Re: [PATCH v4] Fixes a race in iopt_unmap_iova_range
From: Sina Hassani
Date: Mon Apr 13 2026 - 13:32:14 EST
Thanks Jason.
On Sat, Apr 11, 2026 at 6:03 AM Jason Gunthorpe <jgg@xxxxxxxx> wrote:
>
> On Fri, Apr 10, 2026 at 11:32:44AM -0700, Sina Hassani wrote:
> > Bug: iopt_unmap_iova_range releases the lock on iova_rwsem inside the loop
> > body when getting to the more expensive unmap operations. This is fine on
> > its own except the loop condition is based on the first area that matches
> > the unmap address range. If a concurrent call to map picks an area that was
> > unmapped in the previous iterations, this loop will try to mistakenly unmap
> > them.
> >
> > How to reproduce: I was able to reproduce this by having one userspace
> > thread mapping buffers and passing them to another thread that unmaps
> > them. The problem easily shows up as EBUSY errors if you use single page
> > mappings.
> >
> > The fix: A simple fix that I implemented here is to advance the start
> > pointer after we unmap an area. That way we are only looking at the
> > IOVA range that is mapped and hence guaranteed to not have any overlaps
> > in each iteration.
> >
> > Test: I tested this against the repro mentioned above and it works fine.
> >
> > Cc: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: Sina Hassani <sina@xxxxxxxxxx>
> > ---
> > drivers/iommu/iommufd/io_pagetable.c | 6 ++++++
> > 1 file changed, 6 insertions(+)
>
> The patch is corrupted but I fixed it up by hand and applied it.
>
> Thanks,
> Jason
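As an added illustration (not part of this thread and not iommufd's code), here is a single-threaded C model of the loop described in the quoted patch: `areas`, `first_area`, `racing_map` and the page-sized ranges are constructed stand-ins, with a hook playing the concurrent map() that slips in while the rwsem is dropped. Running it with and without the start-pointer advance shows the unfixed loop unmapping the area the racer just created.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed single-threaded model of the unmap loop discussed in the thread,
 * not iommufd's code: a fixed table stands in for the interval tree and a hook
 * stands in for a map() that wins the race while the rwsem is dropped. */
#define NAREAS 4
struct area { unsigned long start, last; bool mapped; };   /* inclusive IOVA range */
static struct area areas[NAREAS];
static int racer_slot = -1;   /* slot the racing map() re-created, or -1 */

/* The loop condition: lowest mapped area overlapping [start, last], or NULL. */
static struct area *first_area(unsigned long start, unsigned long last)
{
    struct area *best = NULL;
    for (struct area *a = areas; a < areas + NAREAS; a++)
        if (a->mapped && a->last >= start && a->start <= last &&
            (!best || a->start < best->start))
            best = a;
    return best;
}

/* Hypothetical racer: re-creates the range just freed, once, in a free slot. */
static void racing_map(unsigned long start, unsigned long last)
{
    for (int i = 0; racer_slot < 0 && i < NAREAS; i++)
        if (!areas[i].mapped)
            areas[i] = (struct area){ start, last, true }, racer_slot = i;
}

/* Returns how many areas were unmapped; advance_start selects the fixed loop. */
static int unmap_range(unsigned long start, unsigned long last, bool advance_start)
{
    int n = 0; struct area *a;
    while ((a = first_area(start, last)) != NULL) {
        unsigned long f_start = a->start, f_last = a->last;
        a->mapped = false; n++;          /* rwsem dropped here in the real code... */
        racing_map(f_start, f_last);     /* ...and a concurrent map() fills the gap */
        if (f_last >= last) break;       /* range exhausted (also avoids overflow) */
        if (advance_start) start = f_last + 1;  /* the fix: never revisit freed IOVA */
    }
    return n;
}

/* Two single-page mappings; unmap both while the racer remaps the first one. */
static int run_scenario(bool advance_start)
{
    areas[0] = (struct area){ 0x0000, 0x0fff, true };
    areas[1] = (struct area){ 0x1000, 0x1fff, true };
    areas[2] = areas[3] = (struct area){ 0, 0, false };
    racer_slot = -1;
    return unmap_range(0x0000, 0x1fff, advance_start);
}
/* True when the mapping created during the race was left alone. */
static bool racer_mapping_survived(void) { return racer_slot >= 0 && areas[racer_slot].mapped; }
```

With the advance, the loop unmaps exactly the two original areas and leaves the racer's mapping intact; without it, the loop sees the re-created area at the old start address and unmaps that too.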