iommu/amd: Remove amd_iommu_domain_update() from page table freeing

jgunthorpe · joergroedel · commit 322d889ae7d3 · 2024-09-04T11:37:43.000+02:00
It is a serious bug if the domain is still mapped to any DTEs when it is freed as we immediately start freeing page table memory, so any remaining HW touch will UAF. If it is not mapped then dev_list is empty and amd_iommu_domain_update() does nothing. Remove it and add a WARN_ON() to catch this class of bug. Reviewed-by: Vasant Hegde <vasant.hegde@amd.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> Link: https://lore.kernel.org/r/4-v2-831cdc4d00f3+1a315-amd_iopgtbl_jgg@nvidia.com Signed-off-by: Joerg Roedel <jroedel@suse.de>
diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c
@@ -577,9 +577,6 @@ static void v1_free_pgtable(struct io_pgtable *iop)
 
 	/* Update data structure */
 	amd_iommu_domain_clr_pt_root(dom);
-
-	/* Make changes visible to IOMMUs */
-	amd_iommu_domain_update(dom);
 }
 
 static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *cookie)
diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
@@ -2255,6 +2255,8 @@ void protection_domain_free(struct protection_domain *domain)
 	if (!domain)
 		return;
 
+	WARN_ON(!list_empty(&domain->dev_list));
+
 	if (domain->iop.pgtbl_cfg.tlb)
 		free_io_pgtable_ops(&domain->iop.iop.ops);
 

Original file line number	Diff line number	Diff line change
`@@ -577,9 +577,6 @@ static void v1_free_pgtable(struct io_pgtable *iop)`
`577`	`577`
`578`	`578`	`/* Update data structure */`
`579`	`579`	`amd_iommu_domain_clr_pt_root(dom);`
`580`		`-`
`581`		`- /* Make changes visible to IOMMUs */`
`582`		`- amd_iommu_domain_update(dom);`
`583`	`580`	`}`
`584`	`581`
`585`	`582`	`static struct io_pgtable v1_alloc_pgtable(struct io_pgtable_cfg cfg, void *cookie)`