On Thu Jan 17 19, Jerry Snitselaar wrote:
In the error path of map_sg, free_iova_fast is being called with
address instead of the pfn. This results in a bad value getting into
the rcache, and can result in hitting a BUG_ON when
iova_magazine_free_pfns is called.

Cc: Joerg Roedel <j...@8bytes.org>
Cc: Suravee Suthikulpanit <suravee.suthikulpa...@amd.com>
Signed-off-by: Jerry Snitselaar <jsnit...@redhat.com>
---
drivers/iommu/amd_iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
index 87ba23a75b38..418df8ff3e50 100644
--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
@@ -2623,7 +2623,7 @@ static int map_sg(struct device *dev, struct scatterlist 
*sglist,
        }

out_free_iova:
-       free_iova_fast(&dma_dom->iovad, address, npages);
+       free_iova_fast(&dma_dom->iovad, address >> PAGE_SHIFT, npages);

out_err:
        return 0;
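
Review bot: At the out_free_iova label, the open-coded `address >> PAGE_SHIFT` fixes this one call, but the patch does not say whether any other free_iova_fast() call in drivers/iommu/amd_iommu.c was checked for the same byte-address versus pfn mix-up. Please confirm that in the commit message, since the same mistake elsewhere would put a bad value into the rcache in the same way. With the shift in place both arguments are in page units (pfn and npages), which matches the description. The Fixes: tag is missing from the tag block and only appears in the follow-up, so a resend should carry it next to the Signed-off-by line.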
--
2.20.1.98.gecbdaf0899



I forgot to add the Fixes line.

Fixes: 80187fd39dcb ("iommu/amd: Optimize map_sg and unmap_sg")
