On Tue, Jan 02, 2024 at 06:38:34AM -0800, Yi Liu wrote:
> +static void intel_nested_flush_cache(struct dmar_domain *domain, u64 addr,
> + unsigned long npages, bool ih, u32 *error)
> +{
> + struct iommu_domain_info *info;
> + unsigned long i;
> + unsigned mask;
> + u32 fault;
> +
> + xa_for_each(&domain->iommu_array, i, info)
> + qi_flush_piotlb(info->iommu,
> + domain_id_iommu(domain, info->iommu),
> + IOMMU_NO_PASID, addr, npages, ih, NULL);
This locking on the xarray is messed up throughout the driver. There
could be a concurrent detach at this point which will free info and
UAF this.
This seems to be systemic issue, so I'm going to ignore it here, but
please make a series to fix it completely.
xarray is probably a bad data structure to manage attachment, a linked
list is going to use less memory in most cases and you need a mutex
lock anyhow.
Jason
