[4/6] vfio: Fully lock struct vfio_group::container

Message ID	4-v1-c1d14aae2e8f+2f4-vfio_group_locking_jgg@nvidia.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <kvm-owner@kernel.org> From: Jason Gunthorpe <jgg@nvidia.com> To: Alex Williamson <alex.williamson@redhat.com>, Cornelia Huck <cohuck@redhat.com>, kvm@vger.kernel.org Cc: Xiao Guangrong <guangrong.xiao@linux.intel.com>, Jike Song <jike.song@intel.com>, Kirti Wankhede <kwankhede@nvidia.com>, Nicolin Chen <nicolinc@nvidia.com>, Paolo Bonzini <pbonzini@redhat.com> Subject: [PATCH 4/6] vfio: Fully lock struct vfio_group::container Date: Thu, 5 May 2022 21:25:04 -0300 Message-Id: <4-v1-c1d14aae2e8f+2f4-vfio_group_locking_jgg@nvidia.com> In-Reply-To: <0-v1-c1d14aae2e8f+2f4-vfio_group_locking_jgg@nvidia.com> References: Content-Transfer-Encoding: 8bit Content-Type: text/plain MIME-Version: 1.0 Precedence: bulk
Series	Fully lock the container members of struct vfio_group \| expand [0/6] Fully lock the container members of struct vfio_group [1/6] vfio: Add missing locking for struct vfio_group::kvm [2/6] vfio: Change struct vfio_group::opened from an atomic to bool [3/6] vfio: Split up vfio_group_get_device_fd() [4/6] vfio: Fully lock struct vfio_group::container [5/6] vfio: Simplify the life cycle of the group FD [6/6] vfio: Change struct vfio_group::container_users to a non-atomic int

Message ID

4-v1-c1d14aae2e8f+2f4-vfio_group_locking_jgg@nvidia.com (mailing list archive)

