Re: [PATCH v7 3/5] iommu/arm-smmu-v3: Fix a UAF in the probe_device error path
From: Pranjal Shrivastava
Date: Wed Jun 03 2026 - 09:43:30 EST
On Wed, Jun 03, 2026 at 07:31:38AM +0000, Tian, Kevin wrote:
> > From: Pranjal Shrivastava <praan@xxxxxxxxxx>
> > Sent: Monday, June 1, 2026 10:37 PM
> >
> > Clear the iommu->priv to NULL while returning an error from probe_device.
> >
> > Fixes: a2be6218e649 ("iommu/arm-smmu-v3: Improve add_device() error
> > handling")
> > Signed-off-by: Pranjal Shrivastava <praan@xxxxxxxxxx>
>
> probably add a note that UAF is theoretical at this point.
>
> iommu_init_device() calls dev_iommu_free() right after @probe_device()
> fails...

Ack. This is just to prevent a UAF against future refactors. I saw the
intel & amd iommu drivers doing it and felt this is missing from smmuv3.

>
> Reviewed-by: Kevin Tian <kevin.tian@xxxxxxxxx>
Thanks,
Praan
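
The pattern discussed in this thread, as an added userspace model that is not taken from the patch or the kernel tree: an error path frees the driver's private object, and a later reader of priv (the future-refactor case mentioned above) either follows the stale pointer or sees NULL. All names are hypothetical, and a one-slot pool with a `live` flag stands in for the real allocator so the stale access can be observed safely.

```c
#include <stdio.h>
#include <stddef.h>

/* Userspace model only; every name here is a hypothetical stand-in. */
struct model_master { int live; };
struct model_dev_iommu { void *priv; };          /* per-device IOMMU data */

static struct model_master pool;                 /* one-slot "allocator" */
static struct model_master *model_alloc(void) { pool.live = 1; return &pool; }
static void model_free(struct model_master *m) { m->live = 0; }

/* Error path that frees the private object but leaves priv pointing at it. */
static int model_probe_before(struct model_dev_iommu *di)
{
    struct model_master *m = model_alloc();
    di->priv = m;                /* published before the later step fails */
    model_free(m);               /* later setup step failed: unwind */
    return -1;
}

/* Same error path, clearing priv before returning the error. */
static int model_probe_after(struct model_dev_iommu *di)
{
    struct model_master *m = model_alloc();
    di->priv = m;
    model_free(m);
    di->priv = NULL;
    return -1;
}

/* Hypothetical later reader that treats a non-NULL priv as a live object.
 * Returns 0 if it skipped, 1 if the object was live, -1 if already freed. */
static int model_reader(const struct model_dev_iommu *di)
{
    const struct model_master *m = di->priv;
    if (!m) return 0;
    return m->live ? 1 : -1;
}

/* Run a failing probe, then let the reader look at priv. */
static int reader_after_failed_probe(int (*probe)(struct model_dev_iommu *))
{
    struct model_dev_iommu di = { .priv = NULL };
    if (probe(&di) == 0) return 1;
    return model_reader(&di);
}

int main(void)
{
    printf("before: %d\n", reader_after_failed_probe(model_probe_before));
    printf("after:  %d\n", reader_after_failed_probe(model_probe_after));
    return 0;
}
```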