[PATCH] iommupt: Always add IOVA range to iotlb_gather in gather_range_pages()

Yu Zhang posted 1 patch 5 days, 2 hours ago
There is a newer version of this series
drivers/iommu/generic_pt/iommu_pt.h | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
[PATCH] iommupt: Always add IOVA range to iotlb_gather in gather_range_pages()
Posted by Yu Zhang 5 days, 2 hours ago
Add current (iova, len) to the iotlb gather, regardless of the setting
of PT_FEAT_FLUSH_RANGE or PT_FEAT_FLUSH_RANGE_NO_GAPS.

In gather_range_pages(), the current unmap IOVA range is only added to
iotlb_gather when PT_FEAT_FLUSH_RANGE is set. Yet a virtual IOMMU with
NpCache uses only PT_FEAT_FLUSH_RANGE_NO_GAPS. In that case, iotlb_gather
will stay empty (start=ULONG_MAX, end=0) after initialization, and the
current (iova, len) will not be added to the iotlb_gather, causing
subsequent iommu_iotlb_sync() to perform IOTLB invalidation with wrong
parameters (e.g. amd_iommu_iotlb_sync() computes size from
gather->end - gather->start + 1, leading to an invalid range).

The disjoint check and sync for PT_FEAT_FLUSH_RANGE_NO_GAPS remain
unchanged: when the new range is disjoint from the existing gather,
we still sync first and then add the new range, so semantics for
NO_GAPS are preserved.

Fixes: 7c53f4238aa8 ("iommupt: Add unmap_pages op")
Signed-off-by: Yu Zhang <zhangyu1@linux.microsoft.com>
---
 drivers/iommu/generic_pt/iommu_pt.h | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/iommu/generic_pt/iommu_pt.h b/drivers/iommu/generic_pt/iommu_pt.h
index d575f3ba9d34..3e33fe64feab 100644
--- a/drivers/iommu/generic_pt/iommu_pt.h
+++ b/drivers/iommu/generic_pt/iommu_pt.h
@@ -58,10 +58,9 @@ static void gather_range_pages(struct iommu_iotlb_gather *iotlb_gather,
 		 * Note that the sync frees the gather's free list, so we must
 		 * not have any pages on that list that are covered by iova/len
 		 */
-	} else if (pt_feature(common, PT_FEAT_FLUSH_RANGE)) {
-		iommu_iotlb_gather_add_range(iotlb_gather, iova, len);
 	}
 
+	iommu_iotlb_gather_add_range(iotlb_gather, iova, len);
 	iommu_pages_list_splice(free_list, &iotlb_gather->freelist);
 }
 
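Review bot: the now-unconditional iommu_iotlb_gather_add_range() call after the closing brace carries no comment saying why the range must be recorded for every feature combination. The only comment left in this region sits inside the sync branch and talks about the free list, so a later reader could easily reintroduce a feature guard around the add. A one-line comment above the call would document the invariant, for example "/* Always record (iova, len) so iommu_iotlb_sync() never sees an empty gather */".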
-- 
2.52.0
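
Added example, not part of the patch or the kernel source: a user-space C model of the failure the commit message describes, where a NO_GAPS-only table leaves the gather at (start=ULONG_MAX, end=0) and end - start + 1 wraps around. The struct, helper names, feature bit values and the sample (iova, len) are assumptions standing in for the kernel's iotlb gather helpers, and a sync is modelled as a gather reset.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-ins for PT_FEAT_FLUSH_RANGE and PT_FEAT_FLUSH_RANGE_NO_GAPS (bit values are assumptions). */
#define FEAT_FLUSH_RANGE         (1u << 0)
#define FEAT_FLUSH_RANGE_NO_GAPS (1u << 1)

struct gather { unsigned long start, end; };	/* end is inclusive */

static void gather_init(struct gather *g) { g->start = ULONG_MAX; g->end = 0; }

static bool gather_is_disjoint(const struct gather *g, unsigned long iova, unsigned long len)
{
	unsigned long end = iova + len - 1;
	return g->end != 0 && (end + 1 < g->start || iova > g->end + 1);
}

static void gather_add_range(struct gather *g, unsigned long iova, unsigned long len)
{
	unsigned long end = iova + len - 1;
	if (g->start > iova) g->start = iova;
	if (g->end < end) g->end = end;
}

/* Model of the branch touched by the patch; a sync is modelled as a gather reset. */
static void model_gather_range(struct gather *g, unsigned feats, unsigned long iova,
			       unsigned long len, bool patched)
{
	if ((feats & FEAT_FLUSH_RANGE_NO_GAPS) && gather_is_disjoint(g, iova, len))
		gather_init(g);
	else if (!patched && (feats & FEAT_FLUSH_RANGE))
		gather_add_range(g, iova, len);
	if (patched)
		gather_add_range(g, iova, len);
}

/* Size a driver would derive from the gather after one unmap of a constructed range. */
unsigned long size_after_unmap(unsigned feats, bool patched)
{
	struct gather g;
	gather_init(&g);
	model_gather_range(&g, feats, 0x100000UL, 0x2000UL, patched);
	return g.end - g.start + 1;	/* end - start + 1, as in the commit message */
}

int main(void)
{
	printf("NO_GAPS only, before: %#lx\n", size_after_unmap(FEAT_FLUSH_RANGE_NO_GAPS, false));
	printf("NO_GAPS only, after:  %#lx\n", size_after_unmap(FEAT_FLUSH_RANGE_NO_GAPS, true));
	printf("FLUSH_RANGE, before:  %#lx\n", size_after_unmap(FEAT_FLUSH_RANGE, false));
	return 0;
}
```

In the model, the unpatched NO_GAPS-only case yields a size of 2 for an 0x2000-byte unmap, because 0 - ULONG_MAX + 1 wraps in unsigned arithmetic.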
Re: [PATCH] iommupt: Always add IOVA range to iotlb_gather in gather_range_pages()
Posted by Jason Gunthorpe 4 days, 20 hours ago
On Mon, Feb 02, 2026 at 05:54:58PM +0800, Yu Zhang wrote:
> diff --git a/drivers/iommu/generic_pt/iommu_pt.h b/drivers/iommu/generic_pt/iommu_pt.h
> index d575f3ba9d34..3e33fe64feab 100644
> --- a/drivers/iommu/generic_pt/iommu_pt.h
> +++ b/drivers/iommu/generic_pt/iommu_pt.h
> @@ -58,10 +58,9 @@ static void gather_range_pages(struct iommu_iotlb_gather *iotlb_gather,
>  		 * Note that the sync frees the gather's free list, so we must
>  		 * not have any pages on that list that are covered by iova/len
>  		 */
> -	} else if (pt_feature(common, PT_FEAT_FLUSH_RANGE)) {
> -		iommu_iotlb_gather_add_range(iotlb_gather, iova, len);
>  	}
>  
> +	iommu_iotlb_gather_add_range(iotlb_gather, iova, len);
>  	iommu_pages_list_splice(free_list, &iotlb_gather->freelist);
>  }
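
Review bot: with the "else if (pt_feature(common, PT_FEAT_FLUSH_RANGE))" guard removed, a table that sets neither PT_FEAT_FLUSH_RANGE nor PT_FEAT_FLUSH_RANGE_NO_GAPS now also gets (iova, len) gathered, which the old code did not do. The commit message says "regardless of the setting" but only walks through the NO_GAPS-only case; a sentence confirming that configurations with neither feature are expected to see a populated gather would make that behaviour change explicit.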

Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>

This should have a 

    Cc: stable@vger.kernel.org

It is a serious error.

Thanks,
Jason