State

New, archived

Headers

From: Jason Gunthorpe <jgg@nvidia.com>
To: Alex Williamson <alex.williamson@redhat.com>,
        Cornelia Huck <cohuck@redhat.com>, kvm@vger.kernel.org
Cc: Xiao Guangrong <guangrong.xiao@linux.intel.com>,
        Jike Song <jike.song@intel.com>,
        Kirti Wankhede <kwankhede@nvidia.com>,
        Nicolin Chen <nicolinc@nvidia.com>,
        Paolo Bonzini <pbonzini@redhat.com>
Subject: [PATCH 4/6] vfio: Fully lock struct vfio_group::container
Date: Thu,  5 May 2022 21:25:04 -0300
Message-Id: <4-v1-c1d14aae2e8f+2f4-vfio_group_locking_jgg@nvidia.com>
In-Reply-To: <0-v1-c1d14aae2e8f+2f4-vfio_group_locking_jgg@nvidia.com>
References: 
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
 PwSSqIAdF0HbRyasoZ8fAQt/PdZZT8M6pAwPimcJKc27s1K3TYS4aBPnpKzO0swyaHJI9oPi8NHFncbZ2LS8QMqsdaJn887G726veENCESr6BKe1WdYNp1Uq32LeR/Ws3qxvBoabA/MkTBUGPum+qtlhty5oziXdFCRJnZKXH4b23MNI4/2kmYohBK67vf6AwK71QGAHFF5j7CaH3+0oFlojAmcW8OVcplWcmBaG3RZb7TW2GFRj0FlaQbi2GqD5LJpGF26Y+2mF4//MfhyAYZCiCFo3/jheAGF7oODVdt1HgyHM6kGoveg1ekK0bRutKd980tL29phONCqCu1pd9sREclKRibN04wv7ar8jPkaUkToWVmAHiSqkLhOiTrVXSH+ctTaNZtjJ0uopHDzLSP+jUxeHApLTAlTDQyvsq5H9V1zp3PW7son48wSkPwO4Bl4QrhNFn7spT1+VJVd11dHnqs1gO3VXD4qr+Z/8ZHRgyKUgOSMBt3kUhKRo1liyEOK6v7F2mTAyXiQEJx4LKuRZO4ZnHvD0rUO4GHSO3LefNyO8hnOpI4wYPGVioHUL0TtRCtYmgPXYYu57pF1BR/Jv/BzUhFfHI5kP0GSUnH6xAR6W5wpqkESYrt24eJC4OsXVIBJkParTCkWzMFr1sX/QkEn7cUfQBYqndI711FzA15NC0wa80xDG1w+80nHN0xy9HGmxEubcQG1uMJMLF2dkmqy2GrIeCR+JCjO4QRADaZJRZGtLgkX9cgXPt8hprcyYYov23BKg11uilGMRRavN2cDsRKArOUjxKaJRtODYOXSDFA2vWxn6PCW9ZfYptfimA22QyWSv3ZPcsn7wPQMe1iqHboVrBSHaWZYGt2NV1xLYJghPbkcwsIp/nT5a3/U3k3jrtVraeFStOmhoQWyHbknKEq6jypM5bVGjz9j5CkhRfZGoiojV/Pb+DsHwuyxaM9TipVNnO3hZqthCmVQ+dT+OaKmPms+dkVLg7DHjoAitH9LDBzU2wLr/bXpYfW744SeEDnVhZxhhpxqnJs2XroHeieYAL3Uk8iotcmtG7TGev+8qPHJGtgvgrY+kMVcZex1rVXAydVXLD7O74ycnPQ/rQoPYwf21kXFTWf3r/Go/DvqS389Rz1WUBBHfukK37ViTyGgKA58vqvedjryXjCZrHImwXcQYKk+rEK/InT8usA98d6BPbazj7Z4z4ZbtRrcr6eLi1FhReVNKnjL9L/Dfeu1ag4k3UBENMJgb9nYIsbyeloTPboTbSG6OZKpYy+J+s/lGjYA3aRUSMvmzfBwcz+DU7kBnOBVoADzsGeLG+OPoof6p8qpPRDZs5To35NSFohrQwClKP0UHadz3oHNjsaRMJdupzZOHWODDrWESWlCQ5r52OqkPxd8PmFWH8bnSKzvIKAZaZP36oS2Z8ls8DhurLZEPw42gza53DdK2j0JAXJX0YH+3sO4TYrB97ykFB9O3IrXIvAtPEB+3Dv0w3EEr0kGMCDhq3sUvsz59wzgoYMH82sZ+SzmjK4+gq9BQ2FpcIlLZsbiTzc8e40L3aITR7XjV7EO3yvdRFeI0bIFdA6BUpx6b+0AV1YUB3k4ka9/i3zlGZdZ8x3qZImeHedrBMTWrnR8Cb2MUkj+qMgQQjo/Dg8Npw5BIYSdsTCC2WJqI7MzqtKn7FBTuQIVR/R9Y/6oGkDX4yvGsCQJUtPl6qFPTq05eKxI14L6sohYE1nqHDF2WepKEkg==
X-OriginatorOrg: Nvidia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 83ff7a76-6367-4084-f8da-08da2ef6e078
X-MS-Exchange-CrossTenant-AuthSource: MN2PR12MB4192.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 May 2022 00:25:09.0609
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 IX7eVJh63mT+kQQ5K/1ImJOea32+OLstOcc7kyBSm2MSvpItsE7v6/tUIUNXRso2
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR12MB5025
Precedence: bulk
List-ID: <kvm.vger.kernel.org>
X-Mailing-List: kvm@vger.kernel.org

Series

Fully lock the container members of struct vfio_group | expand

Commit Message

Jason Gunthorpe May 6, 2022, 12:25 a.m. UTC

This is necessary to avoid various user triggerable races, for instance
racing SET_CONTAINER/UNSET_CONTAINER:

                                  ioctl(VFIO_GROUP_SET_CONTAINER)
ioctl(VFIO_GROUP_UNSET_CONTAINER)
 vfio_group_unset_container
    int users = atomic_cmpxchg(&group->container_users, 1, 0);
    // users == 1 container_users == 0
    __vfio_group_unset_container(group);

                                    vfio_group_set_container()
	                              if (atomic_read(&group->container_users))
				        down_write(&container->group_lock);
				        group->container = container;
				        up_write(&container->group_lock);

      down_write(&container->group_lock);
      group->container = NULL;
      up_write(&container->group_lock);
      vfio_container_put(container);
      /* woops we leaked the original container  */

This can then go on to NULL pointer deref since container == 0 and
container_users == 1.

