summaryrefslogtreecommitdiffstats
path: root/drivers/iommu
Commit message (Collapse)AuthorAgeFilesLines
* iommu/amd: fix enabling exclusion range for an exact deviceSu Friendy2014-05-131-1/+1
| | | | | | | | | | | | | | | | | | | | | | set_device_exclusion_range(u16 devid, struct ivmd_header *m) enables exclusion range for ONE device. IOMMU does not translate the access to the exclusion range from the device. The device is specified by input argument 'devid'. But 'devid' is not passed to the actual set function set_dev_entry_bit(), instead 'm->devid' is passed. 'm->devid' does not specify the exact device which needs enable the exclusion range. 'm->devid' represents DeviceID field of IVMD, which has different meaning depends on IVMD type. The caller init_exclusion_range() sets 'devid' for ONE device. When m->type is equal to ACPI_IVMD_TYPE_ALL or ACPI_IVMD_TYPE_RANGE, 'm->devid' is not equal to 'devid'. This patch fixes 'm->devid' to 'devid'. Signed-off-by: Su Friendy <friendy.su@sony.com.cn> Signed-off-by: Tamori Masahiro <Masahiro.Tamori@jp.sony.com> Signed-off-by: Joerg Roedel <joro@8bytes.org>
* iommu/amd: Take mmap_sem when calling get_user_pagesJay Cornwall2014-05-131-0/+2
| | | | | | | | get_user_pages requires caller to hold a read lock on mmap_sem. Signed-off-by: Jay Cornwall <jay.cornwall@amd.com> Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com> Signed-off-by: Joerg Roedel <joro@8bytes.org>
* iommu/amd: Fix interrupt remapping for aliased devicesAlex Williamson2014-05-131-1/+1
| | | | | | | | | | | | | | | An apparent cut and paste error prevents the correct flags from being set on the alias device resulting in MSI on conventional PCI devices failing to work. This also produces error events from the IOMMU like: AMD-Vi: Event logged [INVALID_DEVICE_REQUEST device=00:14.4 address=0x000000fdf8000000 flags=0x0a00] Where 14.4 is a PCIe-to-PCI bridge with a device behind it trying to use MSI interrupts. Signed-off-by: Alex Williamson <alex.williamson@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Joerg Roedel <joro@8bytes.org>
* Merge git://git.infradead.org/iommu-2.6 into iommu/fixesJoerg Roedel2014-04-162-4/+9
|\
| * iommu/vt-d: fix bug in matching PCI devices with DRHD/RMRR descriptorsJiang Liu2014-04-141-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit "59ce0515cdaf iommu/vt-d: Update DRHD/RMRR/ATSR device scope caches when PCI hotplug happens" introduces a bug, which fails to match PCI devices with DMAR device scope entries if PCI path array in the entry has more than one level. For example, it fails to handle [1D2h 0466 1] Device Scope Entry Type : 01 [1D3h 0467 1] Entry Length : 0A [1D4h 0468 2] Reserved : 0000 [1D6h 0470 1] Enumeration ID : 00 [1D7h 0471 1] PCI Bus Number : 00 [1D8h 0472 2] PCI Path : 1C,04 [1DAh 0474 2] PCI Path : 00,02 And cause DMA failure on HP DL980 as: DMAR:[fault reason 02] Present bit in context entry is clear dmar: DRHD: handling fault status reg 602 dmar: DMAR:[DMA Read] Request device [02:00.2] fault addr 7f61e000 Reported-and-tested-by: Davidlohr Bueso <davidlohr@hp.com> Signed-off-by: Jiang Liu <jiang.liu@linux.intel.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| * iommu/vt-d: Fix get_domain_for_dev() handling of upstream PCIe bridgesDavid Woodhouse2014-04-141-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 146922ec79 ("iommu/vt-d: Make get_domain_for_dev() take struct device") introduced new variables bridge_bus and bridge_devfn to identify the upstream PCIe to PCI bridge responsible for the given target device. Leaving the original bus/devfn variables to identify the target device itself, now that it is no longer assumed to be PCI and we can no longer trivially find that information. However, the patch failed to correctly use the new variables in all cases; instead using the as-yet-uninitialised 'bus' and 'devfn' variables. Reported-by: Alex Williamson <alex.williamson@redhat.