From: sashiko-bot@kernel.org
To: "Guanghui Feng" <guanghuifeng@linux.alibaba.com>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH v2 14/30] iommu/msm: implement iova_to_phys_length
Date: Tue, 02 Jun 2026 11:04:17 +0000 [thread overview]
Message-ID: <20260602110417.C7F061F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260602104637.1219810-15-guanghuifeng@linux.alibaba.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [High] Incorrect mapping length hardcoded to `SZ_4K` for 64KB and 1MB mappings causes unmap failures and resource leaks.
Pre-existing issues:
- [High] Negative error code from `__enable_clocks()` is returned as a valid physical address, bypassing IOMMU API failure checks.
- [High] Unsafe `list_first_entry()` on a potentially empty list causes invalid pointer dereference.
--
commit e11fea990236734e10ab3d7e27031085045028c3
Author: Guanghui Feng <guanghuifeng@linux.alibaba.com>
iommu/msm: implement iova_to_phys_length
Implement iova_to_phys_length for MSM IOMMU driver, returning the actual
PTE mapping size.
> diff --git a/drivers/iommu/msm_iommu.c b/drivers/iommu/msm_iommu.c
> index 0ad5ff431d5b6..af4020ed99876 100644
> --- a/drivers/iommu/msm_iommu.c
> +++ b/drivers/iommu/msm_iommu.c
> @@ -523,15 +523,19 @@ static size_t msm_iommu_unmap(struct iommu_domain *domain, unsigned long iova,
> return ret;
> }
>
> -static phys_addr_t msm_iommu_iova_to_phys(struct iommu_domain *domain,
> - dma_addr_t va)
> +static phys_addr_t msm_iommu_iova_to_phys_length(struct iommu_domain *domain,
> + dma_addr_t va,
> + size_t *mapped_length)
> {
[Severity: High]
This is a pre-existing issue, but does list_first_entry() return a valid
pointer if the list_attached list is empty?
If a domain has no devices attached, such as directly after domain
allocation, the list will be empty. Because list_first_entry() does not
check for emptiness, it seems this could result in a bogus pointer being
dereferenced during the subsequent list_empty() check on the ctx_list:
msm_iommu.c:msm_iommu_iova_to_phys_length() {
...
priv = to_msm_priv(domain);
iommu = list_first_entry(&priv->list_attached,
struct msm_iommu_dev, dom_node);
if (list_empty(&iommu->ctx_list))
goto fail;
...
}
[Severity: High]
This is also a pre-existing issue, but does the failure path for
__enable_clocks() unintentionally return a negative error code as a valid
physical address?
When __enable_clocks() fails, it returns a negative integer like -EINVAL.
This is assigned to ret, which is of type phys_addr_t. Since the code then
jumps to the fail label and returns ret, the unsigned cast of the negative
error code won't match the PHYS_ADDR_MAX failure sentinel:
msm_iommu.c:msm_iommu_iova_to_phys_length() {
...
ret = __enable_clocks(iommu);
if (ret)
goto fail;
...
fail:
spin_unlock_irqrestore(&msm_iommu_lock, flags);
return ret;
}
Could this cause the IOMMU API to interpret the failure as a valid mapping?
> struct msm_priv *priv;
> struct msm_iommu_dev *iommu;
> struct msm_iommu_ctx_dev *master;
[ ... ]
> @@ -558,13 +562,22 @@ static phys_addr_t msm_iommu_iova_to_phys(struct iommu_domain *domain,
> par = GET_PAR(iommu->base, master->num);
>
> /* We are dealing with a supersection */
> - if (GET_NOFAULT_SS(iommu->base, master->num))
> + if (GET_NOFAULT_SS(iommu->base, master->num)) {
> ret = (par & 0xFF000000) | (va & 0x00FFFFFF);
> - else /* Upper 20 bits from PAR, lower 12 from VA */
> + if (mapped_length)
> + *mapped_length = SZ_16M;
> + } else {
> + /* Upper 20 bits from PAR, lower 12 from VA */
> ret = (par & 0xFFFFF000) | (va & 0x00000FFF);
> + if (mapped_length)
> + *mapped_length = SZ_4K;
> + }
[Severity: High]
Does setting mapped_length to SZ_4K for all non-supersection mappings cause
issues with 64KB and 1MB mappings?
The hardware uses the ARM_V7S short descriptor format where the PAR register
doesn't explicitly differentiate between 1MB section, 64KB large page, and
4KB page mappings. If mapped_length is hardcoded to SZ_4K here, unmap
requests for larger regions might fail.
The underlying arm_v7s_unmap() pagetable code rejects partial unmaps of
larger sections. Could this lead to leaked memory and IOVA space?
