Re: [PATCH v4] Fixes a race in iopt_unmap_iova_range
From: Jason Gunthorpe
Date: Sat Apr 11 2026 - 09:09:45 EST
On Fri, Apr 10, 2026 at 11:32:44AM -0700, Sina Hassani wrote:
> Bug: iopt_unmap_iova_range releases the lock on iova_rwsem inside the loop
> body when getting to the more expensive unmap operations. This is fine on
> its own except the loop condition is based on the first area that matches
> the unmap address range. If a concurrent call to map picks an area that was
> unmapped in the previous iterations, this loop will try to mistakenly unmap
> them.
>
> How to reproduce: I was able to reproduce this by having one userspace
> thread mapping buffers and passing them to another thread that unmaps
> them. The problem easily shows up as EBUSY errors if you use single-page
> mappings.
>
> The fix: A simple fix that I implemented here is to advance the start
> pointer after we unmap an area. That way we are only looking at the
> IOVA range that is mapped and hence guaranteed to not have any overlaps
> in each iteration.
>
> Test: I tested this against the repro mentioned above and it works fine.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Sina Hassani <sina@xxxxxxxxxx>
> ---
> drivers/iommu/iommufd/io_pagetable.c | 6 ++++++
> 1 file changed, 6 insertions(+)
The patch is corrupted, but I fixed it up by hand and applied it.
Thanks,
Jason
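To make the race in the patch description concrete, here is a toy model added for this thread; it is not iommufd code and nothing in it comes from io_pagetable.c. It assumes a tiny array in place of the interval tree, a `concurrent_map()` helper that maps IOVA 0 again the moment the loop frees it (the single-page map/unmap ping-pong from the repro), and a flag selecting the buggy loop versus the fix of advancing `start` past each torn-down area.

```c
/* Toy model of the race in the description, written for this reply; not iommufd
 * code. A small array stands in for the interval tree and a one-shot mapper for
 * a concurrent map() racing with the loop while iova_rwsem is dropped. */
#include <stdbool.h>
#include <stddef.h>
struct area { unsigned long first, last; bool mapped; };
struct iopt_model { struct area areas[4]; size_t n; bool mapper_done; };
struct result { int torn_down; bool new_mapping_survives; };
/* Lowest mapped area overlapping [start, last], like iopt_area_iter_first(). */
static struct area *iter_first(struct iopt_model *m, unsigned long start, unsigned long last)
{
	struct area *best = NULL;
	for (size_t i = 0; i < m->n; i++) {
		struct area *a = &m->areas[i];
		if (a->mapped && a->last >= start && a->first <= last &&
		    (!best || a->first < best->first))
			best = a;
	}
	return best;
}
/* The racing map(): takes IOVA 0 again as soon as the unmap has freed it. */
static void concurrent_map(struct iopt_model *m)
{
	if (m->mapper_done || m->n >= 4) return;
	m->areas[m->n++] = (struct area){ 0, 0, true };
	m->mapper_done = true;
}
/* The unmap loop; advance_start=false is the buggy form, true applies the fix. */
int unmap_range(struct iopt_model *m, unsigned long start, unsigned long last, bool advance_start)
{
	int torn_down = 0;
	struct area *a;
	while ((a = iter_first(m, start, last))) {
		unsigned long area_last = a->last;
		a->mapped = false;  /* expensive teardown with iova_rwsem dropped ... */
		concurrent_map(m);  /* ... which is the window the mapper races into */
		torn_down++;
		if (advance_start)
			start = area_last + 1;  /* only consider IOVA still ahead of us */
	}
	return torn_down;  /* number of areas torn down */
}
/* Two single-page areas [0,0] and [1,1]; unmap [0,1] while the mapper races. */
struct result run_scenario(bool advance_start)
{
	struct iopt_model m = { { { 0, 0, true }, { 1, 1, true } }, 2, false };
	struct result r = { unmap_range(&m, 0, 1, advance_start), false };
	r.new_mapping_survives = m.n == 3 && m.areas[2].mapped;
	return r;
}
```

With the buggy loop the re-mapped page at IOVA 0 is picked up as "first matching area" and torn down a second time (three teardowns, new mapping gone); with `start` advanced the loop only ever sees the two original areas and the concurrent mapping survives.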