Patch "iommufd: Fix missing update of domains_itree after splitting iopt_area" has been added to the 6.6-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Wed, 22 Nov 2023 18:58:05 +0000

This is a note to let you know that I've just added the patch titled

    iommufd: Fix missing update of domains_itree after splitting iopt_area

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     iommufd-fix-missing-update-of-domains_itree-after-splitting-iopt_area.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From e7250ab7ca4998fe026f2149805b03e09dc32498 Mon Sep 17 00:00:00 2001
From: Koichiro Den <den@xxxxxxxxxxxxx>
Date: Sat, 28 Oct 2023 01:29:42 +0900
Subject: iommufd: Fix missing update of domains_itree after splitting iopt_area

From: Koichiro Den <den@xxxxxxxxxxxxx>

commit e7250ab7ca4998fe026f2149805b03e09dc32498 upstream.

In iopt_area_split(), if the original iopt_area has filled a domain and is
linked to domains_itree, pages_nodes have to be properly
reinserted. Otherwise the domains_itree becomes corrupted and we will UAF.

Fixes: 51fe6141f0f6 ("iommufd: Data structure to provide IOVA to PFN mapping")
Link: https://lore.kernel.org/r/20231027162941.2864615-2-den@xxxxxxxxxxxxx
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Koichiro Den <den@xxxxxxxxxxxxx>
Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/iommu/iommufd/io_pagetable.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/drivers/iommu/iommufd/io_pagetable.c
+++ b/drivers/iommu/iommufd/io_pagetable.c
@@ -1060,6 +1060,16 @@ static int iopt_area_split(struct iopt_a
 	if (WARN_ON(rc))
 		goto err_remove_lhs;
 
+	/*
+	 * If the original area has filled a domain, domains_itree has to be
+	 * updated.
+	 */
+	if (area->storage_domain) {
+		interval_tree_remove(&area->pages_node, &pages->domains_itree);
+		interval_tree_insert(&lhs->pages_node, &pages->domains_itree);
+		interval_tree_insert(&rhs->pages_node, &pages->domains_itree);
+	}
+
 	lhs->storage_domain = area->storage_domain;
 	lhs->pages = area->pages;
 	rhs->storage_domain = area->storage_domain;


Patches currently in stable-queue which might be from den@xxxxxxxxxxxxx are

queue-6.6/iommufd-fix-missing-update-of-domains_itree-after-splitting-iopt_area.patch
queue-6.6/x86-apic-msi-fix-misconfigured-non-maskable-msi-quirk.patch






