From: Alex Williamson <alex.williamson@redhat.com>
To: Jason Gunthorpe <jgg@nvidia.com>
Cc: Cornelia Huck <cohuck@redhat.com>,
iommu@lists.linux.dev, Joerg Roedel <joro@8bytes.org>,
kvm@vger.kernel.org, Will Deacon <will@kernel.org>,
Qian Cai <cai@lca.pw>, Joerg Roedel <jroedel@suse.de>,
Marek Szyprowski <m.szyprowski@samsung.com>,
Matthew Rosato <mjrosato@linux.ibm.com>,
Robin Murphy <robin.murphy@arm.com>
Subject: Re: [PATCH 2/4] vfio: Move the sanity check of the group to vfio_create_group()
Date: Thu, 22 Sep 2022 13:10:50 -0600 [thread overview]
Message-ID: <20220922131050.7136481f.alex.williamson@redhat.com> (raw)
In-Reply-To: <2-v1-ef00ffecea52+2cb-iommu_group_lifetime_jgg@nvidia.com>
On Thu, 8 Sep 2022 15:44:59 -0300
Jason Gunthorpe <jgg@nvidia.com> wrote:
> __vfio_register_dev() has a bit of code to sanity check if an (existing)
> group is not corrupted by having two copies of the same struct device in
> it. This should be impossible.
>
> It then has some complicated error unwind to uncreate the group.
>
> Instead check if the existing group is sane at the same time we locate
> it. If a bug is found then there is no error unwind, just simply fail
> allocation.
>
> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
> ---
> drivers/vfio/vfio_main.c | 79 ++++++++++++++++++----------------------
> 1 file changed, 36 insertions(+), 43 deletions(-)
>
> diff --git a/drivers/vfio/vfio_main.c b/drivers/vfio/vfio_main.c
> index 4ab13808b536e1..ba8b6bed12c7e7 100644
> --- a/drivers/vfio/vfio_main.c
> +++ b/drivers/vfio/vfio_main.c
> @@ -306,15 +306,15 @@ static void vfio_container_put(struct vfio_container *container)
> * Group objects - create, release, get, put, search
> */
> static struct vfio_group *
> -__vfio_group_get_from_iommu(struct iommu_group *iommu_group)
> +vfio_group_find_from_iommu(struct iommu_group *iommu_group)
> {
> struct vfio_group *group;
>
> + lockdep_assert_held(&vfio.group_lock);
> +
> list_for_each_entry(group, &vfio.group_list, vfio_next) {
> - if (group->iommu_group == iommu_group) {
> - vfio_group_get(group);
> + if (group->iommu_group == iommu_group)
> return group;
> - }
> }
> return NULL;
> }
> @@ -365,11 +365,27 @@ static struct vfio_group *vfio_group_alloc(struct iommu_group *iommu_group,
> return group;
> }
>
> +static bool vfio_group_has_device(struct vfio_group *group, struct device *dev)
> +{
> + struct vfio_device *device;
> +
> + mutex_lock(&group->device_lock);
> + list_for_each_entry(device, &group->device_list, group_next) {
> + if (device->dev == dev) {
> + mutex_unlock(&group->device_lock);
> + return true;
> + }
> + }
> + mutex_unlock(&group->device_lock);
> + return false;
> +}
> +
> /*
> * Return a struct vfio_group * for the given iommu_group. If no vfio_group
> * already exists then create a new one.
> */
> -static struct vfio_group *vfio_get_group(struct iommu_group *iommu_group,
> +static struct vfio_group *vfio_get_group(struct device *dev,
> + struct iommu_group *iommu_group,
> enum vfio_group_type type)
> {
> struct vfio_group *group;
> @@ -378,13 +394,20 @@ static struct vfio_group *vfio_get_group(struct iommu_group *iommu_group,
>
> mutex_lock(&vfio.group_lock);
>
> - ret = __vfio_group_get_from_iommu(iommu_group);
> - if (ret)
> - goto err_unlock;
> + ret = vfio_group_find_from_iommu(iommu_group);
> + if (ret) {
> + if (WARN_ON(vfio_group_has_device(ret, dev))) {
> + ret = ERR_PTR(-EINVAL);
> + goto out_unlock;
> + }
This still looks racy. We only know within vfio_group_has_device() that
the device is not present in the group, what prevents a race between
here and when we finally do add it to group->device_list? We can't
make any guarantees if we drop group->device_lock between test and add.
The semantics of vfio_get_group() are also rather strange, 'return a
vfio_group for this iommu_group, but make sure it doesn't include this
device' :-\ Thanks,
Alex
next prev parent reply other threads:[~2022-09-22 19:10 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-08 18:44 [PATCH 0/4] Fix splats releated to using the iommu_group after destroying devices Jason Gunthorpe
2022-09-08 18:44 ` [PATCH 1/4] vfio: Simplify vfio_create_group() Jason Gunthorpe
2022-09-20 19:45 ` Matthew Rosato
2022-09-08 18:44 ` [PATCH 2/4] vfio: Move the sanity check of the group to vfio_create_group() Jason Gunthorpe
2022-09-22 19:10 ` Alex Williamson [this message]
2022-09-22 19:36 ` Jason Gunthorpe
2022-09-22 21:23 ` Alex Williamson
2022-09-22 23:12 ` Jason Gunthorpe
2022-09-08 18:45 ` [PATCH 3/4] vfio: Follow a strict lifetime for struct iommu_group * Jason Gunthorpe
2022-09-20 19:32 ` Matthew Rosato
2022-09-08 18:45 ` [PATCH 4/4] iommu: Fix ordering of iommu_release_device() Jason Gunthorpe
2022-09-08 21:05 ` Robin Murphy
2022-09-08 21:27 ` Robin Murphy
2022-09-08 21:43 ` Jason Gunthorpe
2022-09-09 9:05 ` Robin Murphy
2022-09-09 13:25 ` Jason Gunthorpe
2022-09-09 17:57 ` Robin Murphy
2022-09-09 18:30 ` Jason Gunthorpe
2022-09-09 19:55 ` Robin Murphy
2022-09-09 23:45 ` Jason Gunthorpe
2022-09-12 11:13 ` Robin Murphy
2022-09-22 16:56 ` Jason Gunthorpe
2022-09-09 12:49 ` [PATCH 0/4] Fix splats releated to using the iommu_group after destroying devices Matthew Rosato
2022-09-09 16:24 ` Jason Gunthorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220922131050.7136481f.alex.williamson@redhat.com \
--to=alex.williamson@redhat.com \
--cc=cai@lca.pw \
--cc=cohuck@redhat.com \
--cc=iommu@lists.linux.dev \
--cc=jgg@nvidia.com \
--cc=joro@8bytes.org \
--cc=jroedel@suse.de \
--cc=kvm@vger.kernel.org \
--cc=m.szyprowski@samsung.com \
--cc=mjrosato@linux.ibm.com \
--cc=robin.murphy@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).