[PATCH] iommu/intel: Prevent variable pollution in cache_tag_flush_range()

lirongqing posted 1 patch 3 days, 5 hours ago
drivers/iommu/intel/cache.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
[PATCH] iommu/intel: Prevent variable pollution in cache_tag_flush_range()
Posted by lirongqing 3 days, 5 hours ago
From: Li RongQing <lirongqing@baidu.com>

The loop in cache_tag_flush_range() modifies local 'addr' and 'mask'
variables that persist across iterations. When CACHE_TAG_NESTING_DEVTLB
overrides them for a full flush and falls through, subsequent tags
incorrectly receive the modified values instead of the original range.

Fix by creating per-iteration local copies initialized from the original
parameters, ensuring each tag processes the intended flush range.

Signed-off-by: Li RongQing <lirongqing@baidu.com>
---
 drivers/iommu/intel/cache.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/iommu/intel/cache.c b/drivers/iommu/intel/cache.c
index fdc8881..9253025 100644
--- a/drivers/iommu/intel/cache.c
+++ b/drivers/iommu/intel/cache.c
@@ -437,6 +437,9 @@ void cache_tag_flush_range(struct dmar_domain *domain, unsigned long start,
 
 	spin_lock_irqsave(&domain->cache_lock, flags);
 	list_for_each_entry(tag, &domain->cache_tags, node) {
+		unsigned long flush_addr = addr;
+		unsigned long flush_mask = mask;
+
 		if (iommu && iommu != tag->iommu)
 			qi_batch_flush_descs(iommu, domain->qi_batch);
 		iommu = tag->iommu;
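Review bot: The two locals added at the top of the loop body have no comment saying why the range is copied per tag, so a later cleanup could fold them back into `addr`/`mask` and reintroduce the carry-over. I would add `/* Per-tag copy: CACHE_TAG_NESTING_DEVTLB widens the range, which must not leak into later tags. */` above `unsigned long flush_addr = addr;`. The function body starts before and continues after this hunk, so the declarations of `addr` and `mask` are not visible here.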
@@ -444,7 +447,7 @@ void cache_tag_flush_range(struct dmar_domain *domain, unsigned long start,
 		switch (tag->type) {
 		case CACHE_TAG_IOTLB:
 		case CACHE_TAG_NESTING_IOTLB:
-			cache_tag_flush_iotlb(domain, tag, addr, mask, ih);
+			cache_tag_flush_iotlb(domain, tag, flush_addr, flush_mask, ih);
 			break;
 		case CACHE_TAG_NESTING_DEVTLB:
 			/*
@@ -454,15 +457,15 @@ void cache_tag_flush_range(struct dmar_domain *domain, unsigned long start,
 			 * affected by a change in S2. So just flush the entire
 			 * device cache.
 			 */
-			addr = 0;
-			mask = MAX_AGAW_PFN_WIDTH;
+			flush_addr = 0;
+			flush_mask = MAX_AGAW_PFN_WIDTH;
 			fallthrough;
 		case CACHE_TAG_DEVTLB:
-			cache_tag_flush_devtlb_psi(domain, tag, addr, mask);
+			cache_tag_flush_devtlb_psi(domain, tag, flush_addr, flush_mask);
 			break;
 		}
 
-		trace_cache_tag_flush_range(tag, start, end, addr, mask);
+		trace_cache_tag_flush_range(tag, start, end, flush_addr, flush_mask);
 	}
 	qi_batch_flush_descs(iommu, domain->qi_batch);
 	spin_unlock_irqrestore(&domain->cache_lock, flags);
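Review bot: The commit message does not say what the carried-over values did to later tags, which matters when judging whether this needs a stable backport. From the lines here, a tag processed after a CACHE_TAG_NESTING_DEVTLB entry was previously flushed with `addr = 0` and `mask = MAX_AGAW_PFN_WIDTH`, which looks like a wider-than-requested invalidation rather than a missed one, but that depends on how `cache_tag_flush_iotlb()` handles that mask, which is outside this patch. The same values also reached `trace_cache_tag_flush_range()`, so earlier traces for those tags did not show the requested range. I would state the impact in the description and add a trailer of the form `Fixes: <commit-id> ("<subject of the commit that added the fallthrough>")`.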
-- 
2.9.4