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| * iommu/vt-d: fix memory leakage caused by commit ea8ea46Jiang Liu2014-04-131-2/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit ea8ea46 "iommu/vt-d: Clean up and fix page table clear/free behaviour" introduces possible leakage of DMA page tables due to: for (pte = page_address(pg); !first_pte_in_page(pte); pte++) { if (dma_pte_present(pte) && !dma_pte_superpage(pte)) freelist = dma_pte_list_pagetables(domain, level - 1, pte, freelist); } For the first pte in a page, first_pte_in_page(pte) will always be true, thus dma_pte_list_pagetables() will never be called and leak DMA page tables if level is bigger than 1. Signed-off-by: Jiang Liu <jiang.liu@linux.intel.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
* | iommu/arm-smmu: fix panic in arm_smmu_alloc_init_pteBin Wang2014-04-151-1/+1
| | | | | | | | | | | | | | | | | | | | kernel panic happened when iommu_unmap a buffer larger than 2MB, more than expected pmd entries got “invalidated”, due to a wrong range passed to arm_smmu_alloc_init_pte. it was likely a typo, now we fix it, passing the correct "end" address to arm_smmu_alloc_init_pte. Signed-off-by: Bin Wang <binw@marvell.com> Signed-off-by: Will Deacon <will.deacon@arm.com>
* | iommu/arm-smmu: Return 0 on unmap failureLaurent Pinchart2014-04-151-1/+1
| | | | | | | | | | | | | | | | | | The IOMMU core expects the unmap operation to return the number of bytes that have been unmapped or 0 on failure, a negative return value being treated like a number of bytes. Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com> Signed-off-by: Will Deacon <will.deacon@arm.com>
* | Merge tag 'iommu-updates-v3.15' of ↵Linus Torvalds2014-04-0512-957/+1650
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu Pull IOMMU upates from Joerg Roedel: "This time a few more updates queued up. - Rework VT-d code to support ACPI devices - Improvements for memory and PCI hotplug support in the VT-d driver - Device-tree support for OMAP IOMMU - Convert OMAP IOMMU to use devm_* interfaces - Fixed PASID support for AMD IOMMU - Other random cleanups and fixes for OMAP, ARM-SMMU and SHMOBILE IOMMU Most of the changes are in the VT-d driver because some rework was necessary for better hotplug and ACPI device support" * tag 'iommu-updates-v3.15' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: (75 commits) iommu/vt-d: Fix error handling in ANDD processing iommu/vt-d: returning free pointer in get_domain_for_dev() iommu/vt-d: Only call dmar_acpi_dev_scope_init() if DRHD units present iommu/vt-d: Check for NULL pointer in dmar_acpi_dev_scope_init() iommu/amd: Fix logic to determine and checking max PASID iommu/vt-d: Include ACPI devices in iommu=pt iommu/vt-d: Finally enable translation for non-PCI devices iommu/vt-d: Remove to_pci_dev() in intel_map_page() iommu/vt-d: Remove pdev from intel_iommu_attach_device() iommu/vt-d: Remove pdev from iommu_no_mapping() iommu/vt-d: Make domain_add_dev_info() take struct device iommu/vt-d: Make domain_remove_one_dev_info() take struct device iommu/vt-d: Rename 'hwdev' variables to 'dev' now that that's the norm iommu/vt-d: Remove some pointless to_pci_dev() calls iommu/vt-d: Make get_valid_domain_for_dev() take struct device iommu/vt-d: Make iommu_should_identity_map() take struct device iommu/vt-d: Handle RMRRs for non-PCI devices iommu/vt-d: Make get_domain_for_dev() take struct device iommu/vt-d: Make domain_context_mapp{ed,ing}() take struct device iommu/vt-d: Make device_to_iommu() cope with non-PCI devices ...
