[PATCH 4/6] iommu/amd: Fix Use-After-Free in non-fatal probe error path
From: Pranjal Shrivastava
Date: Mon Jun 01 2026 - 09:49:12 EST
When amd_iommu_probe_device() fails for optional features (e.g.
PD_MODE_NONE), the dev_data remains globally linked with a pointer
to the struct device. Since the IOMMU core does not invoke
release_device() after a probe failure, this could lead to a UAF once
the physical device is removed.
Fix this by introducing amd_iommu_clear_device_dte() to clear the HW
state and setting dev_data->dev = NULL on the non-fatal error path.
Reported-by: sashiko-bot@xxxxxxxxxx
Closes: https://lore.kernel.org/all/20260529153216.2AD1E1F00899@xxxxxxxxxxxxxxx/
Signed-off-by: Pranjal Shrivastava <praan@xxxxxxxxxx>
---
drivers/iommu/amd/iommu.c | 24 +++++++++++++++++-------
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
index c3b3750d4a22..4ef6024c5a4e 100644
--- a/drivers/iommu/amd/iommu.c
+++ b/drivers/iommu/amd/iommu.c
@@ -734,6 +734,15 @@ static int iommu_init_device(struct amd_iommu *iommu, struct device *dev)
return 0;
}
+static void amd_iommu_clear_device_dte(struct amd_iommu *iommu,
+ struct iommu_dev_data *dev_data)
+{
+ struct dev_table_entry new = {};
+
+ amd_iommu_make_clear_dte(dev_data, &new);
+ update_dte256(iommu, dev_data, &new);
+}
+
static void iommu_ignore_device(struct amd_iommu *iommu, struct device *dev)
{
struct amd_iommu_pci_seg *pci_seg = iommu->pci_seg;
@@ -753,14 +762,10 @@ static void iommu_ignore_device(struct amd_iommu *iommu, struct device *dev)
pci_seg->rlookup_table[devid] = NULL;
/* Clear DTE if we have a live entry */
- if (dev_data) {
- struct dev_table_entry new = {};
-
- amd_iommu_make_clear_dte(dev_data, &new);
- update_dte256(iommu, dev_data, &new);
- } else {
+ if (dev_data)
+ amd_iommu_clear_device_dte(iommu, dev_data);
+ else
memset(&dev_table[devid], 0, sizeof(struct dev_table_entry));
- }
}
@@ -2517,6 +2522,11 @@ static struct iommu_device *amd_iommu_probe_device(struct device *dev)
err_deinit:
iommu_ignore_device(iommu, dev);
out_err:
+ if (dev_data) {
+ amd_iommu_clear_device_dte(iommu, dev_data);
+ dev_data->dev = NULL;
+ }
+
return iommu_dev;
}
--
2.54.0.823.g6e5bcc1fc9-goog