From: sashiko-bot@kernel.org
To: "Guanghui Feng" <guanghuifeng@linux.alibaba.com>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH 7/9] vfio/iommufd: use iova_to_phys_length for efficient unmap
Date: Sun, 31 May 2026 11:01:27 +0000 [thread overview]
Message-ID: <20260531110128.252771F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260531093637.3893199-8-guanghuifeng@linux.alibaba.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] Missing bounds check in `vfio_unmap_unpin` allows out-of-bounds unmap and unpin
--
commit 400f16aa1c5788ec3ad51067e2b226d2e48c53d6
Author: Guanghui Feng <guanghuifeng@linux.alibaba.com>
vfio/iommufd: use iova_to_phys_length for efficient unmap
Use iommu_iova_to_phys_length() to get PTE page size, allowing
traversal by actual mapping granularity instead of PAGE_SIZE steps.
> diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
> index c8151ba54de33..393f9e8f1511e 100644
> --- a/drivers/vfio/vfio_iommu_type1.c
> +++ b/drivers/vfio/vfio_iommu_type1.c
[ ... ]
> @@ -1177,25 +1177,41 @@ static long vfio_unmap_unpin(struct vfio_iommu *iommu, struct vfio_dma *dma,
[ ... ]
> /*
> * To optimize for fewer iommu_unmap() calls, each of which
> * may require hardware cache flushing, try to find the
> * largest contiguous physical memory chunk to unmap.
> + *
> + * Calculate remaining contiguous bytes within this PTE from
> + * our position, then try to join following physically
> + * contiguous PTEs.
> */
> - for (len = PAGE_SIZE; pos + len < dma->size; len += PAGE_SIZE) {
> - next = iommu_iova_to_phys(domain->domain, iova + len);
> + len = pgsize - (iova & (pgsize - 1));
[Severity: Critical]
Is it possible for the hardware PTE size to extend beyond the remaining size
of the logical DMA region?
If the IOMMU driver returns a page size that extends beyond dma->size - pos,
len is never clamped to the remaining size. This would cause len to overshoot
the region boundary.
> + for (; pos + len < dma->size; ) {
> + size_t next_pgsize;
> +
> + next = iommu_iova_to_phys_length(domain->domain,
> + iova + len,
> + &next_pgsize);
> if (next != phys + len)
> break;
> + if (!next_pgsize || next_pgsize < PAGE_SIZE)
> + next_pgsize = PAGE_SIZE;
> + len += next_pgsize;
[Severity: Critical]
Could unconditionally adding next_pgsize to len cause it to overshoot the
region boundary before the loop condition is evaluated?
If the next page size extends beyond the end of the region, len will again
overshoot the target boundary.
When an oversized len is subsequently passed to unmap_unpin_fast(), will it
unmap and drop pin references for physical memory outside the target region?
Dropping pin counts for active adjacent memory regions could corrupt page
refcounts and lead to physical use-after-free conditions.
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260531093637.3893199-1-guanghuifeng@linux.alibaba.com?part=7
next prev parent reply other threads:[~2026-05-31 11:01 UTC|newest]
Thread overview: 144+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-29 7:09 [RFC PATCH] Optimize VFIO and IOMMU mapping traversal Guanghui Feng
2026-05-29 7:52 ` sashiko-bot
2026-05-29 11:51 ` Jason Gunthorpe
2026-05-31 9:36 ` [PATCH 0/9] iommu: introduce iova_to_phys_length for efficient IOVA-to-physical translation Guanghui Feng
2026-05-31 9:36 ` [PATCH 1/9] iommu: introduce iova_to_phys_length in iommu_domain_ops Guanghui Feng
2026-05-31 9:54 ` sashiko-bot
2026-05-31 23:51 ` Jason Gunthorpe
2026-06-01 8:41 ` guanghuifeng
2026-06-01 13:43 ` Jason Gunthorpe
2026-06-01 14:14 ` guanghuifeng
2026-06-01 14:31 ` Jason Gunthorpe
2026-05-31 9:36 ` [PATCH 2/9] iommu/io-pgtable: introduce iova_to_phys_length in io_pgtable_ops Guanghui Feng
2026-05-31 10:03 ` sashiko-bot
2026-05-31 9:36 ` [PATCH 3/9] iommu/generic_pt: implement iova_to_phys_length Guanghui Feng
2026-05-31 10:12 ` sashiko-bot
2026-05-31 23:54 ` Jason Gunthorpe
2026-06-01 9:23 ` guanghuifeng
[not found] ` <fa924b86-1ca9-4819-8330-0d5f6ede8923@linux.alibaba.com>
2026-06-01 14:32 ` Jason Gunthorpe
2026-06-02 7:20 ` guanghuifeng
