| Message ID | 20230131145310.2069-1-longpeng2@huawei.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp2796228wrn;
Tue, 31 Jan 2023 07:00:18 -0800 (PST)
X-Google-Smtp-Source:
AK7set8Evb7zDVeiSUnAqAlYNw1WFG137cPXaFawsmptn7437Wg533FRSCZtm/feppjkQZcl1/Pl
X-Received: by 2002:a17:906:9144:b0:878:7eb7:3488 with SMTP id
y4-20020a170906914400b008787eb73488mr19460826ejw.21.1675177217701;
Tue, 31 Jan 2023 07:00:17 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1675177217; cv=none;
d=google.com; s=arc-20160816;
b=xVrzNCbjQpA0A+TR/Rpc8UDJpQ/YRZFJYd/mHmMGxH4n8EiMHckMgx0w31tYnh7U1Y
G5h2vl/6bKaktLrw0dAH4OnAbOjZGmItKfSsNc+H3CSfCbLabuQ2B6oB5VQhoELIY0TS
f1vvnvVoysU93r2ovx9OyB1waBDD3qWvLu6EFjEY5OMkcLCps0c3YE6jJOjBjmCImaZ6
BNBPq3sgsJh2IdjyKj4j22RQrMQlKWJvT+6wEfeJS2hFS09TQsDX3kWSDghwbY2xCf2A
9f5QBPwJulcyrT8jcIr4yiCjJJSb3pVqLQVzjqmsg0973gpERJJQOkd1+e47EqF8Q6Aq
wEgg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from;
bh=ofiuOYqo+8LbVLF/Lk/knBs8BI+YpgEJRJBuOGbADqg=;
b=T5mZymh1KhMXaXuRYsSnvRtDWoiaXZ7/S8xemyTo1LDdoA/lwxYfaFWCo/EXO/rynL
uolK7iuBW77pMepox4kaIB5WObELQoE5rcHvdN3zWwKmLrsui7ta7bHlhyE50D0cpeAu
yrmRdclQwN+KRSrP503p1MKX4SSZthpT3cVvtqlJFDKj9oCPM1gsr3aJmZaooOsX+C7b
E6ERYUEf18/xduJh5X78xrejLBsDJIWUODEvedsw3wOxVGgvorCeudmfqaLhav4WAeEG
U2dwrkbdWux7vPbDlWgIxYOMp2vTg6Y3riZ6hfzJ96Mzi+VN9ETlY3g1FdMTgaj2heZn
50ZA==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
30-20020a170906005e00b0086f05817f4csi18480650ejg.69.2023.01.31.06.59.33;
Tue, 31 Jan 2023 07:00:17 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S232094AbjAaOx2 (ORCPT <rfc822;maxin.john@gmail.com> + 99 others);
Tue, 31 Jan 2023 09:53:28 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51536 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S231723AbjAaOxZ (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Tue, 31 Jan 2023 09:53:25 -0500
Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [45.249.212.189])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7C2EFEF8D;
Tue, 31 Jan 2023 06:53:20 -0800 (PST)
Received: from kwepemi100025.china.huawei.com (unknown [172.30.72.55])
by szxga03-in.huawei.com (SkyGuard) with ESMTP id 4P5nxB2Hc2zJqd4;
Tue, 31 Jan 2023 22:48:46 +0800 (CST)
Received: from DESKTOP-27KDQMV.china.huawei.com (10.174.148.223) by
kwepemi100025.china.huawei.com (7.221.188.158) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2375.34; Tue, 31 Jan 2023 22:53:14 +0800
From: "Longpeng(Mike)" <longpeng2@huawei.com>
To: <mst@redhat.com>, <jasowang@redhat.com>
CC: <arei.gonglei@huawei.com>, <yechuan@huawei.com>,
<huangzhichao@huawei.com>,
<virtualization@lists.linux-foundation.org>,
<linux-kernel@vger.kernel.org>, <kvm@vger.kernel.org>,
Longpeng <longpeng2@huawei.com>
Subject: [PATCH] vhost-vdpa: cleanup memory maps when closing vdpa fds
