Received: by 2002:a05:7412:2a8c:b0:e2:908c:2ebd with SMTP id u12csp3101188rdh;
        Thu, 28 Sep 2023 02:37:18 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IGQ0EKkJJ5pZNqzsq/JDg+BB5EU1hg9cmjZrErq+Mg46yW5j4G/g0J7rQZS1WNcttjUjChj
X-Received: by 2002:aca:d05:0:b0:3a8:84a9:2440 with SMTP id 5-20020aca0d05000000b003a884a92440mr690070oin.25.1695893838159;
        Thu, 28 Sep 2023 02:37:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1695893838; cv=none;
        d=google.com; s=arc-20160816;
        b=uUAKCEBZvRMQrMhEp5lBZDTGt20m23ZdE8XXWps9qxQ3BvoA/dVt3WxQ8RY2+q1npr
         /lbpzh/p2tXoSQv/TP8GHtUDFTNU2W4rahzpgUgy3mos2D2VFfhJlnc6/NO/M6BJENvo
         CAv84SavV/Bn/rTt31sCQ+RCFu8HvQNtIJsETOjUyhcgJ6JY4FRmijhGi+eqi0Msaxnw
         sO6t2oYtMMwmVtLkfS8ZP0ODXueytVd+B9PUeZYPdI/d5aYyb7OQr2UBbwb9hL0l7h/p
         CxL5XIalR9B6RTQx16IBsUQUdKFBwHiSgBRuV/cRdjppg7DEzs0KlgZC5L2bNTuyytVh
         DODQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:cc:to:content-language:subject:user-agent:mime-version
         :date:message-id;
        bh=JDuDZqDIcO9ENYpK+tFTmS3IaMdHxNRUPw326X/hJak=;
        fh=PCYaf1h2EyVhA86vqhjvdu6edIH9O0Eplsdmb/iOVNg=;
        b=NvJ/gKIDwFvKzr2fMNXJMNczJewVoUMXK5aGmVLKUIx7XLQDFHac8YsjkznSyvzF3+
         9NJb88GrbPsTt7q9p+o5GkAOyjDPRtGOPNaZA5rrh2V10iZGReoI+B0Jkmkk98XRPy86
         KSLlnnpjB2LGOW+TFdtuI4kDUBMzNnHe7GE/0lDS42+9TW382dbr/5mNPnAmnqBhK72h
         wkm59YF0AJvVrzQSK99+YK5e1zP/52JYbWxglzaGxkz8aO1qD9keHSwLVZAmkzL6leh4
         DOwuoulJwO5b1g7pBp6X/0vr0yQ7lTCyR+GTI7P1y6lckqSsRLbGMq21hESHE6oGspUZ
         wVrA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from pete.vger.email (pete.vger.email. [23.128.96.36])
        by mx.google.com with ESMTPS id a73-20020a63904c000000b0057884435a7csi17182207pge.292.2023.09.28.02.37.17
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 28 Sep 2023 02:37:18 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) client-ip=23.128.96.36;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by pete.vger.email (Postfix) with ESMTP id 7D4BC804C499;
	Thu, 28 Sep 2023 02:28:04 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at pete.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231686AbjI1J1j (ORCPT <rfc822;stevenley.huang@gmail.com>
        + 99 others); Thu, 28 Sep 2023 05:27:39 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53860 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231641AbjI1J1h (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 28 Sep 2023 05:27:37 -0400
Received: from foss.arm.com (foss.arm.com [217.140.110.172])
        by lindbergh.monkeyblade.net (Postfix) with ESMTP id BDD75193
        for <linux-kernel@vger.kernel.org>; Thu, 28 Sep 2023 02:27:35 -0700 (PDT)
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
        by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id F32F51FB;
        Thu, 28 Sep 2023 02:28:13 -0700 (PDT)
Received: from [10.57.0.224] (unknown [10.57.0.224])
        by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 5AFD13F59C;
        Thu, 28 Sep 2023 02:27:34 -0700 (PDT)
Message-ID: <abdc07fb-f558-ae44-0226-a4c03909a3f4@arm.com>
Date:   Thu, 28 Sep 2023 10:27:23 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101
 Thunderbird/102.15.1
Subject: Re: [PATCH] iommu: Sanity check on param list for
 iommu_get_resv_regions
Content-Language: en-GB
To:     Dawei Li <set_pte_at@outlook.com>,
        Baolu Lu <baolu.lu@linux.intel.com>
Cc:     joro@8bytes.org, will@kernel.org, jgg@nvidia.com,
        iommu@lists.linux.dev, linux-kernel@vger.kernel.org
References: <TYTP286MB35645FDEF45FDFC91D35CE1ECAC2A@TYTP286MB3564.JPNP286.PROD.OUTLOOK.COM>
 <7c7b8981-022c-2fa8-7ee5-9c97d8e17862@linux.intel.com>
 <TYTP286MB3564BA78F5ED7E8FE4DEEE93CAC1A@TYTP286MB3564.JPNP286.PROD.OUTLOOK.COM>
From:   Robin Murphy <robin.murphy@arm.com>
In-Reply-To: <TYTP286MB3564BA78F5ED7E8FE4DEEE93CAC1A@TYTP286MB3564.JPNP286.PROD.OUTLOOK.COM>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-2.2 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS
	autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Thu, 28 Sep 2023 02:28:04 -0700 (PDT)

