iommu/vt-d: fix memory leakage caused by commit ea8ea46

Commit ea8ea46 "iommu/vt-d: Clean up and fix page table clear/free
behaviour" introduces possible leakage of DMA page tables due to:
        for (pte = page_address(pg); !first_pte_in_page(pte); pte++) {
                if (dma_pte_present(pte) && !dma_pte_superpage(pte))
                        freelist = dma_pte_list_pagetables(domain, level - 1,
                                                           pte, freelist);
        }

For the first pte in a page, first_pte_in_page(pte) will always be true,
thus dma_pte_list_pagetables() will never be called and leak DMA page
tables if level is bigger than 1.

Signed-off-by: Jiang Liu <[email protected]>
Signed-off-by: David Woodhouse <[email protected]>

diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
index 69fa7da5e48beba40a9595f67117505efc4e069b..13dc2318e17a3af7d5887b7b2e719c8ae483087f 100644 (file)
--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -1009,11 +1009,13 @@ static struct page *dma_pte_list_pagetables(struct dmar_domain *domain,
        if (level == 1)
                return freelist;
 
-       for (pte = page_address(pg); !first_pte_in_page(pte); pte++) {
+       pte = page_address(pg);
+       do {
                if (dma_pte_present(pte) && !dma_pte_superpage(pte))
                        freelist = dma_pte_list_pagetables(domain, level - 1,
                                                           pte, freelist);
-       }
+               pte++;
+       } while (!first_pte_in_page(pte));
 
        return freelist;
 }