The mutex and refcount handling will become more complicated once we
introduce replace support for access. So, as a preparatory change, add
a core helper iommufd_access_change_ioas() and its wrapper
iommufd_access_change_ioas_id(). They can take over the work of the
existing iommufd_access_attach() and iommufd_access_detach(), with less
risk of race conditions.
Also, update the unprotect routine in iommufd_access_destroy_object()
to call the new iommufd_access_change_ioas() helper.
Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
---
drivers/iommu/iommufd/device.c | 123 +++++++++++++++++++++------------
1 file changed, 80 insertions(+), 43 deletions(-)
diff --git a/drivers/iommu/iommufd/device.c b/drivers/iommu/iommufd/device.c
index 7a3e8660b902..e79cbedd8626 100644
--- a/drivers/iommu/iommufd/device.c
+++ b/drivers/iommu/iommufd/device.c
@@ -684,17 +684,82 @@ void iommufd_device_detach(struct iommufd_device *idev)
}
EXPORT_SYMBOL_NS_GPL(iommufd_device_detach, IOMMUFD);
+/*
+ * On success, it will refcount_inc() at a valid new_ioas and refcount_dec() at
+ * a valid cur_ioas (access->ioas). A caller passing in a valid new_ioas should
+ * call iommufd_put_object() if it does an iommufd_get_object() for a new_ioas.
+ */
+static int iommufd_access_change_ioas(struct iommufd_access *access,
+ struct iommufd_ioas *new_ioas)
+{
+ u32 iopt_access_list_id = access->iopt_access_list_id;
+ struct iommufd_ioas *cur_ioas = access->ioas;
+ int rc;
+
+ lockdep_assert_held(&access->ioas_lock);
+
+ /* We are racing with a concurrent detach, bail */
+ if (cur_ioas != access->ioas_unpin)
+ return -EBUSY;
+
+ if (IS_ERR(new_ioas))
+ return PTR_ERR(new_ioas);
+
+ if (cur_ioas == new_ioas)
+ return 0;
+
+ /*
+ * Set ioas to NULL to block any further iommufd_access_pin_pages().
+ * iommufd_access_unpin_pages() can continue using access->ioas_unpin.
+ */
+ access->ioas = NULL;
+
+ if (new_ioas) {
+ rc = iopt_add_access(&new_ioas->iopt, access);
+ if (rc) {
+ access->ioas = cur_ioas;
+ return rc;
+ }
+ refcount_inc(&new_ioas->obj.users);
+ }
+
+ if (cur_ioas) {
+ if (access->ops->unmap) {
+ mutex_unlock(&access->ioas_lock);
+ access->ops->unmap(access->data, 0, ULONG_MAX);
+ mutex_lock(&access->ioas_lock);
+ }
+ iopt_remove_access(&cur_ioas->iopt, access, iopt_access_list_id);
+ refcount_dec(&cur_ioas->obj.users);
+ }
+
+ access->ioas = new_ioas;
+ access->ioas_unpin = new_ioas;
+
+ return 0;
+}
+
+static int iommufd_access_change_ioas_id(struct iommufd_access *access, u32 id)
+{
+ struct iommufd_ioas *ioas = iommufd_get_ioas(access->ictx, id);
+ int rc;
+
+ if (IS_ERR(ioas))
+ return PTR_ERR(ioas);
+ rc = iommufd_access_change_ioas(access, ioas);
+ iommufd_put_object(&ioas->obj);
+ return rc;
+}
+
void iommufd_access_destroy_object(struct iommufd_object *obj)
{
struct iommufd_access *access =
container_of(obj, struct iommufd_access, obj);
- if (access->ioas) {
- iopt_remove_access(&access->ioas->iopt, access,
- access->iopt_access_list_id);
- refcount_dec(&access->ioas->obj.users);
- access->ioas = NULL;
- }
+ mutex_lock(&access->ioas_lock);
+ if (access->ioas)
+ WARN_ON(iommufd_access_change_ioas(access, NULL));
+ mutex_unlock(&access->ioas_lock);
iommufd_ctx_put(access->ictx);
}
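Review bot: The unlock/relock around `access->ops->unmap()` in iommufd_access_change_ioas() depends on an invariant that is not written down: while the lock is dropped, `access->ioas` is NULL but `access->ioas_unpin` still holds cur_ioas, so any concurrent call into this helper fails the `cur_ioas != access->ioas_unpin` test and returns -EBUSY. Nothing is re-checked after `mutex_lock()` is retaken, so the later `iopt_remove_access()` and `refcount_dec()` are only safe as long as both fields are written last, as they are here. I would put that next to the unlock, e.g. `/* ioas is NULL and ioas_unpin == cur_ioas here, so a concurrent change_ioas() gets -EBUSY until we finish */`. Separately, iommufd_access_destroy_object() now reaches this callback through the helper, which the removed destroy code never did; if the callback may rely on state that is already being torn down at destroy time (not visible in this hunk), that deserves a sentence in the helper's header comment.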
@@ -761,60 +826,32 @@ EXPORT_SYMBOL_NS_GPL(iommufd_access_destroy, IOMMUFD);
void iommufd_access_detach(struct iommufd_access *access)
{
- struct iommufd_ioas *cur_ioas = access->ioas;
+ int rc;
mutex_lock(&access->ioas_lock);
- if (WARN_ON(!access->ioas))
- goto out;
- /*
- * Set ioas to NULL to block any further iommufd_access_pin_pages().
- * iommufd_access_unpin_pages() can continue using access->ioas_unpin.
- */
- access->ioas = NULL;
-
- if (access->ops->unmap) {
+ if (WARN_ON(!access->ioas)) {
mutex_unlock(&access->ioas_lock);
- access->ops->unmap(access->data, 0, ULONG_MAX);
- mutex_lock(&access->ioas_lock);
+ return;
}
- iopt_remove_access(&cur_ioas->iopt, access,
- access->iopt_access_list_id);
- refcount_dec(&cur_ioas->obj.users);
-out:
- access->ioas_unpin = NULL;
+ rc = iommufd_access_change_ioas(access, NULL);
+ WARN_ON(rc);
mutex_unlock(&access->ioas_lock);
}
EXPORT_SYMBOL_NS_GPL(iommufd_access_detach, IOMMUFD);
int iommufd_access_attach(struct iommufd_access *access, u32 ioas_id)
{
- struct iommufd_ioas *new_ioas;
- int rc = 0;
+ int rc;
mutex_lock(&access->ioas_lock);
- if (WARN_ON(access->ioas || access->ioas_unpin)) {
+ if (WARN_ON(access->ioas)) {
mutex_unlock(&access->ioas_lock);
return -EINVAL;
}
- new_ioas = iommufd_get_ioas(access->ictx, ioas_id);
- if (IS_ERR(new_ioas)) {
- mutex_unlock(&access->ioas_lock);
- return PTR_ERR(new_ioas);
- }
-
- rc = iopt_add_access(&new_ioas->iopt, access);
- if (rc) {
- mutex_unlock(&access->ioas_lock);
- iommufd_put_object(&new_ioas->obj);
- return rc;
- }
- iommufd_ref_to_users(&new_ioas->obj);
-
- access->ioas = new_ioas;
- access->ioas_unpin = new_ioas;
+ rc = iommufd_access_change_ioas_id(access, ioas_id);
mutex_unlock(&access->ioas_lock);
- return 0;
+ return rc;
}
EXPORT_SYMBOL_NS_GPL(iommufd_access_attach, IOMMUFD);
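Review bot: iommufd_access_attach() now has a different error contract that is not documented: the guard dropped `access->ioas_unpin`, so an attach that arrives while a detach is still inside the unlocked unmap window (ioas NULL, ioas_unpin set) no longer hits the WARN_ON and -EINVAL, and instead gets -EBUSY from iommufd_access_change_ioas(). Because the IOAS lookup in iommufd_access_change_ioas_id() runs before that check, a bad ioas_id is reported in preference to -EBUSY. A short comment above the function would let callers handle it, e.g. `/* Returns -EBUSY if a previous detach has not finished (ioas_unpin still set) */`. In iommufd_access_detach() the early return also no longer clears `ioas_unpin` as the removed `out:` label did; that looks intentional, since a detach already in progress still owns that field, but the hunk does not say so.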
--
2.41.0
> From: Nicolin Chen <nicolinc@nvidia.com> > Sent: Friday, July 28, 2023 4:25 AM > > +static int iommufd_access_change_ioas(struct iommufd_access *access, > + struct iommufd_ioas *new_ioas) > +{ > + u32 iopt_access_list_id = access->iopt_access_list_id; > + struct iommufd_ioas *cur_ioas = access->ioas; > + int rc; > + > + lockdep_assert_held(&access->ioas_lock); > + > + /* We are racing with a concurrent detach, bail */ > + if (cur_ioas != access->ioas_unpin) > + return -EBUSY; > + > + if (IS_ERR(new_ioas)) > + return PTR_ERR(new_ioas); iommufd_access_change_ioas_id() already checks errors. > + > void iommufd_access_destroy_object(struct iommufd_object *obj) > { > struct iommufd_access *access = > container_of(obj, struct iommufd_access, obj); > > - if (access->ioas) { > - iopt_remove_access(&access->ioas->iopt, access, > - access->iopt_access_list_id); > - refcount_dec(&access->ioas->obj.users); > - access->ioas = NULL; > - } > + mutex_lock(&access->ioas_lock); > + if (access->ioas) > + WARN_ON(iommufd_access_change_ioas(access, NULL)); > + mutex_unlock(&access->ioas_lock); > iommufd_ctx_put(access->ictx); > } this changes the behavior of destroy. Previously it always removes the access w/o detecting race while now it will give up and throw out a warning. While I'm fine with this change from bisec p.o.v. it might be good to split this into a separate patch. > void iommufd_access_detach(struct iommufd_access *access) > { > - struct iommufd_ioas *cur_ioas = access->ioas; > + int rc; > > mutex_lock(&access->ioas_lock); > - if (WARN_ON(!access->ioas)) > - goto out; > - /* > - * Set ioas to NULL to block any further iommufd_access_pin_pages(). > - * iommufd_access_unpin_pages() can continue using access- > >ioas_unpin. 
> - */ > - access->ioas = NULL; > - > - if (access->ops->unmap) { > + if (WARN_ON(!access->ioas)) { > mutex_unlock(&access->ioas_lock); > - access->ops->unmap(access->data, 0, ULONG_MAX); > - mutex_lock(&access->ioas_lock); > + return; > } > - iopt_remove_access(&cur_ioas->iopt, access, > - access->iopt_access_list_id); > - refcount_dec(&cur_ioas->obj.users); > -out: > - access->ioas_unpin = NULL; > + rc = iommufd_access_change_ioas(access, NULL); > + WARN_ON(rc); 'rc' can be removed. Just "WARN_ON(iommufd_access_change_ioas(access, NULL));" otherwise looks good to me, Reviewed-by: Kevin Tian <kevin.tian@intel.com>
On Fri, Jul 28, 2023 at 04:23:03AM +0000, Tian, Kevin wrote: > > From: Nicolin Chen <nicolinc@nvidia.com> > > Sent: Friday, July 28, 2023 4:25 AM > > > > +static int iommufd_access_change_ioas(struct iommufd_access *access, > > + struct iommufd_ioas *new_ioas) > > +{ > > + u32 iopt_access_list_id = access->iopt_access_list_id; > > + struct iommufd_ioas *cur_ioas = access->ioas; > > + int rc; > > + > > + lockdep_assert_held(&access->ioas_lock); > > + > > + /* We are racing with a concurrent detach, bail */ > > + if (cur_ioas != access->ioas_unpin) > > + return -EBUSY; > > + > > + if (IS_ERR(new_ioas)) > > + return PTR_ERR(new_ioas); > > iommufd_access_change_ioas_id() already checks errors. I've thought about that: given that iommufd_access_change_ioas is a standalone API, though it's not used anywhere else at the moment, it might be safer to have this check again. Otherwise, we would need a line of comments saying that "caller must make sure that the input new_ioas is not holding an error code" or so? > > + > > void iommufd_access_destroy_object(struct iommufd_object *obj) > > { > > struct iommufd_access *access = > > container_of(obj, struct iommufd_access, obj); > > > > - if (access->ioas) { > > - iopt_remove_access(&access->ioas->iopt, access, > > - access->iopt_access_list_id); > > - refcount_dec(&access->ioas->obj.users); > > - access->ioas = NULL; > > - } > > + mutex_lock(&access->ioas_lock); > > + if (access->ioas) > > + WARN_ON(iommufd_access_change_ioas(access, NULL)); > > + mutex_unlock(&access->ioas_lock); > > iommufd_ctx_put(access->ictx); > > } > > this changes the behavior of destroy. Previously it always removes > the access w/o detecting race while now it will give up and throw > out a warning. You mean the -EBUSY case? That's a good catch.. > While I'm fine with this change from bisec p.o.v. > it might be good to split this into a separate patch. Yea, I can do that. 
> > void iommufd_access_detach(struct iommufd_access *access) > > { > > - struct iommufd_ioas *cur_ioas = access->ioas; > > + int rc; > > > > mutex_lock(&access->ioas_lock); > > - if (WARN_ON(!access->ioas)) > > - goto out; > > - /* > > - * Set ioas to NULL to block any further iommufd_access_pin_pages(). > > - * iommufd_access_unpin_pages() can continue using access- > > >ioas_unpin. > > - */ > > - access->ioas = NULL; > > - > > - if (access->ops->unmap) { > > + if (WARN_ON(!access->ioas)) { > > mutex_unlock(&access->ioas_lock); > > - access->ops->unmap(access->data, 0, ULONG_MAX); > > - mutex_lock(&access->ioas_lock); > > + return; > > } > > - iopt_remove_access(&cur_ioas->iopt, access, > > - access->iopt_access_list_id); > > - refcount_dec(&cur_ioas->obj.users); > > -out: > > - access->ioas_unpin = NULL; > > + rc = iommufd_access_change_ioas(access, NULL); > > + WARN_ON(rc); > > 'rc' can be removed. > > Just "WARN_ON(iommufd_access_change_ioas(access, NULL));" Will do that in v11. > otherwise looks good to me, > > Reviewed-by: Kevin Tian <kevin.tian@intel.com> Thanks! Nic
> From: Nicolin Chen <nicolinc@nvidia.com> > Sent: Friday, July 28, 2023 12:37 PM > > On Fri, Jul 28, 2023 at 04:23:03AM +0000, Tian, Kevin wrote: > > > From: Nicolin Chen <nicolinc@nvidia.com> > > > Sent: Friday, July 28, 2023 4:25 AM > > > > > > +static int iommufd_access_change_ioas(struct iommufd_access *access, > > > + struct iommufd_ioas *new_ioas) > > > +{ > > > + u32 iopt_access_list_id = access->iopt_access_list_id; > > > + struct iommufd_ioas *cur_ioas = access->ioas; > > > + int rc; > > > + > > > + lockdep_assert_held(&access->ioas_lock); > > > + > > > + /* We are racing with a concurrent detach, bail */ > > > + if (cur_ioas != access->ioas_unpin) > > > + return -EBUSY; > > > + > > > + if (IS_ERR(new_ioas)) > > > + return PTR_ERR(new_ioas); > > > > iommufd_access_change_ioas_id() already checks errors. > > I've thought about that: given that iommufd_access_change_ioas > is a standalone API, though it's not used anywhere else at the > moment, it might be safer to have this check again. Otherwise, > we would need a line of comments saying that "caller must make > sure that the input new_ioas is not holding an error code" or > so? > I don't think it's a common practice for the caller to pass in an error pointer when it already knows it's an error...
On Fri, Jul 28, 2023 at 04:41:18AM +0000, Tian, Kevin wrote: > > From: Nicolin Chen <nicolinc@nvidia.com> > > Sent: Friday, July 28, 2023 12:37 PM > > > > On Fri, Jul 28, 2023 at 04:23:03AM +0000, Tian, Kevin wrote: > > > > From: Nicolin Chen <nicolinc@nvidia.com> > > > > Sent: Friday, July 28, 2023 4:25 AM > > > > > > > > +static int iommufd_access_change_ioas(struct iommufd_access *access, > > > > + struct iommufd_ioas *new_ioas) > > > > +{ > > > > + u32 iopt_access_list_id = access->iopt_access_list_id; > > > > + struct iommufd_ioas *cur_ioas = access->ioas; > > > > + int rc; > > > > + > > > > + lockdep_assert_held(&access->ioas_lock); > > > > + > > > > + /* We are racing with a concurrent detach, bail */ > > > > + if (cur_ioas != access->ioas_unpin) > > > > + return -EBUSY; > > > > + > > > > + if (IS_ERR(new_ioas)) > > > > + return PTR_ERR(new_ioas); > > > > > > iommufd_access_change_ioas_id() already checks errors. > > > > I've thought about that: given that iommufd_access_change_ioas > > is a standalone API, though it's not used anywhere else at the > > moment, it might be safer to have this check again. Otherwise, > > we would need a line of comments saying that "caller must make > > sure that the input new_ioas is not holding an error code" or > > so? > > > > I don't think it's a common practice for the caller to pass in > an error pointer when it already knows it's an error... OK. I will just drop it then.