Re: [PATCH v4 1/4] iommufd/device: Associate a kvm pointer to iommufd_device

Next message: Jason Gunthorpe: "Re: [PATCH v4 2/4] iommufd/viommu: Associate a kvm pointer to iommufd_viommu"
Previous message: Andy Shevchenko: "Re: [PATCH v4 2/7] iio: adc: hx711: move scale computation to per-device storage"
In reply to: Baolu Lu: "Re: [PATCH v4 1/4] iommufd/device: Associate a kvm pointer to iommufd_device"
Next in thread: Jason Gunthorpe: "Re: [PATCH v4 1/4] iommufd/device: Associate a kvm pointer to iommufd_device"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jason Gunthorpe

Date: Mon Apr 27 2026 - 10:13:35 EST

On Mon, Apr 27, 2026 at 05:07:52PM +0800, Baolu Lu wrote:
> iommufd_device_unbind() is an asynchronous teardown operation. Is it
> possible for idev->kvm to persist or be accessed within the iommufd
> subsystem after iommufd_device_unbind() has returned? Should we add the
> change below to prevent this potential UAF case?
>
> diff --git a/drivers/iommu/iommufd/device.c b/drivers/iommu/iommufd/device.c
> index 170a7005f0bc..dac39cb5e7cc 100644
> --- a/drivers/iommu/iommufd/device.c
> +++ b/drivers/iommu/iommufd/device.c
> @@ -333,6 +333,7 @@ EXPORT_SYMBOL_NS_GPL(iommufd_ctx_has_group, "IOMMUFD");
> */
> void iommufd_device_unbind(struct iommufd_device *idev)
> {
> + idev->kvm = NULL;
> iommufd_object_destroy_user(idev->ictx, &idev->obj);
> }
> EXPORT_SYMBOL_NS_GPL(iommufd_device_unbind, "IOMMUFD");

iommufd_object_destroy_user() frees the memory of idev, it is not
useful to null before free.

Jason