iommu: Fix potential memory leak in iopf_queue_remove_device()

JIRA: https://issues.redhat.com/browse/RHEL-78704
Upstream Status: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

commit 9759ae2
Author: Lu Baolu <baolu.lu@linux.intel.com>
Date:   Fri Jan 17 13:58:00 2025 +0800

    iommu: Fix potential memory leak in iopf_queue_remove_device()

    The iopf_queue_remove_device() helper removes a device from the per-iommu
    iopf queue when PRI is disabled on the device. It responds to all
    outstanding iopf's with an IOMMU_PAGE_RESP_INVALID code and detaches the
    device from the queue.

    However, it fails to release the group structure that represents a group
    of iopf's awaiting for a response after responding to the hardware. This
    can cause a memory leak if iopf_queue_remove_device() is called with
    pending iopf's.

    Fix it by calling iopf_free_group() after the iopf group is responded.

    Fixes: 1991123 ("iommu: Track iopf group instead of last fault")
    Cc: stable@vger.kernel.org
    Suggested-by: Kevin Tian <kevin.tian@intel.com>
    Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
    Reviewed-by: Kevin Tian <kevin.tian@intel.com>
    Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
    Link: https://lore.kernel.org/r/20250117055800.782462-1-baolu.lu@linux.intel.com
    Signed-off-by: Joerg Roedel <jroedel@suse.de>

(cherry picked from commit 9759ae2)
Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>

Author: snits

drivers/iommu/io-pgfault.c

@@ -478,6 +478,7 @@ void iopf_queue_remove_device(struct iopf_queue *queue, struct device *dev)
 
 		ops->page_response(dev, iopf, &resp);
 		list_del_init(&group->pending_node);
+		iopf_free_group(group);
 	}
 	mutex_unlock(&fault_param->lock);