Re: [PATCH 2/2] iommu/vt-d: Fix Use-After-Free in probe error path

Next message: Luca Ceresoli: "Re: [PATCH v4 2/3] drm/bridge: analogix_dp: Add validation for samsung,lane-count property"
Previous message: Dennis Zhou: "Re: [PATCH 1/2] mm/percpu: Preserve NOFS/NOIO scope during chunk create and populate"
In reply to: Pranjal Shrivastava: "[PATCH 2/2] iommu/vt-d: Fix Use-After-Free in probe error path"
Next in thread: Pranjal Shrivastava: "Re: [PATCH 2/2] iommu/vt-d: Fix Use-After-Free in probe error path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Baolu Lu

Date: Sat May 30 2026 - 09:34:04 EST

On 5/29/2026 7:34 PM, Pranjal Shrivastava wrote:

When intel_iommu_probe_device() fails after the info structure has
been linked to the device via dev_iommu_priv_set(), the error path
calls kfree(info) but does not clear the pointer in the device
structure.

This results in a Use-After-Free regression if the pointer is accessed
by a subsequent IOMMU core call or a re-probe.

Fix this by ensuring dev_iommu_priv_set(dev, NULL) is called before
freeing the info structure in the error path.

Fixes: 89436f4f5412 ("iommu/vt-d: Fix WARN_ON in iommu probe path")

Fixes: eda1a94caf6b ("iommu: Mark dev_iommu_priv_set() with a lockdep")

Reported-by: sashiko-bot@xxxxxxxxxx
Closes: https://lore.kernel.org/all/20260525205628.CD4431F000E9@xxxxxxxxxxxxxxx/
Signed-off-by: Pranjal Shrivastava <praan@xxxxxxxxxx>
---
drivers/iommu/intel/iommu.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
index 2702e9aa2241..6c718adf97ae 100644
--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -3320,6 +3320,7 @@ static struct iommu_device *intel_iommu_probe_device(struct device *dev)
clear_rbtree:
device_rbtree_remove(info);
free:
+ dev_iommu_priv_set(dev, NULL);
kfree(info);
return ERR_PTR(ret);

Thanks,
baolu