Date: Tue, 31 Jan 2023 22:53:10 +0800
Message-ID: <20230131145310.2069-1-longpeng2@huawei.com>
X-Mailer: git-send-email 2.25.0.windows.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type: text/plain; charset=US-ASCII
X-Originating-IP: [10.174.148.223]
X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To
kwepemi100025.china.huawei.com (7.221.188.158)
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1756550626173665483?=
X-GMAIL-MSGID: =?utf-8?q?1756550626173665483?=
|
| Series |
vhost-vdpa: cleanup memory maps when closing vdpa fds
|
|
Commit Message
Longpeng(Mike)
Jan. 31, 2023, 2:53 p.m. UTC
From: Longpeng <longpeng2@huawei.com> We must cleanup all memory maps when closing the vdpa fds, otherwise some critical resources (e.g. memory, iommu map) will leaked if the userspace exits unexpectedly (e.g. kill -9). Signed-off-by: Longpeng <longpeng2@huawei.com> --- drivers/vhost/vdpa.c | 13 +++++++++++++ 1 file changed, 13 insertions(+)
Comments
Hi guys, any suggestions? 在 2023/1/31 22:53, Longpeng(Mike) 写道: > From: Longpeng <longpeng2@huawei.com> > > We must cleanup all memory maps when closing the vdpa fds, otherwise > some critical resources (e.g. memory, iommu map) will leaked if the > userspace exits unexpectedly (e.g. kill -9). > > Signed-off-by: Longpeng <longpeng2@huawei.com> > --- > drivers/vhost/vdpa.c | 13 +++++++++++++ > 1 file changed, 13 insertions(+) > > diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c > index a527eeeac637..37477cffa5aa 100644 > --- a/drivers/vhost/vdpa.c > +++ b/drivers/vhost/vdpa.c > @@ -823,6 +823,18 @@ static void vhost_vdpa_unmap(struct vhost_vdpa *v, > vhost_vdpa_remove_as(v, asid); > } > > +static void vhost_vdpa_clean_map(struct vhost_vdpa *v) > +{ > + struct vhost_vdpa_as *as; > + u32 asid; > + > + for (asid = 0; asid < v->vdpa->nas; asid++) { > + as = asid_to_as(v, asid); > + if (as) > + vhost_vdpa_unmap(v, &as->iotlb, 0ULL, 0ULL - 1); > + } > +} > + > static int vhost_vdpa_va_map(struct vhost_vdpa *v, > struct vhost_iotlb *iotlb, > u64 iova, u64 size, u64 uaddr, u32 perm) > @@ -1247,6 +1259,7 @@ static int vhost_vdpa_release(struct inode *inode, struct file *filep) > vhost_vdpa_clean_irq(v); > vhost_vdpa_reset(v); > vhost_dev_stop(&v->vdev); > + vhost_vdpa_clean_map(v); > vhost_vdpa_free_domain(v); > vhost_vdpa_config_put(v); > vhost_vdpa_cleanup(v);
在 2023/1/31 22:53, Longpeng(Mike) 写道: > From: Longpeng <longpeng2@huawei.com> > > We must cleanup all memory maps when closing the vdpa fds, otherwise > some critical resources (e.g. memory, iommu map) will leaked if the > userspace exits unexpectedly (e.g. kill -9). Sounds like a bug of the kernel, should we fix there? Thanks > > Signed-off-by: Longpeng <longpeng2@huawei.com> > --- > drivers/vhost/vdpa.c | 13 +++++++++++++ > 1 file changed, 