From nobody Mon Jun 8 07:23:00 2026
Date: Sun, 31 May 2026 17:02:53 +0000
In-Reply-To: <20260531170254.60493-1-praan@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References:
<20260531170254.60493-1-praan@google.com>
X-Mailer: git-send-email 2.54.0.823.g6e5bcc1fc9-goog
Message-ID: <20260531170254.60493-2-praan@google.com>
Subject: [PATCH v2 1/2] iommu/vt-d: Fix RB-tree corruption in probe error path
From: Pranjal Shrivastava
To: iommu@lists.linux.dev, linux-kernel@vger.kernel.org
Cc: David Woodhouse, Lu Baolu, Joerg Roedel, Will Deacon, Robin Murphy, Kevin Tian, Samiullah Khawaja, Pranjal Shrivastava, sashiko-bot@kernel.org

The info->node RB-tree member is zero-initialized via kzalloc. If a device
does not support ATS, the device_rbtree_insert() call is skipped. If a
subsequent probe step fails, the error path jumps to device_rbtree_remove(),
which misinterprets the zeroed node as a tree root and corrupts the device
RB-tree.

Fix this by explicitly initializing the RB-node as empty using
RB_CLEAR_NODE() during initialization and guarding the removal with
RB_EMPTY_NODE().

Fixes: 4f1492efb495 ("iommu/vt-d: Revert ATS timing change to fix boot failure")
Reported-by: sashiko-bot@kernel.org
Closes: https://lore.kernel.org/all/20260525205628.CD4431F000E9@smtp.kernel.org/
Suggested-by: Baolu Lu
Signed-off-by: Pranjal Shrivastava
---
 drivers/iommu/intel/iommu.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
index c3d18cd77d2f..2702e9aa2241 100644
--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -157,7 +157,10 @@ static void device_rbtree_remove(struct device_domain_= info *info) unsigned long flags; =20 spin_lock_irqsave(&iommu->device_rbtree_lock, flags); - rb_erase(&info->node, &iommu->device_rbtree); + if (!RB_EMPTY_NODE(&info->node)) { + rb_erase(&info->node, &iommu->device_rbtree); + RB_CLEAR_NODE(&info->node); + } spin_unlock_irqrestore(&iommu->device_rbtree_lock, flags); } =20
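Review bot: the new RB_EMPTY_NODE() guard in device_rbtree_remove() only recognises a node that was explicitly cleared; a node left all-zero by kzalloc() still fails the test, because RB_EMPTY_NODE() checks that the node's parent pointer points back at the node itself, not that the node is zeroed. The guard therefore protects the tree only if every path that allocates a struct device_domain_info runs RB_CLEAR_NODE() before it can reach this function. A one-line comment above `if (!RB_EMPTY_NODE(&info->node)) {` stating that the node is cleared at allocation and again after rb_erase() would record that contract so a later refactor does not drop the initialisation and bring the corruption back. Re-clearing the node after rb_erase() also makes a repeated call harmless, which is the right property for an unwind path reachable from more than one label.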
@@ -3254,6 +3257,7 @@ static struct iommu_device *intel_iommu_probe_device(= struct device *dev) =20 info->dev =3D dev; info->iommu =3D iommu; + RB_CLEAR_NODE(&info->node); if (dev_is_pci(dev)) { if (ecap_dev_iotlb_support(iommu->ecap) && pci_ats_supported(pdev) &&
-- 
2.54.0.823.g6e5bcc1fc9-goog
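Review bot: RB_CLEAR_NODE(&info->node) is placed after the info->dev and info->iommu assignments rather than immediately after the allocation; if any failure between kzalloc() and this line can jump to the clear_rbtree label, device_rbtree_remove() would still see an all-zero node, which RB_EMPTY_NODE() does not treat as empty. Moving the clear to the line right after the allocation (or confirming that no earlier goto targets clear_rbtree) closes that window, and a short comment noting that device_rbtree_remove() relies on this initialisation would document the dependency between the two hunks.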
Date: Sun, 31 May 2026 17:02:54 +0000
In-Reply-To: <20260531170254.60493-1-praan@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20260531170254.60493-1-praan@google.com>
X-Mailer: git-send-email 2.54.0.823.g6e5bcc1fc9-goog
Message-ID: <20260531170254.60493-3-praan@google.com>
Subject: [PATCH v2 2/2] iommu/vt-d: Fix Use-After-Free in probe error path
From: Pranjal Shrivastava
To: iommu@lists.linux.dev, linux-kernel@vger.kernel.org
Cc: David Woodhouse, Lu Baolu, Joerg Roedel, Will Deacon, Robin Murphy, Kevin Tian, Samiullah Khawaja, Pranjal Shrivastava, sashiko-bot@kernel.org

When intel_iommu_probe_device() fails after the info structure has been
linked to the device via dev_iommu_priv_set(), the error path calls
kfree(info) but does not clear the pointer in the device structure. This
results in a Use-After-Free regression if the pointer is accessed by a
subsequent IOMMU core call or a re-probe.

Fix this by ensuring dev_iommu_priv_set(dev, NULL) is called before
freeing the info structure in the error path.

Fixes: eda1a94caf6b ("iommu: Mark dev_iommu_priv_set() with a lockdep")
Reported-by: sashiko-bot@kernel.org
Closes: https://lore.kernel.org/all/20260525205628.CD4431F000E9@smtp.kernel.org/
Signed-off-by: Pranjal Shrivastava
---
 drivers/iommu/intel/iommu.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
index 2702e9aa2241..6c718adf97ae 100644
--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -3320,6 +3320,7 @@ static struct iommu_device *intel_iommu_probe_device(= struct device *dev) clear_rbtree: device_rbtree_remove(info); free: + dev_iommu_priv_set(dev, NULL); kfree(info); =20 return ERR_PTR(ret); --=20 2.54.0.823.g6e5bcc1fc9-goog
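Review bot: dev_iommu_priv_set(dev, NULL) sits under the `free:` label, so it now also runs for any `goto free` taken before dev_iommu_priv_set(dev, info) was ever called; that is harmless if the private pointer was still NULL at that point, but if it could hold a value from an earlier probe it would be silently discarded, so it is worth confirming that every jump to `free:` happens after the pointer was set to this info. Because the Fixes: tag names the commit that added a lockdep assertion to dev_iommu_priv_set(), the new call also depends on the probe lock still being held on this error path, which holds only while the unwind stays inside intel_iommu_probe_device(); a comment saying so would help. The ordering itself is right: the pointer is cleared before kfree(info), so there is no window in which dev still references freed memory.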