Re: [PATCH 2/2] iommu/vt-d: Fix Use-After-Free in probe error path

Next message: Jarkko Sakkinen: "Re: [PATCH] KEYS: fix overflow in keyctl_pkey_params_get_2()"
Previous message: Pranjal Shrivastava: "[PATCH v2 2/2] iommu/vt-d: Fix Use-After-Free in probe error path"
In reply to: Baolu Lu: "Re: [PATCH 2/2] iommu/vt-d: Fix Use-After-Free in probe error path"
Next in thread: Pranjal Shrivastava: "[PATCH 0/2] iommu/vt-d: Fix issues on probe error path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pranjal Shrivastava

Date: Sun May 31 2026 - 13:03:58 EST

On Sat, May 30, 2026 at 09:33:12PM +0800, Baolu Lu wrote:
> On 5/29/2026 7:34 PM, Pranjal Shrivastava wrote:
> > When intel_iommu_probe_device() fails after the info structure has
> > been linked to the device via dev_iommu_priv_set(), the error path
> > calls kfree(info) but does not clear the pointer in the device
> > structure.
> >
> > This results in a Use-After-Free regression if the pointer is accessed
> > by a subsequent IOMMU core call or a re-probe.
> >
> > Fix this by ensuring dev_iommu_priv_set(dev, NULL) is called before
> > freeing the info structure in the error path.
> >
> > Fixes: 89436f4f5412 ("iommu/vt-d: Fix WARN_ON in iommu probe path")
>
> Fixes: eda1a94caf6b ("iommu: Mark dev_iommu_priv_set() with a lockdep")

Ack. Sending a v2 with this.

Thanks,
Praan