13 insertions(+) > > diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c > index a527eeeac637..37477cffa5aa 100644 > --- a/drivers/vhost/vdpa.c > +++ b/drivers/vhost/vdpa.c > @@ -823,6 +823,18 @@ static void vhost_vdpa_unmap(struct vhost_vdpa *v, > vhost_vdpa_remove_as(v, asid); > } > > +static void vhost_vdpa_clean_map(struct vhost_vdpa *v) > +{ > + struct vhost_vdpa_as *as; > + u32 asid; > + > + for (asid = 0; asid < v->vdpa->nas; asid++) { > + as = asid_to_as(v, asid); > + if (as) > + vhost_vdpa_unmap(v, &as->iotlb, 0ULL, 0ULL - 1); > + } > +} > + > static int vhost_vdpa_va_map(struct vhost_vdpa *v, > struct vhost_iotlb *iotlb, > u64 iova, u64 size, u64 uaddr, u32 perm) > @@ -1247,6 +1259,7 @@ static int vhost_vdpa_release(struct inode *inode, struct file *filep) > vhost_vdpa_clean_irq(v); > vhost_vdpa_reset(v); > vhost_dev_stop(&v->vdev); > + vhost_vdpa_clean_map(v); > vhost_vdpa_free_domain(v); > vhost_vdpa_config_put(v); > vhost_vdpa_cleanup(v);
在 2023/2/14 14:16, Jason Wang 写道: > > 在 2023/1/31 22:53, Longpeng(Mike) 写道: >> From: Longpeng <longpeng2@huawei.com> >> >> We must cleanup all memory maps when closing the vdpa fds, otherwise >> some critical resources (e.g. memory, iommu map) will leaked if the >> userspace exits unexpectedly (e.g. kill -9). > > > Sounds like a bug of the kernel, should we fix there? > For example, the iommu map is setup when QEMU calls VHOST_IOTLB_UPDATE ioctl and it'll be freed if QEMU calls VHOST_IOTLB_INVALIDATE ioctl. So maybe we release these resources in vdpa framework in kernel is a suitable choice? By the way, Jason, can you reproduce the problem in your machine? > Thanks > > >> >> Signed-off-by: Longpeng <longpeng2@huawei.com> >> --- >> drivers/vhost/vdpa.c | 13 +++++++++++++ >> 1 file changed, 13 insertions(+) >> >> diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c >> index a527eeeac637..37477cffa5aa 100644 >> --- a/drivers/vhost/vdpa.c >> +++ b/drivers/vhost/vdpa.c >> @@ -823,6 +823,18 @@ static void vhost_vdpa_unmap(struct vhost_vdpa *v, >> vhost_vdpa_remove_as(v, asid); >> } >> +static void vhost_vdpa_clean_map(struct vhost_vdpa *v) >> +{ >> + struct vhost_vdpa_as *as; >> + u32 asid; >> + >> + for (asid = 0; asid < v->vdpa->nas; asid++) { >> + as = asid_to_as(v, asid); >> + if (as) >> + vhost_vdpa_unmap(v, &as->iotlb, 0ULL, 0ULL - 1); >> + } >> +} >> + >> static int vhost_vdpa_va_map(struct vhost_vdpa *v, >> struct vhost_iotlb *iotlb, >> u64 iova, u64 size, u64 uaddr, u32 perm) >> @@ -1247,6 +1259,7 @@ static int vhost_vdpa_release(struct inode >> *inode, struct file *filep) >> vhost_vdpa_clean_irq(v); >> vhost_vdpa_reset(v); >> vhost_dev_stop(&v->vdev); >> + vhost_vdpa_clean_map(v); >> vhost_vdpa_free_domain(v); >> vhost_vdpa_config_put(v); >> vhost_vdpa_cleanup(v); > > .
