From: Joerg Roedel on
In the amd_iommu_domain_destroy the protection_domain_free
function is partly reimplemented. The 'partly' is the bug
here because the domain is not deleted from the domain list.
This results in use-after-free errors and data-corruption.
Fix it by just using protection_domain_free instead.

Cc: stable(a)kernel.org
Signed-off-by: Joerg Roedel <joerg.roedel(a)amd.com>
---
arch/x86/kernel/amd_iommu.c | 4 +---
1 files changed, 1 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kernel/amd_iommu.c b/arch/x86/kernel/amd_iommu.c
index 0c04254..b06f29e 100644
--- a/arch/x86/kernel/amd_iommu.c
+++ b/arch/x86/kernel/amd_iommu.c
@@ -2380,9 +2380,7 @@ static void amd_iommu_domain_destroy(struct iommu_domain *dom)

free_pagetable(domain);

- domain_id_free(domain->id);
-
- kfree(domain);
+ protection_domain_free(domain);

dom->priv = NULL;
}
--
1.7.0.4


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo(a)vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/