From: Joerg Roedel <jroedel@suse.de>
Date: Fri, 15 Jun 2018 15:09:43 +0200
Subject: iommu/vt-d: Fix race condition in add_unmap()
Patch-mainline: No, upstream switched to a different implementation
References: bsc#1096790, bsc#1097034

The high-water-mark needs to be checked again after the lock
is taken, otherwise flush_data->size might grow larger than
the high-water-mark and we write behind the array limits of
the deferred flush tables.

Signed-off-by: Joerg Roedel <jroedel@suse.de>
---
drivers/iommu/intel-iommu.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
index 880830d..919ede7 100644
--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -3742,6 +3742,10 @@ static void add_unmap(struct dmar_domain *dom, unsigned long iova_pfn,
spin_lock_irqsave(&flush_data->lock, flags);
+ /* Need to check that again after we own the lock */
+ if (unlikely(flush_data->size == HIGH_WATER_MARK))
+ flush_unmaps(flush_data);
+
iommu = domain_get_iommu(dom);
iommu_id = iommu->seq_id;
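Review bot: The re-check under the lock uses an exact match, `flush_data->size == HIGH_WATER_MARK`, while the commit message describes the failure as size growing larger than the high-water-mark. If size can ever be observed above the mark at this point, the equality test is skipped and the out-of-bounds write into the deferred flush tables still happens. Using `>=` here costs nothing and bounds the index whatever interleaving led to it. Two smaller points on the same lines: flush_unmaps() is now called after spin_lock_irqsave(), so it is worth stating in the comment that it must be called with flush_data->lock held and interrupts disabled (and confirming it does not try to take that lock itself), and the comment "check that again" would read better if it named what is being checked, for example "Re-check the high-water-mark now that we own the lock".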
--
2.12.3