[PATCH 2/2] iommu/vt-d: Fix Use-After-Free in probe error path

Next message: Pranjal Shrivastava: "[PATCH 0/2] iommu/vt-d: Fix issues on probe error path"
Previous message: Can Guo: "[PATCH v6 1/2] dt-bindings: ufs: Document static TX Equalization settings properties"
In reply to: Pranjal Shrivastava: "[PATCH 1/2] iommu/vt-d: Fix RB-tree corruption in probe error path"
Next in thread: Baolu Lu: "Re: [PATCH 2/2] iommu/vt-d: Fix Use-After-Free in probe error path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pranjal Shrivastava

Date: Fri May 29 2026 - 07:35:37 EST

When intel_iommu_probe_device() fails after the info structure has
been linked to the device via dev_iommu_priv_set(), the error path
calls kfree(info) but does not clear the pointer in the device
structure.

This results in a Use-After-Free regression if the pointer is accessed
by a subsequent IOMMU core call or a re-probe.

Fix this by ensuring dev_iommu_priv_set(dev, NULL) is called before
freeing the info structure in the error path.

Fixes: 89436f4f5412 ("iommu/vt-d: Fix WARN_ON in iommu probe path")
Reported-by: sashiko-bot@xxxxxxxxxx
Closes: https://lore.kernel.org/all/20260525205628.CD4431F000E9@xxxxxxxxxxxxxxx/
Signed-off-by: Pranjal Shrivastava <praan@xxxxxxxxxx>
---
drivers/iommu/intel/iommu.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
index 2702e9aa2241..6c718adf97ae 100644
--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -3320,6 +3320,7 @@ static struct iommu_device *intel_iommu_probe_device(struct device *dev)
clear_rbtree:
device_rbtree_remove(info);
free:
+ dev_iommu_priv_set(dev, NULL);
kfree(info);

return ERR_PTR(ret);
--
2.54.0.823.g6e5bcc1fc9-goog