iommufd: Fix missing update of domains_itree after splitting iopt_area

In iopt_area_split(), if the original iopt_area has filled a domain and is
linked to domains_itree, pages_nodes have to be properly
reinserted. Otherwise the domains_itree becomes corrupted and we will UAF.

Fixes: 51fe6141f0f6 ("iommufd: Data structure to provide IOVA to PFN mapping")
Link: https://lore.kernel.org/r/20231027162941.2864615-2-den@valinux.co.jp
Cc: stable@vger.kernel.org
Signed-off-by: Koichiro Den <den@valinux.co.jp>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

diff --git a/drivers/iommu/iommufd/io_pagetable.c b/drivers/iommu/iommufd/io_pagetable.c
index 9f060abe53b6c9144bc64a362dd66f7c246c54ac..c3e7791f8201bed5111893ff56f9d00548bd9227 100644 (file)
--- a/drivers/iommu/iommufd/io_pagetable.c
+++ b/drivers/iommu/iommufd/io_pagetable.c
@@ -1220,6 +1220,16 @@ static int iopt_area_split(struct iopt_area *area, unsigned long iova)
        if (WARN_ON(rc))
                goto err_remove_lhs;
 
+       /*
+        * If the original area has filled a domain, domains_itree has to be
+        * updated.
+        */
+       if (area->storage_domain) {
+               interval_tree_remove(&area->pages_node, &pages->domains_itree);
+               interval_tree_insert(&lhs->pages_node, &pages->domains_itree);
+               interval_tree_insert(&rhs->pages_node, &pages->domains_itree);
+       }
+
        lhs->storage_domain = area->storage_domain;
        lhs->pages = area->pages;
        rhs->storage_domain = area->storage_domain;