From: sashiko-bot@kernel.org
To: "Guanghui Feng" <guanghuifeng@linux.alibaba.com>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH v3 01/32] iommu: introduce iova_to_phys_length in iommu_domain_ops
Date: Wed, 03 Jun 2026 15:38:55 +0000 [thread overview]
Message-ID: <20260603153856.491841F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260603151804.1963871-2-guanghuifeng@linux.alibaba.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] The iova_to_phys_length callback API lacks error-value documentation, leading to implementations returning 0 on error instead of PHYS_ADDR_MAX, causing critical security issues when physical page 0 is wrongly unpinned.
--
commit 9607eab32e3052be526d8972c7af679e0ea36c75
Author: Guanghui Feng <guanghuifeng@linux.alibaba.com>
iommu: introduce iova_to_phys_length in iommu_domain_ops
This commit introduces a new iova_to_phys_length callback in
iommu_domain_ops and a corresponding iommu_iova_to_phys_length() core
function. The callback allows returning both the physical address and the
PTE mapping page size in a single page table walk. Callers like VFIO can
use this to traverse IOVA space more efficiently.
> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
> index d1a9e713d3a05..320ea13488e7b 100644
> --- a/drivers/iommu/iommu.c
> +++ b/drivers/iommu/iommu.c
[ ... ]
> @@ -2545,15 +2545,55 @@ void iommu_detach_group(struct iommu_domain *domain, struct iommu_group *group)
> }
> EXPORT_SYMBOL_GPL(iommu_detach_group);
>
> -phys_addr_t iommu_iova_to_phys(struct iommu_domain *domain, dma_addr_t iova)
> +/**
> + * iommu_iova_to_phys_length - Translate IOVA and return mapping page size
> + * @domain: IOMMU domain to query
> + * @iova: IO virtual address to translate
> + * @mapped_length: Output parameter for the PTE page size (e.g. 4KB/2MB/1GB)
> + *
> + * Like iommu_iova_to_phys() but additionally returns the page size of the
> + * PTE mapping at @iova through @mapped_length.
> + *
> + * Return: The physical address for the given IOVA, or PHYS_ADDR_MAX if no
> + * translation exists.
> + */
> +phys_addr_t iommu_iova_to_phys_length(struct iommu_domain *domain,
> + dma_addr_t iova,
> + size_t *mapped_length)
> {
> - if (domain->type == IOMMU_DOMAIN_IDENTITY)
> + phys_addr_t phys;
> +
> + if (domain->type == IOMMU_DOMAIN_IDENTITY) {
> + if (mapped_length)
> + *mapped_length = PAGE_SIZE;
> return iova;
> + }
>
> - if (domain->type == IOMMU_DOMAIN_BLOCKED)
> - return 0;
> + if (mapped_length)
> + *mapped_length = 0;
> +
> + if (domain->ops->iova_to_phys_length)
> + return domain->ops->iova_to_phys_length(domain, iova, mapped_length);
[Severity: Critical]
Does this code handle failures correctly if the driver returns 0 on error?
The documentation for iommu_iova_to_phys_length() states that it returns
PHYS_ADDR_MAX if no translation exists. However, if the underlying driver
incorrectly returns 0 on failure, this wrapper directly propagates that 0.
If callers like VFIO check for PHYS_ADDR_MAX to detect errors, they will
assume 0 is a valid physical address. This can lead to unmapping and
unpinning physical PFN 0, which corrupts page refcounts and can result in
use-after-free vulnerabilities.
Could we sanitize the return value here?
> diff --git a/include/linux/iommu.h b/include/linux/iommu.h
> index bf8a77a164e4d..29c7c042d400d 100644
> --- a/include/linux/iommu.h
> +++ b/include/linux/iommu.h
[ ... ]
> @@ -804,6 +807,9 @@ struct iommu_domain_ops {
>
> phys_addr_t (*iova_to_phys)(struct iommu_domain *domain,
> dma_addr_t iova);
> + phys_addr_t (*iova_to_phys_length)(struct iommu_domain *domain,
> + dma_addr_t iova,
> + size_t *mapped_length);
[Severity: Critical]
Could we add documentation specifying the error return value for this new
callback?
Since legacy iova_to_phys implementations often returned 0 on error, drivers
implementing this new callback might also return 0 instead of PHYS_ADDR_MAX
on failure.
For example, arm_smmu_iova_to_phys_hard() defaults its address variable to 0
on translation faults.
Additionally, drivers might fail to set mapped_length on success, which
can cause kernel warnings in callers like VFIO and iommufd.
