[PATCH v5 5/7] iommu/vt-d: Fix RB-tree corruption and Use-After-Free in probe

Pranjal Shrivastava praan at google.com
Fri May 29 00:04:46 PDT 2026


On Fri, May 29, 2026 at 11:20:47AM +0800, Baolu Lu wrote:
> On 5/29/26 04:23, Pranjal Shrivastava wrote:
> > The intel_iommu_probe_device() function contains two pre-existing
> > memory safety issues on its error path:
> > 
> > 1. The info->node RB-tree member is zero-initialized via kzalloc. If
> >     a device does not support ATS, the device_rbtree_insert() call is
> >     skipped. If a subsequent probe step fails, the error path jumps to
> >     device_rbtree_remove(), which misinterprets the zeroed node as
> >     a tree root and corrupts the device RB-tree.
> > 
> > 2. The info structure is freed on failure, but the pointer remains
> >     linked to the device via dev_iommu_priv_set(). This leads to a
> >     Use-After-Free regression if the pointer is accessed later.
> > 
> > Fix these by explicitly initializing the RB-node as empty and guarding
> > its removal. Additionally, ensure dev_iommu_priv_set(dev, NULL) is
> > called before freeing the info structure in the error path.
> 
> Thanks for the fixes. Could you please separate these two fixes into two
> distinct patches and post them as a standalone series? These two fixes
> are quick cleanups and are not part of the current series, which focuses
> on improving the robustness of ATS enablement.

Ack. I'll send these as standalone patches. I added these here to keep
Sashiko at bay.

Thanks,
Praan
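To make the two error-path defects described in the quoted commit message concrete, the following is an added userspace model, not code from the patch or from drivers/iommu. It mirrors the kernel convention that an explicitly cleared rb_node points its parent at itself (RB_CLEAR_NODE/RB_EMPTY_NODE), while a kzalloc'ed node has a NULL parent and is therefore indistinguishable from an attached root to the removal routine. The tree is an unbalanced BST, the names probe_device, dev_info, tree_remove and the PROBE_* codes are hypothetical, and the "later probe step" failure is forced by a flag; none of this is the driver's own API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Minimal intrusive node modelled on struct rb_node. A zeroed node has
 * parent == NULL, exactly like a root; a cleared node points its parent
 * at itself, the convention RB_CLEAR_NODE()/RB_EMPTY_NODE() rely on. */
struct node {
	struct node *parent, *left, *right;
	unsigned int key;
};

struct tree { struct node *root; };

static inline void node_clear(struct node *n)       { n->parent = n; }
static inline bool node_empty(const struct node *n) { return n->parent == n; }

/* Unbalanced BST insert: ordering alone is enough for this model. */
static void tree_insert(struct tree *t, struct node *n)
{
	struct node **link = &t->root, *parent = NULL;

	while (*link) {
		parent = *link;
		link = n->key < parent->key ? &parent->left : &parent->right;
	}
	n->parent = parent;
	n->left = n->right = NULL;
	*link = n;
}

/* Removal of a childless node (all this model needs). Like rb_erase(),
 * it trusts the node's parent pointer: NULL means "this is the root". */
static void tree_remove(struct tree *t, struct node *n)
{
	struct node *p = n->parent;

	if (!p)
		t->root = NULL;
	else if (p->left == n)
		p->left = NULL;
	else
		p->right = NULL;
	node_clear(n);
}

static size_t tree_count(const struct node *n)
{
	return n ? 1 + tree_count(n->left) + tree_count(n->right) : 0;
}

/* Bug 1 mechanism: removing a never-inserted, zero-initialised node
 * detaches the real root. Returns true when the tree has been lost. */
static bool zeroed_node_looks_like_root(void)
{
	struct tree t = { NULL };
	struct node a = { .key = 1 }, b = { .key = 2 }, never_inserted;

	tree_insert(&t, &a);
	tree_insert(&t, &b);
	memset(&never_inserted, 0, sizeof(never_inserted)); /* as kzalloc would */
	tree_remove(&t, &never_inserted);
	return t.root == NULL; /* a and b are now unreachable */
}

/* Per-device private pointer, standing in for dev_iommu_priv_set(). */
struct device { void *priv; };
struct dev_info { struct node node; unsigned int bdf; };

enum { PROBE_OK = 0, PROBE_ENOMEM = -12 };

/* Hypothetical probe with the hardened error path: the node is cleared
 * up front, removal is guarded, and the private pointer is dropped
 * before the allocation is freed. */
static int probe_device(struct tree *t, struct device *dev, unsigned int bdf,
			bool has_ats, bool fail_late)
{
	struct dev_info *info = calloc(1, sizeof(*info));
	if (!info)
		return PROBE_ENOMEM;

	info->bdf = bdf;
	node_clear(&info->node);     /* fix 1a: never leave the node zeroed */
	dev->priv = info;

	if (has_ats)                 /* only ATS-capable devices are tracked */
		tree_insert(t, &info->node);

	if (fail_late)               /* stand-in for a later probe step failing */
		goto err_free;

	return PROBE_OK;

err_free:
	if (!node_empty(&info->node)) /* fix 1b: remove only what was inserted */
		tree_remove(t, &info->node);
	dev->priv = NULL;             /* fix 2: no dangling pointer after free */
	free(info);
	return PROBE_ENOMEM;
}
```

A failed probe of a non-ATS device must leave the tree untouched and the device's private pointer NULL; a failed probe of an ATS device must remove exactly the node it inserted. The first guard alone is not enough, since rb_erase() on a zeroed node silently replaces the root, which is why clearing at allocation time and checking emptiness on the error path go together.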



More information about the linux-arm-kernel mailing list