* [PATCH 0/2] iommu/vt-d: Fix issues on probe error path
@ 2026-05-29 11:34 Pranjal Shrivastava
2026-05-29 11:34 ` [PATCH 1/2] iommu/vt-d: Fix RB-tree corruption in " Pranjal Shrivastava
2026-05-29 11:34 ` [PATCH 2/2] iommu/vt-d: Fix Use-After-Free " Pranjal Shrivastava
From: Pranjal Shrivastava @ 2026-05-29 11:34 UTC
To: iommu, linux-kernel
Cc: David Woodhouse, Lu Baolu, Joerg Roedel, Will Deacon,
Robin Murphy, Kevin Tian, Samiullah Khawaja, Pranjal Shrivastava
This series addresses two pre-existing issues in the Intel VT-d driver's
probe error path. These issues were identified by Sashiko during the
review of the ATS series [1].
The first patch fixes an RB-tree corruption that occurs when probing
non-ATS devices. The second patch fixes a UAF by ensuring the per-device
private data pointer is cleared before freeing memory on failure.
[1] https://sashiko.dev/#/patchset/20260525184347.4059549-1-praan@google.com?part=4
Thanks,
Praan
Pranjal Shrivastava (2):
iommu/vt-d: Fix RB-tree corruption in probe error path
iommu/vt-d: Fix Use-After-Free in probe error path
drivers/iommu/intel/iommu.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--
2.54.0.823.g6e5bcc1fc9-goog
* [PATCH 1/2] iommu/vt-d: Fix RB-tree corruption in probe error path
From: Pranjal Shrivastava @ 2026-05-29 11:34 UTC
To: iommu, linux-kernel
Cc: David Woodhouse, Lu Baolu, Joerg Roedel, Will Deacon,
Robin Murphy, Kevin Tian, Samiullah Khawaja, Pranjal Shrivastava,
sashiko-bot
The info->node RB-tree member is zero-initialized via kzalloc. If
a device does not support ATS, the device_rbtree_insert() call is
skipped. If a subsequent probe step fails, the error path jumps to
device_rbtree_remove(), which misinterprets the zeroed node as
a tree root and corrupts the device RB-tree.
Fix this by explicitly initializing the RB-node as empty using
RB_CLEAR_NODE() during initialization and guarding the removal with
RB_EMPTY_NODE().
Fixes: 4f1492efb495 ("iommu/vt-d: Revert ATS timing change to fix boot failure")
Reported-by: sashiko-bot@kernel.org
Closes: https://lore.kernel.org/all/20260525205628.CD4431F000E9@smtp.kernel.org/
Suggested-by: Baolu Lu <baolu.lu@linux.intel.com>
Signed-off-by: Pranjal Shrivastava <praan@google.com>
---
drivers/iommu/intel/iommu.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
index c3d18cd77d2f..2702e9aa2241 100644
--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -157,7 +157,10 @@ static void device_rbtree_remove(struct device_domain_info *info)
unsigned long flags;
spin_lock_irqsave(&iommu->device_rbtree_lock, flags);
- rb_erase(&info->node, &iommu->device_rbtree);
+ if (!RB_EMPTY_NODE(&info->node)) {
+ rb_erase(&info->node, &iommu->device_rbtree);
+ RB_CLEAR_NODE(&info->node);
+ }
spin_unlock_irqrestore(&iommu->device_rbtree_lock, flags);
}
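Review bot: The RB_EMPTY_NODE() guard is only sound together with the RB_CLEAR_NODE() added in intel_iommu_probe_device(): RB_EMPTY_NODE() tests whether the node's parent word points at the node itself, so a node that is merely kzalloc()-zeroed is not reported as empty and would still be handed to rb_erase() exactly as before. The two hunks therefore have to land as one change, and any other place that allocates a device_domain_info which can reach device_rbtree_remove() needs the same RB_CLEAR_NODE() treatment. Clearing the node again after rb_erase() is a good choice, since it makes a repeated device_rbtree_remove() on the same info a no-op rather than a second erase.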
@@ -3254,6 +3257,7 @@ static struct iommu_device *intel_iommu_probe_device(struct device *dev)
info->dev = dev;
info->iommu = iommu;
+ RB_CLEAR_NODE(&info->node);
if (dev_is_pci(dev)) {
if (ecap_dev_iotlb_support(iommu->ecap) &&
pci_ats_supported(pdev) &&
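Review bot: Placing RB_CLEAR_NODE() ahead of the dev_is_pci()/pci_ats_supported() branch is the right spot, because the non-ATS path that never calls device_rbtree_insert() is precisely the one that needs the node marked empty before a later `goto clear_rbtree` can run. A reader who sees the kzalloc() mentioned in the commit message may take this line for redundant zeroing; a one-line comment such as `/* not in the rbtree until device_rbtree_insert(); device_rbtree_remove() checks RB_EMPTY_NODE() */` would record why it is required.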
--
2.54.0.823.g6e5bcc1fc9-goog
* [PATCH 2/2] iommu/vt-d: Fix Use-After-Free in probe error path
From: Pranjal Shrivastava @ 2026-05-29 11:34 UTC
To: iommu, linux-kernel
Cc: David Woodhouse, Lu Baolu, Joerg Roedel, Will Deacon,
Robin Murphy, Kevin Tian, Samiullah Khawaja, Pranjal Shrivastava,
sashiko-bot
When intel_iommu_probe_device() fails after the info structure has
been linked to the device via dev_iommu_priv_set(), the error path
calls kfree(info) but does not clear the pointer in the device
structure.
This results in a Use-After-Free regression if the pointer is accessed
by a subsequent IOMMU core call or a re-probe.
Fix this by ensuring dev_iommu_priv_set(dev, NULL) is called before
freeing the info structure in the error path.
Fixes: 89436f4f5412 ("iommu/vt-d: Fix WARN_ON in iommu probe path")
Reported-by: sashiko-bot@kernel.org
Closes: https://lore.kernel.org/all/20260525205628.CD4431F000E9@smtp.kernel.org/
Signed-off-by: Pranjal Shrivastava <praan@google.com>
---
drivers/iommu/intel/iommu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
index 2702e9aa2241..6c718adf97ae 100644
--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -3320,6 +3320,7 @@ static struct iommu_device *intel_iommu_probe_device(struct device *dev)
clear_rbtree:
device_rbtree_remove(info);
free:
+ dev_iommu_priv_set(dev, NULL);
kfree(info);
return ERR_PTR(ret);
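Review bot: Clearing the device's private pointer before kfree(info) is the correct order, and putting the store under `free:` rather than `clear_rbtree:` covers both the fall-through from the rbtree cleanup and any direct `goto free`. One thing to confirm against the parts of intel_iommu_probe_device() outside the hunk: dev_iommu_priv_set() carries a lockdep assertion (the commit Baolu cites in his reply), so every path that reaches `free:` must do so with the probe lock held, including any early failure before dev_iommu_priv_set(dev, info) was ever called, where the NULL store is otherwise harmless. Given that assertion, the Fixes: tag should name the commit Baolu points at rather than 89436f4f5412.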
--
2.54.0.823.g6e5bcc1fc9-goog
* Re: [PATCH 2/2] iommu/vt-d: Fix Use-After-Free in probe error path
From: Baolu Lu @ 2026-05-30 13:33 UTC
To: Pranjal Shrivastava, iommu, linux-kernel
Cc: baolu.lu, David Woodhouse, Joerg Roedel, Will Deacon,
Robin Murphy, Kevin Tian, Samiullah Khawaja, sashiko-bot
On 5/29/2026 7:34 PM, Pranjal Shrivastava wrote:
> When intel_iommu_probe_device() fails after the info structure has
> been linked to the device via dev_iommu_priv_set(), the error path
> calls kfree(info) but does not clear the pointer in the device
> structure.
>
> This results in a Use-After-Free regression if the pointer is accessed
> by a subsequent IOMMU core call or a re-probe.
>
> Fix this by ensuring dev_iommu_priv_set(dev, NULL) is called before
> freeing the info structure in the error path.
>
> Fixes: 89436f4f5412 ("iommu/vt-d: Fix WARN_ON in iommu probe path")
Fixes: eda1a94caf6b ("iommu: Mark dev_iommu_priv_set() with a lockdep")
> Reported-by: sashiko-bot@kernel.org
> Closes: https://lore.kernel.org/all/20260525205628.CD4431F000E9@smtp.kernel.org/
> Signed-off-by: Pranjal Shrivastava <praan@google.com>
> ---
> drivers/iommu/intel/iommu.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
> index 2702e9aa2241..6c718adf97ae 100644
> --- a/drivers/iommu/intel/iommu.c
> +++ b/drivers/iommu/intel/iommu.c
> @@ -3320,6 +3320,7 @@ static struct iommu_device *intel_iommu_probe_device(struct device *dev)
> clear_rbtree:
> device_rbtree_remove(info);
> free:
> + dev_iommu_priv_set(dev, NULL);
> kfree(info);
>
> return ERR_PTR(ret);
Thanks,
baolu
* Re: [PATCH 2/2] iommu/vt-d: Fix Use-After-Free in probe error path
From: Pranjal Shrivastava @ 2026-05-31 17:03 UTC
To: Baolu Lu
Cc: iommu, linux-kernel, David Woodhouse, Joerg Roedel, Will Deacon,
Robin Murphy, Kevin Tian, Samiullah Khawaja, sashiko-bot
On Sat, May 30, 2026 at 09:33:12PM +0800, Baolu Lu wrote:
> On 5/29/2026 7:34 PM, Pranjal Shrivastava wrote:
> > When intel_iommu_probe_device() fails after the info structure has
> > been linked to the device via dev_iommu_priv_set(), the error path
> > calls kfree(info) but does not clear the pointer in the device
> > structure.
> >
> > This results in a Use-After-Free regression if the pointer is accessed
> > by a subsequent IOMMU core call or a re-probe.
> >
> > Fix this by ensuring dev_iommu_priv_set(dev, NULL) is called before
> > freeing the info structure in the error path.
> >
> > Fixes: 89436f4f5412 ("iommu/vt-d: Fix WARN_ON in iommu probe path")
>
> Fixes: eda1a94caf6b ("iommu: Mark dev_iommu_priv_set() with a lockdep")
Ack. Sending a v2 with this.
Thanks,
Praan