98e67ed59e1d1-361404aeddcmr19957529a91.27.1776779252761; Tue, 21 Apr 2026 06:47:32 -0700 (PDT) Received: from LAPTOP-1HUHJV8R.localdomain ([2408:8642:893:d2da:c016:592:ddae:fe0d]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-362bbf963c9sm3630056a91.16.2026.04.21.06.47.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 21 Apr 2026 06:47:32 -0700 (PDT) From: l1za0.sec@gmail.com To: jgg@ziepe.ca, kevin.tian@intel.com Cc: joro@8bytes.org, will@kernel.org, robin.murphy@arm.com, iommu@lists.linux.dev, linux-kernel@vger.kernel.org Subject: [PATCH] iommufd: fix slab-use-after-free read in iommufd_ioas_unmap Date: Tue, 21 Apr 2026 21:47:05 +0800 Message-ID: <20260421134719.33801-1-l1za0.sec@gmail.com> X-Mailer: git-send-email 2.51.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Haocheng Yu A KASAN: slab-use-after-free read in iommufd_ioas_unmap is reported by a modified Syzkaller-based kernel fuzzing tool we developed. This issue is caused by a race condition between iommufd_destroy() and iommufd_put_object(). Thread A first enters iommufd_put_object(), which is called by iommufd_ioas_umap(), and executes `refcount_dec(&obj->users);`, but before executing `up_read(&obj->destroy_rwsem);`, thread B happens to enter iommufd_destroy() and destroy the object. Later, when A wants to release the lock, it accesses this already destroyed object, causing a use-after-free error. To fix this issue, before executing the destroy statement in iommufd_destroy(), a write lock is acquired using down_write() to ensure that up_read() has finished executing before destroy, thus avoiding the UAF problem. Signed-off-by: Haocheng Yu --- drivers/iommu/iommufd/main.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iommu/iommufd/main.c b/drivers/iommu/iommufd/main.c index e71523cbd0de..a1f0b591c412 100644 --- a/drivers/iommu/iommufd/main.c 
+++ b/drivers/iommu/iommufd/main.c @@ -212,6 +212,8 @@ static int iommufd_destroy(struct iommufd_ucmd *ucmd) obj = iommufd_object_remove(ucmd->ictx, cmd->id, false); if (IS_ERR(obj)) return PTR_ERR(obj); + down_write(&obj->destroy_rwsem); + up_write(&obj->destroy_rwsem); iommufd_object_ops[obj->type].destroy(obj); kfree(obj); return 0; base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa -- 2.51.0
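Review bot: The empty `down_write(&obj->destroy_rwsem); up_write(&obj->destroy_rwsem);` pair added before `iommufd_object_ops[obj->type].destroy(obj);` in `iommufd_destroy()` needs an in-code comment, because as written it looks like a no-op; its purpose, per the commit message, is to act as a barrier that waits for any `iommufd_put_object()` caller that has already done `refcount_dec(&obj->users)` but has not yet reached `up_read(&obj->destroy_rwsem)`. A comment such as "/* wait for readers racing iommufd_put_object() before freeing */" makes the intent reviewable and protects the lines from being "cleaned up" later. Two further points for the commit message: the race is between a reader in `iommufd_put_object()` and whoever frees the object once `obj->users` reaches zero, so it is worth stating whether `iommufd_destroy()` is the only free path that can observe this window, or whether the barrier belongs closer to the refcount drop in `iommufd_object_remove()` so every destroy path is covered; and the function is misspelled as `iommufd_ioas_umap()` where `iommufd_ioas_unmap()` is meant. A `Fixes:` tag pointing at the commit that introduced the refcount_dec/up_read ordering would also help backporting, since this is a KASAN-reported use-after-free.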