On 2024/1/3 9:33, Yi Liu wrote:
On 2024/1/3 02:44, Jason Gunthorpe wrote:
On Tue, Jan 02, 2024 at 06:38:34AM -0800, Yi Liu wrote:
+static void intel_nested_flush_cache(struct dmar_domain *domain, u64 addr, + unsigned long npages, bool ih, u32 *error) +{ + struct iommu_domain_info *info; + unsigned long i; + unsigned mask; + u32 fault;
+ xa_for_each(&domain->iommu_array, i, info) + qi_flush_piotlb(info->iommu, + domain_id_iommu(domain, info->iommu), + IOMMU_NO_PASID, addr, npages, ih, NULL);
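Review bot: the xa_for_each() walk over domain->iommu_array dereferences info->iommu without anything pinning the lifetime of `info` against domain_detach_iommu(); xa_find()/xa_find_after(), which xa_for_each() expands to, take and drop rcu_read_lock() internally, so the loop body itself runs with no RCU protection at all, and even an RCU-deferred free of `info` would not cover the call to qi_flush_piotlb(info->iommu, domain_id_iommu(domain, info->iommu), ...). A detach that does xa_erase() and then frees `info` can race with this loop and leave it using freed memory. Suggest holding the lock that serializes attach/detach for the domain across the whole xa_for_each() loop, or otherwise guaranteeing that `info` cannot be freed while this flush is in flight, rather than relying on the xarray's own internal locking.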
This locking on the xarray is messed up throughout the driver. There could be a concurrent detach at this point which will free info and UAF this.
Hmmm, xa_for_each() takes and releases the rcu lock, and according to domain_detach_iommu(), info is freed after xa_erase(). For an existing info stored in the xarray, xa_erase() should return after the rcu lock is released. Is it? Any idea? @Baolu
I once thought locking for xarray is self-contained. I need more thought on this before taking further action.
Best regards, baolu