Skip to content

Commit

Permalink
iommufd: Fail replace if device has not been attached
Browse files Browse the repository at this point in the history 
The current implementation of iommufd_device_do_replace() implicitly
assumes that the input device has already been attached. However, there
is no explicit check to verify this assumption. If another device within
the same group has been attached, the replace operation might succeed,
but the input device itself may not have been attached yet.

As a result, the input device might not be tracked in the
igroup->device_list, and its reserved IOVA might not be added. Despite
this, the caller might incorrectly assume that the device has been
successfully replaced, which could lead to unexpected behavior or errors.

To address this issue, add a check to ensure that the input device has
been attached before proceeding with the replace operation. This check
will help maintain the integrity of the device tracking system and prevent
potential issues arising from incorrect assumptions about the device's
attachment status.

Fixes: e88d4ec ("iommufd: Add iommufd_device_replace()")
Link: https://patch.msgid.link/r/20250306034842.5950-1-yi.l.liu@intel.com
Cc: stable@vger.kernel.org
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Yi Liu <yi.l.liu@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
  • Loading branch information
Yi Liu authored and Jason Gunthorpe committed Mar 7, 2025
1 parent 897008d commit 55c85fa
Showing 1 changed file with 16 additions and 0 deletions.
16 changes: 16 additions & 0 deletions drivers/iommu/iommufd/device.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -471,6 +471,17 @@ iommufd_device_attach_reserved_iova(struct iommufd_device *idev,

/* The device attach/detach/replace helpers for attach_handle */

/* Check if idev is attached to igroup->hwpt */
static bool iommufd_device_is_attached(struct iommufd_device *idev)
{
struct iommufd_device *cur;

list_for_each_entry(cur, &idev->igroup->device_list, group_item)
if (cur == idev)
return true;
return false;
}

static int iommufd_hwpt_attach_device(struct iommufd_hw_pagetable *hwpt,
struct iommufd_device *idev)
{
Expand Down Expand Up @@ -710,6 +721,11 @@ iommufd_device_do_replace(struct iommufd_device *idev,
goto err_unlock;
}

if (!iommufd_device_is_attached(idev)) {
rc = -EINVAL;
goto err_unlock;
}

if (hwpt == igroup->hwpt) {
mutex_unlock(&idev->igroup->lock);
return NULL;
Expand Down

0 comments on commit 55c85fa

Please sign in to comment.