From: Jason Gunthorpe <jgg@ziepe.ca>
To: "Tian, Kevin" <kevin.tian@intel.com>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@kernel.org>,
"iommu@lists.linux.dev" <iommu@lists.linux.dev>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Joerg Roedel <joro@8bytes.org>, Will Deacon <will@kernel.org>,
Robin Murphy <robin.murphy@arm.com>
Subject: Re: [RFC PATCH] iommufd: Destroy vdevice on device unbind
Date: Mon, 16 Jun 2025 13:49:41 -0300 [thread overview]
Message-ID: <20250616164941.GA1373692@ziepe.ca> (raw)
In-Reply-To: <BN9PR11MB527633CA2F698E83E12BFBD68C70A@BN9PR11MB5276.namprd11.prod.outlook.com>
On Mon, Jun 16, 2025 at 05:37:58AM +0000, Tian, Kevin wrote:
> the expected destruction flow from userspace is to IOMMU_DESTROY
> the vdevice object before closing the vfio cdev fd which unbinds the
> idevice.
>
> now we are discussing how to handle a malfunction userspace which
> violates that flow: let it be or add a tomestone state, after extending
> unbind to destroy the vdevice...
Right, to be clear the concern is
close(vfio_cdev)
ioctl(DESTROY, vdevice_id);
close(iommufd)
Which is a possibile sequence for userspace/syzkaller to trigger.
My position has historically been that DESTROY should not destroy some
random unrelated object eg because a parallel thread did an allocation
and re-used the kernel deleted ID. ID's that belong to userspace have
to be retained right up until DESTROY.
Thus we've historically avoided creating scenarios where IDs owned by
userspace are destroyed by the kernel.
Given we can say the above is illegal use of the API we could leave
behind a tombstone in the xarray. The goal would be to prevent lookup
of the object (since it is destroyed) and prevent reallocation of the
ID.
For instance a simple thing would be to drop in XA_ZERO_ENTRY, this
will reserve the ID and fail all future operations. The userspace will
get a failure on DESTROY so they know they did something wrong. The fd
close will clean up the reserved ID.
We just need to make some decision about the above sequence.
Jason
next prev parent reply other threads:[~2025-06-16 16:49 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-10 6:51 [RFC PATCH] iommufd: Destroy vdevice on device unbind Aneesh Kumar K.V (Arm)
2025-06-12 8:05 ` Tian, Kevin
2025-06-12 17:26 ` Jason Gunthorpe
2025-06-13 7:31 ` Tian, Kevin
2025-06-13 12:42 ` Jason Gunthorpe
2025-06-16 3:56 ` Xu Yilun
2025-06-16 4:28 ` Aneesh Kumar K.V
2025-06-16 5:37 ` Tian, Kevin
2025-06-16 16:49 ` Jason Gunthorpe [this message]
2025-06-17 8:07 ` Aneesh Kumar K.V
2025-06-17 18:34 ` Jason Gunthorpe
2025-06-18 5:29 ` Aneesh Kumar K.V
2025-06-18 13:35 ` Jason Gunthorpe
2025-06-18 14:52 ` Aneesh Kumar K.V
2025-06-18 15:00 ` Jason Gunthorpe
2025-06-19 5:37 ` Tian, Kevin
2025-06-24 10:33 ` Aneesh Kumar K.V
2025-06-24 12:24 ` Tian, Kevin
2025-06-16 5:19 ` Tian, Kevin
2025-06-16 4:15 ` Aneesh Kumar K.V
2025-06-16 5:21 ` Tian, Kevin
2025-06-16 4:46 ` Aneesh Kumar K.V
2025-06-16 5:48 ` Tian, Kevin
2025-06-16 5:58 ` Xu Yilun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250616164941.GA1373692@ziepe.ca \
--to=jgg@ziepe.ca \
--cc=aneesh.kumar@kernel.org \
--cc=iommu@lists.linux.dev \
--cc=joro@8bytes.org \
--cc=kevin.tian@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=robin.murphy@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).