Message-ID: <20251107194158.GB1932966@nvidia.com>
Date: Fri, 7 Nov 2025 15:41:58 -0400
From: Jason Gunthorpe <jgg@...dia.com>
To: Nicolin Chen <nicolinc@...dia.com>
Cc: will@...nel.org, jean-philippe@...aro.org, robin.murphy@....com,
joro@...tes.org, balbirs@...dia.com, miko.lenczewski@....com,
peterz@...radead.org, kevin.tian@...el.com, praan@...gle.com,
linux-arm-kernel@...ts.infradead.org, iommu@...ts.linux.dev,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4 3/7] iommu/arm-smmu-v3: Introduce a per-domain arm_smmu_invs array
On Mon, Oct 27, 2025 at 11:54:17AM -0700, Nicolin Chen wrote:
> +struct arm_smmu_invs *arm_smmu_invs_merge(struct arm_smmu_invs *invs,
> + struct arm_smmu_invs *to_merge)
> +{
> + struct arm_smmu_invs *new_invs;
> + struct arm_smmu_inv *new;
> + size_t num_trashes = 0;
> + size_t num_adds = 0;
> + size_t i, j;
> +
> + for (i = j = 0; i != invs->num_invs || j != to_merge->num_invs;) {
> + int cmp = arm_smmu_invs_cmp(invs, i, to_merge, j);
> +
> + /* Skip any unwanted trash entry */
> + if (cmp < 0 && !refcount_read(&invs->inv[i].users)) {
Do we need cmp < 0 here and in all these other similar ifs? Can't we
just fully ignore trash entries no matter how they compare to the
other list?
If cmp == 0 and we do num_trash++ then the next iteration will see j
as cmp > 1 so it will do num_adds++ and the two will cancel out.
> + num_trashes++;
> + i++;
> + continue;
> + }
> +
> + if (cmp < 0) {
> + /* not found in to_merge, leave alone */
> + i++;
> + } else if (cmp == 0) {
> + /* same item */
> + i++;
> + j++;
> + } else {
> + /* unique to to_merge */
> + num_adds++;
> + j++;
> + }
> + }
> +
> + new_invs = arm_smmu_invs_alloc(invs->num_invs - num_trashes + num_adds);
> + if (IS_ERR(new_invs))
> + return new_invs;
> +
> + new = new_invs->inv;
> + for (i = j = 0; i != invs->num_invs || j != to_merge->num_invs;) {
> + int cmp = arm_smmu_invs_cmp(invs, i, to_merge, j);
> +
> + if (cmp <= 0 && !refcount_read(&invs->inv[i].users)) {
> + i++;
> + continue;
> + }
> +
> + if (cmp < 0) {
> + *new = invs->inv[i];
> + i++;
> + } else if (cmp == 0) {
> + *new = invs->inv[i];
> + refcount_inc(&new->users);
> + i++;
> + j++;
> + } else {
> + *new = to_merge->inv[j];
> + refcount_set(&new->users, 1);
> + j++;
> + }
> +
> + if (new != new_invs->inv)
> + WARN_ON_ONCE(arm_smmu_inv_cmp(new - 1, new) == 1);
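Review bot: the trash-skip test in this second pass, `if (cmp <= 0 && !refcount_read(&invs->inv[i].users))`, does not match the `cmp < 0 && ...` test used in the counting pass above, so the two passes classify a zero-refcount entry that also appears in to_merge differently: the first pass counts it as one kept "same item", while the second pass drops it and then emits the to_merge copy with `refcount_set(&new->users, 1)` on the following iteration. The allocated size still works out, but that equivalence is not obvious from the code; either use the same condition in both passes or add a comment explaining why the counts line up. Also, `WARN_ON_ONCE(arm_smmu_inv_cmp(new - 1, new) == 1)` only fires when the comparator returns exactly 1; `> 0` is the conventional check on a three-way compare result.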
I'd add a little comment here:
Check that the resulting list is sorted, this also checks that
to_merge is sorted.
> static inline void arm_smmu_domain_free(struct arm_smmu_domain *smmu_domain)
> {
> + kfree_rcu(rcu_dereference_protected(smmu_domain->invs, true), rcu);
It is working as is, but maybe a small comment
No concurrency with invalidation is possible at this point
And you can just use kfree instead of kfree_rcu.
When the domain is destroyed the caller has to guarantee it isn't
calling map/unmap/etc anymore from any parallel threads or it will
UAF. So we know there can be, and will never be, no concurrent read
side critical regions on the RCU.
Reviewed-by: Jason Gunthorpe <jgg@...dia.com>
Jason