Message-ID: <7486492a-d6ca-425d-9fbe-87107dbbecea@linux.intel.com>
Date: Wed, 3 Jan 2024 11:06:19 +0800
Subject: Re: [PATCH v10 10/10] iommu/vt-d: Add iotlb flush for nested domain
From: Baolu Lu
To: Yi Liu, Jason Gunthorpe
Cc: baolu.lu@linux.intel.com, joro@8bytes.org, alex.williamson@redhat.com,
 kevin.tian@intel.com, robin.murphy@arm.com, cohuck@redhat.com,
 eric.auger@redhat.com, nicolinc@nvidia.com, kvm@vger.kernel.org,
 mjrosato@linux.ibm.com, chao.p.peng@linux.intel.com,
 yi.y.sun@linux.intel.com, peterx@redhat.com, jasowang@redhat.com,
 shameerali.kolothum.thodi@huawei.com, lulu@redhat.com,
 suravee.suthikulpanit@amd.com, iommu@lists.linux.dev,
 linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
 zhenzhong.duan@intel.com, joao.m.martins@oracle.com, xin.zeng@intel.com,
 yan.y.zhao@intel.com, j.granados@samsung.com
References: <20240102143834.146165-1-yi.l.liu@intel.com>
 <20240102143834.146165-11-yi.l.liu@intel.com>
 <20240102184422.GI50406@nvidia.com>

On 2024/1/3 9:33, Yi Liu wrote:
> On 2024/1/3 02:44, Jason Gunthorpe wrote:
>> On Tue, Jan 02, 2024 at 06:38:34AM -0800, Yi Liu wrote:
>>
>>> +static void intel_nested_flush_cache(struct dmar_domain *domain, u64
>>> addr,
>>> +                     unsigned long npages, bool ih, u32 *error)
>>> +{
>>> +    struct iommu_domain_info *info;
>>> +    unsigned long i;
>>> +    unsigned mask;
>>> +    u32 fault;
>>> +
>>> +    xa_for_each(&domain->iommu_array, i, info)
>>> +        qi_flush_piotlb(info->iommu,
>>> +                domain_id_iommu(domain, info->iommu),
>>> +                IOMMU_NO_PASID, addr, npages, ih, NULL);
>>
>> This locking on the xarray is messed up throughout the driver. There
>> could be a concurrent detach at this point which will free info and
>> UAF this.
>
> hmmm, xa_for_each() takes and releases rcu lock, and according to the
> domain_detach_iommu(), info is freed after xa_erase(). For an existing
> info stored in xarray, xa_erase() should return after rcu lock is released.
> is it? Any idea? @Baolu

I once thought locking for xarray is self-contained. I need more thought
on this before taking further action.

Best regards,
baolu
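
Review bot: In the xa_for_each() loop of intel_nested_flush_cache(), info->iommu is dereferenced with no lock taken in the quoted lines that would exclude a concurrent detach. xa_for_each() holds the RCU read lock only inside each lookup step, not across the loop body, so it does not keep info alive while qi_flush_piotlb() runs, and the thread states that domain_detach_iommu() frees info after xa_erase(). Suggest wrapping the loop in whatever lock serializes against domain_detach_iommu(), or, if the caller is expected to hold one, stating that in a comment and a lockdep assertion at the top of the function. Minor style point in the same hunk: `unsigned mask;` should be `unsigned int mask;` per kernel coding style.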