Since npages is declared as int, shifting npages << PAGE_SHIFT for a 2 GB+ scatter-gather list overflows before reaching __unmap_single(), leading to incorrect unmapping.
A 2 GB region equals 524,288 pages. The expression npages << PAGE_SHIFT yields 0x80000000, which exceeds INT32_MAX (0x7FFFFFFF). Casting to size_t therefore produces 0xFFFFFFFF80000000, an overflow value that breaks the unmap size calculation.
Fix the overflow by casting npages to size_t before the PAGE_SHIFT left-shift.
Fixes: 89736a0ee81d ("Revert "iommu/amd: Remove the leftover of bypass support"") Cc: stable@vger.kernel.org # 5.4 Signed-off-by: Jinhui Guo guojinhui.liam@bytedance.com ---
Hi,
We hit an IO_PAGE_FAULT on AMD with 5.4-stable when mapping a 2 GB scatter-gather list.
The fault is caused by an overflow in unmap_sg(): on stable-5.4 the SG-mmap path was never moved to the IOMMU framework, so the bug exists only in this branch.
Regards, Jinhui
drivers/iommu/amd_iommu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c index a30aac41af42..60872d7be52b 100644 --- a/drivers/iommu/amd_iommu.c +++ b/drivers/iommu/amd_iommu.c @@ -2682,7 +2682,7 @@ static void unmap_sg(struct device *dev, struct scatterlist *sglist, dma_dom = to_dma_ops_domain(domain); npages = sg_num_pages(dev, sglist, nelems);
- __unmap_single(dma_dom, startaddr, npages << PAGE_SHIFT, dir); + __unmap_single(dma_dom, startaddr, (size_t)npages << PAGE_SHIFT, dir); }
/*
On Thu, Oct 30, 2025 at 07:19:56PM +0800, Jinhui Guo wrote:
Since npages is declared as int, shifting npages << PAGE_SHIFT for a 2 GB+ scatter-gather list overflows before reaching __unmap_single(), leading to incorrect unmapping.
A 2 GB region equals 524,288 pages. The expression npages << PAGE_SHIFT yields 0x80000000, which exceeds INT32_MAX (0x7FFFFFFF). Casting to size_t therefore produces 0xFFFFFFFF80000000, an overflow value that breaks the unmap size calculation.
Fix the overflow by casting npages to size_t before the PAGE_SHIFT left-shift.
Fixes: 89736a0ee81d ("Revert "iommu/amd: Remove the leftover of bypass support"") Cc: stable@vger.kernel.org # 5.4 Signed-off-by: Jinhui Guo guojinhui.liam@bytedance.com
Hi,
We hit an IO_PAGE_FAULT on AMD with 5.4-stable when mapping a 2 GB scatter-gather list.
The fault is caused by an overflow in unmap_sg(): on stable-5.4 the SG-mmap path was never moved to the IOMMU framework, so the bug exists only in this branch.
What upstream commit fixed this? And why not just backport that?
And as this kernel is only going to be "alive" for one more month (i.e. probably one more release), why care about it now at all? Shouldn't you already have moved your whole infrastructure off of it by now?
Especially because, as of right now, release 5.4.301 contains 1527 unfixed CVEs? Surely that should mean something? :)
thanks,
greg k-h
linux-stable-mirror@lists.linaro.org
-
Greg KH -
Jinhui Guo