From: "Li,Rongqing" <lirongqing@baidu.com>
To: David Woodhouse <dwmw2@infradead.org>,
Lu Baolu <baolu.lu@linux.intel.com>,
Joerg Roedel <joro@8bytes.org>, Will Deacon <will@kernel.org>,
Robin Murphy <robin.murphy@arm.com>,
"iommu@lists.linux.dev" <iommu@lists.linux.dev>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] iommu/intel: Prevent variable pollution in cache_tag_flush_range()
Date: Wed, 17 Jun 2026 07:51:39 +0000
Message-ID: <2ffd9844662a46d6acb975d14d14947b@baidu.com>
In-Reply-To: <20260605003950.1720-1-lirongqing@baidu.com>
>
> From: Li RongQing <lirongqing@baidu.com>
>
> The loop in cache_tag_flush_range() modifies local 'addr' and 'mask'
> variables that persist across iterations. When CACHE_TAG_NESTING_DEVTLB
> overrides them for a full flush and falls through, subsequent tags incorrectly
> receive the modified values instead of the original range.
>
> Fix by creating per-iteration local copies initialized from the original parameters,
> ensuring each tag processes the intended flush range.
>
> Signed-off-by: Li RongQing <lirongqing@baidu.com>
Ping
[Li,Rongqing]
> ---
> drivers/iommu/intel/cache.c | 13 ++++++++-----
> 1 file changed, 8 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/iommu/intel/cache.c b/drivers/iommu/intel/cache.c index
> fdc8881..9253025 100644
> --- a/drivers/iommu/intel/cache.c
> +++ b/drivers/iommu/intel/cache.c
> @@ -437,6 +437,9 @@ void cache_tag_flush_range(struct dmar_domain
> *domain, unsigned long start,
>
> spin_lock_irqsave(&domain->cache_lock, flags);
> list_for_each_entry(tag, &domain->cache_tags, node) {
> + unsigned long flush_addr = addr;
> + unsigned long flush_mask = mask;
> +
> if (iommu && iommu != tag->iommu)
> qi_batch_flush_descs(iommu, domain->qi_batch);
> iommu = tag->iommu;
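Review bot: The new per-iteration copies flush_addr and flush_mask at the top of the list_for_each_entry() body carry no comment saying why they must be re-initialised for every tag. A one-line comment there, noting that the CACHE_TAG_NESTING_DEVTLB case overrides them for that one tag only, would keep a later cleanup from hoisting them back out of the loop. With this change nothing in the visible hunks writes to addr or mask any more, so marking them const at their declaration would let the compiler enforce that.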
> @@ -444,7 +447,7 @@ void cache_tag_flush_range(struct dmar_domain
> *domain, unsigned long start,
> switch (tag->type) {
> case CACHE_TAG_IOTLB:
> case CACHE_TAG_NESTING_IOTLB:
> - cache_tag_flush_iotlb(domain, tag, addr, mask, ih);
> + cache_tag_flush_iotlb(domain, tag, flush_addr, flush_mask, ih);
> break;
> case CACHE_TAG_NESTING_DEVTLB:
> /*
> @@ -454,15 +457,15 @@ void cache_tag_flush_range(struct dmar_domain
> *domain, unsigned long start,
> * affected by a change in S2. So just flush the entire
> * device cache.
> */
> - addr = 0;
> - mask = MAX_AGAW_PFN_WIDTH;
> + flush_addr = 0;
> + flush_mask = MAX_AGAW_PFN_WIDTH;
> fallthrough;
> case CACHE_TAG_DEVTLB:
> - cache_tag_flush_devtlb_psi(domain, tag, addr, mask);
> + cache_tag_flush_devtlb_psi(domain, tag, flush_addr, flush_mask);
> break;
> }
>
> - trace_cache_tag_flush_range(tag, start, end, addr, mask);
> + trace_cache_tag_flush_range(tag, start, end, flush_addr, flush_mask);
> }
> qi_batch_flush_descs(iommu, domain->qi_batch);
> spin_unlock_irqrestore(&domain->cache_lock, flags);
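Review bot: The changelog does not state the impact of the old "addr = 0; mask = MAX_AGAW_PFN_WIDTH;" override in the CACHE_TAG_NESTING_DEVTLB case leaking into later iterations, and it has no Fixes: tag. The comment above the override describes those values as flushing the entire device cache, so every tag after a nesting devtlb tag was flushed with that range instead of the requested one; please say in the commit message whether that is only over-invalidation or can also leave entries unflushed, and add the Fixes: tag so stable maintainers can judge the backport. Passing flush_addr and flush_mask to trace_cache_tag_flush_range() is a good choice, since the trace now records the range each tag was really flushed with.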
> --
> 2.9.4
Thread overview: 2+ messages
2026-06-05 0:39 [PATCH] iommu/intel: Prevent variable pollution in cache_tag_flush_range() lirongqing
2026-06-17 7:51 ` Li,Rongqing [this message]