From: Leon Romanovsky <leon@kernel.org>
To: Alex Williamson <alex@shazbot.org>
Cc: "Bjorn Helgaas" <bhelgaas@google.com>,
"Logan Gunthorpe" <logang@deltatee.com>,
"Jens Axboe" <axboe@kernel.dk>,
"Robin Murphy" <robin.murphy@arm.com>,
"Joerg Roedel" <joro@8bytes.org>, "Will Deacon" <will@kernel.org>,
"Marek Szyprowski" <m.szyprowski@samsung.com>,
"Jason Gunthorpe" <jgg@ziepe.ca>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Jonathan Corbet" <corbet@lwn.net>,
"Sumit Semwal" <sumit.semwal@linaro.org>,
"Christian König" <christian.koenig@amd.com>,
"Kees Cook" <kees@kernel.org>,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
"Ankit Agrawal" <ankita@nvidia.com>,
"Yishai Hadas" <yishaih@nvidia.com>,
"Shameer Kolothum" <skolothumtho@nvidia.com>,
"Kevin Tian" <kevin.tian@intel.com>,
"Krishnakant Jaju" <kjaju@nvidia.com>,
"Matt Ochs" <mochs@nvidia.com>,
linux-pci@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-block@vger.kernel.org, iommu@lists.linux.dev,
linux-mm@kvack.org, linux-doc@vger.kernel.org,
linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org,
linaro-mm-sig@lists.linaro.org, kvm@vger.kernel.org,
linux-hardening@vger.kernel.org,
"Vivek Kasireddy" <vivek.kasireddy@intel.com>
Subject: Re: [PATCH v9 10/11] vfio/pci: Add dma-buf export support for MMIO regions
Date: Fri, 21 Nov 2025 09:42:03 +0200
Message-ID: <20251121074203.GX18335@unreal>
In-Reply-To: <20251120170413.050ccbb5.alex@shazbot.org>
On Thu, Nov 20, 2025 at 05:04:13PM -0700, Alex Williamson wrote:
> On Thu, 20 Nov 2025 11:28:29 +0200
> Leon Romanovsky <leon@kernel.org> wrote:
> > diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
> > index 142b84b3f225..51a3bcc26f8b 100644
> > --- a/drivers/vfio/pci/vfio_pci_core.c
> > +++ b/drivers/vfio/pci/vfio_pci_core.c
> ...
> > @@ -2487,8 +2500,11 @@ static int vfio_pci_dev_set_hot_reset(struct vfio_device_set *dev_set,
> >
> > err_undo:
> > list_for_each_entry_from_reverse(vdev, &dev_set->device_list,
> > - vdev.dev_set_list)
> > + vdev.dev_set_list) {
> > + if (__vfio_pci_memory_enabled(vdev))
> > + vfio_pci_dma_buf_move(vdev, false);
> > up_write(&vdev->memory_lock);
> > + }
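Review bot: In the err_undo loop, `__vfio_pci_memory_enabled(vdev)` is now called for every device left in `dev_set->device_list`, with nothing in the hunk checking that the device is in a state where the helper can be called safely. If the set can hold devices the user never opened, the helper's read of per-open state needs a guard at this call, for example a test of the device's open count before it. A one-line comment saying why the `vfio_pci_dma_buf_move(vdev, false)` call is conditional on memory being enabled would also help the next reader of this error path.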
>
> I ran into a bug here. In the hot reset path we can have dev_sets
> where one or more devices are not opened by the user. The vconfig
> buffer for the device is established on open. However:
>
> bool __vfio_pci_memory_enabled(struct vfio_pci_core_device *vdev)
> {
> 	struct pci_dev *pdev = vdev->pdev;
> 	u16 cmd = le16_to_cpu(*(__le16 *)&vdev->vconfig[PCI_COMMAND]);
> ...
>
> Leads to a NULL pointer dereference.
>
> I think the most straightforward fix is simply to test the open_count
> on the vfio_device, which is also protected by the dev_set->lock that
> we already hold here:
>
> --- a/drivers/vfio/pci/vfio_pci_core.c
> +++ b/drivers/vfio/pci/vfio_pci_core.c
> @@ -2501,7 +2501,7 @@ static int vfio_pci_dev_set_hot_reset(struct vfio_device_set *dev_set,
> err_undo:
> list_for_each_entry_from_reverse(vdev, &dev_set->device_list,
> vdev.dev_set_list) {
> - if (__vfio_pci_memory_enabled(vdev))
> + if (vdev->vdev.open_count && __vfio_pci_memory_enabled(vdev))
> vfio_pci_dma_buf_move(vdev, false);
> up_write(&vdev->memory_lock);
> }
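Review bot: The new `vdev->vdev.open_count` test in the err_undo condition relies on two things that are not visible at the call site: that `dev_set->lock` is held here, and that `vconfig` only exists after open. Add a short comment above the `if` stating that unopened devices in the set have no vconfig, and consider a `lockdep_assert_held(&dev_set->lock)` in this function so the locking assumption is checked. It is also worth considering whether the guard belongs inside `__vfio_pci_memory_enabled()` itself, so that any other caller that can see an unopened device gets the same protection.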
>
> Any other suggestions? This should be the only reset path with this
> nuance of affecting non-opened devices. Thanks,
It seems right to me.
Thanks
>
> Alex
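
The failure mode discussed in this thread, as an added userspace model (not code from the thread or from the kernel): state that is allocated only on open must not be read while walking a set that also holds never-opened devices. All `model_*` names and the `dmabuf_revoked` field are hypothetical; only the `PCI_COMMAND` offset and the memory-enable bit follow the PCI specification.

```c
#include <stdint.h>
#include <stdlib.h>
#define PCI_COMMAND        0x04	/* config-space offset of the command register */
#define PCI_COMMAND_MEMORY 0x2	/* memory space enable bit */
/* Hypothetical userspace model of one device in a reset set. */
struct model_dev {
	unsigned int open_count;	/* users holding the device open */
	uint8_t *vconfig;		/* virtual config space, NULL until open */
	int dmabuf_revoked;		/* 1 while exported buffers are revoked */
};

/* Open allocates the virtual config space and stores the command register. */
static int model_open(struct model_dev *d, uint16_t cmd)
{
	d->vconfig = calloc(256, 1);
	if (!d->vconfig)
		return -1;
	d->vconfig[PCI_COMMAND] = cmd & 0xff;	/* little-endian, low byte first */
	d->vconfig[PCI_COMMAND + 1] = cmd >> 8;
	d->open_count++;
	return 0;
}

/* Reads the command register; only valid once vconfig has been allocated. */
static int model_memory_enabled(const struct model_dev *d)
{
	uint16_t cmd = d->vconfig[PCI_COMMAND] | (d->vconfig[PCI_COMMAND + 1] << 8);
	return !!(cmd & PCI_COMMAND_MEMORY);
}

/* Undo pass over the whole set in reverse; open_count is tested first so
 * vconfig is never read for a device that was not opened. Returns the
 * number of devices whose buffers were made valid again. */
static int model_undo(struct model_dev *set, size_t n)
{
	int restored = 0;
	for (size_t i = n; i-- > 0; )
		if (set[i].open_count && model_memory_enabled(&set[i])) {
			set[i].dmabuf_revoked = 0;
			restored++;
		}
	return restored;
}

int main(void)
{
	struct model_dev set[3] = { {0, NULL, 1}, {0, NULL, 1}, {0, NULL, 1} };
	if (model_open(&set[0], PCI_COMMAND_MEMORY) || model_open(&set[2], 0))
		return 1;
	return model_undo(set, 3) == 1 ? 0 : 1;	/* set[1] was never opened */
}
```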