[PATCH] iommufd: fix slab-use-after-free read in iommufd_ioas_unmap

l1za0.sec@gmail.com posted 1 patch 1 month, 3 weeks ago
From: Haocheng Yu <l1za0.sec@gmail.com>

A KASAN: slab-use-after-free read in iommufd_ioas_unmap is reported
by a modified Syzkaller-based kernel fuzzing tool we developed.

This issue is caused by a race condition between iommufd_destroy()
and iommufd_put_object(). Thread A first enters iommufd_put_object(),
which is called by iommufd_ioas_unmap(), and executes
`refcount_dec(&obj->users);`, but before executing
`up_read(&obj->destroy_rwsem);`, thread B happens to enter
iommufd_destroy() and destroy the object. Later, when A wants to
release the lock, it accesses this already destroyed object,
causing a use-after-free error.

To fix this issue, before executing the destroy statement in
iommufd_destroy(), a write lock is acquired using down_write() to
ensure that up_read() has finished executing before destroy,
thus avoiding the UAF problem.

Signed-off-by: Haocheng Yu <l1za0.sec@gmail.com>
---
 drivers/iommu/iommufd/main.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/iommu/iommufd/main.c b/drivers/iommu/iommufd/main.c
index e71523cbd0de..a1f0b591c412 100644
--- a/drivers/iommu/iommufd/main.c
+++ b/drivers/iommu/iommufd/main.c
@@ -212,6 +212,8 @@ static int iommufd_destroy(struct iommufd_ucmd *ucmd)
 	obj = iommufd_object_remove(ucmd->ictx, cmd->id, false);
 	if (IS_ERR(obj))
 		return PTR_ERR(obj);
+	down_write(&obj->destroy_rwsem);
+	up_write(&obj->destroy_rwsem);
 	iommufd_object_ops[obj->type].destroy(obj);
 	kfree(obj);
 	return 0;
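Review bot: The bare down_write()/up_write() pair inserted just before iommufd_object_ops[obj->type].destroy(obj) is an empty critical section acting as a barrier, and it needs a comment saying what it waits for: it only drains readers that already hold destroy_rwsem (an iommufd_put_object() caller sitting between its refcount_dec(&obj->users) and up_read(&obj->destroy_rwsem)), so the ordering is only sound if the iommufd_object_remove() call above has already made the object unreachable and no new down_read() can start after up_write() returns. Spell that reasoning out in a comment above `down_write(&obj->destroy_rwsem);` or in the commit message, since nothing in the hunk shows it. Also, the reply in this thread states the UAF was already fixed upstream in commit 6f9c4d8c468c ("iommufd: Do not UAF during iommufd_put_object()") and that the stated base-commit ffc253263a13 is v6.6, so rebase on current mainline and confirm the fuzzer still reproduces the report there before resending.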

base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa
-- 
2.51.0
Re: [PATCH] iommufd: fix slab-use-after-free read in iommufd_ioas_unmap
Posted by Jason Gunthorpe 1 month, 3 weeks ago
On Tue, Apr 21, 2026 at 09:47:05PM +0800, l1za0.sec@gmail.com wrote:
> From: Haocheng Yu <l1za0.sec@gmail.com>
> 
> A KASAN: slab-use-after-free read in iommufd_ioas_unmap is reported
> by a modified Syzkaller-based kernel fuzzing tool we developed.

Please don't submit bug reports without validating them on the latest
kernel.  This was fixed 2 years ago:

commit 6f9c4d8c468c189d6dc470324bd52955f8aa0a10
Author: Jason Gunthorpe <jgg@ziepe.ca>
Date:   Sun Nov 12 15:44:08 2023 -0400

    iommufd: Do not UAF during iommufd_put_object()
    
    The mixture of kernel and user space lifecycle objects continues to be
    complicated inside iommufd. The obj->destroy_rwsem is used to bring order
    to the kernel driver destruction sequence but it cannot be sequenced right
    with the other refcounts so we end up possibly UAF'ing:
    
      BUG: KASAN: slab-use-after-free in __up_read+0x627/0x750 kernel/locking/rwsem.c:1342
      Read of size 8 at addr ffff888073cde868 by task syz-executor934/6535
    
> base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa

This is v6.6. Nobody wants patches and bug reports from v6.6.

Jason