Wrap all touches of container, except those on a performance path with a
known open device, with the group_rwsem.

The only user of vfio_group_add_container_user() holds the user count for
a simple operation, change it to just hold the group_lock over the
operation and delete vfio_group_add_container_user(). Containers now only
gain a user when a device FD is opened.

Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
---
 drivers/vfio/vfio.c | 66 +++++++++++++++++++++++++++------------------
 1 file changed, 40 insertions(+), 26 deletions(-)

Comments

Tian, Kevin May 13, 2022, 9:53 a.m. UTC | #1

> From: Jason Gunthorpe <jgg@nvidia.com>
> Sent: Friday, May 6, 2022 8:25 AM
> 
> This is necessary to avoid various user triggerable races, for instance
> racing SET_CONTAINER/UNSET_CONTAINER:
> 
>                                   ioctl(VFIO_GROUP_SET_CONTAINER)
> ioctl(VFIO_GROUP_UNSET_CONTAINER)
>  vfio_group_unset_container
>     int users = atomic_cmpxchg(&group->container_users, 1, 0);
>     // users == 1 container_users == 0
>     __vfio_group_unset_container(group);
> 
>                                     vfio_group_set_container()
> 	                              if (atomic_read(&group->container_users))

	                       if (!atomic_read(...))

> 				        down_write(&container->group_lock);
> 				        group->container = container;
> 				        up_write(&container->group_lock);
> 

It'd be clearer to add below step here:

       container = group->container;

otherwise if this assignment is done before above race then the
original container is not leaked.

>       down_write(&container->group_lock);
>       group->container = NULL;
>       up_write(&container->group_lock);
>       vfio_container_put(container);
>       /* woops we leaked the original container  */
> 
> This can then go on to NULL pointer deref since container == 0 and
> container_users == 1.
> 
> Wrap all touches of container, except those on a performance path with a
> known open device, with the group_rwsem.
> 
> The only user of vfio_group_add_container_user() holds the user count for
> a simple operation, change it to just hold the group_lock over the
> operation and delete vfio_group_add_container_user(). Containers now only
> gain a user when a device FD is opened.
> 
> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

