From: Nicolin Chen <nicolinc@nvidia.com>
To: Jason Gunthorpe <jgg@nvidia.com>
Cc: <iommu@lists.linux.dev>, Joerg Roedel <joro@8bytes.org>,
Kevin Tian <kevin.tian@intel.com>,
<linux-kselftest@vger.kernel.org>,
Robin Murphy <robin.murphy@arm.com>,
Shuah Khan <shuah@kernel.org>, Will Deacon <will@kernel.org>,
Lu Baolu <baolu.lu@linux.intel.com>, <patches@lists.linux.dev>,
<syzbot+80620e2d0d0a33b09f93@syzkaller.appspotmail.com>
Subject: Re: [PATCH 2/3] iommufd: WARN if an object is aborted with an elevated refcount
Date: Thu, 18 Sep 2025 13:49:49 -0700
Message-ID: <aMxwbQ8HTXFzXS+J@Asurada-Nvidia>
In-Reply-To: <20250918144737.GO1391379@nvidia.com>

On Thu, Sep 18, 2025 at 11:47:37AM -0300, Jason Gunthorpe wrote:
> On Wed, Sep 17, 2025 at 11:10:15PM -0700, Nicolin Chen wrote:
> > On Wed, Sep 17, 2025 at 05:01:48PM -0300, Jason Gunthorpe wrote:
> > > If something holds a refcount then it is at risk of UAFing. For abort
> > > paths we expect the caller to never share the object with a parallel
> > > thread and to clean up any refcounts it obtained on its own.
> > >
> > > Add the missing dec inside iommufd_hwpt_paging_alloc()during error unwind
> >
> > Space between "()" and "during"
> >
> > And I don't see this patch touch iommufd_hwpt_paging_alloc(). Is
> > that the iommufd_object_abort() part with the WARN_ON?
>
> iommufd_hwpt_paging_alloc() calls iommufd_hw_pagetable_detach() so
> this change gives it a put that it didn't have.

Ah, I see.

> > > diff --git a/drivers/iommu/iommufd/iommufd_private.h b/drivers/iommu/iommufd/iommufd_private.h
> > > index 0da2a81eedfa8b..627f9b78483a0e 100644
> > > --- a/drivers/iommu/iommufd/iommufd_private.h
> > > +++ b/drivers/iommu/iommufd/iommufd_private.h
> > > @@ -454,9 +454,8 @@ static inline void iommufd_hw_pagetable_put(struct iommufd_ctx *ictx,
> > > if (hwpt->obj.type == IOMMUFD_OBJ_HWPT_PAGING) {
> > > struct iommufd_hwpt_paging *hwpt_paging = to_hwpt_paging(hwpt);
> > >
> > > - lockdep_assert_not_held(&hwpt_paging->ioas->mutex);
> > > -
> > > if (hwpt_paging->auto_domain) {
> > > + lockdep_assert_not_held(&hwpt_paging->ioas->mutex);
> > > iommufd_object_put_and_try_destroy(ictx, &hwpt->obj);
> > > return;
> > > }
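
Review bot: the lockdep_assert_not_held(&hwpt_paging->ioas->mutex) that now sits under `if (hwpt_paging->auto_domain)` has no comment saying why the assertion is limited to that branch, so the locking expectation of iommufd_hw_pagetable_put() for the non-auto_domain case is undocumented. A one-line comment above the assert would help, noting that this branch calls iommufd_object_put_and_try_destroy() and that a caller without an auto_domain may already hold ioas->mutex, which is the explanation given in the replies here for iommufd_hwpt_paging_alloc().
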
> >
> > Hmm, this patch doesn't change the scope of ioas-mutex?
>
> iommufd_hwpt_paging_alloc() now calls this and it knows it doesn't
> pass an auto_domain but it is already under the ioas->mutex in its
> callchain.

I see. This part exists for iommufd_device_change_pt() calling
iommufd_device_do_replace() where auto_domain is the only case
that is ensured to not have ioas->mutex held.

Thanks
Nicolin