public inbox for linux-kernel@vger.kernel.org
From: Jason Gunthorpe <jgg@nvidia.com>
To: Nicolin Chen <nicolinc@nvidia.com>
Cc: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>,
	linux-kernel@vger.kernel.org, robin.murphy@arm.com,
	will@kernel.org, joro@8bytes.org, kevin.tian@intel.com,
	jsnitsel@redhat.com, vasant.hegde@amd.com, iommu@lists.linux.dev,
	santosh.shukla@amd.com, sairaj.arunkodilkar@amd.com,
	jon.grimm@amd.com, prashanthpra@google.com, wvw@google.com,
	wnliu@google.com, gptran@google.com, kpsingh@google.com,
	joao.m.martins@oracle.com, alejandro.j.jimenez@oracle.com
Subject: Re: [PATCH v5 11/14] iommu/amd: Introduce gDomID-to-hDomID Mapping and handle parent domain invalidation
Date: Tue, 18 Nov 2025 20:02:17 -0400
Message-ID: <20251119000217.GG120075@nvidia.com>
In-Reply-To: <aRZBN/nBz6lqTzmt@Asurada-Nvidia>

On Thu, Nov 13, 2025 at 12:36:07PM -0800, Nicolin Chen wrote:
> > +	curr = xa_cmpxchg(&aviommu->gdomid_array,
> > +			  ndom->gdom_id, NULL, gdom_info, GFP_ATOMIC);
> > +	if (curr) {
> > +		if (xa_err(curr)) {
> > +			ret = -EINVAL;
> > +			goto out_err_gdom_info;
> > +		} else {
> > +			/* The gDomID already exist */
> > +			pr_debug("%s: Found gdom_id=%#x, hdom_id=%#x\n",
> > +				 __func__, ndom->gdom_id, curr->hdom_id);
> > +			refcount_inc(&curr->users);
> > +			ndom->gdom_info = curr;
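Review bot: the refcount_inc(&curr->users) at the end of this hunk is not protected by anything once xa_cmpxchg() has returned, so a concurrent release that drops the last reference and frees curr can run between the lookup and the increment; the lookup, the increment and the matching dec-and-erase in the free path need to sit under the same xa_lock() hold. A smaller point: the `if (xa_err(curr))` branch replaces the xarray's error with -EINVAL, which hides an -ENOMEM from the GFP_ATOMIC store; `ret = xa_err(curr);` keeps the real code. The comment should also read "already exists".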
> 
> This looks racy..

Yes

> When a gDomID is shared between two nested domains, a concurrent
> nested_domain_free() could enter before refcount_inc(), and call
> refcount_dec_and_test() or even free the curr and ndom.
> 
> Then, this refcount_inc() will blow up, or curr/ndom will UAF.
> 
> Actually, I don't see where amd_iommu_alloc_domain_nested() gets
> used in this series.. I assume AMD will use the iommufd's vIOMMU
> infrastructure directly which doesn't mutex across nested domain
> allocation/free calls.
> 
> So, the entire thing here should hold xa_lock(), use xas_load()
> for the existing curr and use xas_store() to store gdom_info if
> !curr, and xa_unlock() after gdom_info is fully initialized.

No need for xas functions.. You can use the __ functions..

A helper function like this will do the job:

/* Caller holds xa_lock(xa). Returns the existing entry at index, or
 * allocates a zeroed one of size sz and installs it; ERR_PTR on failure. */
static void *xa_load_or_alloc_locked(struct xarray *xa, unsigned long index, size_t sz)
{
	void *elm, *res;

	elm = xa_load(xa, index);
	if (elm)
		return elm;

	/* Drop the lock for the sleeping allocation, then retake it. */
	xa_unlock(xa);
	elm = kzalloc(sz, GFP_KERNEL);
	xa_lock(xa);
	if (!elm)
		return ERR_PTR(-ENOMEM);

	/* Someone may have installed an entry while the lock was dropped:
	 * only store ours if the slot is still empty. */
	res = __xa_cmpxchg(xa, index, NULL, elm, GFP_KERNEL);
	if (xa_is_err(res))
		res = ERR_PTR(xa_err(res));

	/* Lost the race (or got an error): discard our allocation. */
	if (res) {
		kfree(elm);
		return res;
	}

	return elm;
}

Call like

 xa_lock(&aviommu->gdomid_array);
 elm = xa_load_or_alloc_locked(..)
 if (IS_ERR(elm))
   ..
 elm->refcount++;
 xa_unlock(&aviommu->gdomid_array);

Needs more bits if you want to use refcount_t

Jason
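As an added example (not code from this thread and not the AMD IOMMU driver), the following userspace C model exercises the pattern Jason sketches above: look up under the lock, drop the lock only for the allocation, compare-and-exchange after retaking it, and do the reference increment and the dec-and-erase under the same lock hold. The names gdom_table, gdom_get, gdom_put and run_demo are assumed; the xarray is replaced by a fixed slot table, the spinlock by an ownership flag, and the race_entry hook is a constructed stand-in for another CPU installing an entry during the allocation window.

```c
/* Userspace model of the lock-held load-or-allocate pattern from the reply
 * above: illustrative code written for this page, not kernel or driver code.
 * The xarray is a fixed slot table and its spinlock an ownership flag. */
#include <stdbool.h>
#include <stdlib.h>

#define NSLOTS 64

struct gdom_info { unsigned int users; };	/* stand-in entry; users is guarded by the table lock */

struct gdom_table {
	bool locked;
	struct gdom_info *slots[NSLOTS];
	struct gdom_info *race_entry;	/* test hook (constructed): entry that "another CPU" */
	unsigned long race_index;	/* installs at race_index while the lock is dropped */
};

static void table_lock(struct gdom_table *t)   { if (t->locked) abort(); t->locked = true; }
static void table_unlock(struct gdom_table *t) { if (!t->locked) abort(); t->locked = false; }

/* Caller holds the lock. Like the helper in the reply: return the existing
 * entry, else drop the lock to allocate (kzalloc(GFP_KERNEL) may sleep), retake
 * it and compare-and-exchange so an entry installed meanwhile wins and our
 * allocation is discarded. Returns NULL on allocation failure. */
static struct gdom_info *load_or_alloc_locked(struct gdom_table *t, unsigned long index)
{
	struct gdom_info *elm;

	if (!t->locked)
		abort();
	if (t->slots[index])
		return t->slots[index];
	table_unlock(t);
	if (t->race_entry && !t->slots[t->race_index])	/* the race window: another context may */
		t->slots[t->race_index] = t->race_entry;	/* install an entry while we allocate */
	t->race_entry = NULL;
	elm = calloc(1, sizeof(*elm));
	table_lock(t);
	if (!elm)
		return NULL;
	if (t->slots[index]) {		/* what __xa_cmpxchg(xa, index, NULL, elm) reports as an existing entry */
		free(elm);
		return t->slots[index];
	}
	t->slots[index] = elm;
	return elm;
}

/* Lookup-or-create and the reference increment share one lock hold; this is
 * what closes the race described in the thread. NULL on allocation failure. */
static struct gdom_info *gdom_get(struct gdom_table *t, unsigned long gdom_id)
{
	struct gdom_info *elm;

	table_lock(t);
	elm = load_or_alloc_locked(t, gdom_id);
	if (elm)
		elm->users++;
	table_unlock(t);
	return elm;
}

/* Drop a reference under the same lock; erase the slot and free the entry on
 * the last put. Returns 1 if the entry was freed, 0 otherwise. */
static int gdom_put(struct gdom_table *t, unsigned long gdom_id)
{
	struct gdom_info *elm;
	int freed = 0;

	table_lock(t);
	elm = t->slots[gdom_id];
	if (elm && --elm->users == 0) {
		t->slots[gdom_id] = NULL;
		free(elm);
		freed = 1;
	}
	table_unlock(t);
	return freed;
}

/* Single-threaded walk-through; returns 0 on success, else the failing step.
 * Steps 1-2: two nested domains share gDomID 5 (users 1->2->1->0, slot erased
 * on the last put). Steps 3-5: another context installs the entry for gDomID 9
 * while we are allocating, so the cmpxchg step must hand back that entry. */
static int run_demo(void)
{
	struct gdom_table t = { 0 };
	struct gdom_info *a = gdom_get(&t, 5), *b = gdom_get(&t, 5), *got;
	struct gdom_info *other = calloc(1, sizeof(*other));

	if (!a || a != b || a->users != 2)
		return 1;
	if (gdom_put(&t, 5) != 0 || a->users != 1 || gdom_put(&t, 5) != 1 || t.slots[5])
		return 2;
	if (!other)
		return 3;
	other->users = 1;
	t.race_entry = other;
	t.race_index = 9;
	got = gdom_get(&t, 9);
	if (got != other || got->users != 2)
		return 4;
	gdom_put(&t, 9);			/* our reference */
	return gdom_put(&t, 9) == 1 ? 0 : 5;	/* the other context's reference */
}
```

run_demo() shows the two behaviours a reviewer wants to see from this pattern: an entry shared by two domains is erased only after its last user drops it, and an allocation that lost the race during the unlocked window is freed in favour of the entry that won. The plain counter is enough here only because both the increment and the dec-and-erase run under the same lock; Jason's last line covers the case where refcount_t is used instead.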


Thread overview: 39+ messages
2025-11-12 18:24 [PATCH v5 00/14] iommu/amd: Introduce Nested Translation support Suravee Suthikulpanit
2025-11-12 18:24 ` [PATCH v5 01/14] iommu/amd: Rename DEV_DOMID_MASK to DTE_DOMID_MASK Suravee Suthikulpanit
2025-11-12 18:24 ` [PATCH v5 02/14] iommu/amd: Make amd_iommu_pdom_id_alloc() non-static Suravee Suthikulpanit
2025-11-12 18:24 ` [PATCH v5 03/14] iommu/amd: Make amd_iommu_pdom_id_free() non-static Suravee Suthikulpanit
2025-11-12 18:24 ` [PATCH v5 04/14] iommu/amd: Make amd_iommu_make_clear_dte() non-static inline Suravee Suthikulpanit
2025-11-18 23:44   ` Jason Gunthorpe
2025-11-12 18:24 ` [PATCH v5 05/14] iommu/amd: Introduce helper function amd_iommu_update_dte() Suravee Suthikulpanit
2025-11-13 19:18   ` Nicolin Chen
2026-01-15  9:20     ` Suthikulpanit, Suravee
2025-11-18 23:50   ` Jason Gunthorpe
2025-11-12 18:24 ` [PATCH v5 06/14] iommufd: Introduce data struct for AMD nested domain allocation Suravee Suthikulpanit
2025-11-12 18:24 ` [PATCH v5 07/14] iommu/amd: Always enable GCR3TRPMode when supported Suravee Suthikulpanit
2025-11-13 19:19   ` Nicolin Chen
2025-11-12 18:25 ` [PATCH v5 08/14] iommu/amd: Add support for nest parent domain allocation Suravee Suthikulpanit
2025-11-12 18:25 ` [PATCH v5 09/14] iommu/amd: Introduce struct amd_iommu_viommu Suravee Suthikulpanit
2025-11-13 19:21   ` Nicolin Chen
2025-11-12 18:25 ` [PATCH v5 10/14] iommu/amd: Add support for nested domain allocation Suravee Suthikulpanit
2025-11-12 18:25 ` [PATCH v5 11/14] iommu/amd: Introduce gDomID-to-hDomID Mapping and handle parent domain invalidation Suravee Suthikulpanit
2025-11-13 20:36   ` Nicolin Chen
2025-11-19  0:02     ` Jason Gunthorpe [this message]
2026-01-15  9:25       ` Suthikulpanit, Suravee
2026-01-15  9:21     ` Suthikulpanit, Suravee
2025-11-19  0:11   ` Jason Gunthorpe
2025-11-19  1:10     ` Nicolin Chen
2025-11-12 18:25 ` [PATCH v5 12/14] iommu/amd: Refactor persistent DTE bits programming into amd_iommu_make_clear_dte() Suravee Suthikulpanit
2025-11-13 20:42   ` Nicolin Chen
2025-11-12 18:25 ` [PATCH v5 13/14] iommu/amd: Refactor logic to program the host page table in DTE Suravee Suthikulpanit
2025-11-13 21:19   ` Nicolin Chen
2025-11-13 21:29     ` Nicolin Chen
2025-11-19  0:21       ` Jason Gunthorpe
2025-11-19  0:20     ` Jason Gunthorpe
2026-01-15  9:24     ` Suthikulpanit, Suravee
2025-11-19  0:18   ` Jason Gunthorpe
2025-11-12 18:25 ` [PATCH v5 14/14] iommu/amd: Add support for nested domain attach/detach Suravee Suthikulpanit
2025-11-13 21:34   ` Nicolin Chen
2025-11-19  0:28   ` Jason Gunthorpe
2025-11-13 21:52 ` [PATCH v5 00/14] iommu/amd: Introduce Nested Translation support Nicolin Chen
2025-11-17 17:54   ` Jason Gunthorpe
2026-01-15  9:18     ` Suthikulpanit, Suravee
