* [PATCH] iommufd: fix slab-use-after-free read in iommufd_ioas_unmap
@ 2026-04-21 13:47 l1za0.sec
From: l1za0.sec @ 2026-04-21 13:47 UTC (permalink / raw)
To: jgg, kevin.tian; +Cc: joro, will, robin.murphy, iommu, linux-kernel
From: Haocheng Yu <l1za0.sec@gmail.com>
A KASAN: slab-use-after-free read in iommufd_ioas_unmap is reported
by a modified Syzkaller-based kernel fuzzing tool we developed.
This issue is caused by a race condition between iommufd_destroy()
and iommufd_put_object(). Thread A first enters iommufd_put_object(),
which is called by iommufd_ioas_unmap(), and executes
`refcount_dec(&obj->users);`, but before executing
`up_read(&obj->destroy_rwsem);`, thread B happens to enter
iommufd_destroy() and destroy the object. Later, when A wants to
release the lock, it accesses this already destroyed object,
causing a use-after-free error.
To fix this issue, before executing the destroy statement in
iommufd_destroy(), a write lock is acquired using down_write() to
ensure that up_read() has finished executing before destroy,
thus avoiding the UAF problem.
Signed-off-by: Haocheng Yu <l1za0.sec@gmail.com>
---
drivers/iommu/iommufd/main.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/iommu/iommufd/main.c b/drivers/iommu/iommufd/main.c
index e71523cbd0de..a1f0b591c412 100644
--- a/drivers/iommu/iommufd/main.c
+++ b/drivers/iommu/iommufd/main.c
@@ -212,6 +212,8 @@ static int iommufd_destroy(struct iommufd_ucmd *ucmd)
obj = iommufd_object_remove(ucmd->ictx, cmd->id, false);
if (IS_ERR(obj))
return PTR_ERR(obj);
+ down_write(&obj->destroy_rwsem);
+ up_write(&obj->destroy_rwsem);
iommufd_object_ops[obj->type].destroy(obj);
kfree(obj);
return 0;
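Review bot: the new `down_write(&obj->destroy_rwsem); up_write(&obj->destroy_rwsem);` pair has an empty critical section, so it is a barrier, not a lock, and it needs a comment saying which concurrent path it is waiting out (per the commit message, an iommufd_put_object() that has already done refcount_dec() but not yet up_read()). The barrier only works if that reader still holds the read side of destroy_rwsem when iommufd_destroy() reaches this point, which is after iommufd_object_remove() has already returned the object on the line above; the commit message should spell out why the object can still have a read-side holder at that point rather than relying on the reader to infer it. Since the fix is still an up_read() executing on memory this function then kfree()s, the description should also state why the ordering is now safe for any reader that takes the read lock after iommufd_object_remove() returns. Finally, the patch is against base-commit ffc253263a1375a65fa6c9f62a893e9767fbebfa and the reply in this thread points to commit 6f9c4d8c468c189d6dc470324bd52955f8aa0a10 ("iommufd: Do not UAF during iommufd_put_object()") as already addressing this; rebase onto current mainline to confirm the problem still exists there, and if it does, include the KASAN report and a Fixes: tag in the commit message.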
base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa
--
2.51.0
* Re: [PATCH] iommufd: fix slab-use-after-free read in iommufd_ioas_unmap
From: Jason Gunthorpe @ 2026-04-21 13:57 UTC (permalink / raw)
To: l1za0.sec; +Cc: kevin.tian, joro, will, robin.murphy, iommu, linux-kernel
On Tue, Apr 21, 2026 at 09:47:05PM +0800, l1za0.sec@gmail.com wrote:
> From: Haocheng Yu <l1za0.sec@gmail.com>
>
> A KASAN: slab-use-after-free read in iommufd_ioas_unmap is reported
> by a modified Syzkaller-based kernel fuzzing tool we developed.
Please don't submit bug reports without validating them on the latest
kernel. This was fixed 2 years ago:
commit 6f9c4d8c468c189d6dc470324bd52955f8aa0a10
Author: Jason Gunthorpe <jgg@ziepe.ca>
Date: Sun Nov 12 15:44:08 2023 -0400
iommufd: Do not UAF during iommufd_put_object()
The mixture of kernel and user space lifecycle objects continues to be
complicated inside iommufd. The obj->destroy_rwsem is used to bring order
to the kernel driver destruction sequence but it cannot be sequenced right
with the other refcounts so we end up possibly UAF'ing:
BUG: KASAN: slab-use-after-free in __up_read+0x627/0x750 kernel/locking/rwsem.c:1342
Read of size 8 at addr ffff888073cde868 by task syz-executor934/6535
> base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa
This is v6.6. Nobody wants patches and bug reports from v6.6.
Jason