Reviewed-by: Kevin Tian <kevin.tian@intel.com>

> ---
>  drivers/vfio/vfio.c | 66 +++++++++++++++++++++++++++------------------
>  1 file changed, 40 insertions(+), 26 deletions(-)
> 
> diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
> index d8d14e528ab795..63f7fa872eae60 100644
> --- a/drivers/vfio/vfio.c
> +++ b/drivers/vfio/vfio.c
> @@ -937,6 +937,8 @@ static void __vfio_group_unset_container(struct
> vfio_group *group)
>  	struct vfio_container *container = group->container;
>  	struct vfio_iommu_driver *driver;
> 
> +	lockdep_assert_held_write(&group->group_rwsem);
> +
>  	down_write(&container->group_lock);
> 
>  	driver = container->iommu_driver;
> @@ -973,6 +975,8 @@ static int vfio_group_unset_container(struct
> vfio_group *group)
>  {
>  	int users = atomic_cmpxchg(&group->container_users, 1, 0);
> 
> +	lockdep_assert_held_write(&group->group_rwsem);
> +
>  	if (!users)
>  		return -EINVAL;
>  	if (users != 1)
> @@ -991,8 +995,10 @@ static int vfio_group_unset_container(struct
> vfio_group *group)
>   */
>  static void vfio_group_try_dissolve_container(struct vfio_group *group)
>  {
> +	down_write(&group->group_rwsem);
>  	if (0 == atomic_dec_if_positive(&group->container_users))
>  		__vfio_group_unset_container(group);
> +	up_write(&group->group_rwsem);
>  }
> 
>  static int vfio_group_set_container(struct vfio_group *group, int
> container_fd)
> @@ -1002,6 +1008,8 @@ static int vfio_group_set_container(struct
> vfio_group *group, int container_fd)
>  	struct vfio_iommu_driver *driver;
>  	int ret = 0;
> 
> +	lockdep_assert_held_write(&group->group_rwsem);
> +
>  	if (atomic_read(&group->container_users))
>  		return -EINVAL;
> 
> @@ -1059,23 +1067,6 @@ static int vfio_group_set_container(struct
> vfio_group *group, int container_fd)
>  	return ret;
>  }
> 
> -static int vfio_group_add_container_user(struct vfio_group *group)
> -{
> -	if (!atomic_inc_not_zero(&group->container_users))
> -		return -EINVAL;
> -
> -	if (group->type == VFIO_NO_IOMMU) {
> -		atomic_dec(&group->container_users);
> -		return -EPERM;
> -	}
> -	if (!group->container->iommu_driver) {
> -		atomic_dec(&group->container_users);
> -		return -EINVAL;
> -	}
> -
> -	return 0;
> -}
> -
>  static const struct file_operations vfio_device_fops;
> 
>  /* true if the vfio_device has open_device() called but not close_device() */
> @@ -1088,6 +1079,8 @@ static int vfio_device_assign_container(struct
> vfio_device *device)
>  {
>  	struct vfio_group *group = device->group;
> 
> +	lockdep_assert_held_write(&group->group_rwsem);
> +
>  	if (0 == atomic_read(&group->container_users) ||
>  	    !group->container->iommu_driver)
>  		return -EINVAL;
> @@ -1109,7 +1102,9 @@ static struct file *vfio_device_open(struct
> vfio_device *device)
>  	struct file *filep;
>  	int ret;
> 
> +	down_write(&device->group->group_rwsem);
>  	ret = vfio_device_assign_container(device);
> +	up_write(&device->group->group_rwsem);
>  	if (ret)
>  		return ERR_PTR(ret);
> 
> @@ -1219,11 +1214,13 @@ static long vfio_group_fops_unl_ioctl(struct file
> *filep,
> 
>  		status.flags = 0;
> 
> +		down_read(&group->group_rwsem);
>  		if (group->container)
>  			status.flags |= VFIO_GROUP_FLAGS_CONTAINER_SET
> |
>  					VFIO_GROUP_FLAGS_VIABLE;
>  		else if (!iommu_group_dma_owner_claimed(group-
> >iommu_group))
>  			status.flags |= VFIO_GROUP_FLAGS_VIABLE;
> +		up_read(&group->group_rwsem);
> 
>  		if (copy_to_user((void __user *)arg, &status, minsz))
>  			return -EFAULT;
> @@ -1241,11 +1238,15 @@ static long vfio_group_fops_unl_ioctl(struct file
