vmm: fix use after free in ppt_detach()

The vmm module destroys the host_domain before unloading the ppt module causing a use after free. This can happen when kldunload'ing vmm. Reviewed by: markj, jhb Differential Revision: https://reviews.freebsd.org/D38072
2023-01-20 11:25:27 +00:00 · 2023-01-20 11:25:27 +00:00 · 27029bc08f
commit 27029bc08f
parent c668e8173a
3 changed files with 6 additions and 1 deletions
--- a/sys/amd64/vmm/intel/vtd.c
+++ b/sys/amd64/vmm/intel/vtd.c
@ -446,6 +446,8 @@ vtd_add_device(void *arg, uint16_t rid)
 	struct vtdmap *vtdmap;
 	uint8_t bus;

+	KASSERT(dom != NULL, ("domain is NULL"));
+
 	bus = PCI_RID2BUS(rid);
 	ctxp = ctx_tables[bus];
 	pt_paddr = vtophys(dom->ptp);
--- a/sys/amd64/vmm/io/iommu.c
+++ b/sys/amd64/vmm/io/iommu.c
@ -258,6 +258,7 @@ iommu_cleanup(void)
 	}
 	IOMMU_DISABLE();
 	IOMMU_DESTROY_DOMAIN(host_domain);
+	host_domain = NULL;
 	IOMMU_CLEANUP();
 }

--- a/sys/amd64/vmm/io/ppt.c
+++ b/sys/amd64/vmm/io/ppt.c
@ -182,7 +182,9 @@ ppt_detach(device_t dev)
 	num_pptdevs--;
 	TAILQ_REMOVE(&pptdev_list, ppt, next);
 	pci_disable_busmaster(dev);
-	iommu_add_device(iommu_host_domain(), pci_get_rid(dev));
+
+	if (iommu_host_domain() != NULL)
+		iommu_add_device(iommu_host_domain(), pci_get_rid(dev));

 	return (0);
 }