From: Nicolin Chen
Date: Fri, 28 Jul 2023 06:33:26 +0000 (-0700)
Subject: iommufd: Use iommufd_access_change_ioas in iommufd_access_destroy_object
X-Git-Tag: v6.6.7~2037^2~12
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=6129b59fcdf374b5d82e1f4518884da13de38b1a;p=platform%2Fkernel%2Flinux-starfive.git

iommufd: Use iommufd_access_change_ioas in iommufd_access_destroy_object

Update iommufd_access_destroy_object() to call the new iommufd_access_change_ioas() helper.

It is impossible to legitimately race iommufd_access_destroy_object() with iommufd_access_change_ioas() as iommufd_access_destroy_object() is only called once the refcount reaches zero, so any concurrent iommufd_access_change_ioas() is already UAFing the memory.

Link: https://lore.kernel.org/r/f9fbeca2cde7f8515da18d689b3e02a6a40a5e14.1690523699.git.nicolinc@nvidia.com
Reviewed-by: Kevin Tian
Signed-off-by: Nicolin Chen
Reviewed-by: Jason Gunthorpe
Signed-off-by: Jason Gunthorpe
---
diff --git a/drivers/iommu/iommufd/device.c b/drivers/iommu/iommufd/device.c index e5c4084..c0b9cd9 100644 --- a/drivers/iommu/iommufd/device.c +++ b/drivers/iommu/iommufd/device.c @@ -753,12 +753,10 @@ void iommufd_access_destroy_object(struct iommufd_object *obj) struct iommufd_access *access = container_of(obj, struct iommufd_access, obj); - if (access->ioas) { - iopt_remove_access(&access->ioas->iopt, access, - access->iopt_access_list_id); - refcount_dec(&access->ioas->obj.users); - access->ioas = NULL; - } + mutex_lock(&access->ioas_lock); + if (access->ioas) + WARN_ON(iommufd_access_change_ioas(access, NULL)); + mutex_unlock(&access->ioas_lock); iommufd_ctx_put(access->ictx); }
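
Review bot: The `WARN_ON(iommufd_access_change_ioas(access, NULL))` call in iommufd_access_destroy_object() makes the teardown depend on a helper that can return an error, and on error the function still goes on to `iommufd_ctx_put(access->ictx)`. The removed lines always ran iopt_remove_access(), dropped the `ioas->obj.users` reference and cleared `access->ioas`. From this hunk alone it is not visible whether those steps have completed when the helper returns non-zero, so a failure could leave the access-list entry and the ioas reference behind while the access object goes away. Please add a comment stating why changing to NULL cannot fail here, or handle the error path explicitly. Separately, the commit message says no legitimate concurrent caller can exist once the refcount is zero, so the new `mutex_lock(&access->ioas_lock)` invites the reading that a race is being guarded against. If the lock is taken only because the helper expects it to be held, a one-line comment above the lock saying so would keep later readers from assuming the destroy path is safe to race.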