Re: [PATCH] iommufd: fix slab-use-after-free read in iommufd_ioas_unmap

From: Jason Gunthorpe

Date: Tue Apr 21 2026 - 10:02:10 EST


On Tue, Apr 21, 2026 at 09:47:05PM +0800, l1za0.sec@xxxxxxxxx wrote:
> From: Haocheng Yu <l1za0.sec@xxxxxxxxx>
>
> A KASAN: slab-use-after-free read in iommufd_ioas_unmap is reported
> by a modified Syzkaller-based kernel fuzzing tool we developed.

Please don't submit bug reports without validating them on the latest
kernel. This was fixed 2 years ago:

commit 6f9c4d8c468c189d6dc470324bd52955f8aa0a10
Author: Jason Gunthorpe <jgg@xxxxxxxx>
Date: Sun Nov 12 15:44:08 2023 -0400

iommufd: Do not UAF during iommufd_put_object()

The mixture of kernel and user space lifecycle objects continues to be
complicated inside iommufd. The obj->destroy_rwsem is used to bring order
to the kernel driver destruction sequence but it cannot be sequenced right
with the other refcounts so we end up possibly UAF'ing:

BUG: KASAN: slab-use-after-free in __up_read+0x627/0x750 kernel/locking/rwsem.c:1342
Read of size 8 at addr ffff888073cde868 by task syz-executor934/6535

> base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa

This is v6.6. Nobody wants patches and bug reports from v6.6.

Jason