Add current (iova, len) to the iotlb gather, regardless of the setting
of PT_FEAT_FLUSH_RANGE or PT_FEAT_FLUSH_RANGE_NO_GAPS.

In gather_range_pages(), the current IOVA range is only added to
iotlb_gather when PT_FEAT_FLUSH_RANGE is set. Yet a virtual IOMMU with
NpCache uses only PT_FEAT_FLUSH_RANGE_NO_GAPS. In that case, iotlb_gather
will stay empty (start=ULONG_MAX, end=0) after initialization, and the
current (iova, len) will not be added to the iotlb_gather, causing
subsequent iommu_iotlb_sync() to perform IOTLB invalidation with wrong
parameters (e.g., amd_iommu_iotlb_sync() computes size from
gather->end - gather->start + 1, leading to an invalid range).

The disjoint check and sync for PT_FEAT_FLUSH_RANGE_NO_GAPS remain
unchanged: when the new range is disjoint from the existing gather,
we still sync first and then add the new range, so semantics for
NO_GAPS are preserved.

Fixes: 7c53f4238aa8 ("iommupt: Add unmap_pages op")
Cc: stable@vger.kernel.org
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Yu Zhang <zhangyu1@linux.microsoft.com>
---
v2:
- Fix grammar and spelling errors in commit message
- Add "Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>" and
  "Cc: stable@vger.kernel.org"

 drivers/iommu/generic_pt/iommu_pt.h | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/iommu/generic_pt/iommu_pt.h b/drivers/iommu/generic_pt/iommu_pt.h
index d575f3ba9d34..3e33fe64feab 100644
--- a/drivers/iommu/generic_pt/iommu_pt.h
+++ b/drivers/iommu/generic_pt/iommu_pt.h
@@ -58,10 +58,9 @@ static void gather_range_pages(struct iommu_iotlb_gather *iotlb_gather,
 		 * Note that the sync frees the gather's free list, so we must
 		 * not have any pages on that list that are covered by iova/len
 		 */
-	} else if (pt_feature(common, PT_FEAT_FLUSH_RANGE)) {
-		iommu_iotlb_gather_add_range(iotlb_gather, iova, len);
 	}
 
+	iommu_iotlb_gather_add_range(iotlb_gather, iova, len);
 	iommu_pages_list_splice(free_list, &iotlb_gather->freelist);
 }
 
-- 
2.52.0

On Tue, Feb 03, 2026 at 04:29:34PM +0800, Yu Zhang wrote:
> Add current (iova, len) to the iotlb gather, regardless of the setting
> of PT_FEAT_FLUSH_RANGE or PT_FEAT_FLUSH_RANGE_NO_GAPS.
> 
> In gather_range_pages(), the current IOVA range is only added to
> iotlb_gather when PT_FEAT_FLUSH_RANGE is set. Yet a virtual IOMMU with
> NpCache uses only PT_FEAT_FLUSH_RANGE_NO_GAPS. In that case, iotlb_gather
> will stay empty (start=ULONG_MAX, end=0) after initialization, and the
> current (iova, len) will not be added to the iotlb_gather, causing
> subsequent iommu_iotlb_sync() to perform IOTLB invalidation with wrong
> parameters (e.g., amd_iommu_iotlb_sync() computes size from
> gather->end - gather->start + 1, leading to an invalid range).
> 
> The disjoint check and sync for PT_FEAT_FLUSH_RANGE_NO_GAPS remain
> unchanged: when the new range is disjoint from the existing gather,
> we still sync first and then add the new range, so semantics for
> NO_GAPS are preserved.
> 
> Fixes: 7c53f4238aa8 ("iommupt: Add unmap_pages op")
> Cc: stable@vger.kernel.org
> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
> Signed-off-by: Yu Zhang <zhangyu1@linux.microsoft.com>

Applied, thanks.