Explicitly documenting the expectations for mapped_length and the return
value on failure (PHYS_ADDR_MAX) might prevent these driver implementation
errors.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260603151804.1963871-1-guanghuifeng@linux.alibaba.com?part=1
next prev parent reply other threads:[~2026-06-03 15:38 UTC|newest]
Thread overview: 145+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-29 7:09 [RFC PATCH] Optimize VFIO and IOMMU mapping traversal Guanghui Feng
2026-05-29 7:52 ` sashiko-bot
2026-05-29 11:51 ` Jason Gunthorpe
2026-05-31 9:36 ` [PATCH 0/9] iommu: introduce iova_to_phys_length for efficient IOVA-to-physical translation Guanghui Feng
2026-05-31 9:36 ` [PATCH 1/9] iommu: introduce iova_to_phys_length in iommu_domain_ops Guanghui Feng
2026-05-31 9:54 ` sashiko-bot
2026-05-31 23:51 ` Jason Gunthorpe
2026-06-01 8:41 ` guanghuifeng
2026-06-01 13:43 ` Jason Gunthorpe
2026-06-01 14:14 ` guanghuifeng
2026-06-01 14:31 ` Jason Gunthorpe
2026-05-31 9:36 ` [PATCH 2/9] iommu/io-pgtable: introduce iova_to_phys_length in io_pgtable_ops Guanghui Feng
2026-05-31 10:03 ` sashiko-bot
2026-05-31 9:36 ` [PATCH 3/9] iommu/generic_pt: implement iova_to_phys_length Guanghui Feng
2026-05-31 10:12 ` sashiko-bot
2026-05-31 23:54 ` Jason Gunthorpe
2026-06-01 9:23 ` guanghuifeng
2026-06-01 14:24 ` guanghuifeng
2026-06-01 14:32 ` Jason Gunthorpe
2026-06-02 7:20 ` guanghuifeng
2026-06-02 12:32 ` Jason Gunthorpe
2026-05-31 9:36 ` [PATCH 4/9] iommu/arm-smmu: " Guanghui Feng
2026-05-31 10:22 ` sashiko-bot
2026-05-31 9:36 ` [PATCH 5/9] iommu: apple-dart/ipmmu/mtk_iommu " Guanghui Feng
2026-05-31 10:32 ` sashiko-bot
2026-05-31 9:36 ` [PATCH 6/9] iommu: direct page-table drivers " Guanghui Feng
2026-05-31 10:47 ` sashiko-bot
2026-05-31 9:36 ` [PATCH 7/9] vfio/iommufd: use iova_to_phys_length for efficient unmap Guanghui Feng
2026-05-31 11:01 ` sashiko-bot
2026-05-31 23:58 ` Jason Gunthorpe
2026-05-31 9:36 ` [PATCH 8/9] drm/gpu, iommu/io-pgtable: switch to iova_to_phys_length Guanghui Feng
2026-05-31 9:36 ` [PATCH 9/9] iommu: remove deprecated iova_to_phys from domain_ops and io_pgtable_ops Guanghui Feng
2026-05-31 11:17 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 00/30] iommu: introduce iova_to_phys_length for efficient IOVA-to-physical translation Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 01/30] iommu: introduce iova_to_phys_length in iommu_domain_ops Guanghui Feng
2026-06-02 11:05 ` sashiko-bot
2026-06-03 1:08 ` Jason Gunthorpe
2026-06-02 10:46 ` [PATCH v2 02/30] iommu/io-pgtable-arm: introduce iova_to_phys_length in io_pgtable_ops Guanghui Feng
2026-06-02 11:09 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 03/30] iommu/io-pgtable-arm-v7s: " Guanghui Feng
2026-06-02 11:02 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 04/30] iommu/io-pgtable-dart: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 05/30] iommu/generic_pt: implement iova_to_phys_length Guanghui Feng
2026-06-02 11:06 ` sashiko-bot
2026-06-03 1:11 ` Jason Gunthorpe
2026-06-02 10:46 ` [PATCH v2 06/30] iommu/arm-smmu-v3: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 07/30] iommu/arm-smmu: " Guanghui Feng
2026-06-02 11:04 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 08/30] iommu/qcom_iommu: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 09/30] iommu/apple-dart: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 10/30] iommu/ipmmu-vmsa: " Guanghui Feng
2026-06-03 1:13 ` Jason Gunthorpe
2026-06-02 10:46 ` [PATCH v2 11/30] iommu/mtk_iommu: " Guanghui Feng
2026-06-03 1:17 ` Jason Gunthorpe
2026-06-02 10:46 ` [PATCH v2 12/30] iommu/exynos: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 13/30] iommu/fsl_pamu: " Guanghui Feng
2026-06-02 11:02 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 14/30] iommu/msm: " Guanghui Feng
2026-06-02 11:04 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 15/30] iommu/mtk_v1: " Guanghui Feng
2026-06-02 11:12 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 16/30] iommu/omap: " Guanghui Feng
2026-06-02 11:09 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 17/30] iommu/rockchip: " Guanghui Feng
2026-06-02 11:03 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 18/30] iommu/s390: " Guanghui Feng
2026-06-02 11:10 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 19/30] iommu/sprd: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 20/30] iommu/sun50i: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 21/30] iommu/tegra-smmu: " Guanghui Feng
2026-06-02 11:10 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 22/30] iommu/virtio: " Guanghui Feng
2026-06-02 11:15 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 23/30] vfio/iommufd: use iova_to_phys_length for efficient unmap Guanghui Feng
