linux-yocto/drivers/iommu
Eugene Koira ba0e586d11 iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page()
commit dce043c07ca1ac19cfbe2844a6dc71e35c322353 upstream.

switch_to_super_page() assumes the memory range it's working on is aligned
to the target large page level. Unfortunately, __domain_mapping() doesn't
take this into account when using it, and will pass unaligned ranges
ultimately freeing a PTE range larger than expected.

Take for example a mapping with the following iov_pfn range [0x3fe400,
0x4c0600), which should be backed by the following mappings:

   iov_pfn [0x3fe400, 0x3fffff] covered by 2MiB pages
   iov_pfn [0x400000, 0x4bffff] covered by 1GiB pages
   iov_pfn [0x4c0000, 0x4c05ff] covered by 2MiB pages

Under this circumstance, __domain_mapping() will pass [0x400000, 0x4c05ff]
to switch_to_super_page() at a 1 GiB granularity, which will in turn
free PTEs all the way to iov_pfn 0x4fffff.

Mitigate this by rounding down the iov_pfn range passed to
switch_to_super_page() in __domain_mapping()
to the target large page level.

Additionally add range alignment checks to switch_to_super_page.

Fixes: 9906b9352a ("iommu/vt-d: Avoid duplicate removing in __domain_mapping()")
Signed-off-by: Eugene Koira <eugkoira@amazon.com>
Cc: stable@vger.kernel.org
Reviewed-by: Nicolas Saenz Julienne <nsaenz@amazon.com>
Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
Link: https://lore.kernel.org/r/20250826143816.38686-1-eugkoira@amazon.com
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-09-25 10:58:52 +02:00
..
amd iommu/amd: Avoid stack buffer overflow from kernel cmdline 2025-08-28 16:26:17 +02:00
arm iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream ids 2025-05-09 09:41:45 +02:00
intel iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() 2025-09-25 10:58:52 +02:00
apple-dart.c
dma-iommu.c genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie 2025-06-04 14:40:12 +02:00
dma-iommu.h
exynos-iommu.c
fsl_pamu_domain.c
fsl_pamu_domain.h
fsl_pamu.c
fsl_pamu.h
hyperv-iommu.c
io-pgfault.c
io-pgtable-arm-v7s.c iommu: Do not return 0 from map_pages if it doesn't do anything 2024-09-04 13:25:01 +02:00
io-pgtable-arm.c iommu/io-pgtable-arm: Fix stage-2 map/unmap for concatenated tables 2024-12-14 19:54:13 +01:00
io-pgtable-arm.h
io-pgtable-dart.c iommu: Do not return 0 from map_pages if it doesn't do anything 2024-09-04 13:25:01 +02:00
io-pgtable.c
ioasid.c
iommu-debugfs.c
iommu-sva-lib.c
iommu-sva-lib.h
iommu-sysfs.c
iommu-traces.c
iommu.c iommu: Protect against overflow in iommu_pgsize() 2025-06-27 11:07:09 +01:00
iova.c
ipmmu-vmsa.c
irq_remapping.c
irq_remapping.h
Kconfig iommu: remove duplicate selection of DMAR_TABLE 2025-06-27 11:07:11 +01:00
Makefile
msm_iommu_hw-8xxx.h
msm_iommu.c
msm_iommu.h
mtk_iommu_v1.c
mtk_iommu.c iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group 2025-04-25 10:43:26 +02:00
of_iommu.c
omap-iommu-debug.c
omap-iommu.c
omap-iommu.h
omap-iopgtable.h
rockchip-iommu.c
s390-iommu.c
sprd-iommu.c iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en 2024-08-03 08:49:53 +02:00
sun50i-iommu.c iommu: sun50i: clear bypass register 2024-09-12 11:10:19 +02:00
tegra-gart.c
tegra-smmu.c
virtio-iommu.c