From: Joerg Roedel <jroedel@suse.de>
Date: Fri, 15 Jun 2018 15:09:43 +0200
Subject: iommu/vt-d: Fix race condition in add_unmap()
Patch-mainline: No, upstream switched to a different implementation
References: bsc#1096790, bsc#1097034

The high-water-mark needs to be checked again after the lock
is taken, otherwise flush_data->size might grow larger than
the high-water-mark and we write behind the array limits of
the deferred flush tables.

Signed-off-by: Joerg Roedel <jroedel@suse.de>
---
 drivers/iommu/intel-iommu.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
index 880830d..919ede7 100644
--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -3742,6 +3742,10 @@ static void add_unmap(struct dmar_domain *dom, unsigned long iova_pfn,
 
 	spin_lock_irqsave(&flush_data->lock, flags);
 
+	/* Need to check that again after we own the lock */
+	if (unlikely(flush_data->size == HIGH_WATER_MARK))
+		flush_unmaps(flush_data);
+
 	iommu = domain_get_iommu(dom);
 	iommu_id = iommu->seq_id;
 
-- 
2.12.3