On 2024/1/3 9:33, Yi Liu wrote:
On 2024/1/3 02:44, Jason Gunthorpe wrote:
On Tue, Jan 02, 2024 at 06:38:34AM -0800, Yi Liu wrote:
+static void intel_nested_flush_cache(struct dmar_domain *domain, u64
addr,
+ unsigned long npages, bool ih, u32 *error)
+{
+ struct iommu_domain_info *info;
+ unsigned long i;
+ unsigned mask;
+ u32 fault;
+
+ xa_for_each(&domain->iommu_array, i, info)
+ qi_flush_piotlb(info->iommu,
+ domain_id_iommu(domain, info->iommu),
+ IOMMU_NO_PASID, addr, npages, ih, NULL);
This locking on the xarray is messed up throughout the driver. There
could be a concurrent detach at this point which will free info and
UAF this.
hmmm, xa_for_each() takes and releases rcu lock, and according to the
domain_detach_iommu(), info is freed after xa_erase(). For an existing
info stored in xarray, xa_erase() should return after rcu lock is released.
is it? Any idea? @Baolu
I once thought locking for xarray is self-contained. I need more thought
on this before taking further action.
Best regards,
baolu
