intel-iommu: fix off-by-one in pagetable freeing

commit 08336fd218e087cc4fcc458e6b6dcafe8702b098 upstream. dma_pte_free_level() has an off-by-one error when checking whether a pte is completely covered by a range. Take for example the case of attempting to free pfn 0x0 - 0x1ff, ie. 512 entries covering the first 2M superpage. The level_size() is 0x200 and we test: static void dma_pte_free_level(... ... if (!(0 > 0 || 0x1ff < 0 + 0x200)) { ... } Clearly the 2nd test is true, which means we fail to take the branch to clear and free the pagetable entry. As a result, we're leaking pagetables and failing to install new pages over the range. This was found with a PCI device assigned to a QEMU guest using vfio-pci without a VGA device present. The first 1M of guest address space is mapped with various combinations of 4K pages, but eventually the range is entirely freed and replaced with a 2M contiguous mapping. intel-iommu errors out with something like: ERROR: DMA PTE for vPFN 0x0 already set (to 5c2b8003 not 849c00083) In this case 5c2b8003 is the pointer to the previous leaf page that was neither freed nor cleared and 849c00083 is the superpage entry that we're trying to replace it with. Signed-off-by: Alex Williamson <alex.williamson@redhat.com> Cc: David Woodhouse <dwmw2@infradead.org> Cc: Joerg Roedel <joro@8bytes.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Alex Williamson <alex.williamson@redhat.com> 2014-01-21 18:48:18 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-02-13 16:47:59 -0500
commit: 32df365df6fe849e54101681b8278ff6a8d7482b (patch)
tree: 9f6ac9025206f3ca23f24637faff84a99ebc2645
parent: 25f43284e1fa20779186481d014997196c70fc50 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
index 25943a683d15..6771e3c94801 100644
--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -917,7 +917,7 @@ static void dma_pte_free_level(struct dmar_domain *domain, int level,
                /* If range covers entire pagetable, free it */
                if (!(start_pfn > level_pfn ||
-                      last_pfn < level_pfn + level_size(level))) {
+                      last_pfn < level_pfn + level_size(level) - 1)) {
                        dma_clear_pte(pte);
                        domain_flush_cache(domain, pte, sizeof(*pte));
                        free_pgtable_page(level_pte);
author	Alex Williamson <alex.williamson@redhat.com>	2014-01-21 18:48:18 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2014-02-13 16:47:59 -0500
commit	32df365df6fe849e54101681b8278ff6a8d7482b (patch)
tree	9f6ac9025206f3ca23f24637faff84a99ebc2645
parent	25f43284e1fa20779186481d014997196c70fc50 (diff)

diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c index 25943a683d15..6771e3c94801 100644 --- a/drivers/iommu/intel-iommu.c +++ b/drivers/iommu/intel-iommu.c
@@ -917,7 +917,7 @@ static void dma_pte_free_level(struct dmar_domain *domain, int level,
917		917
918	/* If range covers entire pagetable, free it */	918	/* If range covers entire pagetable, free it */
919	if (!(start_pfn > level_pfn \|\|	919	if (!(start_pfn > level_pfn \|\|
920	last_pfn < level_pfn + level_size(level))) {	920	last_pfn < level_pfn + level_size(level) - 1)) {
921	dma_clear_pte(pte);	921	dma_clear_pte(pte);
922	domain_flush_cache(domain, pte, sizeof(*pte));	922	domain_flush_cache(domain, pte, sizeof(*pte));
923	free_pgtable_page(level_pte);	923	free_pgtable_page(level_pte);