Wind River Support Network

Acknowledged

LIN1025-5354 : Security Advisory - linux - CVE-2025-39966

Created: Oct 15, 2025    Updated: Oct 17, 2025
Found In Version: 10.25.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 25
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

iommufd: Fix race during abort for file descriptors

fput() doesn't actually call file_operations release() synchronously; it puts the file on a work queue and it will be released eventually.

This is normally fine, except for iommufd the file and the iommufd_object are tied together. The file has the object as its private_data and holds a users refcount, while the object is expected to remain alive as long as the file is.

When the allocation of a new object aborts before installing the file it will fput() the file and then go on to immediately kfree() the obj. This causes a UAF once the workqueue completes the fput() and tries to decrement the users refcount.

Fix this by putting the core code in charge of the file lifetime, and call __fput_sync() during abort to ensure that release() is called before kfree. __fput_sync() is a bit too tricky to open code in all the object implementations. Instead the objects tell the core code where the file pointer is and the core will take care of the life cycle.

If the object is successfully allocated then the file will hold a users refcount and the iommufd_object cannot be destroyed.

It is worth noting that close(); ioctl(IOMMU_DESTROY); doesn't have an issue because close() is already using a synchronous version of fput().

The UAF looks like this:

    BUG: KASAN: slab-use-after-free in iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376
    Write of size 4 at addr ffff888059c97804 by task syz.0.46/6164

    CPU: 0 UID: 0 PID: 6164 Comm: syz.0.46 Not tainted syzkaller #0 PREEMPT(full)
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:94 [inline]
     dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
     print_address_description mm/kasan/report.c:378 [inline]
     print_report+0xcd/0x630 mm/kasan/report.c:482
     kasan_report+0xe0/0x110 mm/kasan/report.c:595
     check_region_inline mm/kasan/generic.c:183 [inline]
     kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:189
     instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
     atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:400 [inline]
     __refcount_dec include/linux/refcount.h:455 [inline]
     refcount_dec include/linux/refcount.h:476 [inline]
     iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376
     __fput+0x402/0xb70 fs/file_table.c:468
     task_work_run+0x14d/0x240 kernel/task_work.c:227
     resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
     exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
     exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
     syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
     syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
     do_syscall_64+0x41c/0x4c0 arch/x86/entry/syscall_64.c:100
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
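The ordering problem in the description (deferred fput() release versus an immediate kfree() of the object the file still references) can be reproduced in user space. The following is an added illustrative model, not kernel code and not part of the advisory: a single-threaded work list stands in for the kernel's delayed-fput task work, "kfree" is modelled as a tombstone flag instead of a real free() so the stale access can be counted rather than crash, and all names (iommufd_object_model, file_model, fput_model, fput_sync_model, abort_vulnerable, abort_fixed) are invented for the example.

```c
/*
 * Added example: userspace model of the iommufd abort race.
 * Assumptions (not the kernel's code): a work list models delayed fput,
 * a "freed" tombstone models kfree(), and uaf_hits counts release() calls
 * that touched a freed object (where the real kernel hits KASAN).
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct iommufd_object_model {
    int users;      /* refcount held by the open file */
    bool freed;     /* tombstone set by kfree_model() instead of free() */
};

struct file_model {
    struct iommufd_object_model *private_data;
    void (*release)(struct file_model *f);
    struct file_model *next;            /* link on the delayed-fput list */
};

static struct file_model *delayed_fput_list;   /* work queued by fput_model() */
static int uaf_hits;                            /* release() calls on a freed object */

/* Stand-in for iommufd_eventq_fops_release(): drop the users ref. */
static void eventq_release_model(struct file_model *f)
{
    struct iommufd_object_model *obj = f->private_data;

    if (obj->freed) {
        uaf_hits++;   /* the refcount_dec write KASAN reports in the trace */
        return;
    }
    obj->users--;
}

/* fput(): only queues the release, like the kernel's delayed fput. */
static void fput_model(struct file_model *f)
{
    f->next = delayed_fput_list;
    delayed_fput_list = f;
}

/* __fput_sync(): release() has run by the time this returns. */
static void fput_sync_model(struct file_model *f)
{
    f->release(f);
    free(f);
}

/* The deferred work (task_work_run on the way back to user mode). */
static void run_delayed_fput(void)
{
    while (delayed_fput_list) {
        struct file_model *f = delayed_fput_list;
        delayed_fput_list = f->next;
        f->release(f);
        free(f);
    }
}

static void kfree_model(struct iommufd_object_model *obj)
{
    obj->freed = true;   /* storage kept only so the later access is observable */
}

/* Object and file as they exist just before the allocation aborts. */
static struct file_model *setup(struct iommufd_object_model *obj)
{
    struct file_model *f = calloc(1, sizeof(*f));
    if (!f)
        abort();
    obj->users = 1;      /* the ref owned by the file */
    obj->freed = false;
    f->private_data = obj;
    f->release = eventq_release_model;
    return f;
}

/* Buggy abort path: fput() then immediate kfree(). Returns UAF hit count. */
int abort_vulnerable(void)
{
    struct iommufd_object_model obj;
    struct file_model *f = setup(&obj);

    uaf_hits = 0;
    fput_model(f);        /* release() merely queued */
    kfree_model(&obj);    /* object gone while release() is still pending */
    run_delayed_fput();   /* release() now runs against the freed object */
    return uaf_hits;
}

/* Fixed abort path: __fput_sync() so release() completes before kfree(). */
int abort_fixed(void)
{
    struct iommufd_object_model obj;
    struct file_model *f = setup(&obj);

    uaf_hits = 0;
    fput_sync_model(f);   /* release() runs here and drops the users ref */
    kfree_model(&obj);    /* safe: nothing references the object any more */
    run_delayed_fput();   /* nothing queued */
    return uaf_hits;
}

int main(void)
{
    printf("fput() + kfree():       %d stale access(es)\n", abort_vulnerable());
    printf("__fput_sync() + kfree(): %d stale access(es)\n", abort_fixed());
    return 0;
}
```

The model only shows the ordering: in the vulnerable path the object's refcount is decremented after the object is gone, which in the kernel is the slab-use-after-free write at eventq.c:376 in the trace above; in the fixed path the synchronous release drops the reference first, so the subsequent kfree() has no remaining user.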