2026-06-02 12:32 ` Jason Gunthorpe
2026-05-31 9:36 ` [PATCH 4/9] iommu/arm-smmu: " Guanghui Feng
2026-05-31 10:22 ` sashiko-bot
2026-05-31 9:36 ` [PATCH 5/9] iommu: apple-dart/ipmmu/mtk_iommu " Guanghui Feng
2026-05-31 10:32 ` sashiko-bot
2026-05-31 9:36 ` [PATCH 6/9] iommu: direct page-table drivers " Guanghui Feng
2026-05-31 10:47 ` sashiko-bot
2026-05-31 9:36 ` [PATCH 7/9] vfio/iommufd: use iova_to_phys_length for efficient unmap Guanghui Feng
2026-05-31 11:01 ` sashiko-bot [this message]
2026-05-31 23:58 ` Jason Gunthorpe
2026-05-31 9:36 ` [PATCH 8/9] drm/gpu, iommu/io-pgtable: switch to iova_to_phys_length Guanghui Feng
2026-05-31 9:36 ` [PATCH 9/9] iommu: remove deprecated iova_to_phys from domain_ops and io_pgtable_ops Guanghui Feng
2026-05-31 11:17 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 00/30] iommu: introduce iova_to_phys_length for efficient IOVA-to-physical translation Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 01/30] iommu: introduce iova_to_phys_length in iommu_domain_ops Guanghui Feng
2026-06-02 11:05 ` sashiko-bot
2026-06-03 1:08 ` Jason Gunthorpe
2026-06-02 10:46 ` [PATCH v2 02/30] iommu/io-pgtable-arm: introduce iova_to_phys_length in io_pgtable_ops Guanghui Feng
2026-06-02 11:09 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 03/30] iommu/io-pgtable-arm-v7s: " Guanghui Feng
2026-06-02 11:02 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 04/30] iommu/io-pgtable-dart: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 05/30] iommu/generic_pt: implement iova_to_phys_length Guanghui Feng
2026-06-02 11:06 ` sashiko-bot
2026-06-03 1:11 ` Jason Gunthorpe
2026-06-02 10:46 ` [PATCH v2 06/30] iommu/arm-smmu-v3: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 07/30] iommu/arm-smmu: " Guanghui Feng
2026-06-02 11:04 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 08/30] iommu/qcom_iommu: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 09/30] iommu/apple-dart: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 10/30] iommu/ipmmu-vmsa: " Guanghui Feng
2026-06-03 1:13 ` Jason Gunthorpe
2026-06-02 10:46 ` [PATCH v2 11/30] iommu/mtk_iommu: " Guanghui Feng
2026-06-03 1:17 ` Jason Gunthorpe
2026-06-02 10:46 ` [PATCH v2 12/30] iommu/exynos: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 13/30] iommu/fsl_pamu: " Guanghui Feng
2026-06-02 11:02 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 14/30] iommu/msm: " Guanghui Feng
2026-06-02 11:04 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 15/30] iommu/mtk_v1: " Guanghui Feng
2026-06-02 11:12 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 16/30] iommu/omap: " Guanghui Feng
2026-06-02 11:09 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 17/30] iommu/rockchip: " Guanghui Feng
2026-06-02 11:03 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 18/30] iommu/s390: " Guanghui Feng
2026-06-02 11:10 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 19/30] iommu/sprd: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 20/30] iommu/sun50i: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 21/30] iommu/tegra-smmu: " Guanghui Feng
2026-06-02 11:10 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 22/30] iommu/virtio: " Guanghui Feng
2026-06-02 11:15 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 23/30] vfio/iommufd: use iova_to_phys_length for efficient unmap Guanghui Feng
2026-06-02 11:16 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 24/30] drm/panfrost: switch to iova_to_phys_length Guanghui Feng
2026-06-02 11:14 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 25/30] drm/panthor: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 26/30] iommu/io-pgtable: selftests " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 27/30] iommu/io-pgtable-arm: remove deprecated iova_to_phys wrapper Guanghui Feng
2026-06-02 13:22 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 28/30] iommu/io-pgtable-arm-v7s: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 29/30] iommu/io-pgtable-dart: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 30/30] iommu: remove iova_to_phys from domain_ops and io_pgtable_ops Guanghui Feng
