Commit 90c5def1 authored Mar 02, 2026 by Jason Gunthorpe Committed by Joerg Roedel Mar 27, 2026

iommu: Do not call drivers for empty gathers



An empty gather is coded with start=U64_MAX, end=0 and several drivers go
on to convert that to a size with:

 end - start + 1

Which gives 2 for an empty gather. This then causes Weird Stuff to
happen (for example an UBSAN splat in VT-d) that is hopefully harmless,
but maybe not.

Prevent drivers from being called right in iommu_iotlb_sync().

Auditing shows that AMD, Intel, Mediatek and RSIC-V drivers all do things
on these empty gathers.

Further, there are several callers that can trigger empty gathers,
especially in unusual conditions. For example iommu_map_nosync() will call
a 0 size unmap on some error paths. Also in VFIO, iommupt and other
places.

Cc: stable@vger.kernel.org
Reported-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
Closes: https://lore.kernel.org/r/11145826.aFP6jjVeTY@jkrzyszt-mobl2.ger.corp.intel.com


Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
Reviewed-by: Samiullah Khawaja <skhawaja@google.com>
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>

parent c3692998

include/linux/iommu.h

+2 −1

Original line number	Diff line number	Diff line
		@@ -980,7 +980,8 @@ static inline void iommu_flush_iotlb_all(struct iommu_domain *domain)
		static inline void iommu_iotlb_sync(struct iommu_domain *domain,
		struct iommu_iotlb_gather *iotlb_gather)
		{
		if (domain->ops->iotlb_sync)
		if (domain->ops->iotlb_sync &&
		likely(iotlb_gather->start < iotlb_gather->end))
		domain->ops->iotlb_sync(domain, iotlb_gather);

		iommu_iotlb_gather_init(iotlb_gather);