From: Nicolin Chen <nicolinc@nvidia.com>
To: Jason Gunthorpe <jgg@nvidia.com>
Cc: <iommu@lists.linux.dev>, Kevin Tian <kevin.tian@intel.com>,
Lixiao Yang <lixiao.yang@intel.com>,
Matthew Rosato <mjrosato@linux.ibm.com>,
<syzbot+1ad12d16afca0e7d2dde@syzkaller.appspotmail.com>,
<syzbot+6c8d756f238a75fc3eb8@syzkaller.appspotmail.com>,
Yi Liu <yi.l.liu@intel.com>
Subject: Re: [PATCH rc 1/2] iommufd: Do not access the area pointer after unlocking
Date: Mon, 19 Jun 2023 21:42:19 -0700 [thread overview]
Message-ID: <ZJEuK3Tw6NnuA/Oi@Asurada-Nvidia> (raw)
In-Reply-To: <1-v1-9f7c19e02561+31-iommufd_syz2_jgg@nvidia.com>
On Mon, Jun 19, 2023 at 03:24:58PM -0300, Jason Gunthorpe wrote:
> Precompute what is needed to call the access function and do not check the
> area's num_accesses again as the pointer may not be valid anymore. Use a
> counter instead.
> @@ -458,6 +458,7 @@ static int iopt_unmap_iova_range(struct io_pagetable *iopt, unsigned long start,
> {
> struct iopt_area *area;
> unsigned long unmapped_bytes = 0;
> + unsigned int tries = 0;
> int rc = -ENOENT;
>
> /*
> @@ -490,13 +491,17 @@ static int iopt_unmap_iova_range(struct io_pagetable *iopt, unsigned long start,
> * without the pages->mutex.
> */
> if (area->num_accesses) {
> + size_t length = iopt_area_length(area);
> +
> start = area_first;
> area->prevent_access = true;
> up_write(&iopt->iova_rwsem);
> up_read(&iopt->domains_rwsem);
> - iommufd_access_notify_unmap(iopt, area_first,
> - iopt_area_length(area));
> - if (WARN_ON(READ_ONCE(area->num_accesses)))
> +
> + iommufd_access_notify_unmap(iopt, area_first, length);
> + /* Something is not responding to unmap requests. */
> + tries++;
> + if (WARN_ON(tries > 1000))
Hmm, just trying to understand this piece here...
IIUIC, the iommufd_access_notify_unmap() notifies the vfio device
to do a vfio_unpin_pages() that would do a "num_accesses--;". But
how does the counter work instead? And why 1000?
Btw, there seems to be a small typo in the comments above this
piece of code, though it's not in this patch:
s/iovam_rwsem/iova_rwsem
Thanks
Nicolin
next prev parent reply other threads:[~2023-06-20 4:42 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-19 18:24 [PATCH rc 0/2] iommufd syzkaller fixes Jason Gunthorpe
2023-06-19 18:24 ` [PATCH rc 1/2] iommufd: Do not access the area pointer after unlocking Jason Gunthorpe
2023-06-20 4:42 ` Nicolin Chen [this message]
2023-06-20 5:30 ` Tian, Kevin
2023-06-20 12:36 ` Jason Gunthorpe
2023-06-19 18:24 ` [PATCH rc 2/2] iommufd: Call iopt_area_contig_done() under the lock Jason Gunthorpe
2023-06-20 5:34 ` Tian, Kevin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZJEuK3Tw6NnuA/Oi@Asurada-Nvidia \
--to=nicolinc@nvidia.com \
--cc=iommu@lists.linux.dev \
--cc=jgg@nvidia.com \
--cc=kevin.tian@intel.com \
--cc=lixiao.yang@intel.com \
--cc=mjrosato@linux.ibm.com \
--cc=syzbot+1ad12d16afca0e7d2dde@syzkaller.appspotmail.com \
--cc=syzbot+6c8d756f238a75fc3eb8@syzkaller.appspotmail.com \
--cc=yi.l.liu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox