From: "Roger Pau Monné" <roger.pau@citrix.com>
To: "Marek Marczykowski-Górecki" <marmarek@invisiblethingslab.com>
Cc: xen-devel@lists.xenproject.org, Jan Beulich <jbeulich@suse.com>,
Andrew Cooper <andrew.cooper3@citrix.com>
Subject: Re: [PATCH] VT-d: fix off-by-one when handling extra RMRR ranges
Date: Fri, 13 Feb 2026 09:16:50 +0100 [thread overview]
Message-ID: <aY7d8ohWykrmOmf5@Mac.lan> (raw)
In-Reply-To: <20260213031801.1744145-1-marmarek@invisiblethingslab.com>
On Fri, Feb 13, 2026 at 04:17:48AM +0100, Marek Marczykowski-Górecki wrote:
> add_one_user_rmrr() operates on inclusive [start,end] range, which means
> the end page needs to be calculated as (start + page_count - 1).
> This off-by-one error resulted in one extra pages being mapped in IOMMU
> context, but not marked as reserved in the memory map. This in turns
> confused PVH dom0 code, resulting in the following crash:
>
> (XEN) [ 3.934848] d0: GFN 0x5475c (0x5475c,5,3) -> (0x46a0f4,0,7) not permitted (0x20)
> (XEN) [ 3.969657] domain_crash called from arch/x86/mm/p2m.c:695
> (XEN) [ 3.972568] Domain 0 reported crashed by domain 32767 on cpu#0:
> (XEN) [ 3.975527] Hardware Dom0 crashed: rebooting machine in 5 seconds.
> (XEN) [ 8.986353] Resetting with ACPI MEMORY or I/O RESET_REG.
>
> I checked other parts of this API and it was the only error like this.
> Other places:
> - iommu_get_extra_reserved_device_memory() -> reserve_e820_ram() - this
> function expects exclusive range, so the code is correct
> - add_one_extra_ivmd() - this operates on start address and memory
> length
>
You possibly want:
Fixes: 2d9b3699136d ("IOMMU/VT-d: wire common device reserved memory API")
> Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
> ---
> xen/drivers/passthrough/vtd/dmar.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/xen/drivers/passthrough/vtd/dmar.c b/xen/drivers/passthrough/vtd/dmar.c
> index 91c22b833043..3da0854e6d91 100644
> --- a/xen/drivers/passthrough/vtd/dmar.c
> +++ b/xen/drivers/passthrough/vtd/dmar.c
> @@ -1065,7 +1065,7 @@ static int __init add_user_rmrr(void)
> static int __init cf_check add_one_extra_rmrr(xen_pfn_t start, xen_ulong_t nr, u32 id, void *ctxt)
> {
> u32 sbdf_array[] = { id };
> - return add_one_user_rmrr(start, start+nr, 1, sbdf_array);
> + return add_one_user_rmrr(start, start + nr - 1, 1, sbdf_array);
While here, would you mind if we add a newline between the sbdf_array
definition and the return?
Thanks, Roger.
next prev parent reply other threads:[~2026-02-13 8:17 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-13 3:17 [PATCH] VT-d: fix off-by-one when handling extra RMRR ranges Marek Marczykowski-Górecki
2026-02-13 8:16 ` Roger Pau Monné [this message]
2026-02-13 9:37 ` Marek Marczykowski-Górecki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aY7d8ohWykrmOmf5@Mac.lan \
--to=roger.pau@citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=jbeulich@suse.com \
--cc=marmarek@invisiblethingslab.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.