> *filep,
>  		if (fd < 0)
>  			return -EINVAL;
> 
> +		down_write(&group->group_rwsem);
>  		ret = vfio_group_set_container(group, fd);
> +		up_write(&group->group_rwsem);
>  		break;
>  	}
>  	case VFIO_GROUP_UNSET_CONTAINER:
> +		down_write(&group->group_rwsem);
>  		ret = vfio_group_unset_container(group);
> +		up_write(&group->group_rwsem);
>  		break;
>  	case VFIO_GROUP_GET_DEVICE_FD:
>  	{
> @@ -1731,15 +1732,19 @@ bool vfio_file_enforced_coherent(struct file *file)
>  	if (file->f_op != &vfio_group_fops)
>  		return true;
> 
> -	/*
> -	 * Since the coherency state is determined only once a container is
> -	 * attached the user must do so before they can prove they have
> -	 * permission.
> -	 */
> -	if (vfio_group_add_container_user(group))
> -		return true;
> -	ret = vfio_ioctl_check_extension(group->container,
> VFIO_DMA_CC_IOMMU);
> -	vfio_group_try_dissolve_container(group);
> +	down_read(&group->group_rwsem);
> +	if (group->container) {
> +		ret = vfio_ioctl_check_extension(group->container,
> +						 VFIO_DMA_CC_IOMMU);
> +	} else {
> +		/*
> +		 * Since the coherency state is determined only once a
> container
> +		 * is attached the user must do so before they can prove they
> +		 * have permission.
> +		 */
> +		ret = true;
> +	}
> +	up_read(&group->group_rwsem);
>  	return ret;
>  }
>  EXPORT_SYMBOL_GPL(vfio_file_enforced_coherent);
> @@ -1932,6 +1937,7 @@ int vfio_pin_pages(struct vfio_device *device,
> unsigned long *user_pfn,
>  	if (group->dev_counter > 1)
>  		return -EINVAL;
> 
> +	/* group->container cannot change while a vfio device is open */
>  	container = group->container;
>  	driver = container->iommu_driver;
>  	if (likely(driver && driver->ops->pin_pages))
> @@ -1967,6 +1973,7 @@ int vfio_unpin_pages(struct vfio_device *device,
> unsigned long *user_pfn,
>  	if (npage > VFIO_PIN_PAGES_MAX_ENTRIES)
>  		return -E2BIG;
> 
> +	/* group->container cannot change while a vfio device is open */
>  	container = device->group->container;
>  	driver = container->iommu_driver;
>  	if (likely(driver && driver->ops->unpin_pages))
> @@ -2006,6 +2013,7 @@ int vfio_dma_rw(struct vfio_device *device,
> dma_addr_t user_iova, void *data,
>  	if (!data || len <= 0 || !vfio_assert_device_open(device))
>  		return -EINVAL;
> 
> +	/* group->container cannot change while a vfio device is open */
>  	container = device->group->container;
>  	driver = container->iommu_driver;
> 
> @@ -2026,6 +2034,7 @@ static int vfio_register_iommu_notifier(struct
> vfio_group *group,
>  	struct vfio_iommu_driver *driver;
>  	int ret;
> 
> +	down_read(&group->group_rwsem);
>  	container = group->container;
>  	driver = container->iommu_driver;
>  	if (likely(driver && driver->ops->register_notifier))
> @@ -2033,6 +2042,8 @@ static int vfio_register_iommu_notifier(struct
> vfio_group *group,
>  						     events, nb);
>  	else
>  		ret = -ENOTTY;
> +	up_read(&group->group_rwsem);
> +
>  	return ret;
>  }
> 
> @@ -2043,6 +2054,7 @@ static int vfio_unregister_iommu_notifier(struct
> vfio_group *group,
>  	struct vfio_iommu_driver *driver;
>  	int ret;
> 
> +	down_read(&group->group_rwsem);
>  	container = group->container;
>  	driver = container->iommu_driver;
>  	if (likely(driver && driver->ops->unregister_notifier))
> @@ -2050,6 +2062,8 @@ static int vfio_unregister_iommu_notifier(struct
> vfio_group *group,
>  						       nb);
>  	else
>  		ret = -ENOTTY;
> +	up_read(&group->group_rwsem);
> +
>  	return ret;
>  }
> 
> --
> 2.36.0

