| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f371aeacc81b069f5279fa0e2e8f58afc3902c35.1760312725.git.nicolinc@nvidia.com>
Date: Sun, 12 Oct 2025 17:04:58 -0700
From: Nicolin Chen <nicolinc@...dia.com>
To: <joro@...tes.org>, <jgg@...dia.com>, <kevin.tian@...el.com>
CC: <suravee.suthikulpanit@....com>, <will@...nel.org>,
<robin.murphy@....com>, <sven@...nel.org>, <j@...nau.net>,
<jean-philippe@...aro.org>, <robin.clark@....qualcomm.com>,
<dwmw2@...radead.org>, <baolu.lu@...ux.intel.com>, <yong.wu@...iatek.com>,
<matthias.bgg@...il.com>, <angelogioacchino.delregno@...labora.com>,
<tjeznach@...osinc.com>, <pjw@...nel.org>, <palmer@...belt.com>,
<aou@...s.berkeley.edu>, <heiko@...ech.de>, <schnelle@...ux.ibm.com>,
<mjrosato@...ux.ibm.com>, <wens@...e.org>, <jernej.skrabec@...il.com>,
<samuel@...lland.org>, <thierry.reding@...il.com>, <jonathanh@...dia.com>,
<iommu@...ts.linux.dev>, <linux-kernel@...r.kernel.org>,
<asahi@...ts.linux.dev>, <linux-arm-kernel@...ts.infradead.org>,
<linux-arm-msm@...r.kernel.org>, <linux-mediatek@...ts.infradead.org>,
<linux-riscv@...ts.infradead.org>, <linux-rockchip@...ts.infradead.org>,
<linux-s390@...r.kernel.org>, <linux-sunxi@...ts.linux.dev>,
<linux-tegra@...r.kernel.org>, <virtualization@...ts.linux.dev>,
<patches@...ts.linux.dev>
Subject: [PATCH v1 01/20] iommu: Lock group->mutex in iommu_deferred_attach()
The iommu_deferred_attach() function invokes __iommu_attach_device() while
not holding the group->mutex, like other __iommu_attach_device() callers.
Though there is no pratical bug being triggered so far, it would be better
to apply the same locking to this __iommu_attach_device(), since the IOMMU
drivers nowaday are more aware of the group->mutex -- some of them use the
iommu_group_mutex_assert() function that could be potentially in the path
of an attach_dev callback function invoked by the __iommu_attach_device().
The iommu_deferred_attach() will soon need to invoke a new domain op that
must be locked with __iommu_attach_device under group->mutex.
So, grab the mutex to guard __iommu_attach_device() like other callers.
Reviewed-by: Jason Gunthorpe <jgg@...dia.com>
Reviewed-by: Kevin Tian <kevin.tian@...el.com>
Signed-off-by: Nicolin Chen <nicolinc@...dia.com>
---
drivers/iommu/iommu.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index 2ca990dfbb884..170e522b5bda4 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -2185,10 +2185,17 @@ EXPORT_SYMBOL_GPL(iommu_attach_device);
int iommu_deferred_attach(struct device *dev, struct iommu_domain *domain)
{
- if (dev->iommu && dev->iommu->attach_deferred)
- return __iommu_attach_device(domain, dev, NULL);
+ /*
+ * This is called on the dma mapping fast path so avoid locking. This is
+ * racy, but we have an expectation that the driver will setup its DMAs
+ * inside probe while being single threaded to avoid racing.
+ */
+ if (!dev->iommu || !dev->iommu->attach_deferred)
+ return 0;
- return 0;
+ guard(mutex)(&dev->iommu_group->mutex);
+
+ return __iommu_attach_device(domain, dev, NULL);
}
void iommu_detach_device(struct iommu_domain *domain, struct device *dev)
--
2.43.0
Powered by blists - more mailing lists