2026-06-02 11:16 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 24/30] drm/panfrost: switch to iova_to_phys_length Guanghui Feng
2026-06-02 11:14 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 25/30] drm/panthor: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 26/30] iommu/io-pgtable: selftests " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 27/30] iommu/io-pgtable-arm: remove deprecated iova_to_phys wrapper Guanghui Feng
2026-06-02 13:22 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 28/30] iommu/io-pgtable-arm-v7s: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 29/30] iommu/io-pgtable-dart: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 30/30] iommu: remove iova_to_phys from domain_ops and io_pgtable_ops Guanghui Feng
2026-06-02 11:16 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 00/32] iommu: introduce iova_to_phys_length and remove iova_to_phys Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 01/32] iommu: introduce iova_to_phys_length in iommu_domain_ops Guanghui Feng
2026-06-03 15:38 ` sashiko-bot [this message]
2026-06-04 2:44 ` Baolu Lu
2026-06-04 14:16 ` Jason Gunthorpe
2026-06-03 15:17 ` [PATCH v3 02/32] iommu/io-pgtable-arm: introduce iova_to_phys_length in io_pgtable_ops Guanghui Feng
2026-06-03 15:35 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 03/32] iommu/io-pgtable-arm-v7s: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 04/32] iommu/io-pgtable-dart: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 05/32] iommu/generic_pt: implement iova_to_phys_length Guanghui Feng
2026-06-03 15:39 ` sashiko-bot
2026-06-04 3:30 ` Baolu Lu
2026-06-04 14:12 ` Jason Gunthorpe
2026-06-03 15:17 ` [PATCH v3 06/32] iommu/arm-smmu-v3: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 07/32] iommu/arm-smmu: " Guanghui Feng
2026-06-03 15:42 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 08/32] iommu/qcom_iommu: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 09/32] iommu/apple-dart: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 10/32] iommu/ipmmu-vmsa: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 11/32] iommu/mtk_iommu: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 12/32] iommu/exynos: " Guanghui Feng
2026-06-03 15:46 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 13/32] iommu/fsl_pamu: " Guanghui Feng
2026-06-03 15:48 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 14/32] iommu/msm: " Guanghui Feng
2026-06-03 15:51 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 15/32] iommu/mtk_v1: " Guanghui Feng
2026-06-03 15:58 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 16/32] iommu/omap: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 17/32] iommu/rockchip: " Guanghui Feng
2026-06-03 15:53 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 18/32] iommu/s390: " Guanghui Feng
2026-06-03 16:03 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 19/32] iommu/sprd: " Guanghui Feng
2026-06-03 15:57 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 20/32] iommu/sun50i: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 21/32] iommu/tegra-smmu: " Guanghui Feng
2026-06-03 16:04 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 22/32] iommu/virtio: " Guanghui Feng
2026-06-03 16:10 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 23/32] vfio: use iova_to_phys_length for efficient unmap Guanghui Feng
2026-06-03 16:14 ` sashiko-bot
2026-06-04 14:27 ` Jason Gunthorpe
2026-06-03 15:17 ` [PATCH v3 24/32] iommufd: " Guanghui Feng
2026-06-03 16:14 ` sashiko-bot
2026-06-04 14:26 ` Jason Gunthorpe
2026-06-03 15:17 ` [PATCH v3 25/32] iommufd/selftest: switch to iommu_iova_to_phys_length Guanghui Feng
2026-06-03 16:17 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 26/32] drm/panfrost: switch to iova_to_phys_length Guanghui Feng
2026-06-03 16:13 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 27/32] drm/panthor: " Guanghui Feng
2026-06-03 16:16 ` sashiko-bot
2026-06-03 15:18 ` [PATCH v3 28/32] iommu/io-pgtable: selftests " Guanghui Feng
2026-06-03 15:18 ` [PATCH v3 29/32] iommu/io-pgtable-arm: remove deprecated iova_to_phys wrapper Guanghui Feng
2026-06-03 16:32 ` sashiko-bot
2026-06-03 15:18 ` [PATCH v3 30/32] iommu/io-pgtable-arm-v7s: " Guanghui Feng
2026-06-03 16:31 ` sashiko-bot
2026-06-03 15:18 ` [PATCH v3 31/32] iommu/io-pgtable-dart: " Guanghui Feng
2026-06-03 15:18 ` [PATCH v3 32/32] iommu: remove iova_to_phys from domain_ops and io_pgtable_ops Guanghui Feng
2026-06-03 16:26 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260603153856.491841F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=guanghuifeng@linux.alibaba.com \
--cc=kvm@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.