On Tue, Jan 02, 2024 at 06:38:34AM -0800, Yi Liu wrote: > +static void intel_nested_flush_cache(struct dmar_domain *domain, u64 addr, > + unsigned long npages, bool ih, u32 *error) > +{ > + struct iommu_domain_info *info; > + unsigned long i; > + unsigned mask; > + u32 fault; > + > + xa_for_each(&domain->iommu_array, i, info) > + qi_flush_piotlb(info->iommu, > + domain_id_iommu(domain, info->iommu), > + IOMMU_NO_PASID, addr, npages, ih, NULL);
This locking on the xarray is messed up throughout the driver. There could be a concurrent detach at this point which will free info and UAF this. This seems to be systemic issue, so I'm going to ignore it here, but please make a series to fix it completely. xarray is probably a bad data structure to manage attachment, a linked list is going to use less memory in most cases and you need a mutex lock anyhow. Jason