Patch "iommu/iova: Fix race between FQ timeout and teardown" has been added to the 5.16-stable tree


 



This is a note to let you know that I've just added the patch titled

    iommu/iova: Fix race between FQ timeout and teardown

to the 5.16-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     iommu-iova-fix-race-between-fq-timeout-and-teardown.patch
and it can be found in the queue-5.16 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 4b6514c4d2f95966544fce7e9a0f505f07e28eef
Author: Xiongfeng Wang <wangxiongfeng2@xxxxxxxxxx>
Date:   Fri Dec 17 15:30:55 2021 +0000

    iommu/iova: Fix race between FQ timeout and teardown
    
    [ Upstream commit d7061627d701c90e1cac1e1e60c45292f64f3470 ]
    
    It turns out to be possible for hotplugging out a device to reach the
    stage of tearing down the device's group and default domain before the
    domain's flush queue has drained naturally. At this point, it is then
    possible for the timeout to expire just before the del_timer() call
    in free_iova_flush_queue(), such that we then proceed to free the FQ
    resources while fq_flush_timeout() is still accessing them on another
    CPU. Crashes due to this have been observed in the wild while removing
    NVMe devices.
    
    Close the race window by using del_timer_sync() to safely wait for any
    active timeout handler to finish before we start to free things. We
    already avoid any locking in free_iova_flush_queue() since the FQ is
    supposed to be inactive anyway, so the potential deadlock scenario does
    not apply.
    
    Fixes: 9a005a800ae8 ("iommu/iova: Add flush timer")
    Reviewed-by: John Garry <john.garry@xxxxxxxxxx>
    Signed-off-by: Xiongfeng Wang <wangxiongfeng2@xxxxxxxxxx>
    [ rm: rewrite commit message ]
    Signed-off-by: Robin Murphy <robin.murphy@xxxxxxx>
    Link: https://lore.kernel.org/r/0a365e5b07f14b7344677ad6a9a734966a8422ce.1639753638.git.robin.murphy@xxxxxxx
    Signed-off-by: Joerg Roedel <jroedel@xxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c
index 9e8bc802ac053..920fcc27c9a1e 100644
--- a/drivers/iommu/iova.c
+++ b/drivers/iommu/iova.c
@@ -83,8 +83,7 @@ static void free_iova_flush_queue(struct iova_domain *iovad)
 	if (!has_iova_flush_queue(iovad))
 		return;
 
-	if (timer_pending(&iovad->fq_timer))
-		del_timer(&iovad->fq_timer);
+	del_timer_sync(&iovad->fq_timer);
 
 	fq_destroy_all_entries(iovad);
 
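Review bot: the new del_timer_sync() call in free_iova_flush_queue() has no comment recording the two assumptions it depends on, both of which are stated only in the commit message. The first is that the FQ is already inactive, so nothing can re-arm fq_timer after the call returns and before fq_destroy_all_entries() runs. The second is that this function holds no lock the timeout handler might take, which is what rules out the del_timer_sync() deadlock. A short comment above the call stating both would stop a later change, such as adding locking to this teardown path, from quietly reopening the window in which fq_flush_timeout() touches freed FQ resources or from introducing the deadlock. Dropping the timer_pending() check is fine, since del_timer_sync() already handles a timer that is not pending.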