| | \
| | \
| | \
| | \
| | \
| | \
| | \
| | \
| *-------. | Merge branches 'iommu/fixes', 'arm/smmu', 'x86/amd', 'arm/omap', ↵Joerg Roedel2014-04-0212-957/+1650
| |\ \ \ \ \| | | | | | | | | | | | | | | | | | | | | | 'arm/shmobile' and 'x86/vt-d' into next
| | | | | | * iommu/vt-d: Fix error handling in ANDD processingDavid Woodhouse2014-04-011-5/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If we failed to find an ACPI device to correspond to an ANDD record, we would fail to increment our pointer and would just process the same record over and over again, with predictable results. Turn it from a while() loop into a for() loop to let the 'continue' in the error paths work correctly. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: returning free pointer in get_domain_for_dev()Dan Carpenter2014-03-281-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If we hit this error condition then we want to return a NULL pointer and not a freed variable. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Only call dmar_acpi_dev_scope_init() if DRHD units presentDavid Woodhouse2014-03-281-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As pointed out by Jörg and fixed in commit 11f1a7768 ("iommu/vt-d: Check for NULL pointer in dmar_acpi_dev_scope_init(), this code path can bizarrely get exercised even on AMD IOMMU systems with IRQ remapping enabled. In addition to the defensive check for NULL which Jörg added, let's also just avoid calling the function at all if there aren't an Intel IOMMU units in the system. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Check for NULL pointer in dmar_acpi_dev_scope_init()Joerg Roedel2014-03-251-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When ir_dev_scope_init() is called via a rootfs initcall it will check for irq_remapping_enabled before it calls (indirectly) into dmar_acpi_dev_scope_init() which uses the dmar_tbl pointer without any checks. The AMD IOMMU driver also sets the irq_remapping_enabled flag which causes the dmar_acpi_dev_scope_init() function to be called on systems with AMD IOMMU hardware too, causing a boot-time kernel crash. Signed-off-by: Joerg Roedel <joro@8bytes.org>
| | | | | | * iommu/vt-d: Include ACPI devices in iommu=ptDavid Woodhouse2014-03-241-13/+48
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Finally enable translation for non-PCI devicesDavid Woodhouse2014-03-241-3/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Remove to_pci_dev() in intel_map_page()David Woodhouse2014-03-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It might not be... Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Remove pdev from intel_iommu_attach_device()David Woodhouse2014-03-241-3/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Remove pdev from iommu_no_mapping()David Woodhouse2014-03-241-7/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Make domain_add_dev_info() take struct deviceDavid Woodhouse2014-03-241-9/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Make domain_remove_one_dev_info() take struct deviceDavid Woodhouse2014-03-241-14/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Rename 'hwdev' variables to 'dev' now that that's the normDavid Woodhouse2014-03-241-22/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Remove some pointless to_pci_dev() callsDavid Woodhouse2014-03-241-8/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Mostly made redundant by using dev_name() instead of pci_name(), and one instance of using *dev->dma_mask instead of pdev->dma_mask. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Make get_valid_domain_for_dev() take struct deviceDavid Woodhouse2014-03-241-14/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Make iommu_should_identity_map() take struct deviceDavid Woodhouse2014-03-241-50/+57
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Handle RMRRs for non-PCI devicesDavid Woodhouse2014-03-241-16/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Should hopefully never happen (RMRRs are an abomination) but while we're busy eliminating all the PCI assumptions, we might as well do it. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Make get_domain_for_dev() take struct deviceDavid Woodhouse2014-03-241-39/+36
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Make domain_context_mapp{ed,ing}() take struct deviceDavid Woodhouse2014-03-241-14/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Make device_to_iommu() cope with non-PCI devicesDavid Woodhouse2014-03-241-32/+46
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Pass the struct device to it, and also make it return the bus/devfn to use, since that is also stored in the DMAR table. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Make identity_mapping() take struct device not struct pci_devDavid Woodhouse2014-03-241-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Remove segment from struct device_domain_info()David Woodhouse2014-03-241-10/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It's accessible via info->iommu->segment so this is redundant. