* [PATCH 2/2] vfio: Prevent open_count decrement to negative
  2025-05-16 16:45 Jacob Pan
@ 2025-05-16 16:45 ` Jacob Pan
  2025-05-26 23:53   ` Jason Gunthorpe
  2025-05-28  7:24   ` Yi Liu
  0 siblings, 2 replies; 7+ messages in thread
From: Jacob Pan @ 2025-05-16 16:45 UTC (permalink / raw)
  To: linux-kernel, iommu@lists.linux.dev, Alex Williamson, Liu, Yi L,
	jgg@nvidia.com, Jacob Pan
  Cc: Zhang Yu, Easwar Hariharan

When vfio_df_close() is called with open_count=0, it triggers a warning in
vfio_assert_device_open() but still decrements open_count to -1. This allows
a subsequent open to incorrectly pass the open_count == 0 check, leading to
unintended behavior, such as setting df->access_granted = true.

For example, running an IOMMUFD compat no-IOMMU device with VFIO tests
(https://github.com/awilliam/tests/blob/master/vfio-noiommu-pci-device-open.c)
results in a warning and a failed VFIO_GROUP_GET_DEVICE_FD ioctl on the first
run, but the second run succeeds incorrectly.

Add checks to avoid decrementing open_count below zero.

Signed-off-by: Jacob Pan <jacob.pan@linux.microsoft.com>
---
 drivers/vfio/vfio_main.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/vfio/vfio_main.c b/drivers/vfio/vfio_main.c
index 1fd261efc582..5046cae05222 100644
--- a/drivers/vfio/vfio_main.c
+++ b/drivers/vfio/vfio_main.c
@@ -583,7 +583,8 @@ void vfio_df_close(struct vfio_device_file *df)
 
 	lockdep_assert_held(&device->dev_set->lock);
 
-	vfio_assert_device_open(device);
+	if (!vfio_assert_device_open(device))
+		return;
 	if (device->open_count == 1)
 		vfio_df_device_last_close(df);
 	device->open_count--;
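Review bot: the new `if (!vfio_assert_device_open(device))` test relies on the helper returning a non-zero value when the device is open, but the diffstat (1 file changed, 2 insertions, 1 deletion) shows this hunk is the whole patch, so vfio_assert_device_open() itself is not changed here. If it is still a void wrapper around WARN_ON(), this will not compile; if its return value was changed in an earlier patch, the commit message should say what it returns (true when open_count is non-zero) so the early return reads correctly.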
-- 
2.34.1
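To make the sequence in the commit message concrete (an unbalanced close drives the counter to -1, and the next open then skips first-open setup yet grants access), here is a constructed model of the counter logic. This is an added example, not VFIO's code: the struct and function names, the first-open step, and the "count == 1 after increment" shape are assumptions chosen to mirror the description above. The unguarded close is the pre-patch shape; the guarded close is the post-patch shape.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of the open_count handling the patch guards.
 * Not the VFIO code: names and the first-open step are assumptions.
 */
struct model_device {
	int open_count;		/* number of files holding the device open */
	bool first_open_ran;	/* did the first-opener setup step run? */
};

struct model_file {
	struct model_device *dev;
	bool access_granted;	/* set once open succeeds */
};

/* Assumed setup step that only the first opener is supposed to run. */
static int model_first_open(struct model_device *dev)
{
	dev->first_open_ran = true;
	return 0;
}

/* Open: bump the count, run setup only for the first opener, grant access. */
static int model_open(struct model_file *df)
{
	struct model_device *dev = df->dev;

	dev->open_count++;
	if (dev->open_count == 1) {
		int ret = model_first_open(dev);

		if (ret) {
			dev->open_count--;
			return ret;
		}
	}
	df->access_granted = true;
	return 0;
}

/* Pre-patch shape: warn on an unbalanced close, but decrement regardless. */
static void model_close_unguarded(struct model_file *df)
{
	struct model_device *dev = df->dev;

	if (dev->open_count == 0)
		fprintf(stderr, "WARNING: close with open_count == 0\n");
	dev->open_count--;
	df->access_granted = false;
}

/* Post-patch shape: warn and refuse to touch the counter when nothing is open. */
static bool model_close_guarded(struct model_file *df)
{
	struct model_device *dev = df->dev;

	if (dev->open_count == 0) {
		fprintf(stderr, "WARNING: close with open_count == 0\n");
		return false;
	}
	dev->open_count--;
	df->access_granted = false;
	return true;
}

struct scenario_result {
	int count_after_close;	/* open_count after the unbalanced close */
	bool first_open_ran;	/* did the following open run setup? */
	bool access_granted;	/* did the following open grant access? */
};

/*
 * The sequence from the commit message: a close never matched by an open
 * (first run), followed by a fresh open (second run).
 */
static struct scenario_result run_unbalanced_close_then_open(bool guarded)
{
	struct model_device dev = { .open_count = 0, .first_open_ran = false };
	struct model_file run1 = { .dev = &dev }, run2 = { .dev = &dev };
	struct scenario_result r;

	if (guarded)
		model_close_guarded(&run1);
	else
		model_close_unguarded(&run1);
	r.count_after_close = dev.open_count;

	model_open(&run2);
	r.first_open_ran = dev.first_open_ran;
	r.access_granted = run2.access_granted;
	return r;
}

int main(void)
{
	struct scenario_result bug = run_unbalanced_close_then_open(false);
	struct scenario_result fix = run_unbalanced_close_then_open(true);

	printf("unguarded: count=%d first_open=%d access=%d\n",
	       bug.count_after_close, bug.first_open_ran, bug.access_granted);
	printf("guarded:   count=%d first_open=%d access=%d\n",
	       fix.count_after_close, fix.first_open_ran, fix.access_granted);
	return 0;
}
```

In the unguarded run the counter ends at -1 and the next open lands on 0, so the first-opener setup is skipped while access is still granted; in the guarded run the counter stays at 0, the next open lands on 1, and setup runs as it should. The warning is printed in both cases, which is the point of the patch: the guard keeps the counter honest without hiding the unbalanced caller.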



* Re: [PATCH 2/2] vfio: Prevent open_count decrement to negative
  2025-05-16 16:45 ` [PATCH 2/2] vfio: Prevent open_count decrement to negative Jacob Pan
@ 2025-05-26 23:53   ` Jason Gunthorpe
  2025-05-28  7:24   ` Yi Liu
  1 sibling, 0 replies; 7+ messages in thread
From: Jason Gunthorpe @ 2025-05-26 23:53 UTC (permalink / raw)
  To: Jacob Pan
  Cc: linux-kernel, iommu@lists.linux.dev, Alex Williamson, Liu, Yi L,
	Zhang Yu, Easwar Hariharan

On Fri, May 16, 2025 at 09:45:22AM -0700, Jacob Pan wrote:
> When vfio_df_close() is called with open_count=0, it triggers a warning in
> vfio_assert_device_open() but still decrements open_count to -1. This allows
> a subsequent open to incorrectly pass the open_count == 0 check, leading to
> unintended behavior, such as setting df->access_granted = true.
> 
> For example, running an IOMMUFD compat no-IOMMU device with VFIO tests
> (https://github.com/awilliam/tests/blob/master/vfio-noiommu-pci-device-open.c)
> results in a warning and a failed VFIO_GROUP_GET_DEVICE_FD ioctl on the first
> run, but the second run succeeds incorrectly.
> 
> Add checks to avoid decrementing open_count below zero.
> 
> Signed-off-by: Jacob Pan <jacob.pan@linux.microsoft.com>
> ---
>  drivers/vfio/vfio_main.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>

Jason


* Re: [PATCH 2/2] vfio: Prevent open_count decrement to negative
  2025-05-16 16:45 ` [PATCH 2/2] vfio: Prevent open_count decrement to negative Jacob Pan
  2025-05-26 23:53   ` Jason Gunthorpe
@ 2025-05-28  7:24   ` Yi Liu
  1 sibling, 0 replies; 7+ messages in thread
From: Yi Liu @ 2025-05-28  7:24 UTC (permalink / raw)
  To: Jacob Pan, linux-kernel, iommu@lists.linux.dev, Alex Williamson,
	jgg@nvidia.com
  Cc: Zhang Yu, Easwar Hariharan

On 2025/5/17 00:45, Jacob Pan wrote:
> When vfio_df_close() is called with open_count=0, it triggers a warning in
> vfio_assert_device_open() but still decrements open_count to -1. This allows
> a subsequent open to incorrectly pass the open_count == 0 check, leading to
> unintended behavior, such as setting df->access_granted = true.
> 
> For example, running an IOMMUFD compat no-IOMMU device with VFIO tests
> (https://github.com/awilliam/tests/blob/master/vfio-noiommu-pci-device-open.c)
> results in a warning and a failed VFIO_GROUP_GET_DEVICE_FD ioctl on the first
> run, but the second run succeeds incorrectly.
> 
> Add checks to avoid decrementing open_count below zero.
> 
> Signed-off-by: Jacob Pan <jacob.pan@linux.microsoft.com>
> ---
>   drivers/vfio/vfio_main.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)

Reviewed-by: Yi Liu <yi.l.liu@intel.com>

> diff --git a/drivers/vfio/vfio_main.c b/drivers/vfio/vfio_main.c
> index 1fd261efc582..5046cae05222 100644
> --- a/drivers/vfio/vfio_main.c
> +++ b/drivers/vfio/vfio_main.c
> @@ -583,7 +583,8 @@ void vfio_df_close(struct vfio_device_file *df)
>   
>   	lockdep_assert_held(&device->dev_set->lock);
>   
> -	vfio_assert_device_open(device);
> +	if (!vfio_assert_device_open(device))
> +		return;
>   	if (device->open_count == 1)
>   		vfio_df_device_last_close(df);
>   	device->open_count--;
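Review bot: the commit message says "Add checks" (plural) but the hunk adds a single guard, and it does not state that the early return intentionally skips vfio_df_device_last_close(): when open_count is already 0 nothing was opened, so there is nothing to tear down, but that reasoning is only implicit. A one-line comment above the `return;` (or a sentence in the message) would make the intent explicit for whoever next hits the WARN.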

-- 
Regards,
Yi Liu


* [PATCH 1/2] vfio: Fix unbalanced vfio_df_close call in no-iommu mode
@ 2025-06-02 23:43 Jacob Pan
  2025-06-02 23:43 ` [PATCH 2/2] vfio: Prevent open_count decrement to negative Jacob Pan
  2025-06-02 23:49 ` [PATCH 1/2] vfio: Fix unbalanced vfio_df_close call in no-iommu mode Jason Gunthorpe
  0 siblings, 2 replies; 7+ messages in thread
From: Jacob Pan @ 2025-06-02 23:43 UTC (permalink / raw)
  To: linux-kernel, iommu@lists.linux.dev, Alex Williamson, Liu, Yi L,
	jgg@nvidia.com, Jacob Pan
  Cc: Zhang Yu, Easwar Hariharan, Saurabh Sengar

For no-iommu enabled devices working under IOMMUFD VFIO compat mode, the
group open path does not call vfio_df_open() and the open_count is 0. So
calling vfio_df_close() in the group close path will trigger a warning in
vfio_assert_device_open(device).

E.g., the following warning can be seen by running the VFIO test.
https://github.com/awilliam/tests/blob/master/vfio-noiommu-pci-device-open.c
CONFIG_VFIO_CONTAINER = n
[   29.094781] vfio-pci 0000:02:01.0: vfio-noiommu device opened by user (vfio-noiommu-pc:164)
Failed to get device info
[   29.096540] ------------[ cut here ]------------
[   29.096616] WARNING: CPU: 1 PID: 164 at drivers/vfio/vfio_main.c:487 vfio_df_close+0xac/0xb4

This patch adds checks for no-iommu mode and open_count to skip calling vfio_df_close.

Signed-off-by: Jacob Pan <jacob.pan@linux.microsoft.com>
---
 drivers/vfio/group.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/vfio/group.c b/drivers/vfio/group.c
index c321d442f0da..834421149ffe 100644
--- a/drivers/vfio/group.c
+++ b/drivers/vfio/group.c
@@ -238,12 +238,13 @@ void vfio_df_group_close(struct vfio_device_file *df)
 	mutex_lock(&device->group->group_lock);
 	mutex_lock(&device->dev_set->lock);
 
-	vfio_df_close(df);
-	df->iommufd = NULL;
-
 	if (device->open_count == 0)
 		vfio_device_put_kvm(device);
 
+	if (!vfio_device_is_noiommu(device))
+		vfio_df_close(df);
+
+	df->iommufd = NULL;
 	mutex_unlock(&device->dev_set->lock);
 	mutex_unlock(&device->group->group_lock);
 }
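Review bot: moving the `if (device->open_count == 0) vfio_device_put_kvm(device);` check above vfio_df_close() changes the normal (IOMMU-backed) last-close path: open_count is still 1 when the check runs and only drops to 0 inside vfio_df_close(), so vfio_device_put_kvm() is no longer called on the last close and the kvm reference is leaked. Keep the put after the close and add only the no-IOMMU guard around vfio_df_close(). The commit message also says the patch "adds checks for no-iommu mode and open_count", but the hunk adds one check and relocates the existing open_count one; the message should describe what the hunk actually does.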
-- 
2.34.1



* [PATCH 2/2] vfio: Prevent open_count decrement to negative
  2025-06-02 23:43 [PATCH 1/2] vfio: Fix unbalanced vfio_df_close call in no-iommu mode Jacob Pan
@ 2025-06-02 23:43 ` Jacob Pan
  2025-06-02 23:49 ` [PATCH 1/2] vfio: Fix unbalanced vfio_df_close call in no-iommu mode Jason Gunthorpe
  1 sibling, 0 replies; 7+ messages in thread
From: Jacob Pan @ 2025-06-02 23:43 UTC (permalink / raw)
  To: linux-kernel, iommu@lists.linux.dev, Alex Williamson, Liu, Yi L,
	jgg@nvidia.com, Jacob Pan
  Cc: Zhang Yu, Easwar Hariharan, Saurabh Sengar

When vfio_df_close() is called with open_count=0, it triggers a warning in
vfio_assert_device_open() but still decrements open_count to -1. This allows
a subsequent open to incorrectly pass the open_count == 0 check, leading to
unintended behavior, such as setting df->access_granted = true.

For example, running an IOMMUFD compat no-IOMMU device with VFIO tests
(https://github.com/awilliam/tests/blob/master/vfio-noiommu-pci-device-open.c)
results in a warning and a failed VFIO_GROUP_GET_DEVICE_FD ioctl on the first
run, but the second run succeeds incorrectly.

Add checks to avoid decrementing open_count below zero.

Signed-off-by: Jacob Pan <jacob.pan@linux.microsoft.com>
---
 drivers/vfio/vfio_main.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/vfio/vfio_main.c b/drivers/vfio/vfio_main.c
index 1fd261efc582..5046cae05222 100644
--- a/drivers/vfio/vfio_main.c
+++ b/drivers/vfio/vfio_main.c
@@ -583,7 +583,8 @@ void vfio_df_close(struct vfio_device_file *df)
 
 	lockdep_assert_held(&device->dev_set->lock);
 
-	vfio_assert_device_open(device);
+	if (!vfio_assert_device_open(device))
+		return;
 	if (device->open_count == 1)
 		vfio_df_device_last_close(df);
 	device->open_count--;
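Review bot: with 1/2 of this series (just above) skipping vfio_df_close() for no-IOMMU devices in vfio_df_group_close(), the trigger described in this commit message no longer reaches this function, so the guard is defense in depth: it stops an unbalanced caller from corrupting open_count, while the warning in vfio_assert_device_open() remains the only signal that such a caller exists. Worth stating that in the message, and worth keeping the series order as is, since applying 2/2 alone would hide the counter corruption but not the failed VFIO_GROUP_GET_DEVICE_FD ioctl on the first run.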
-- 
2.34.1



* Re: [PATCH 1/2] vfio: Fix unbalanced vfio_df_close call in no-iommu mode
  2025-06-02 23:43 [PATCH 1/2] vfio: Fix unbalanced vfio_df_close call in no-iommu mode Jacob Pan
  2025-06-02 23:43 ` [PATCH 2/2] vfio: Prevent open_count decrement to negative Jacob Pan
@ 2025-06-02 23:49 ` Jason Gunthorpe
  2025-06-03 15:25   ` Jacob Pan
  1 sibling, 1 reply; 7+ messages in thread
From: Jason Gunthorpe @ 2025-06-02 23:49 UTC (permalink / raw)
  To: Jacob Pan
  Cc: linux-kernel, iommu@lists.linux.dev, Alex Williamson, Liu, Yi L,
	Zhang Yu, Easwar Hariharan, Saurabh Sengar

On Mon, Jun 02, 2025 at 04:43:18PM -0700, Jacob Pan wrote:
> For no-iommu enabled devices working under IOMMUFD VFIO compat mode, the
> group open path does not call vfio_df_open() and the open_count is 0. So
> calling vfio_df_close() in the group close path will trigger a warning in
> vfio_assert_device_open(device).
> 
> E.g., the following warning can be seen by running the VFIO test.
> https://github.com/awilliam/tests/blob/master/vfio-noiommu-pci-device-open.c
> CONFIG_VFIO_CONTAINER = n
> [   29.094781] vfio-pci 0000:02:01.0: vfio-noiommu device opened by user (vfio-noiommu-pc:164)
> Failed to get device info
> [   29.096540] ------------[ cut here ]------------
> [   29.096616] WARNING: CPU: 1 PID: 164 at drivers/vfio/vfio_main.c:487 vfio_df_close+0xac/0xb4
> 
> This patch adds checks for no-iommu mode and open_count to skip calling vfio_df_close.
> 
> Signed-off-by: Jacob Pan <jacob.pan@linux.microsoft.com>
> ---
>  drivers/vfio/group.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)

Did you mean to resend the original version?

Jason


* Re: [PATCH 1/2] vfio: Fix unbalanced vfio_df_close call in no-iommu mode
  2025-06-02 23:49 ` [PATCH 1/2] vfio: Fix unbalanced vfio_df_close call in no-iommu mode Jason Gunthorpe
@ 2025-06-03 15:25   ` Jacob Pan
  0 siblings, 0 replies; 7+ messages in thread
From: Jacob Pan @ 2025-06-03 15:25 UTC (permalink / raw)
  To: Jason Gunthorpe
  Cc: linux-kernel, iommu@lists.linux.dev, Alex Williamson, Liu, Yi L,
	Zhang Yu, Easwar Hariharan, Saurabh Sengar, jacob.pan

Hi Jason,

On Mon, 2 Jun 2025 20:49:03 -0300
Jason Gunthorpe <jgg@nvidia.com> wrote:

> On Mon, Jun 02, 2025 at 04:43:18PM -0700, Jacob Pan wrote:
> > For no-iommu enabled devices working under IOMMUFD VFIO compat
> > mode, the group open path does not call vfio_df_open() and the
> > open_count is 0. So calling vfio_df_close() in the group close path
> > will trigger a warning in vfio_assert_device_open(device).
> > 
> > E.g., the following warning can be seen by running the VFIO test.
> > https://github.com/awilliam/tests/blob/master/vfio-noiommu-pci-device-open.c
> > CONFIG_VFIO_CONTAINER = n
> > [   29.094781] vfio-pci 0000:02:01.0: vfio-noiommu device opened by
> > user (vfio-noiommu-pc:164) Failed to get device info
> > [   29.096540] ------------[ cut here ]------------
> > [   29.096616] WARNING: CPU: 1 PID: 164 at
> > drivers/vfio/vfio_main.c:487 vfio_df_close+0xac/0xb4
> > 
> > This patch adds checks for no-iommu mode and open_count to skip
> > calling vfio_df_close.
> > 
> > Signed-off-by: Jacob Pan <jacob.pan@linux.microsoft.com>
> > ---
> >  drivers/vfio/group.c | 7 ++++---
> >  1 file changed, 4 insertions(+), 3 deletions(-)  
> 
> Did you mean to resend the original version?
My mistake, just sent v2.

Thanks!

Jacob



