From: Baolu Lu <baolu.lu@linux.intel.com>
To: Yi Liu <yi.l.liu@intel.com>, Jason Gunthorpe <jgg@nvidia.com>
Cc: baolu.lu@linux.intel.com, joro@8bytes.org,
alex.williamson@redhat.com, kevin.tian@intel.com,
robin.murphy@arm.com, cohuck@redhat.com, eric.auger@redhat.com,
nicolinc@nvidia.com, kvm@vger.kernel.org, mjrosato@linux.ibm.com,
chao.p.peng@linux.intel.com, yi.y.sun@linux.intel.com,
peterx@redhat.com, jasowang@redhat.com,
shameerali.kolothum.thodi@huawei.com, lulu@redhat.com,
suravee.suthikulpanit@amd.com, iommu@lists.linux.dev,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
zhenzhong.duan@intel.com, joao.m.martins@oracle.com,
xin.zeng@intel.com, yan.y.zhao@intel.com, j.granados@samsung.com
Subject: Re: [PATCH v10 10/10] iommu/vt-d: Add iotlb flush for nested domain
Date: Wed, 3 Jan 2024 11:06:19 +0800
Message-ID: <7486492a-d6ca-425d-9fbe-87107dbbecea@linux.intel.com>
In-Reply-To: <ae271e08-f390-4ce7-914c-63668a46bc4b@intel.com>

On 2024/1/3 9:33, Yi Liu wrote:
> On 2024/1/3 02:44, Jason Gunthorpe wrote:
>> On Tue, Jan 02, 2024 at 06:38:34AM -0800, Yi Liu wrote:
>>
>>> +static void intel_nested_flush_cache(struct dmar_domain *domain, u64
>>> addr,
>>> + unsigned long npages, bool ih, u32 *error)
>>> +{
>>> + struct iommu_domain_info *info;
>>> + unsigned long i;
>>> + unsigned mask;
>>> + u32 fault;
>>> +
>>> + xa_for_each(&domain->iommu_array, i, info)
>>> + qi_flush_piotlb(info->iommu,
>>> + domain_id_iommu(domain, info->iommu),
>>> + IOMMU_NO_PASID, addr, npages, ih, NULL);
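Review bot: In the xa_for_each() loop, qi_flush_piotlb() is called with NULL as its last argument even though this function takes u32 *error and declares a local u32 fault, so in the lines shown nothing from this flush reaches the caller. If that argument is the fault output and dropping it is intentional, a short comment saying so would help; otherwise pass &fault and fold it into *error. Separately, "unsigned mask;" should be spelled "unsigned int mask;" to match kernel coding style.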
>>
>> This locking on the xarray is messed up throughout the driver. There
>> could be a concurrent detach at this point which will free info and
>> UAF this.
>
> hmmm, xa_for_each() takes and releases rcu lock, and according to the
> domain_detach_iommu(), info is freed after xa_erase(). For an existing
> info stored in xarray, xa_erase() should return after rcu lock is released.
> is it? Any idea? @Baolu

I once thought locking for xarray is self-contained. I need more thought
on this before taking further action.

Best regards,
baolu