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Store PCI segment number in struct intel_iommuDavid Woodhouse2014-03-241-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Remove device_to_iommu() call from domain_remove_dev_info()David Woodhouse2014-03-241-5/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This was problematic because it works by domain/bus/devfn and we want to make device_to_iommu() use only a struct device * (for handling non-PCI devices). Now that the iommu pointer is reliably stored in the device_domain_info, we don't need to look it up. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Simplify iommu check in domain_remove_one_dev_info()David Woodhouse2014-03-241-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Now we store the iommu in the device_domain_info, we don't need to do a lookup. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Always store iommu in device_domain_infoDavid Woodhouse2014-03-241-16/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Use domain_remove_one_dev_info() in domain_add_dev_info() error pathDavid Woodhouse2014-03-241-7/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: use dmar_insert_dev_info() from dma_add_dev_info()David Woodhouse2014-03-241-15/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Stop dmar_insert_dev_info() freeing domains on losing raceDavid Woodhouse2014-03-241-24/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | By moving this into get_domain_for_dev() we can make dmar_insert_dev_info() suitable for use with "special" domains such as the si_domain, which currently use domain_add_dev_info(). Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Pass iommu to domain_context_mapping_one() and ↵David Woodhouse2014-03-241-18/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | iommu_support_dev_iotlb() Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Use struct device in device_domain_info, not struct pci_devDavid Woodhouse2014-03-241-22/+32
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Make dmar_insert_dev_info() take struct device instead of struct ↵David Woodhouse2014-03-241-11/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | pci_dev Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Make iommu_dummy() take struct device instead of struct pci_devDavid Woodhouse2014-03-241-5/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Add ACPI devices into dmaru->devices[] arrayDavid Woodhouse2014-03-241-0/+75
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Change scope lists to struct device, bus, devfnDavid Woodhouse2014-03-242-37/+47
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It's not only for PCI devices any more, and the scope information for an ACPI device provides the bus and devfn so that has to be stored here too. It is the device pointer itself which needs to be protected with RCU, so the __rcu annotation follows it into the definition of struct dmar_dev_scope, since we're no longer just passing arrays of device pointers around. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Allocate space for ACPI devicesDavid Woodhouse2014-03-201-12/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Parse ANDD recordsDavid Woodhouse2014-03-201-0/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Be less pessimistic about domain coherency where possibleDavid Woodhouse2014-03-191-4/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In commit 2e12bc29 ("intel-iommu: Default to non-coherent for domains unattached to iommus") we decided to err on the side of caution and always assume that it's possible that a device will be attached which is behind a non-coherent IOMMU. In some cases, however, that just *cannot* happen. If there *are* no IOMMUs in the system which are non-coherent, then we don't need to do it. And flushing the dcache is a *significant* performance hit. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Honour intel_iommu=sp_off for non-VMM domainsDavid Woodhouse2014-03-191-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
| | | | | | * iommu/vt-d: Clean up and fix page table clear/free behaviourDavid Woodhouse2014-03-191-45/+187
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There is a race condition between the existing clear/free code and the hardware. The IOMMU is actually permitted to cache the intermediate levels of the page tables, and doesn't need to walk the table from the very top of the PGD each time. So the existing back-to-back calls to dma_pte_clear_range() and dma_pte_free_pagetable() can lead to a use-after-free where the IOMMU reads from a freed page table. When freeing page tables we actually need to do the IOTLB flush, with the 'invalidation hint' bit clear to indicate that it's not just a leaf-node flush, after unlinking each page table page from the next level up but before actually freeing it. So in the rewritten domain_unmap() we just return a list of pages (using pg->freelist to make a list of them), and then the caller is expected to do the appropriate IOTLB flush (or tear down the domain completely, whatever), before finally calling dma_free_pagelist() to free the pages. As an added bonus, we no longer need to flush the CPU's data cache for pages which are about to be *removed* from the page table hierarchy anyway, in the non-cache-coherent case. This drastically improves the performance of large unmaps. As a side-effect of all these changes, this also fixes the fact that intel_iommu_unmap() was neglecting to free the page tables for the range in question after clearing them. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>