iommu MediaTek Larb UAF

Vulnerability analysis

Summary: Use-after-free vulnerability in MediaTek IOMMU driver during probe deferral

Root Cause: The MediaTek IOMMU driver was incorrectly dropping device references to larb (Local Arbiter) devices immediately after successful lookup during probe, even when the driver needed to retain those references. When a larb device had not yet been bound to its driver, causing the IOMMU driver probe to defer, the premature reference dropping could lead to the larb device being freed while the IOMMU driver still expected to use it later.

Attack Surface: This is a local vulnerability that occurs during device driver probe/initialization. It requires physical access to trigger device probe operations or the ability to cause driver probe deferrals through system configuration. The vulnerability is specific to MediaTek SoC platforms with IOMMU hardware and affects kernel stability rather than providing direct privilege escalation.

Fix Mechanism: The patch fixes the issue by removing the premature platform_device_put() calls that were dropping references immediately after device lookup. Instead, it keeps the references alive for the lifetime of the IOMMU driver binding and only releases them during driver removal or error cleanup paths. The fix adds proper reference cleanup in both the probe error path (err_larbdev_put) and the remove function.