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260602104637.1219810-1-guanghuifeng@linux.alibaba.com?part=14
next prev parent reply other threads:[~2026-06-02 11:04 UTC|newest]
Thread overview: 144+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-29 7:09 [RFC PATCH] Optimize VFIO and IOMMU mapping traversal Guanghui Feng
2026-05-29 7:52 ` sashiko-bot
2026-05-29 11:51 ` Jason Gunthorpe
2026-05-31 9:36 ` [PATCH 0/9] iommu: introduce iova_to_phys_length for efficient IOVA-to-physical translation Guanghui Feng
2026-05-31 9:36 ` [PATCH 1/9] iommu: introduce iova_to_phys_length in iommu_domain_ops Guanghui Feng
2026-05-31 9:54 ` sashiko-bot
2026-05-31 23:51 ` Jason Gunthorpe
2026-06-01 8:41 ` guanghuifeng
2026-06-01 13:43 ` Jason Gunthorpe
2026-06-01 14:14 ` guanghuifeng
2026-06-01 14:31 ` Jason Gunthorpe
2026-05-31 9:36 ` [PATCH 2/9] iommu/io-pgtable: introduce iova_to_phys_length in io_pgtable_ops Guanghui Feng
2026-05-31 10:03 ` sashiko-bot
2026-05-31 9:36 ` [PATCH 3/9] iommu/generic_pt: implement iova_to_phys_length Guanghui Feng
2026-05-31 10:12 ` sashiko-bot
2026-05-31 23:54 ` Jason Gunthorpe
2026-06-01 9:23 ` guanghuifeng
[not found] ` <fa924b86-1ca9-4819-8330-0d5f6ede8923@linux.alibaba.com>
2026-06-01 14:32 ` Jason Gunthorpe
2026-06-02 7:20 ` guanghuifeng
2026-06-02 12:32 ` Jason Gunthorpe
2026-05-31 9:36 ` [PATCH 4/9] iommu/arm-smmu: " Guanghui Feng
2026-05-31 10:22 ` sashiko-bot
2026-05-31 9:36 ` [PATCH 5/9] iommu: apple-dart/ipmmu/mtk_iommu " Guanghui Feng
2026-05-31 10:32 ` sashiko-bot
2026-05-31 9:36 ` [PATCH 6/9] iommu: direct page-table drivers " Guanghui Feng
2026-05-31 10:47 ` sashiko-bot
2026-05-31 9:36 ` [PATCH 7/9] vfio/iommufd: use iova_to_phys_length for efficient unmap Guanghui Feng
2026-05-31 11:01 ` sashiko-bot
2026-05-31 23:58 ` Jason Gunthorpe
2026-05-31 9:36 ` [PATCH 8/9] drm/gpu, iommu/io-pgtable: switch to iova_to_phys_length Guanghui Feng
2026-05-31 9:36 ` [PATCH 9/9] iommu: remove deprecated iova_to_phys from domain_ops and io_pgtable_ops Guanghui Feng
2026-05-31 11:17 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 00/30] iommu: introduce iova_to_phys_length for efficient IOVA-to-physical translation Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 01/30] iommu: introduce iova_to_phys_length in iommu_domain_ops Guanghui Feng
2026-06-02 11:05 ` sashiko-bot
2026-06-03 1:08 ` Jason Gunthorpe
2026-06-02 10:46 ` [PATCH v2 02/30] iommu/io-pgtable-arm: introduce iova_to_phys_length in io_pgtable_ops Guanghui Feng
2026-06-02 11:09 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 03/30] iommu/io-pgtable-arm-v7s: " Guanghui Feng
2026-06-02 11:02 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 04/30] iommu/io-pgtable-dart: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 05/30] iommu/generic_pt: implement iova_to_phys_length Guanghui Feng
2026-06-02 11:06 ` sashiko-bot
2026-06-03 1:11 ` Jason Gunthorpe
2026-06-02 10:46 ` [PATCH v2 06/30] iommu/arm-smmu-v3: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 07/30] iommu/arm-smmu: " Guanghui Feng
2026-06-02 11:04 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 08/30] iommu/qcom_iommu: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 09/30] iommu/apple-dart: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 10/30] iommu/ipmmu-vmsa: " Guanghui Feng
2026-06-03 1:13 ` Jason Gunthorpe
2026-06-02 10:46 ` [PATCH v2 11/30] iommu/mtk_iommu: " Guanghui Feng
2026-06-03 1:17 ` Jason Gunthorpe
2026-06-02 10:46 ` [PATCH v2 12/30] iommu/exynos: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 13/30] iommu/fsl_pamu: " Guanghui Feng
2026-06-02 11:02 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 14/30] iommu/msm: " Guanghui Feng
2026-06-02 11:04 ` sashiko-bot [this message]
2026-06-02 10:46 ` [PATCH v2 15/30] iommu/mtk_v1: " Guanghui Feng
2026-06-02 11:12 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 16/30] iommu/omap: " Guanghui Feng
2026-06-02 11:09 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 17/30] iommu/rockchip: " Guanghui Feng
2026-06-02 11:03 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 18/30] iommu/s390: " Guanghui Feng
2026-06-02 11:10 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 19/30] iommu/sprd: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 20/30] iommu/sun50i: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 21/30] iommu/tegra-smmu: " Guanghui Feng
2026-06-02 11:10 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 22/30] iommu/virtio: " Guanghui Feng
2026-06-02 11:15 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 23/30] vfio/iommufd: use iova_to_phys_length for efficient unmap Guanghui Feng
