From: Nicolin Chen <nicolinc@nvidia.com>
To: Will Deacon <will@kernel.org>
Cc: Robin Murphy <robin.murphy@arm.com>,
"Joerg Roedel (AMD)" <joro@8bytes.org>,
Jason Gunthorpe <jgg@nvidia.com>, <linux-tegra@vger.kernel.org>,
<linux-arm-kernel@lists.infradead.org>, <iommu@lists.linux.dev>,
<linux-kernel@vger.kernel.org>
Subject: [PATCH v1 00/11] iommu/tegra241-cmdqv: Fix error-interrupt races and VINTF lifecycle bugs
Date: Thu, 2 Jul 2026 22:31:26 -0700
Message-ID: <cover.1783054570.git.nicolinc@nvidia.com>
These fix a cluster of bugs reported by Sashiko during patch reviews. The
patches are ordered roughly most-critical-first, so some later ones fix
smaller pre-existing issues in the same functions that earlier patches
touch.
Issues fixed:
- the error ISR racing VINTF (de)init and reading a NULL, freed, or not
yet fully initialized slot
- the probe fallback dereferencing an smmu freed by devm_krealloc()
- a guest vSID programmed without validating its width or the device's
Stream ID count
- VINTF0 leaked on an init-failure path
- error-map index/bounds handling and a VCMDQ base above the 48-bit limit
- the error ISR flooding the kernel log under repeated guest errors
False positives raised by Sashiko:
- a viommu outliving an SMMU unbind and touching freed memory on close: a
physical IOMMU is not a pluggable device, so iommufd holds no reference
on the one behind a viommu, and this teardown cannot arise.
- the ISR running after cmdqv is freed on probe failure: free_irq() runs
first from tegra241_cmdqv_remove(), the devm device_remove action,
which devres invokes before the cmdqv allocation is released.
- a guest never acking its VCMDQ error wedging the shared interrupt: the
interrupt is edge-signaled per event, and the host ISR only snapshots
the error map into the guest's bounded vEVENTQ, never depending on a
guest-side GERRORN ack.
- the ISR accessing a de-assigned LVCMDQ page after a VINTF hw_init()
failure: the page remains a mapped MMIO region backed by empty
registers, so reads are benign and writes are dropped.
In parallel to Shameer's Tegra241 CMDQV CMD_SYNC use-after-free fix:
https://lore.kernel.org/all/20260629094106.251694-1-skolothumtho@nvidia.com/
This is on github:
https://github.com/nicolinc/iommufd/commits/fix_cmdqv_sashiko-v1
Nicolin Chen (11):
iommu/tegra241-cmdqv: Publish an LVCMDQ only after it is fully
initialized
iommu/tegra241-cmdqv: Synchronize the error ISR against VINTF (de)init
iommu/tegra241-cmdqv: Harden error-map index handling in the error ISR
iommu/tegra241-cmdqv: Don't run the error ISR before probe sets up
vintfs
iommu/tegra241-cmdqv: Don't fall back to a freed smmu after
devm_krealloc()
iommu/tegra241-cmdqv: Free the error IRQ before tearing down VINTFs
iommu/tegra241-cmdqv: Reject a vSID wider than the SID_MATCH field
iommu/tegra241-cmdqv: Require exactly one Stream ID for a vSID
iommu/tegra241-cmdqv: Fix VINTF0 leak on the init-failure path
iommu/tegra241-cmdqv: Warn on a VCMDQ base above the 48-bit hardware
limit
iommu/tegra241-cmdqv: Rate-limit the error ISR's log message
.../iommu/arm/arm-smmu-v3/tegra241-cmdqv.c | 224 ++++++++++++------
1 file changed, 156 insertions(+), 68 deletions(-)
--
2.43.0
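The first, third and tenth patches in the list above share one defensive pattern: a queue slot must be published only after it is fully initialized, the error ISR must tolerate an unpublished or already torn-down slot and an error-map bit beyond the slot count, and a queue base must fit the 48-bit limit. The block below is an added user-space model of that pattern, written for this page; it is not the driver's code, and every name, the slot count, the error-map size and the vSID field width are constructed assumptions. It uses C11 release/acquire atomics where the kernel would use its own publish primitives and IRQ quiescing.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model; none of these names or sizes come from the driver. */
#define NUM_LVCMDQS    4                    /* queue slots per VINTF (constructed) */
#define ERR_MAP_WORDS  2                    /* 64-bit words in the error map (constructed) */
#define VCMDQ_BASE_MAX ((1ULL << 48) - 1)   /* 48-bit base limit, as the cover letter states */

struct lvcmdq {
	unsigned int idx;
	uint64_t base;
	bool hw_ready;                      /* set last, before the slot is published */
};

struct vintf {
	/* Slots are published with release and read by the ISR with acquire. */
	_Atomic(struct lvcmdq *) lvcmdqs[NUM_LVCMDQS];
	uint64_t err_map[ERR_MAP_WORDS];    /* one bit per LVCMDQ index, as "hardware" reports it */
};

/* True when a queue base fits the 48-bit limit. */
bool vcmdq_base_ok(uint64_t base)
{
	return base <= VCMDQ_BASE_MAX;
}

/* True when a vSID fits a SID_MATCH field of `field_bits` bits (width is an assumption). */
bool vsid_fits_field(uint32_t vsid, unsigned int field_bits)
{
	return field_bits >= 32 || (vsid >> field_bits) == 0;
}

/* Fully initialize a slot, then publish it; the ISR never sees a half-built queue. */
int lvcmdq_init(struct vintf *vintf, unsigned int idx, uint64_t base)
{
	struct lvcmdq *q;

	if (idx >= NUM_LVCMDQS || !vcmdq_base_ok(base))
		return -1;
	q = calloc(1, sizeof(*q));
	if (!q)
		return -1;
	q->idx = idx;
	q->base = base;
	q->hw_ready = true;
	/* Release store: every field above is visible before the pointer is. */
	atomic_store_explicit(&vintf->lvcmdqs[idx], q, memory_order_release);
	return 0;
}

/* Unpublish first, then free; in the kernel the IRQ is quiesced in between (assumption). */
void lvcmdq_deinit(struct vintf *vintf, unsigned int idx)
{
	struct lvcmdq *q;

	if (idx >= NUM_LVCMDQS)
		return;
	q = atomic_exchange_explicit(&vintf->lvcmdqs[idx], NULL, memory_order_acq_rel);
	free(q);
}

/* ISR model: walk the error map, skip out-of-range bits and unpublished slots,
 * record each published queue with an error, and return how many there were. */
int error_isr(struct vintf *vintf, unsigned int *handled, unsigned int max)
{
	int n = 0;

	for (unsigned int w = 0; w < ERR_MAP_WORDS; w++) {
		uint64_t map = vintf->err_map[w];

		while (map) {
			unsigned int idx = w * 64 + (unsigned int)__builtin_ctzll(map);
			struct lvcmdq *q;

			map &= map - 1;             /* clear the lowest set bit */
			if (idx >= NUM_LVCMDQS)
				continue;               /* bit beyond our slot count: ignore */
			q = atomic_load_explicit(&vintf->lvcmdqs[idx], memory_order_acquire);
			if (!q || !q->hw_ready)
				continue;               /* not published yet, or already torn down */
			if (handled && (unsigned int)n < max)
				handled[n] = idx;
			n++;
		}
	}
	return n;
}

/* Scenario on constructed inputs; returns 0 on success, else the failing step. */
int demo(void)
{
	struct vintf v;
	unsigned int handled[NUM_LVCMDQS];

	for (unsigned int i = 0; i < NUM_LVCMDQS; i++)
		atomic_init(&v.lvcmdqs[i], NULL);
	memset(v.err_map, 0, sizeof(v.err_map));
	if (lvcmdq_init(&v, 0, 0x1000) != 0)            return 1;
	if (lvcmdq_init(&v, 1, 1ULL << 48) != -1)       return 2; /* base above 48 bits */
	if (lvcmdq_init(&v, NUM_LVCMDQS, 0x1000) != -1) return 3; /* slot out of range */
	/* Bits 0 and 1 are in range; slot 1 is unpublished; bits 63 and 64 exceed the slot count. */
	v.err_map[0] = (1ULL << 0) | (1ULL << 1) | (1ULL << 63);
	v.err_map[1] = 1ULL;
	if (error_isr(&v, handled, NUM_LVCMDQS) != 1 || handled[0] != 0) return 4;
	lvcmdq_deinit(&v, 0);
	if (error_isr(&v, handled, NUM_LVCMDQS) != 0)   return 5; /* slot gone: nothing to touch */
	return 0;
}
```

The point of the model is the ordering, not the data structures: the slot pointer is the only thing the ISR trusts, it is stored after every field it guards, and teardown clears it before the memory is released, so the ISR can only ever observe NULL or a complete queue.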