git: 04e9f1aab83a - releng/15.0 - amd64/vmm.c: Fix an incorrect memory segment check in vm_iommu_{un}map

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Tue, 16 Dec 2025 23:43:00 UTC 
The branch releng/15.0 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=04e9f1aab83a00e5b61aaed50fabf1cd69fb01cf

commit 04e9f1aab83a00e5b61aaed50fabf1cd69fb01cf
Author:     Bojan Novković <bnovkov@FreeBSD.org>
AuthorDate: 2025-12-13 14:53:45 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-12-16 16:01:22 +0000

    amd64/vmm.c: Fix an incorrect memory segment check in vm_iommu_{un}map
    
    This change fixes two checks that conflated memory mapping and memory
    segment idenitifers. In both cases the code iterates over all memory
    mappings but passes the index to `vm_memseg_sysmem`, which is wrong.
    
    Fix this by passing the memory mapping's segment identifier instead.
    
    Differential Revision:  https://reviews.freebsd.org/D54210
    Reviewed by:    markj
    Fixes:  c76c2a19ae37
    PR:     290920
    Approved by:    so
    Security:       FreeBSD-EN-25:20.vmm
    
    (cherry picked from commit f1809eab82a796845f126b703c01d4a31ccf2193)
    (cherry picked from commit 4f7436bf297b93fd9e835ffca3d56288ce934dc5)
---
 sys/amd64/vmm/vmm.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/sys/amd64/vmm/vmm.c b/sys/amd64/vmm/vmm.c
index c42da02d0bf6..cffbdf047d32 100644
--- a/sys/amd64/vmm/vmm.c
+++ b/sys/amd64/vmm/vmm.c
@@ -755,10 +755,10 @@ vm_iommu_map(struct vm *vm)
 	sx_assert(&vm->mem.mem_segs_lock, SX_LOCKED);
 
 	for (i = 0; i < VM_MAX_MEMMAPS; i++) {
-		if (!vm_memseg_sysmem(vm, i))
+		mm = &vm->mem.mem_maps[i];
+		if (!vm_memseg_sysmem(vm, mm->segid))
 			continue;
 
-		mm = &vm->mem.mem_maps[i];
 		KASSERT((mm->flags & VM_MEMMAP_F_IOMMU) == 0,
 		    ("iommu map found invalid memmap %#lx/%#lx/%#x",
 		    mm->gpa, mm->len, mm->flags));
@@ -803,10 +803,10 @@ vm_iommu_unmap(struct vm *vm)
 	sx_assert(&vm->mem.mem_segs_lock, SX_LOCKED);
 
 	for (i = 0; i < VM_MAX_MEMMAPS; i++) {
-		if (!vm_memseg_sysmem(vm, i))
+		mm = &vm->mem.mem_maps[i];
+		if (!vm_memseg_sysmem(vm, mm->segid))
 			continue;
 
-		mm = &vm->mem.mem_maps[i];
 		if ((mm->flags & VM_MEMMAP_F_IOMMU) == 0)
 			continue;
 		mm->flags &= ~VM_MEMMAP_F_IOMMU;