2026-06-02 11:16 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 24/30] drm/panfrost: switch to iova_to_phys_length Guanghui Feng
2026-06-02 11:14 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 25/30] drm/panthor: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 26/30] iommu/io-pgtable: selftests " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 27/30] iommu/io-pgtable-arm: remove deprecated iova_to_phys wrapper Guanghui Feng
2026-06-02 13:22 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 28/30] iommu/io-pgtable-arm-v7s: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 29/30] iommu/io-pgtable-dart: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 30/30] iommu: remove iova_to_phys from domain_ops and io_pgtable_ops Guanghui Feng
2026-06-02 11:16 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 00/32] iommu: introduce iova_to_phys_length and remove iova_to_phys Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 01/32] iommu: introduce iova_to_phys_length in iommu_domain_ops Guanghui Feng
2026-06-03 15:38 ` sashiko-bot
2026-06-04 2:44 ` Baolu Lu
2026-06-04 14:16 ` Jason Gunthorpe
2026-06-03 15:17 ` [PATCH v3 02/32] iommu/io-pgtable-arm: introduce iova_to_phys_length in io_pgtable_ops Guanghui Feng
2026-06-03 15:35 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 03/32] iommu/io-pgtable-arm-v7s: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 04/32] iommu/io-pgtable-dart: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 05/32] iommu/generic_pt: implement iova_to_phys_length Guanghui Feng
2026-06-03 15:39 ` sashiko-bot
2026-06-04 3:30 ` Baolu Lu
2026-06-04 14:12 ` Jason Gunthorpe
2026-06-03 15:17 ` [PATCH v3 06/32] iommu/arm-smmu-v3: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 07/32] iommu/arm-smmu: " Guanghui Feng
2026-06-03 15:42 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 08/32] iommu/qcom_iommu: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 09/32] iommu/apple-dart: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 10/32] iommu/ipmmu-vmsa: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 11/32] iommu/mtk_iommu: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 12/32] iommu/exynos: " Guanghui Feng
2026-06-03 15:46 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 13/32] iommu/fsl_pamu: " Guanghui Feng
2026-06-03 15:48 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 14/32] iommu/msm: " Guanghui Feng
2026-06-03 15:51 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 15/32] iommu/mtk_v1: " Guanghui Feng
2026-06-03 15:58 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 16/32] iommu/omap: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 17/32] iommu/rockchip: " Guanghui Feng
2026-06-03 15:53 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 18/32] iommu/s390: " Guanghui Feng
2026-06-03 16:03 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 19/32] iommu/sprd: " Guanghui Feng
2026-06-03 15:57 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 20/32] iommu/sun50i: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 21/32] iommu/tegra-smmu: " Guanghui Feng
2026-06-03 16:04 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 22/32] iommu/virtio: " Guanghui Feng
2026-06-03 16:10 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 23/32] vfio: use iova_to_phys_length for efficient unmap Guanghui Feng
2026-06-03 16:14 ` sashiko-bot
2026-06-04 14:27 ` Jason Gunthorpe
2026-06-03 15:17 ` [PATCH v3 24/32] iommufd: " Guanghui Feng
2026-06-03 16:14 ` sashiko-bot
2026-06-04 14:26 ` Jason Gunthorpe
2026-06-03 15:17 ` [PATCH v3 25/32] iommufd/selftest: switch to iommu_iova_to_phys_length Guanghui Feng
2026-06-03 16:17 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 26/32] drm/panfrost: switch to iova_to_phys_length Guanghui Feng
2026-06-03 16:13 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 27/32] drm/panthor: " Guanghui Feng
2026-06-03 16:16 ` sashiko-bot
2026-06-03 15:18 ` [PATCH v3 28/32] iommu/io-pgtable: selftests " Guanghui Feng
2026-06-03 15:18 ` [PATCH v3 29/32] iommu/io-pgtable-arm: remove deprecated iova_to_phys wrapper Guanghui Feng
2026-06-03 16:32 ` sashiko-bot
2026-06-03 15:18 ` [PATCH v3 30/32] iommu/io-pgtable-arm-v7s: " Guanghui Feng
2026-06-03 16:31 ` sashiko-bot
2026-06-03 15:18 ` [PATCH v3 31/32] iommu/io-pgtable-dart: " Guanghui Feng
2026-06-03 15:18 ` [PATCH v3 32/32] iommu: remove iova_to_phys from domain_ops and io_pgtable_ops Guanghui Feng
2026-06-03 16:26 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260602110417.C7F061F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=guanghuifeng@linux.alibaba.com \
--cc=kvm@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox