Date: Tue, 21 Apr 2026 10:57:40 -0300
From: Jason Gunthorpe
To: l1za0.sec@gmail.com
Cc: kevin.tian@intel.com, joro@8bytes.org, will@kernel.org, robin.murphy@arm.com, iommu@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] iommufd: fix slab-use-after-free read in iommufd_ioas_unmap
Message-ID: <20260421135740.GI3611611@ziepe.ca>
References: <20260421134719.33801-1-l1za0.sec@gmail.com>
In-Reply-To: <20260421134719.33801-1-l1za0.sec@gmail.com>

On Tue, Apr 21, 2026 at 09:47:05PM +0800, l1za0.sec@gmail.com wrote:
> From: Haocheng Yu
>
> A KASAN: slab-use-after-free read in iommufd_ioas_unmap is reported
> by a modified Syzkaller-based kernel fuzzing tool we developed.

Please don't submit bug reports without validating them on the latest
kernel. This was fixed 2 years ago:

commit 6f9c4d8c468c189d6dc470324bd52955f8aa0a10
Author: Jason Gunthorpe
Date:   Sun Nov 12 15:44:08 2023 -0400

    iommufd: Do not UAF during iommufd_put_object()

    The mixture of kernel and user space lifecycle objects continues to be
    complicated inside iommufd. The obj->destroy_rwsem is used to bring
    order to the kernel driver destruction sequence but it cannot be
    sequenced right with the other refcounts so we end up possibly UAF'ing:

      BUG: KASAN: slab-use-after-free in __up_read+0x627/0x750 kernel/locking/rwsem.c:1342
      Read of size 8 at addr ffff888073cde868 by task syz-executor934/6535

> base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa

This is v6.6. Nobody wants patches and bug reports from v6.6

Jason