Re: [PATCH rc v7 6/6] iommu: Fix UAF in pci_dev_reset_iommu_done() due to concurrent detach
From: Baolu Lu
Date: Fri Apr 24 2026 - 02:46:42 EST
On 4/19/26 07:41, Nicolin Chen wrote:
In __iommu_group_set_domain_internal(), concurrent domain attachments are
rejected when any device in the group is recovering. This is necessary to
fence concurrent attachments to a multi-device group where devices might
share the same RID due to PCI DMA alias quirks.
However, IOMMU_SET_DOMAIN_MUST_SUCCEED callers (detach/teardown paths such
as __iommu_group_set_core_domain and __iommu_release_dma_ownership) should
not be rejected, as the domain would be freed anyway in this nofail path
while group->domain is still pointing to it. So pci_dev_reset_iommu_done()
could trigger a UAF when re-attaching group->domain.
Honor the IOMMU_SET_DOMAIN_MUST_SUCCEED flag, allowing the callers through
the group->recovery_cnt fence, so as to update the group->domain pointer.
Instead add gdev->blocked checks in the device iteration loop to avoid any
concurrent per-device detachment.
Fixes: c279e83953d9 ("iommu: Introduce pci_dev_reset_iommu_prepare/done()")
Cc: stable@xxxxxxxxxxxxxxx
Reported-by: Kevin Tian <kevin.tian@xxxxxxxxx>
Closes: https://lore.kernel.org/all/BN9PR11MB5276D60096EBF15C5753C4BB8C202@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/
Signed-off-by: Nicolin Chen <nicolinc@xxxxxxxxxx>
---
drivers/iommu/iommu.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
Agreed with Kevin's comments. With that included in the commit message:
Reviewed-by: Lu Baolu <baolu.lu@xxxxxxxxxxxxxxx>