[RFC PATCH v3 3/5] iommu/arm-smmu-v3-iommufd: Pass in kvm pointer to viommu_alloc
Jason Gunthorpe
jgg at ziepe.ca
Wed Mar 19 16:31:11 PDT 2025
On Wed, Mar 19, 2025 at 05:32:00PM +0000, Shameer Kolothum wrote:
> diff --git a/drivers/iommu/iommufd/viommu.c b/drivers/iommu/iommufd/viommu.c
> index 69b88e8c7c26..e157d786f295 100644
> --- a/drivers/iommu/iommufd/viommu.c
> +++ b/drivers/iommu/iommufd/viommu.c
> @@ -47,7 +47,8 @@ int iommufd_viommu_alloc_ioctl(struct iommufd_ucmd *ucmd)
> goto out_put_hwpt;
> }
>
> - viommu = ops->viommu_alloc(idev->dev, hwpt_paging->common.domain,
> + viommu = ops->viommu_alloc(idev->dev, idev->kvm,
> + hwpt_paging->common.domain,
> ucmd->ictx, cmd->type);
> if (IS_ERR(viommu)) {
> rc = PTR_ERR(viommu);
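Review bot: The new `idev->kvm` argument to `ops->viommu_alloc()` is handed over as a bare pointer, and nothing in this hunk takes a reference on it before the call or on the success path after the `IS_ERR(viommu)` check. If the driver callback stores the pointer in the viommu it returns, the viommu should hold its own reference (for example kvm_get_kvm() at allocation, paired with kvm_put_kvm() when the viommu is destroyed) rather than borrowing the one associated with the idev. The kerneldoc for the viommu_alloc op should also state who owns the kvm reference and whether the argument may be NULL.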
This has a lifetime issue on the kvm pointer.
Because nothing is taking a refcount on the kvm we are relying on the
caller to hold the kvm refcount for the lifetime of the
iommufd_device_bind()/unbind() which is creating the idev.
However, the lifetime of the viommu object is not linked to the
lifetime of the idev. So the idev could be destroyed, and the kvm
refcount put before the viommu is destroyed.
Probably the right answer is to take a refcount on the kvm for the
viommu object somewhere along this path.
Jason