From: sashiko-bot@kernel.org
To: "Narayana Murty N" <nnmlinux@linux.ibm.com>
Cc: kvm@vger.kernel.org
Subject: Re: [RFC PATCH 3/6] selftests/vfio: add sPAPR TCE v2 DMA window helpers
Date: Fri, 03 Jul 2026 08:05:39 +0000 [thread overview]
Message-ID: <20260703080540.F38E71F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260703032806.40946-4-nnmlinux@linux.ibm.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [Medium] `vfio_iommu_map()` incorrectly returns a clobbered `errno` if `VFIO_IOMMU_MAP_DMA` fails.
- [Medium] If memory unregistration fails during unmap, the region is left in the `dma_regions` list despite being successfully unmapped in the IOMMU.
- [Medium] Failed DDW creation leaves `iommu->active_window` pointing to an invalidated window, leading to stale IOVA ranges being returned.
--
commit 2deeaa397a1d09614f068ff5ae82a0732c573cd4
Author: Narayana Murty N <nnmlinux@linux.ibm.com>
selftests/vfio: add sPAPR TCE v2 DMA window helpers
This commit adds helper support for sPAPR TCE v2 DMA windows in the VFIO
selftest library. It tracks the platform default DMA window separately from
selftest-created dynamic DMA windows, and adds helpers to create, remove,
and register memory around DMA map/unmap operations.
> diff --git a/tools/testing/selftests/vfio/lib/iommu.c b/tools/testing/selftests/vfio/lib/iommu.c
> index e86457a715bf7..19d19bb45a14b 100644
> --- a/tools/testing/selftests/vfio/lib/iommu.c
> +++ b/tools/testing/selftests/vfio/lib/iommu.c
[ ... ]
> + /*
> + * Neither default nor DDW is sufficient.
> + * Remove only the selftest-created DDW, then create a new DDW.
> + */
> + ret = spapr_tce_remove_window(iommu, &iommu->ddw_window);
> + if (ret)
> + return ret;
> +
> + ret = spapr_tce_create_ddw(iommu, min_size, page_shift);
> + if (ret)
> + return ret;
[Severity: Medium]
If spapr_tce_create_ddw() fails here, does it leave iommu->active_window
pointing to a window that was just invalidated by spapr_tce_remove_window()?
If iommu->active_window was previously set to &iommu->ddw_window, it is not
reset to NULL on this error path. Later, spapr_tce_iova_ranges() reads
iommu->active_window->start without checking if the window is valid:
static struct iommu_iova_range *spapr_tce_iova_ranges(...)
{
...
ranges[0].start = iommu->active_window->start;
ranges[0].last = iommu->active_window->start +
iommu->active_window->size - 1;
...
}
Could this return stale IOVA ranges to the caller?
> +
> + iommu->active_window = &iommu->ddw_window;
> + return 0;
> +}
[ ... ]
> @@ -113,9 +342,27 @@ static int vfio_iommu_map(struct iommu *iommu, struct dma_region *region)
> .iova = region->iova,
> .size = region->size,
> };
> + int ret;
>
> - if (ioctl(iommu->container_fd, VFIO_IOMMU_MAP_DMA, &args))
> +#ifdef __powerpc__
> + if (iommu_is_spapr_tce_v2(iommu)) {
> + if (!spapr_tce_iova_inside_window(iommu, region))
> + return -EINVAL;
> +
> + ret = spapr_register_memory(iommu, region);
> + if (ret)
> + return ret;
> + }
> +#endif
> +
> + ret = ioctl(iommu->container_fd, VFIO_IOMMU_MAP_DMA, &args);
> + if (ret) {
> +#ifdef __powerpc__
> + if (iommu_is_spapr_tce_v2(iommu))
> + spapr_unregister_memory(iommu, region);
> +#endif
> return -errno;
> + }
[Severity: Medium]
Can the cleanup call to spapr_unregister_memory() clobber the errno from the
failed VFIO_IOMMU_MAP_DMA ioctl?
Since spapr_unregister_memory() performs its own ioctl, it might overwrite
the thread-local errno. Will this result in vfio_iommu_map() returning the
result of the cleanup operation instead of the actual mapping failure?
>
> return 0;
> }
[ ... ]
> @@ -177,8 +424,18 @@ static int __vfio_iommu_unmap(int fd, u64 iova, u64 size, u32 flags, u64 *unmapp
> static int vfio_iommu_unmap(struct iommu *iommu, struct dma_region *region,
> u64 *unmapped)
> {
> - return __vfio_iommu_unmap(iommu->container_fd, region->iova,
> - region->size, 0, unmapped);
> + int ret;
> +
> + ret = __vfio_iommu_unmap(iommu->container_fd, region->iova,
> + region->size, 0, unmapped);
> + if (ret)
> + return ret;
> +#ifdef __powerpc__
> + if (iommu_is_spapr_tce_v2(iommu))
> + ret = spapr_unregister_memory(iommu, region);
> +#endif
> +
> + return ret;
> }
[Severity: Medium]
If __vfio_iommu_unmap() succeeds but spapr_unregister_memory() fails, does
returning this error bypass the region cleanup in __iommu_unmap()?
In __iommu_unmap():
if (iommu->iommufd)
ret = iommufd_unmap(iommu, region, unmapped);
else
ret = vfio_iommu_unmap(iommu, region, unmapped);
if (ret)
return ret;
list_del_init(®ion->link);
If we return the unregistration failure here, the early return in
__iommu_unmap() skips list_del_init(). Will this leave the successfully
unmapped region in the dma_regions list and corrupt internal state tracking?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260703032806.40946-1-nnmlinux@linux.ibm.com?part=3
next prev parent reply other threads:[~2026-07-03 8:05 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-03 3:28 [RFC PATCH 0/6] selftests/vfio: Add sPAPR TCE v2 coverage Narayana Murty N
2026-07-03 3:28 ` [RFC PATCH 1/6] selftests/vfio: allow selecting IOMMU backend from environment Narayana Murty N
2026-07-03 8:06 ` sashiko-bot
2026-07-03 3:28 ` [RFC PATCH 2/6] selftests/vfio: add sPAPR TCE v2 IOMMU mode Narayana Murty N
2026-07-03 8:09 ` sashiko-bot
2026-07-03 3:28 ` [RFC PATCH 3/6] selftests/vfio: add sPAPR TCE v2 DMA window helpers Narayana Murty N
2026-07-03 8:05 ` sashiko-bot [this message]
2026-07-03 3:28 ` [RFC PATCH 4/6] selftests/vfio: Exercise sPAPR DDW path for hugepage DMA mappings Narayana Murty N
2026-07-03 8:11 ` sashiko-bot
2026-07-03 3:28 ` [RFC PATCH 5/6] selftests/vfio: Accept sPAPR errno for DMA range overflow Narayana Murty N
2026-07-03 8:08 ` sashiko-bot
2026-07-03 3:28 ` [RFC PATCH 6/6] selftests/vfio: Enable VFIO selftests on ppc64 and ppc64le Narayana Murty N
2026-07-03 8:14 ` sashiko-bot
2026-07-03 8:28 ` [RFC PATCH 0/6] selftests/vfio: Add sPAPR TCE v2 coverage Harsh Prateek Bora
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260703080540.F38E71F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=nnmlinux@linux.ibm.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox