[PATCH] iommu/riscv: fix use after free of riscv_iommu_domain
BillXiang
xiangwencheng at lanxincomputing.com
Mon Apr 28 20:40:07 PDT 2025
The function vfio_group_detach_container begins by calling
vfio_iommu_type1_detach_group, which may subsequently calls
riscv_iommu_free_paging_domain to release the riscv_iommu_domain.
Then, iommu_group_release_dma_owner is triggered, which results in
the execution of riscv_iommu_attach_paging_domain and
riscv_iommu_bond_unlink(info->domain). However, the info->domain
had been freed beforehand but was not set to NULL, leading to errors.
This commit resolves the issue by setting info->domain to NULL within
riscv_iommu_bond_unlink, a function that is called by
riscv_iommu_attach_blocking_domain before the domain was freed.
Signed-off-by: BillXiang <xiangwencheng at lanxincomputing.com>
---
drivers/iommu/riscv/iommu.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers/iommu/riscv/iommu.c b/drivers/iommu/riscv/iommu.c
index bb57092ca901..f9e127978ac7 100644
--- a/drivers/iommu/riscv/iommu.c
+++ b/drivers/iommu/riscv/iommu.c
@@ -880,6 +880,7 @@ static void riscv_iommu_bond_unlink(struct riscv_iommu_domain *domain,
struct riscv_iommu_device *iommu = dev_to_iommu(dev);
struct riscv_iommu_bond *bond, *found = NULL;
struct riscv_iommu_command cmd;
+ struct riscv_iommu_info *info;
int count = 0;
if (!domain)
@@ -894,8 +895,11 @@ static void riscv_iommu_bond_unlink(struct riscv_iommu_domain *domain,
else if (dev_to_iommu(bond->dev) == iommu)
count++;
}
- if (found)
+ if (found) {
+ info = dev_iommu_priv_get(dev);
+ info->domain = NULL;
list_del_rcu(&found->list);
+ }
spin_unlock(&domain->lock);
kfree_rcu(found, rcu);
@@ -1293,8 +1297,16 @@ static void riscv_iommu_free_paging_domain(struct iommu_domain *iommu_domain)
{
struct riscv_iommu_domain *domain = iommu_domain_to_riscv(iommu_domain);
const unsigned long pfn = virt_to_pfn(domain->pgd_root);
+ struct riscv_iommu_bond *bond;
+ struct riscv_iommu_info *info;
WARN_ON(!list_empty(&domain->bonds));
+ spin_lock(&domain->lock);
+ list_for_each_entry(bond, &domain->bonds, list) {
+ info = dev_iommu_priv_get(bond->dev);
+ info->domain = NULL;
+ }
+ spin_unlock(&domain->lock);
if ((int)domain->pscid > 0)
ida_free(&riscv_iommu_pscids, domain->pscid);
--
2.46.2.windows.1
More information about the linux-riscv
mailing list