* [PATCH] iommu/intel: Prevent variable pollution in cache_tag_flush_range()
From: lirongqing @ 2026-06-05 0:39 UTC
To: David Woodhouse, Lu Baolu, Joerg Roedel, Will Deacon,
Robin Murphy, iommu, linux-kernel
Cc: Li RongQing
From: Li RongQing <lirongqing@baidu.com>

The loop in cache_tag_flush_range() modifies local 'addr' and 'mask'
variables that persist across iterations. When CACHE_TAG_NESTING_DEVTLB
overrides them for a full flush and falls through, subsequent tags
incorrectly receive the modified values instead of the original range.

Fix by creating per-iteration local copies initialized from the original
parameters, ensuring each tag processes the intended flush range.

Signed-off-by: Li RongQing <lirongqing@baidu.com>
---
drivers/iommu/intel/cache.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/iommu/intel/cache.c b/drivers/iommu/intel/cache.c
index fdc8881..9253025 100644
--- a/drivers/iommu/intel/cache.c
+++ b/drivers/iommu/intel/cache.c
@@ -437,6 +437,9 @@ void cache_tag_flush_range(struct dmar_domain *domain, unsigned long start,
spin_lock_irqsave(&domain->cache_lock, flags);
list_for_each_entry(tag, &domain->cache_tags, node) {
+ unsigned long flush_addr = addr;
+ unsigned long flush_mask = mask;
+
if (iommu && iommu != tag->iommu)
qi_batch_flush_descs(iommu, domain->qi_batch);
iommu = tag->iommu;
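Review bot: the two declarations added at the top of the loop body need a one-line comment saying they are re-initialised on every iteration on purpose, because the CACHE_TAG_NESTING_DEVTLB arm overwrites them. Without it, a later cleanup can hoist flush_addr and flush_mask back out of the loop and reintroduce the leak. Nothing in the visible loop writes addr or mask after this change, so marking them const where they are declared would let the compiler enforce that.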
@@ -444,7 +447,7 @@ void cache_tag_flush_range(struct dmar_domain *domain, unsigned long start,
switch (tag->type) {
case CACHE_TAG_IOTLB:
case CACHE_TAG_NESTING_IOTLB:
- cache_tag_flush_iotlb(domain, tag, addr, mask, ih);
+ cache_tag_flush_iotlb(domain, tag, flush_addr, flush_mask, ih);
break;
case CACHE_TAG_NESTING_DEVTLB:
/*
@@ -454,15 +457,15 @@ void cache_tag_flush_range(struct dmar_domain *domain, unsigned long start,
* affected by a change in S2. So just flush the entire
* device cache.
*/
- addr = 0;
- mask = MAX_AGAW_PFN_WIDTH;
+ flush_addr = 0;
+ flush_mask = MAX_AGAW_PFN_WIDTH;
fallthrough;
case CACHE_TAG_DEVTLB:
- cache_tag_flush_devtlb_psi(domain, tag, addr, mask);
+ cache_tag_flush_devtlb_psi(domain, tag, flush_addr, flush_mask);
break;
}
- trace_cache_tag_flush_range(tag, start, end, addr, mask);
+ trace_cache_tag_flush_range(tag, start, end, flush_addr, flush_mask);
}
qi_batch_flush_descs(iommu, domain->qi_batch);
spin_unlock_irqrestore(&domain->cache_lock, flags);
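Review bot: the commit message should state what the leaked values did to later tags and carry a Fixes: tag. The pair written in the CACHE_TAG_NESTING_DEVTLB arm is the one the comment describes as flushing the entire device cache, so as far as these lines show the tags that followed were handed addr 0 and MAX_AGAW_PFN_WIDTH, a wider request than the caller's rather than a narrower one; saying so lets stable maintainers judge whether this is a performance fix or a correctness fix. The trace_cache_tag_flush_range() change is worth keeping as is: it now logs the range each tag was actually given, which is the reason to use locals instead of passing the constants straight to cache_tag_flush_devtlb_psi().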
--
2.9.4
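A user-space model of the leak the commit message above describes, added here as an illustration and not taken from the patch or the kernel. The tag order, the 0x200/3 range and the value of FULL_MASK (a placeholder for MAX_AGAW_PFN_WIDTH) are constructed; `flush_model()` and `tag_after_nesting()` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model: tag names mirror the patch, everything else is made up. */
enum tag_type { IOTLB, NESTING_IOTLB, NESTING_DEVTLB, DEVTLB };
#define FULL_MASK 52UL /* placeholder standing in for MAX_AGAW_PFN_WIDTH */

struct seen { unsigned long addr, mask; }; /* range one tag was asked to flush */

/* per_tag_copy == 0: pre-patch shape, the override lands in the shared variables.
 * per_tag_copy == 1: patched shape, the override lands in per-iteration copies. */
static void flush_model(const enum tag_type *tags, size_t n, unsigned long addr,
                        unsigned long mask, int per_tag_copy, struct seen *out)
{
    for (size_t i = 0; i < n; i++) {
        unsigned long flush_addr = addr, flush_mask = mask;
        unsigned long *a = per_tag_copy ? &flush_addr : &addr;
        unsigned long *m = per_tag_copy ? &flush_mask : &mask;
        switch (tags[i]) {
        case IOTLB:
        case NESTING_IOTLB:
            out[i] = (struct seen){ *a, *m };
            break;
        case NESTING_DEVTLB:
            *a = 0;          /* flush the entire device cache */
            *m = FULL_MASK;
            /* fall through */
        case DEVTLB:
            out[i] = (struct seen){ *a, *m };
            break;
        }
    }
}

/* Constructed tag order: a nesting DEVTLB tag sits ahead of two other tags. */
static struct seen tag_after_nesting(int per_tag_copy, size_t idx)
{
    static const enum tag_type tags[] = { IOTLB, NESTING_DEVTLB, DEVTLB, IOTLB };
    struct seen out[4];
    flush_model(tags, 4, 0x200UL, 3UL, per_tag_copy, out);
    return out[idx];
}

int main(void)
{
    struct seen b = tag_after_nesting(0, 2), f = tag_after_nesting(1, 2);
    printf("shared:  addr=%#lx mask=%lu\n", b.addr, b.mask);
    printf("per-tag: addr=%#lx mask=%lu\n", f.addr, f.mask);
    return 0;
}
```

The leak depends on list order: tags that come before the nesting DEVTLB tag see the requested range in both variants.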
* Reply: [PATCH] iommu/intel: Prevent variable pollution in cache_tag_flush_range()
From: Li,Rongqing @ 2026-06-17 7:51 UTC
To: David Woodhouse, Lu Baolu, Joerg Roedel, Will Deacon,
Robin Murphy, iommu@lists.linux.dev, linux-kernel@vger.kernel.org
>
> From: Li RongQing <lirongqing@baidu.com>
>
> The loop in cache_tag_flush_range() modifies local 'addr' and 'mask'
> variables that persist across iterations. When CACHE_TAG_NESTING_DEVTLB
> overrides them for a full flush and falls through, subsequent tags incorrectly
> receive the modified values instead of the original range.
>
> Fix by creating per-iteration local copies initialized from the original parameters,
> ensuring each tag processes the intended flush range.
>
> Signed-off-by: Li RongQing <lirongqing@baidu.com>
Ping
[Li,Rongqing]
> ---
> drivers/iommu/intel/cache.c | 13 ++++++++-----
> 1 file changed, 8 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/iommu/intel/cache.c b/drivers/iommu/intel/cache.c index
> fdc8881..9253025 100644
> --- a/drivers/iommu/intel/cache.c
> +++ b/drivers/iommu/intel/cache.c
> @@ -437,6 +437,9 @@ void cache_tag_flush_range(struct dmar_domain
> *domain, unsigned long start,
>
> spin_lock_irqsave(&domain->cache_lock, flags);
> list_for_each_entry(tag, &domain->cache_tags, node) {
> + unsigned long flush_addr = addr;
> + unsigned long flush_mask = mask;
> +
> if (iommu && iommu != tag->iommu)
> qi_batch_flush_descs(iommu, domain->qi_batch);
> iommu = tag->iommu;
> @@ -444,7 +447,7 @@ void cache_tag_flush_range(struct dmar_domain
> *domain, unsigned long start,
> switch (tag->type) {
> case CACHE_TAG_IOTLB:
> case CACHE_TAG_NESTING_IOTLB:
> - cache_tag_flush_iotlb(domain, tag, addr, mask, ih);
> + cache_tag_flush_iotlb(domain, tag, flush_addr, flush_mask, ih);
> break;
> case CACHE_TAG_NESTING_DEVTLB:
> /*
> @@ -454,15 +457,15 @@ void cache_tag_flush_range(struct dmar_domain
> *domain, unsigned long start,
> * affected by a change in S2. So just flush the entire
> * device cache.
> */
> - addr = 0;
> - mask = MAX_AGAW_PFN_WIDTH;
> + flush_addr = 0;
> + flush_mask = MAX_AGAW_PFN_WIDTH;
> fallthrough;
> case CACHE_TAG_DEVTLB:
> - cache_tag_flush_devtlb_psi(domain, tag, addr, mask);
> + cache_tag_flush_devtlb_psi(domain, tag, flush_addr, flush_mask);
> break;
> }
>
> - trace_cache_tag_flush_range(tag, start, end, addr, mask);
> + trace_cache_tag_flush_range(tag, start, end, flush_addr, flush_mask);
> }
> qi_batch_flush_descs(iommu, domain->qi_batch);
> spin_unlock_irqrestore(&domain->cache_lock, flags);
> --
> 2.9.4