Received: by 2002:a05:7412:2a8c:b0:e2:908c:2ebd with SMTP id u12csp3101188rdh; Thu, 28 Sep 2023 02:37:18 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGQ0EKkJJ5pZNqzsq/JDg+BB5EU1hg9cmjZrErq+Mg46yW5j4G/g0J7rQZS1WNcttjUjChj X-Received: by 2002:aca:d05:0:b0:3a8:84a9:2440 with SMTP id 5-20020aca0d05000000b003a884a92440mr690070oin.25.1695893838159; Thu, 28 Sep 2023 02:37:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695893838; cv=none; d=google.com; s=arc-20160816; b=uUAKCEBZvRMQrMhEp5lBZDTGt20m23ZdE8XXWps9qxQ3BvoA/dVt3WxQ8RY2+q1npr /lbpzh/p2tXoSQv/TP8GHtUDFTNU2W4rahzpgUgy3mos2D2VFfhJlnc6/NO/M6BJENvo CAv84SavV/Bn/rTt31sCQ+RCFu8HvQNtIJsETOjUyhcgJ6JY4FRmijhGi+eqi0Msaxnw sO6t2oYtMMwmVtLkfS8ZP0ODXueytVd+B9PUeZYPdI/d5aYyb7OQr2UBbwb9hL0l7h/p CxL5XIalR9B6RTQx16IBsUQUdKFBwHiSgBRuV/cRdjppg7DEzs0KlgZC5L2bNTuyytVh DODQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=JDuDZqDIcO9ENYpK+tFTmS3IaMdHxNRUPw326X/hJak=; fh=PCYaf1h2EyVhA86vqhjvdu6edIH9O0Eplsdmb/iOVNg=; b=NvJ/gKIDwFvKzr2fMNXJMNczJewVoUMXK5aGmVLKUIx7XLQDFHac8YsjkznSyvzF3+ 9NJb88GrbPsTt7q9p+o5GkAOyjDPRtGOPNaZA5rrh2V10iZGReoI+B0Jkmkk98XRPy86 KSLlnnpjB2LGOW+TFdtuI4kDUBMzNnHe7GE/0lDS42+9TW382dbr/5mNPnAmnqBhK72h wkm59YF0AJvVrzQSK99+YK5e1zP/52JYbWxglzaGxkz8aO1qD9keHSwLVZAmkzL6leh4 DOwuoulJwO5b1g7pBp6X/0vr0yQ7lTCyR+GTI7P1y6lckqSsRLbGMq21hESHE6oGspUZ wVrA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from pete.vger.email (pete.vger.email. [23.128.96.36]) by mx.google.com with ESMTPS id a73-20020a63904c000000b0057884435a7csi17182207pge.292.2023.09.28.02.37.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 28 Sep 2023 02:37:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) client-ip=23.128.96.36; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by pete.vger.email (Postfix) with ESMTP id 7D4BC804C499; Thu, 28 Sep 2023 02:28:04 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at pete.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231686AbjI1J1j (ORCPT + 99 others); Thu, 28 Sep 2023 05:27:39 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53860 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231641AbjI1J1h (ORCPT ); Thu, 28 Sep 2023 05:27:37 -0400 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id BDD75193 for ; Thu, 28 Sep 2023 02:27:35 -0700 (PDT) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id F32F51FB; Thu, 28 Sep 2023 02:28:13 -0700 (PDT) Received: from [10.57.0.224] (unknown [10.57.0.224]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 5AFD13F59C; Thu, 28 Sep 2023 02:27:34 -0700 (PDT) Message-ID: Date: Thu, 28 Sep 2023 10:27:23 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Thunderbird/102.15.1 Subject: Re: [PATCH] iommu: Sanity check on param list for iommu_get_resv_regions Content-Language: en-GB To: Dawei Li , Baolu Lu Cc: joro@8bytes.org, will@kernel.org, jgg@nvidia.com, iommu@lists.linux.dev, linux-kernel@vger.kernel.org References: <7c7b8981-022c-2fa8-7ee5-9c97d8e17862@linux.intel.com> From: Robin Murphy In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.2 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Thu, 28 Sep 2023 02:28:04 -0700 (PDT) On 2023-09-28 09:57, Dawei Li wrote: > Hi, > Thanks for reviewing, > > On Thu, Sep 28, 2023 at 09:33:29AM +0800, Baolu Lu wrote: >> On 9/27/23 10:25 PM, Dawei Li wrote: >>> In iommu_get_resv_regions(), param list is an argument supplied by caller, >>> into which callee is supposed to insert resv regions. >>> >>> In