2026-06-02 11:16 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 00/32] iommu: introduce iova_to_phys_length and remove iova_to_phys Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 01/32] iommu: introduce iova_to_phys_length in iommu_domain_ops Guanghui Feng
2026-06-03 15:38 ` sashiko-bot
2026-06-04 2:44 ` Baolu Lu
2026-06-04 14:16 ` Jason Gunthorpe
2026-06-03 15:17 ` [PATCH v3 02/32] iommu/io-pgtable-arm: introduce iova_to_phys_length in io_pgtable_ops Guanghui Feng
2026-06-03 15:35 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 03/32] iommu/io-pgtable-arm-v7s: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 04/32] iommu/io-pgtable-dart: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 05/32] iommu/generic_pt: implement iova_to_phys_length Guanghui Feng
2026-06-03 15:39 ` sashiko-bot
2026-06-04 3:30 ` Baolu Lu
2026-06-04 14:12 ` Jason Gunthorpe
2026-06-03 15:17 ` [PATCH v3 06/32] iommu/arm-smmu-v3: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 07/32] iommu/arm-smmu: " Guanghui Feng
2026-06-03 15:42 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 08/32] iommu/qcom_iommu: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 09/32] iommu/apple-dart: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 10/32] iommu/ipmmu-vmsa: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 11/32] iommu/mtk_iommu: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 12/32] iommu/exynos: " Guanghui Feng
2026-06-03 15:46 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 13/32] iommu/fsl_pamu: " Guanghui Feng
2026-06-03 15:48 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 14/32] iommu/msm: " Guanghui Feng
2026-06-03 15:51 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 15/32] iommu/mtk_v1: " Guanghui Feng
2026-06-03 15:58 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 16/32] iommu/omap: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 17/32] iommu/rockchip: " Guanghui Feng
2026-06-03 15:53 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 18/32] iommu/s390: " Guanghui Feng
2026-06-03 16:03 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 19/32] iommu/sprd: " Guanghui Feng
2026-06-03 15:57 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 20/32] iommu/sun50i: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 21/32] iommu/tegra-smmu: " Guanghui Feng
2026-06-03 16:04 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 22/32] iommu/virtio: " Guanghui Feng
2026-06-03 16:10 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 23/32] vfio: use iova_to_phys_length for efficient unmap Guanghui Feng
2026-06-03 16:14 ` sashiko-bot
2026-06-04 14:27 ` Jason Gunthorpe
2026-06-03 15:17 ` [PATCH v3 24/32] iommufd: " Guanghui Feng
2026-06-03 16:14 ` sashiko-bot
2026-06-04 14:26 ` Jason Gunthorpe
2026-06-03 15:17 ` [PATCH v3 25/32] iommufd/selftest: switch to iommu_iova_to_phys_length Guanghui Feng
2026-06-03 16:17 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 26/32] drm/panfrost: switch to iova_to_phys_length Guanghui Feng
2026-06-03 16:13 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 27/32] drm/panthor: " Guanghui Feng
2026-06-03 16:16 ` sashiko-bot
2026-06-03 15:18 ` [PATCH v3 28/32] iommu/io-pgtable: selftests " Guanghui Feng
2026-06-03 15:18 ` [PATCH v3 29/32] iommu/io-pgtable-arm: remove deprecated iova_to_phys wrapper Guanghui Feng
2026-06-03 16:32 ` sashiko-bot
2026-06-03 15:18 ` [PATCH v3 30/32] iommu/io-pgtable-arm-v7s: " Guanghui Feng
2026-06-03 16:31 ` sashiko-bot
2026-06-03 15:18 ` [PATCH v3 31/32] iommu/io-pgtable-dart: " Guanghui Feng
2026-06-03 15:18 ` [PATCH v3 32/32] iommu: remove iova_to_phys from domain_ops and io_pgtable_ops Guanghui Feng
2026-06-03 16:26 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260531110128.252771F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=guanghuifeng@linux.alibaba.com \
--cc=kvm@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox