranjal Shrivastava [this message]
2026-05-28 20:23 ` [PATCH v5 6/7] iommu/vt-d: Fail probe on ATS configuration failure Pranjal Shrivastava
2026-05-29 6:39 ` Baolu Lu
2026-05-29 7:03 ` Pranjal Shrivastava
2026-05-28 20:23 ` [PATCH v5 7/7] iommu/amd: " Pranjal Shrivastava
2026-05-29 0:48 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ahk6jom_zexIt5S8@google.com \
--to=praan@google.com \
--cc=baolu.lu@linux.intel.com \
--cc=bhelgaas@google.com \
--cc=danielmentz@google.com \
--cc=dmatlack@google.com \
--cc=dwmw2@infradead.org \
--cc=iommu@lists.linux.dev \
--cc=jgg@ziepe.ca \
--cc=joro@8bytes.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=nicolinc@nvidia.com \
--cc=pasha.tatashin@soleen.com \
--cc=robin.murphy@arm.com \
--cc=sashiko-bot@kernel.org \
--cc=skhawaja@google.com \
--cc=smostafa@google.com \
--cc=suravee.suthikulpanit@amd.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.