From: Jason Gunthorpe <jgg@nvidia.com>
To: Nicolin Chen <nicolinc@nvidia.com>
Cc: iommu@lists.linux.dev, Joerg Roedel <joro@8bytes.org>,
	Kevin Tian <kevin.tian@intel.com>,
	linux-kselftest@vger.kernel.org,
	Robin Murphy <robin.murphy@arm.com>,
	Shuah Khan <shuah@kernel.org>, Will Deacon <will@kernel.org>,
	Lu Baolu <baolu.lu@linux.intel.com>,
	patches@lists.linux.dev,
	syzbot+80620e2d0d0a33b09f93@syzkaller.appspotmail.com
Subject: Re: [PATCH 2/3] iommufd: WARN if an object is aborted with an elevated refcount
Date: Thu, 18 Sep 2025 11:47:37 -0300
Message-ID: <20250918144737.GO1391379@nvidia.com>
In-Reply-To: <aMuiR791LkEybdAa@Asurada-Nvidia>

On Wed, Sep 17, 2025 at 11:10:15PM -0700, Nicolin Chen wrote:
> On Wed, Sep 17, 2025 at 05:01:48PM -0300, Jason Gunthorpe wrote:
> > If something holds a refcount then it is at risk of UAFing. For abort
> > paths we expect the caller to never share the object with a parallel
> > thread and to clean up any refcounts it obtained on its own.
> > 
> > Add the missing dec inside iommufd_hwpt_paging_alloc()during error unwind
> 
> Space between "()" and "during"
> 
> And I don't see this patch touch iommufd_hwpt_paging_alloc(). Is
> that the iommufd_object_abort() part with the WARN_ON?

iommufd_hwpt_paging_alloc() calls iommufd_hw_pagetable_detach() so
this change gives it a put that it didn't have.

> > diff --git a/drivers/iommu/iommufd/iommufd_private.h b/drivers/iommu/iommufd/iommufd_private.h
> > index 0da2a81eedfa8b..627f9b78483a0e 100644
> > --- a/drivers/iommu/iommufd/iommufd_private.h
> > +++ b/drivers/iommu/iommufd/iommufd_private.h
> > @@ -454,9 +454,8 @@ static inline void iommufd_hw_pagetable_put(struct iommufd_ctx *ictx,
> >  	if (hwpt->obj.type == IOMMUFD_OBJ_HWPT_PAGING) {
> >  		struct iommufd_hwpt_paging *hwpt_paging = to_hwpt_paging(hwpt);
> >  
> > -		lockdep_assert_not_held(&hwpt_paging->ioas->mutex);
> > -
> >  		if (hwpt_paging->auto_domain) {
> > +			lockdep_assert_not_held(&hwpt_paging->ioas->mutex);
> >  			iommufd_object_put_and_try_destroy(ictx, &hwpt->obj);
> >  			return;
> >  		}
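Review bot: the relocated lockdep_assert_not_held(&hwpt_paging->ioas->mutex) inside the if (hwpt_paging->auto_domain) block has no comment saying why only that branch must run without ioas->mutex held. A one-line comment above it, stating what in the auto_domain path requires the mutex to be released and that other callers of iommufd_hw_pagetable_put() may hold it, would keep a later cleanup from hoisting the assertion back to the top of the HWPT_PAGING block.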
> 
> Hmm, this patch doesn't change the scope of ioas-mutex?

iommufd_hwpt_paging_alloc() now calls this and it knows it doesn't
pass an auto_domain but it is already under the ioas->mutex in its
callchain.

Jason
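
The refcount rule discussed in this thread, as a userspace model added here (it is not code from the patch or from iommufd): an abort path that frees unconditionally flags any reference the error unwind forgot to drop. All names are hypothetical, and the model assumes the attach step is what takes the extra reference.

```c
/* Userspace model, constructed for illustration; every name is hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

struct obj {
	atomic_int users;	/* references held beyond the creator's own */
};

static int abort_warnings;	/* stands in for the WARN in the abort path */

/* Abort frees unconditionally, so a reference still held would dangle. */
static void obj_abort(struct obj *o)
{
	if (atomic_load(&o->users) != 0)
		abort_warnings++;
	free(o);
}

/* Assumption: attaching is what takes the extra reference. */
static void obj_attach(struct obj *o)
{
	atomic_fetch_add(&o->users, 1);
}

static void obj_detach(struct obj *o, bool drop_ref)
{
	if (drop_ref)
		atomic_fetch_sub(&o->users, 1);
}

/* Allocation that fails after attach; returns warnings raised by the unwind. */
static int alloc_then_fail(bool detach_drops_ref)
{
	int before = abort_warnings;
	struct obj *o = malloc(sizeof(*o));

	if (!o)
		return -1;
	atomic_init(&o->users, 0);
	obj_attach(o);
	/* ... a later allocation step fails here, so unwind ... */
	obj_detach(o, detach_drops_ref);
	obj_abort(o);
	return abort_warnings - before;
}
```

With `detach_drops_ref` false the unwind reaches abort with the reference still counted and the check fires; with it true the unwind is balanced and abort is silent.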
