iommufd/selftest: Do not leak the hwpt if IOMMU_TEST_OP_MD_CHECK_MAP fails

If the input validation fails it returned without freeing the hwpt
refcount causing a leak. This triggers a WARN_ON when closing the fd:

  WARNING: drivers/iommu/iommufd/main.c:369 at iommufd_fops_release+0x385/0x430, CPU#1: repro/724

Found by szykaller.

Fixes: e93d5945ed5b ("iommufd: Change the selftest to use iommupt instead of xarray")
Link: https://patch.msgid.link/r/0-v1-c8ed57e24380+44ae-iommufd_selftest_hwpt_leak_jgg@nvidia.com
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Pasha Tatashin <pasha.tatashin@soleen.com>
Reported-by: "Lai, Yi" <yi1.lai@linux.intel.com>
Closes: https://lore.kernel.org/r/aTJGMaqwQK0ASj0G@ly-workstation
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

diff --git a/drivers/iommu/iommufd/selftest.c b/drivers/iommu/iommufd/selftest.c
index c4322fd26f93e56767f0f24453e6ea4803365dd2..86446e1537949af91e6db9f0287632405014e5ee 100644 (file)
--- a/drivers/iommu/iommufd/selftest.c
+++ b/drivers/iommu/iommufd/selftest.c
@@ -1215,8 +1215,10 @@ static int iommufd_test_md_check_pa(struct iommufd_ucmd *ucmd,
        page_size = 1 << __ffs(mock->domain.pgsize_bitmap);
        if (iova % page_size || length % page_size ||
            (uintptr_t)uptr % page_size ||
-           check_add_overflow((uintptr_t)uptr, (uintptr_t)length, &end))
-               return -EINVAL;
+           check_add_overflow((uintptr_t)uptr, (uintptr_t)length, &end)) {
+               rc = -EINVAL;
+               goto out_put;
+       }
 
        for (; length; length -= page_size) {
                struct page *pages[1];