other words, this 'list' argument is expected to be an empty list, >>> so make an explicit annotation on it. >>> >>> Signed-off-by: Dawei Li >>> --- >>> drivers/iommu/iommu.c | 9 +++++---- >>> 1 file changed, 5 insertions(+), 4 deletions(-) >>> >>> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c >>> index 1ecac2b5c54f..a01c4a7a9d19 100644 >>> --- a/drivers/iommu/iommu.c >>> +++ b/drivers/iommu/iommu.c >>> @@ -813,7 +813,7 @@ int iommu_get_group_resv_regions(struct iommu_group *group, >>> mutex_lock(&group->mutex); >>> for_each_group_device(group, device) { >>> - struct list_head dev_resv_regions; >>> + LIST_HEAD(dev_resv_regions); >>> /* >>> * Non-API groups still expose reserved_regions in sysfs, >>> @@ -822,7 +822,6 @@ int iommu_get_group_resv_regions(struct iommu_group *group, >>> if (!device->dev->iommu) >>> break; >>> - INIT_LIST_HEAD(&dev_resv_regions); >>> iommu_get_resv_regions(device->dev, &dev_resv_regions); >>> ret = iommu_insert_device_resv_regions(&dev_resv_regions, head); >>> iommu_put_resv_regions(device->dev, &dev_resv_regions); >>> @@ -1061,12 +1060,11 @@ static int iommu_create_device_direct_mappings(struct iommu_domain *domain, >>> struct device *dev) >>> { >>> struct iommu_resv_region *entry; >>> - struct list_head mappings; >>> unsigned long pg_size; >>> + LIST_HEAD(mappings); >>> int ret = 0; >>> pg_size = domain->pgsize_bitmap ? 1UL << __ffs(domain->pgsize_bitmap) : 0; >>> - INIT_LIST_HEAD(&mappings); >>> if (WARN_ON_ONCE(iommu_is_dma_domain(domain) && !pg_size)) >>> return -EINVAL; >>> @@ -2813,6 +2811,9 @@ void iommu_get_resv_regions(struct device *dev, struct list_head *list) >>> { >>> const struct iommu_ops *ops = dev_iommu_ops(dev); >>> + if (WARN_ON(!list_empty(list))) >>> + return; >> >> I don't understand why the input list *must* be empty. This interface Yeah, the commit message really doesn't make much sense :( > Because @list is an output-only argument, which is supposed to be filled > by caller(inserting elements into it). If it's not empty, it's an inputing > argument, in which case caller will take existing node (in @list) into account, > and insert new nodes before/after them. > Please lemme put it another way, if list argment is not empty: > > Before calling: > list: head->A > > After calling > list: head->A->B->C > > It will confuse caller cuz it can't tell whether A is a valid returned > by callee. If a caller would be confused by appending to a non-empty list then that caller should avoid passing a non-empty list. But that's not the API's problem; in general, appending to non-empty lists is absolutely a valid thing to do, it's kind of the point of using a list rather than, say, returning an array. It seems entirely reasonable that a caller might want to collect the reserved regions for multiple groups into a single list for its own convenience, and we have absolutely no reason to disallow that. Note also that your arbitrary input vs. output argument rule fundamentally couldn't work for this API, since actual implementations of ops->get_resv_regions already *do* build up the list by passing it around multiple different helper APIs internally (look at the call path through arm_smmu_get_resv_regions(), for instance). Thanks, Robin. >> has already been exported, so please update the comment to explain this >> new requirement. >> >>> + >>> if (ops->get_resv_regions) >>> ops->get_resv_regions(dev, list); >>> } >> >> Best regards, >> baolu