The Linux Kernel Mailing List
From: Nicolin Chen <nicolinc@nvidia.com>
To: Will Deacon <will@kernel.org>
Cc: Robin Murphy <robin.murphy@arm.com>,
	"Joerg Roedel (AMD)" <joro@8bytes.org>,
	Jason Gunthorpe <jgg@nvidia.com>, <linux-tegra@vger.kernel.org>,
	<linux-arm-kernel@lists.infradead.org>, <iommu@lists.linux.dev>,
	<linux-kernel@vger.kernel.org>
Subject: [PATCH v1 00/11] iommu/tegra241-cmdqv: Fix error-interrupt races and VINTF lifecycle bugs
Date: Thu, 2 Jul 2026 22:31:26 -0700
Message-ID: <cover.1783054570.git.nicolinc@nvidia.com>

These fix a cluster of bugs reported by Sashiko during patch reviews. The
patches are ordered roughly most-critical-first, so some later ones fix
smaller pre-existing issues in the same functions that earlier patches
touch.

Issues fixed:
  - the error ISR racing VINTF (de)init and reading a NULL, freed, or not
    yet fully initialized slot
  - the probe fallback dereferencing an smmu freed by devm_krealloc()
  - a guest vSID programmed without validating its width or the device's
    Stream ID count
  - VINTF0 leaked on an init-failure path
  - error-map index/bounds handling and a VCMDQ base above the 48-bit limit
  - the error ISR flooding the kernel log under repeated guest errors

False positives raised by Sashiko:
  - a viommu outliving an SMMU unbind and touching freed memory on close: a
    physical IOMMU is not a pluggable device, so iommufd holds no reference
    on the one behind a viommu, and this teardown cannot arise.
  - the ISR running after cmdqv is freed on probe failure: free_irq() runs
    first from tegra241_cmdqv_remove(), the devm device_remove action,
    which devres invokes before the cmdqv allocation is released.
  - a guest never acking its VCMDQ error wedging the shared interrupt: the
    interrupt is edge-signaled per event, and the host ISR only snapshots
    the error map into the guest's bounded vEVENTQ, never depending on a
    guest-side GERRORN ack.
  - the ISR accessing a de-assigned LVCMDQ page after a VINTF hw_init()
    failure: the page remains a mapped MMIO region backed by empty
    registers, so reads are benign and writes are dropped.

In parallel to Shameer's Tegra241 CMDQV CMD_SYNC use-after-free fix:
https://lore.kernel.org/all/20260629094106.251694-1-skolothumtho@nvidia.com/

This is on github:
https://github.com/nicolinc/iommufd/commits/fix_cmdqv_sashiko-v1

Nicolin Chen (11):
  iommu/tegra241-cmdqv: Publish an LVCMDQ only after it is fully
    initialized
  iommu/tegra241-cmdqv: Synchronize the error ISR against VINTF (de)init
  iommu/tegra241-cmdqv: Harden error-map index handling in the error ISR
  iommu/tegra241-cmdqv: Don't run the error ISR before probe sets up
    vintfs
  iommu/tegra241-cmdqv: Don't fall back to a freed smmu after
    devm_krealloc()
  iommu/tegra241-cmdqv: Free the error IRQ before tearing down VINTFs
  iommu/tegra241-cmdqv: Reject a vSID wider than the SID_MATCH field
  iommu/tegra241-cmdqv: Require exactly one Stream ID for a vSID
  iommu/tegra241-cmdqv: Fix VINTF0 leak on the init-failure path
  iommu/tegra241-cmdqv: Warn on a VCMDQ base above the 48-bit hardware
    limit
  iommu/tegra241-cmdqv: Rate-limit the error ISR's log message

 .../iommu/arm/arm-smmu-v3/tegra241-cmdqv.c    | 224 ++++++++++++------
 1 file changed, 156 insertions(+), 68 deletions(-)

-- 
2.43.0

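The first three patches in the series (publishing an LVCMDQ only after it is fully initialized, synchronizing the error ISR against VINTF (de)init, and hardening error-map index handling) all come down to one pattern: never let the interrupt handler reach a slot that is NULL, freed, half-initialized, or out of range. The following userland C model illustrates that pattern; it is an added example, not the tegra241-cmdqv driver's code. Every name in it (struct vintf, struct lvcmdq, NUM_LVCMDQS, vintf_handle_err_map) is hypothetical, the error map is a constructed 64-bit bitmap, and C11 atomics stand in for the kernel's barrier primitives.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model: a VINTF owns a fixed number of LVCMDQ slots.
 * Names and sizes are illustrative, not the real driver's. */
#define NUM_LVCMDQS 8u

struct lvcmdq {
	unsigned int idx;
	uint64_t base;			/* queue base the hardware would use */
	unsigned int errors_seen;	/* errors attributed to this queue */
};

struct vintf {
	/* Published pointer per slot; NULL until the queue is fully set up. */
	struct lvcmdq *_Atomic lvcmdqs[NUM_LVCMDQS];
	unsigned int isr_skipped;	/* error bits with no published slot */
	unsigned int isr_oob;		/* error bits at or beyond NUM_LVCMDQS */
};

/* Fill in every field first, then publish with release semantics, so an
 * ISR that observes the non-NULL pointer also observes the initialized
 * fields. Publishing the pointer before the fields are written is the
 * "not yet fully initialized slot" bug the series describes. */
struct lvcmdq *vintf_init_lvcmdq(struct vintf *vintf, unsigned int idx,
				 uint64_t base)
{
	struct lvcmdq *q;

	if (idx >= NUM_LVCMDQS)
		return NULL;
	q = calloc(1, sizeof(*q));
	if (!q)
		return NULL;
	q->idx = idx;
	q->base = base;
	atomic_store_explicit(&vintf->lvcmdqs[idx], q, memory_order_release);
	return q;
}

/* Unpublish first, then free. In a real driver the free would also have
 * to wait for in-flight ISR readers (synchronize_irq() or equivalent);
 * this model has no concurrent readers, so the exchange alone suffices. */
void vintf_deinit_lvcmdq(struct vintf *vintf, unsigned int idx)
{
	struct lvcmdq *q;

	if (idx >= NUM_LVCMDQS)
		return;
	q = atomic_exchange_explicit(&vintf->lvcmdqs[idx], NULL,
				     memory_order_acq_rel);
	free(q);
}

/* Model of the error ISR. 'err_map' carries one bit per queue index.
 * Bits at or above NUM_LVCMDQS are counted and dropped instead of being
 * used to index the slot array; NULL (unpublished) slots are skipped.
 * Returns the number of queues whose error was attributed. */
unsigned int vintf_handle_err_map(struct vintf *vintf, uint64_t err_map)
{
	unsigned int handled = 0;

	while (err_map) {
		unsigned int idx = (unsigned int)__builtin_ctzll(err_map);
		struct lvcmdq *q;

		err_map &= err_map - 1;		/* clear lowest set bit */
		if (idx >= NUM_LVCMDQS) {
			vintf->isr_oob++;
			continue;
		}
		q = atomic_load_explicit(&vintf->lvcmdqs[idx],
					 memory_order_acquire);
		if (!q) {
			vintf->isr_skipped++;
			continue;
		}
		q->errors_seen++;
		handled++;
	}
	return handled;
}

/* Constructed scenario: one published queue, one never-published index,
 * one index far beyond the slot array, then a deinit. Returns 0 when the
 * ISR model behaves as intended. */
int lvcmdq_selfcheck(void)
{
	struct vintf v;

	memset(&v, 0, sizeof(v));
	if (!vintf_init_lvcmdq(&v, 1, 0x1000))
		return -1;
	if (vintf_init_lvcmdq(&v, NUM_LVCMDQS + 1, 0x2000))
		return -2;
	if (vintf_handle_err_map(&v, (1ull << 1) | (1ull << 3) | (1ull << 40)) != 1)
		return -3;
	if (v.isr_skipped != 1 || v.isr_oob != 1)
		return -4;
	vintf_deinit_lvcmdq(&v, 1);
	if (vintf_handle_err_map(&v, 1ull << 1) != 0 || v.isr_skipped != 2)
		return -5;
	return 0;
}
```

The ordering in vintf_init_lvcmdq and vintf_deinit_lvcmdq is the point: the slot pointer is the last thing written on the way in and the first thing cleared on the way out, so the handler's acquire load either sees nothing or sees a complete object. Bounds-checking the index before the array access is what keeps a malformed or unexpected error map from turning into an out-of-bounds read.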


Thread overview: 13+ messages
2026-07-03  5:31 Nicolin Chen [this message]
2026-07-03  5:31 ` [PATCH v1 01/11] iommu/tegra241-cmdqv: Publish an LVCMDQ only after it is fully initialized Nicolin Chen
2026-07-03  5:31 ` [PATCH v1 02/11] iommu/tegra241-cmdqv: Synchronize the error ISR against VINTF (de)init Nicolin Chen
2026-07-03  5:31 ` [PATCH v1 03/11] iommu/tegra241-cmdqv: Harden error-map index handling in the error ISR Nicolin Chen
2026-07-03  5:31 ` [PATCH v1 04/11] iommu/tegra241-cmdqv: Don't run the error ISR before probe sets up vintfs Nicolin Chen
2026-07-03  5:31 ` [PATCH v1 05/11] iommu/tegra241-cmdqv: Don't fall back to a freed smmu after devm_krealloc() Nicolin Chen
2026-07-03  5:31 ` [PATCH v1 06/11] iommu/tegra241-cmdqv: Free the error IRQ before tearing down VINTFs Nicolin Chen
2026-07-03  5:31 ` [PATCH v1 07/11] iommu/tegra241-cmdqv: Reject a vSID wider than the SID_MATCH field Nicolin Chen
2026-07-03  5:31 ` [PATCH v1 08/11] iommu/tegra241-cmdqv: Require exactly one Stream ID for a vSID Nicolin Chen
2026-07-03  7:11   ` Nicolin Chen
2026-07-03  5:31 ` [PATCH v1 09/11] iommu/tegra241-cmdqv: Fix VINTF0 leak on the init-failure path Nicolin Chen
2026-07-03  5:31 ` [PATCH v1 10/11] iommu/tegra241-cmdqv: Warn on a VCMDQ base above the 48-bit hardware limit Nicolin Chen
2026-07-03  5:31 ` [PATCH v1 11/11] iommu/tegra241-cmdqv: Rate-limit the error ISR's log message Nicolin Chen