Jason Gunthorpe May 13, 2022, 1:29 p.m. UTC | #2

On Fri, May 13, 2022 at 09:53:05AM +0000, Tian, Kevin wrote:
> > From: Jason Gunthorpe <jgg@nvidia.com>
> > Sent: Friday, May 6, 2022 8:25 AM
> > 
> > This is necessary to avoid various user triggerable races, for instance
> > racing SET_CONTAINER/UNSET_CONTAINER:
> > 
> >                                   ioctl(VFIO_GROUP_SET_CONTAINER)
> > ioctl(VFIO_GROUP_UNSET_CONTAINER)
> >  vfio_group_unset_container
> >     int users = atomic_cmpxchg(&group->container_users, 1, 0);
> >     // users == 1 container_users == 0
> >     __vfio_group_unset_container(group);
> > 
> >                                     vfio_group_set_container()
> > 	                              if (atomic_read(&group->container_users))
> 
> 	                       if (!atomic_read(...))
> 
> > 				        down_write(&container->group_lock);
> > 				        group->container = container;
> > 				        up_write(&container->group_lock);
> > 
> 
> It'd be clearer to add below step here:
> 
>        container = group->container;
> 
> otherwise if this assignment is done before above race then the
> original container is not leaked.

Not quite, it is the assignment to NULL that is trouble:

> >       down_write(&container->group_lock);
> >       group->container = NULL;
> >       up_write(&container->group_lock);

Either we leaked the original container or we leaked the new
container, and now the atomics are out of sync with the state of
group->container.

But sure, it is a touch clearer to focus only one scenario, I picked
the one where group->container is read early and we leak the new
container.

Thanks,
Jason

diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
index d8d14e528ab795..63f7fa872eae60 100644
--- a/drivers/vfio/vfio.c
+++ b/drivers/vfio/vfio.c
@@ -937,6 +937,8 @@  static void __vfio_group_unset_container(struct vfio_group *group)
 	struct vfio_container *container = group->container;
 	struct vfio_iommu_driver *driver;
 
+	lockdep_assert_held_write(&group->group_rwsem);
+
 	down_write(&container->group_lock);
 
 	driver = container->iommu_driver;
@@ -973,6 +975,8 @@  static int vfio_group_unset_container(struct vfio_group *group)
 {
 	int users = atomic_cmpxchg(&group->container_users, 1, 0);
 
+	lockdep_assert_held_write(&group->group_rwsem);
+
 	if (!users)
 		return -EINVAL;
 	if (users != 1)
@@ -991,8 +995,10 @@  static int vfio_group_unset_container(struct vfio_group *group)
  */
 static void vfio_group_try_dissolve_container(struct vfio_group *group)
 {
+	down_write(&group->group_rwsem);
 	if (0 == atomic_dec_if_positive(&group->container_users))
 		__vfio_group_unset_container(group);
+	up_write(&group->group_rwsem);
 }
 
 static int vfio_group_set_container(struct vfio_group *group, int container_fd)
@@ -1002,6 +1008,8 @@  static int vfio_group_set_container(struct vfio_group *group, int container_fd)
 	struct vfio_iommu_driver *driver;
 	int ret = 0;
 
+	lockdep_assert_held_write(&group->group_rwsem);
+
 	if (atomic_read(&group->container_users))
 		return -EINVAL;
 
@@ -1059,23 +1067,6 @@  static int vfio_group_set_container(struct vfio_group *group, int container_fd)
 	return ret;
 }
 
-static int vfio_group_add_container_user(struct vfio_group *group)
-{
-	if (!atomic_inc_not_zero(&group->container_users))
-		return -EINVAL;
-
-	if (group->type == VFIO_NO_IOMMU) {
-		atomic_dec(&group->container_users);
-		return -EPERM;
-	}
-	if (!group->container->iommu_driver) {
-		atomic_dec(&group->container_users);
-		return -EINVAL;
-	}
-
-	return 0;
-}
-
 static const struct file_operations vfio_device_fops;
 
 /* true if the vfio_device has open_device() called but not close_device() */
@@ -1088,6 +1079,8 @@  static int vfio_device_assign_container(struct vfio_device *device)
 {
 	struct vfio_group *group = device->group;
 
+	lockdep_assert_held_write(&group->group_rwsem);
+
 	if (0 == atomic_read(&group->container_users) ||
 	    !group->container->iommu_driver)
 		return -EINVAL;
@@ -1109,7 +1102,9 @@  static struct file *vfio_device_open(struct vfio_device *device)
 	struct file *filep;
 	int ret;
 
+	down_write(&device->group->group_rwsem);
 	ret = vfio_device_assign_container(device);
+	up_write(&device->group->group_rwsem);
 	if (ret)
 		return ERR_PTR(ret);
 
@@ -1219,11 +1214,13 @@  static long vfio_group_fops_unl_ioctl(struct file *filep,
 
 		status.flags = 0;
 
+		down_read(&group->group_rwsem);
 		if (group->container)
 			status.flags |= VFIO_GROUP_FLAGS_CONTAINER_SET |
 					VFIO_GROUP_FLAGS_VIABLE;
 		else if (!iommu_group_dma_owner_claimed(group->iommu_group))
 			status.flags |= VFIO_GROUP_FLAGS_VIABLE;
+		up_read(&group->group_rwsem);
 
 		if (copy_to_user((void __user *)arg, &status, minsz))
 			return -EFAULT;
@@ -1241,11 +1238,15 @@  static long vfio_group_fops_unl_ioctl(struct file *filep,
 		if (fd < 0)
 			return -EINVAL;
 
