[PATCH v1 0/3] iommufd: Fix vDEVICE allocation lifecycle bugs

From: Nicolin Chen

Date: Mon Jun 29 2026 - 17:19:30 EST


Sashiko flagged a few bugs in how IOMMU_VDEVICE_ALLOC creates and validates
a vDEVICE on a vIOMMU:

- the core publishes a vDEVICE into the vIOMMU xarray before the driver's
  vdevice_init() runs, so a concurrent invalidation can reach one it has
  not yet accepted;
- the undersized-vdevice_size guard returns holding the igroup mutex,
  deadlocking later vDEVICE operations on that group;
- the Arm SMMUv3 vIOMMU accepts a device without exactly one Stream ID:
  an out-of-bounds streams[] read for none, stale ATC/IOTLB for several.

Fix each of them properly.

This is on GitHub:
https://github.com/nicolinc/iommufd/commits/fix_vdevice_sashiko-v1

Nicolin Chen (3):
  iommufd/viommu: Release the igroup lock on the vdevice_size error path
  iommufd/viommu: Publish a vDEVICE only after vdevice_init() succeeds
  iommu/arm-smmu-v3-iommufd: Require exactly one Stream ID for a vDEVICE

.../iommu/arm/arm-smmu-v3/arm-smmu-v3-iommufd.c | 15 +++++++++++++++
drivers/iommu/iommufd/viommu.c | 17 +++++++++++------
2 files changed, 26 insertions(+), 6 deletions(-)


base-commit: dc59e4fea9d83f03bad6bddf3fa2e52491777482
--
2.43.0
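
The two core-side rules named in the cover letter (every error path drops the group lock; an object becomes findable only after the driver's init accepted it), as an added single-threaded userspace model. This is not code from the series or from the kernel: all struct and function names, the 4-slot table and the error codes are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Userspace model. Every name and error code here is hypothetical. */
struct vdev   { int ready; };
struct group  { int locked; };             /* stands in for the igroup mutex */
struct viommu { struct vdev *slots[4]; };  /* stands in for the vIOMMU xarray */
typedef int (*init_fn)(struct vdev *);     /* stands in for vdevice_init() */

static int init_ok(struct vdev *v)   { v->ready = 1; return 0; }
static int init_fail(struct vdev *v) { (void)v; return -EINVAL; }

/* What a concurrent invalidation would find under this id. */
static struct vdev *lookup(struct viommu *vi, unsigned id) { return id < 4 ? vi->slots[id] : NULL; }

static int vdev_alloc(struct viommu *vi, struct group *g, unsigned id,
                      size_t drv_size, init_fn init)
{
    struct vdev *v = NULL;
    int rc = -EINVAL;

    g->locked = 1;
    if (drv_size < sizeof(*v) || id >= 4)
        goto out_unlock;            /* size guard: no bare return under the lock */
    rc = -EEXIST;
    if (vi->slots[id])
        goto out_unlock;
    rc = -ENOMEM;
    v = calloc(1, drv_size);
    if (!v)
        goto out_unlock;
    rc = init(v);                   /* the driver accepts or rejects first */
    if (rc)
        goto out_free;
    vi->slots[id] = v;              /* publish only after init succeeded */
    v = NULL;                       /* ownership moved to the table */
out_free:
    free(v);                        /* no-op once published */
out_unlock:
    g->locked = 0;
    return rc;
}

int main(void)
{
    struct viommu vi = {0}; struct group g = {0};
    return vdev_alloc(&vi, &g, 0, sizeof(struct vdev), init_ok);
}
```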