Patch "iommu/amd: Remove amd_iommu_domain_update() from page table freeing" has been added to the 6.11-stable tree


 



This is a note to let you know that I've just added the patch titled

    iommu/amd: Remove amd_iommu_domain_update() from page table freeing

to the 6.11-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     iommu-amd-remove-amd_iommu_domain_update-from-page-t.patch
and it can be found in the queue-6.11 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 73f35d35c70047829be5ecf9480e3227fc78c83d
Author: Jason Gunthorpe <jgg@xxxxxxxx>
Date:   Thu Aug 29 21:06:13 2024 -0300

    iommu/amd: Remove amd_iommu_domain_update() from page table freeing
    
    [ Upstream commit 322d889ae7d39f8538a6deac35869aa3be1855bd ]
    
    It is a serious bug if the domain is still mapped to any DTEs when it is
    freed as we immediately start freeing page table memory, so any remaining
    HW touch will UAF.
    
    If it is not mapped then dev_list is empty and amd_iommu_domain_update()
    does nothing.
    
    Remove it and add a WARN_ON() to catch this class of bug.
    
    Reviewed-by: Vasant Hegde <vasant.hegde@xxxxxxx>
    Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/4-v2-831cdc4d00f3+1a315-amd_iopgtbl_jgg@xxxxxxxxxx
    Signed-off-by: Joerg Roedel <jroedel@xxxxxxx>
    Stable-dep-of: 016991606aa0 ("iommu/amd/pgtbl_v2: Take protection domain lock before invalidating TLB")
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c
index 05aed3cb46f1b..b3991ad1ae8ea 100644
--- a/drivers/iommu/amd/io_pgtable.c
+++ b/drivers/iommu/amd/io_pgtable.c
@@ -578,9 +578,6 @@ static void v1_free_pgtable(struct io_pgtable *iop)
 
 	/* Update data structure */
 	amd_iommu_domain_clr_pt_root(dom);
-
-	/* Make changes visible to IOMMUs */
-	amd_iommu_domain_update(dom);
 }
 
 static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *cookie)
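Review bot: With the amd_iommu_domain_update() call gone from the end of v1_free_pgtable(), nothing in this function states the precondition that makes the removal safe, namely that the domain is no longer attached to any device (dev_list is empty) by the time the page table is freed. The only check lives in another file, in protection_domain_free(). A short comment next to amd_iommu_domain_clr_pt_root(dom) saying that the caller must have detached all devices first would keep the invariant visible to anyone who later adds a new caller of the free path.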
diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
index 1a61f14459e4f..881f6c589257c 100644
--- a/drivers/iommu/amd/iommu.c
+++ b/drivers/iommu/amd/iommu.c
@@ -2262,6 +2262,8 @@ void protection_domain_free(struct protection_domain *domain)
 	if (!domain)
 		return;
 
+	WARN_ON(!list_empty(&domain->dev_list));
+
 	if (domain->iop.pgtbl_cfg.tlb)
 		free_io_pgtable_ops(&domain->iop.iop.ops);
 
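Review bot: The WARN_ON(!list_empty(&domain->dev_list)) added at the top of protection_domain_free() reports the condition but execution continues straight into free_io_pgtable_ops(), so when it fires the page table memory is still released while the commit message says any remaining hardware access would then be a use-after-free. Consider whether the failure path should leak the domain instead of freeing it, for example `if (WARN_ON(!list_empty(&domain->dev_list))) return;`, trading a memory leak for not handing freed pages to a device that may still walk them. If continuing is intentional, a comment saying so would help. The check also reads dev_list with no locking visible in this hunk; a note on why that is safe at free time would be useful.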



