Re: [PATCH v5 5/7] iommu/vt-d: Fix RB-tree corruption and Use-After-Free in probe

Next message: Khristine Andreea Barbulescu: "[PATCH v3 1/1] arm64: dts: s32g: add PWM support for s32g2 and s32g3"
Previous message: Khristine Andreea Barbulescu: "[PATCH v3 0/1] add PWM DTS support for S32G2/S32G3 SoCs"
In reply to: Baolu Lu: "Re: [PATCH v5 5/7] iommu/vt-d: Fix RB-tree corruption and Use-After-Free in probe"
Next in thread: Pranjal Shrivastava: "[PATCH v5 1/7] PCI/ATS: Ensure pci_ats_supported() is PF-aware for VFs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pranjal Shrivastava

Date: Fri May 29 2026 - 03:05:31 EST

On Fri, May 29, 2026 at 11:20:47AM +0800, Baolu Lu wrote:
> On 5/29/26 04:23, Pranjal Shrivastava wrote:
> > The intel_iommu_probe_device() function contains two pre-existing
> > memory safety issues on its error path:
> >
> > 1. The info->node RB-tree member is zero-initialized via kzalloc. If
> > a device does not support ATS, the device_rbtree_insert() call is
> > skipped. If a subsequent probe step fails, the error path jumps to
> > device_rbtree_remove(), which misinterprets the zeroed node as
> > a tree root and corrupts the device RB-tree.
> >
> > 2. The info structure is freed on failure, but the pointer remains
> > linked to the device via dev_iommu_priv_set(). This leads to a
> > Use-After-Free regression if the pointer is accessed later.
> >
> > Fix these by explicitly initializing the RB-node as empty and guarding
> > its removal. Additionally, ensure dev_iommu_priv_set(dev, NULL) is
> > called before freeing the info structure in the error path.
>
> Thanks for the fixes. Could you please separate these two fixes into two
> distinct patches and post them as a standalone series? These two fixes
> are quick cleanups and are not part of the current series, which focuses
> on improving the robustness of ATS enablement.

Ack. I'll send these as stanalone patches. I added these here to keep
Sashiko at bay.

Thanks,
Praan