On 2023-09-28 09:57, Dawei Li wrote:
> Hi,
> Thanks for reviewing,
> 
> On Thu, Sep 28, 2023 at 09:33:29AM +0800, Baolu Lu wrote:
>> On 9/27/23 10:25 PM, Dawei Li wrote:
>>> In iommu_get_resv_regions(), param list is an argument supplied by caller,
>>> into which callee is supposed to insert resv regions.
>>>
>>> In other words, this 'list' argument is expected to be an empty list,
>>> so make an explicit annotation on it.
>>>
>>> Signed-off-by: Dawei Li <set_pte_at@outlook.com>
>>> ---
>>>    drivers/iommu/iommu.c | 9 +++++----
>>>    1 file changed, 5 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
>>> index 1ecac2b5c54f..a01c4a7a9d19 100644
>>> --- a/drivers/iommu/iommu.c
>>> +++ b/drivers/iommu/iommu.c
>>> @@ -813,7 +813,7 @@ int iommu_get_group_resv_regions(struct iommu_group *group,
>>>    	mutex_lock(&group->mutex);
>>>    	for_each_group_device(group, device) {
>>> -		struct list_head dev_resv_regions;
>>> +		LIST_HEAD(dev_resv_regions);
>>>    		/*
>>>    		 * Non-API groups still expose reserved_regions in sysfs,
>>> @@ -822,7 +822,6 @@ int iommu_get_group_resv_regions(struct iommu_group *group,
>>>    		if (!device->dev->iommu)
>>>    			break;
>>> -		INIT_LIST_HEAD(&dev_resv_regions);
>>>    		iommu_get_resv_regions(device->dev, &dev_resv_regions);
>>>    		ret = iommu_insert_device_resv_regions(&dev_resv_regions, head);
>>>    		iommu_put_resv_regions(device->dev, &dev_resv_regions);
>>> @@ -1061,12 +1060,11 @@ static int iommu_create_device_direct_mappings(struct iommu_domain *domain,
>>>    					       struct device *dev)
>>>    {
>>>    	struct iommu_resv_region *entry;
>>> -	struct list_head mappings;
>>>    	unsigned long pg_size;
>>> +	LIST_HEAD(mappings);
>>>    	int ret = 0;
>>>    	pg_size = domain->pgsize_bitmap ? 1UL << __ffs(domain->pgsize_bitmap) : 0;
>>> -	INIT_LIST_HEAD(&mappings);
>>>    	if (WARN_ON_ONCE(iommu_is_dma_domain(domain) && !pg_size))
>>>    		return -EINVAL;
>>> @@ -2813,6 +2811,9 @@ void iommu_get_resv_regions(struct device *dev, struct list_head *list)
>>>    {
>>>    	const struct iommu_ops *ops = dev_iommu_ops(dev);
>>> +	if (WARN_ON(!list_empty(list)))
>>> +		return;
>>
>> I don't understand why the input list *must* be empty. This interface

Yeah, the commit message really doesn't make much sense :(

> Because @list is an output-only argument, which is supposed to be filled
> by caller(inserting elements into it). If it's not empty, it's an inputing
> argument, in which case caller will take existing node (in @list) into account,
> and insert new nodes before/after them.
> Please lemme put it another way, if list argment is not empty:
> 
> Before calling:
> list: head->A
> 
> After calling
> list: head->A->B->C
> 
> It will confuse caller cuz it can't tell whether A is a valid returned
> by callee.

If a caller would be confused by appending to a non-empty list then that 
caller should avoid passing a non-empty list. But that's not the API's 
problem; in general, appending to non-empty lists is absolutely a valid 
thing to do, it's kind of the point of using a list rather than, say, 
returning an array. It seems entirely reasonable that a caller might 
want to collect the reserved regions for multiple groups into a single 
list for its own convenience, and we have absolutely no reason to 
disallow that.

Note also that your arbitrary input vs. output argument rule 
fundamentally couldn't work for this API, since actual implementations 
of ops->get_resv_regions already *do* build up the list by passing it 
around multiple different helper APIs internally (look at the call path 
through arm_smmu_get_resv_regions(), for instance).

Thanks,
Robin.

>> has already been exported, so please update the comment to explain this
>> new requirement.
>>
>>> +
>>>    	if (ops->get_resv_regions)
>>>    		ops->get_resv_regions(dev, list);
>>>    }
>>
>> Best regards,
>> baolu