[PATCH] iommu/riscv: fix use after free of riscv_iommu_domain
Baolu Lu
baolu.lu at linux.intel.com
Mon Apr 28 23:50:39 PDT 2025
On 4/29/25 11:40, BillXiang wrote:
> The function vfio_group_detach_container begins by calling
> vfio_iommu_type1_detach_group, which may subsequently call
I don't follow here. vfio_iommu_type1_detach_group() will eventually
call riscv_iommu_attach_blocking_domain() and info->domain has been
cleared there:
static int riscv_iommu_attach_blocking_domain(struct iommu_domain *iommu_domain,
                                              struct device *dev)
{
        struct riscv_iommu_device *iommu = dev_to_iommu(dev);
        struct riscv_iommu_info *info = dev_iommu_priv_get(dev);

        /* Make device context invalid, translation requests will fault w/ #258 */
        riscv_iommu_iodir_update(iommu, dev, RISCV_IOMMU_FSC_BARE, 0);
        riscv_iommu_bond_unlink(info->domain, dev);
        info->domain = NULL;

        return 0;
}
Perhaps I overlooked something?
> riscv_iommu_free_paging_domain to release the riscv_iommu_domain.
> Then, iommu_group_release_dma_owner is triggered, which results in
> the execution of riscv_iommu_attach_paging_domain and
> riscv_iommu_bond_unlink(info->domain). However, the info->domain
> had been freed beforehand but was not set to NULL, leading to errors.
>
> This commit resolves the issue by setting info->domain to NULL within
> riscv_iommu_bond_unlink, a function that is called by
> riscv_iommu_attach_blocking_domain before the domain was freed.
>
> Signed-off-by: BillXiang <xiangwencheng at lanxincomputing.com>
> ---
> drivers/iommu/riscv/iommu.c | 14 +++++++++++++-
> 1 file changed, 13 insertions(+), 1 deletion(-)
Thanks,
baolu
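To make the ordering question in this exchange concrete, here is a small stand-alone model (added for illustration; it is not kernel code and not the RISC-V IOMMU driver). It replays the sequence described in the commit message, detach to the blocking domain, free the old paging domain, then attach a new paging domain that unlinks whatever info->domain still points at, once with the pointer cleared on the blocking attach and once with it left dangling. Struct and function names (model_info, model_domain, model_bond_unlink, and so on) are constructed stand-ins for the driver's riscv_iommu_info, riscv_iommu_domain and riscv_iommu_bond_unlink; the "free" is simulated by a flag so the model can report a stale dereference instead of performing one.

```c
/* Constructed model of the device-info / domain lifecycle discussed above.
 * Not kernel code: names mirror the thread but everything here is a stand-in. */
#include <stdbool.h>
#include <stdio.h>

struct model_domain {
    int bonds;      /* devices currently bonded to this domain */
    bool freed;     /* simulated kfree(): set instead of releasing memory */
};

struct model_info {
    struct model_domain *domain;    /* attached domain, or NULL when blocked */
};

/* Stand-in for riscv_iommu_bond_unlink(); tolerates a NULL domain. */
static void model_bond_unlink(struct model_domain *d)
{
    if (d)
        d->bonds--;
}

/* Blocking attach as quoted in the reply: unlink and clear the pointer. */
static void model_attach_blocking(struct model_info *info)
{
    model_bond_unlink(info->domain);
    info->domain = NULL;
}

/* Variant matching the commit message's concern: unlink but leave it dangling. */
static void model_attach_blocking_dangling(struct model_info *info)
{
    model_bond_unlink(info->domain);
}

/* Simulated free: the memory stays valid here so the model can keep inspecting
 * the flag; in the real driver this is where the domain storage goes away. */
static void model_domain_free(struct model_domain *d)
{
    d->freed = true;
}

/* Paging attach: unlinks the previous domain, then bonds the new one.
 * Returns true if the previous domain had already been freed, i.e. the point
 * at which the real unlink would touch released memory. */
static bool model_attach_paging(struct model_info *info, struct model_domain *d)
{
    bool stale = info->domain && info->domain->freed;

    model_bond_unlink(info->domain);
    info->domain = d;
    d->bonds++;
    return stale;
}

/* Replays the sequence from the thread. clear_on_block selects whether the
 * blocking attach clears info->domain. Returns true if a freed domain was
 * reached by the later paging attach. */
bool model_sequence_touches_freed(bool clear_on_block)
{
    struct model_domain old = { .bonds = 1, .freed = false };
    struct model_domain fresh = { .bonds = 0, .freed = false };
    struct model_info info = { .domain = &old };

    if (clear_on_block)
        model_attach_blocking(&info);           /* detach group -> blocking */
    else
        model_attach_blocking_dangling(&info);

    model_domain_free(&old);                    /* paging domain released */

    return model_attach_paging(&info, &fresh);  /* release_dma_owner -> attach */
}

int main(void)
{
    printf("pointer cleared on blocking attach: touches freed domain = %s\n",
           model_sequence_touches_freed(true) ? "yes" : "no");
    printf("pointer left dangling:              touches freed domain = %s\n",
           model_sequence_touches_freed(false) ? "yes" : "no");
    return 0;
}
```

The model only shows that the later unlink is harmless when the blocking attach has already set info->domain to NULL, which is the ordering Baolu points at; whether the real call chain always passes through that blocking attach is exactly the question left open in the reply.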