+		down_write(&group->group_rwsem);
 		ret = vfio_group_set_container(group, fd);
+		up_write(&group->group_rwsem);
 		break;
 	}
 	case VFIO_GROUP_UNSET_CONTAINER:
+		down_write(&group->group_rwsem);
 		ret = vfio_group_unset_container(group);
+		up_write(&group->group_rwsem);
 		break;
 	case VFIO_GROUP_GET_DEVICE_FD:
 	{
@@ -1731,15 +1732,19 @@  bool vfio_file_enforced_coherent(struct file *file)
 	if (file->f_op != &vfio_group_fops)
 		return true;
 
-	/*
-	 * Since the coherency state is determined only once a container is
-	 * attached the user must do so before they can prove they have
-	 * permission.
-	 */
-	if (vfio_group_add_container_user(group))
-		return true;
-	ret = vfio_ioctl_check_extension(group->container, VFIO_DMA_CC_IOMMU);
-	vfio_group_try_dissolve_container(group);
+	down_read(&group->group_rwsem);
+	if (group->container) {
+		ret = vfio_ioctl_check_extension(group->container,
+						 VFIO_DMA_CC_IOMMU);
+	} else {
+		/*
+		 * Since the coherency state is determined only once a container
+		 * is attached the user must do so before they can prove they
+		 * have permission.
+		 */
+		ret = true;
+	}
+	up_read(&group->group_rwsem);
 	return ret;
 }
 EXPORT_SYMBOL_GPL(vfio_file_enforced_coherent);
@@ -1932,6 +1937,7 @@  int vfio_pin_pages(struct vfio_device *device, unsigned long *user_pfn,
 	if (group->dev_counter > 1)
 		return -EINVAL;
 
+	/* group->container cannot change while a vfio device is open */
 	container = group->container;
 	driver = container->iommu_driver;
 	if (likely(driver && driver->ops->pin_pages))
@@ -1967,6 +1973,7 @@  int vfio_unpin_pages(struct vfio_device *device, unsigned long *user_pfn,
 	if (npage > VFIO_PIN_PAGES_MAX_ENTRIES)
 		return -E2BIG;
 
+	/* group->container cannot change while a vfio device is open */
 	container = device->group->container;
 	driver = container->iommu_driver;
 	if (likely(driver && driver->ops->unpin_pages))
@@ -2006,6 +2013,7 @@  int vfio_dma_rw(struct vfio_device *device, dma_addr_t user_iova, void *data,
 	if (!data || len <= 0 || !vfio_assert_device_open(device))
 		return -EINVAL;
 
+	/* group->container cannot change while a vfio device is open */
 	container = device->group->container;
 	driver = container->iommu_driver;
 
@@ -2026,6 +2034,7 @@  static int vfio_register_iommu_notifier(struct vfio_group *group,
 	struct vfio_iommu_driver *driver;
 	int ret;
 
+	down_read(&group->group_rwsem);
 	container = group->container;
 	driver = container->iommu_driver;
 	if (likely(driver && driver->ops->register_notifier))
@@ -2033,6 +2042,8 @@  static int vfio_register_iommu_notifier(struct vfio_group *group,
 						     events, nb);
 	else
 		ret = -ENOTTY;
+	up_read(&group->group_rwsem);
+
 	return ret;
 }
 
@@ -2043,6 +2054,7 @@  static int vfio_unregister_iommu_notifier(struct vfio_group *group,
 	struct vfio_iommu_driver *driver;
 	int ret;
 
+	down_read(&group->group_rwsem);
 	container = group->container;
 	driver = container->iommu_driver;
 	if (likely(driver && driver->ops->unregister_notifier))
@@ -2050,6 +2062,8 @@  static int vfio_unregister_iommu_notifier(struct vfio_group *group,
 						       nb);
 	else
 		ret = -ENOTTY;
+	up_read(&group->group_rwsem);
+
 	return ret;
 }

[4/6] vfio: Fully lock struct vfio_group::container

Commit Message

Comments

Patch