On Tue, Feb 14, 2023 at 2:28 PM Longpeng (Mike, Cloud Infrastructure Service Product Dept.) <longpeng2@huawei.com> wrote: > > > > 在 2023/2/14 14:16, Jason Wang 写道: > > > > 在 2023/1/31 22:53, Longpeng(Mike) 写道: > >> From: Longpeng <longpeng2@huawei.com> > >> > >> We must cleanup all memory maps when closing the vdpa fds, otherwise > >> some critical resources (e.g. memory, iommu map) will leaked if the > >> userspace exits unexpectedly (e.g. kill -9). > > > > > > Sounds like a bug of the kernel, should we fix there? > > > > For example, the iommu map is setup when QEMU calls VHOST_IOTLB_UPDATE > ioctl and it'll be freed if QEMU calls VHOST_IOTLB_INVALIDATE ioctl. > > So maybe we release these resources in vdpa framework in kernel is a > suitable choice? I think I need understand what does "resources" mean here: For iommu mapping, it should be freed by vhost_vdpa_free_domain() in vhost_vdpa_release()? static int vhost_vdpa_release(struct inode *inode, struct file *filep) { struct vhost_vdpa *v = filep->private_data; struct vhost_dev *d = &v->vdev; mutex_lock(&d->mutex); filep->private_data = NULL; vhost_vdpa_clean_irq(v); vhost_vdpa_reset(v); vhost_dev_stop(&v->vdev); vhost_vdpa_free_domain(v); vhost_vdpa_config_put(v); vhost_vdpa_cleanup(v); mutex_unlock(&d->mutex); atomic_dec(&v->opened); complete(&v->completion); return 0; } > > By the way, Jason, can you reproduce the problem in your machine? > Haven't got time in doing this but it should be the responsibility of the author to validate this anyhow. Thanks > > Thanks > > > > > >> > >> Signed-off-by: Longpeng <longpeng2@huawei.com> > >> --- > >> drivers/vhost/vdpa.c | 13 +++++++++++++ > >> 1 file changed, 13 insertions(+) > >> > >> diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c > >> index a527eeeac637..37477cffa5aa 100644 > >> --- a/drivers/vhost/vdpa.c > >> +++ b/drivers/vhost/vdpa.c > >> @@ -823,6 +823,18 @@ static void vhost_vdpa_unmap(struct vhost_vdpa *v, > >> vhost_vdpa_remove_as(v, asid); > >> } > >> +static void vhost_vdpa_clean_map(struct vhost_vdpa *v) > >> +{ > >> + struct vhost_vdpa_as *as; > >> + u32 asid; > >> + > >> + for (asid = 0; asid < v->vdpa->nas; asid++) { > >> + as = asid_to_as(v, asid); > >> + if (as) > >> + vhost_vdpa_unmap(v, &as->iotlb, 0ULL, 0ULL - 1); > >> + } > >> +} > >> + > >> static int vhost_vdpa_va_map(struct vhost_vdpa *v, > >> struct vhost_iotlb *iotlb, > >> u64 iova, u64 size, u64 uaddr, u32 perm) > >> @@ -1247,6 +1259,7 @@ static int vhost_vdpa_release(struct inode > >> *inode, struct file *filep) > >> vhost_vdpa_clean_irq(v); > >> vhost_vdpa_reset(v); > >> vhost_dev_stop(&v->vdev); > >> + vhost_vdpa_clean_map(v); > >> vhost_vdpa_free_domain(v); > >> vhost_vdpa_config_put(v); > >> vhost_vdpa_cleanup(v); > > > > . >
在 2023/2/15 10:00, Jason Wang 写道: > On Tue, Feb 14, 2023 at 2:28 PM Longpeng (Mike, Cloud Infrastructure > Service Product Dept.) <longpeng2@huawei.com> wrote: >> >> >> >> 在 2023/2/14 14:16, Jason Wang 写道: >>> >>> 在 2023/1/31 22:53, Longpeng(Mike) 写道: >>>> From: Longpeng <longpeng2@huawei.com> >>>> >>>> We must cleanup all memory maps when closing the vdpa fds, otherwise >>>> some critical resources (e.g. memory, iommu map) will leaked if the >>>> userspace exits unexpectedly (e.g. kill -9). >>> >>> >>> Sounds like a bug of the kernel, should we fix there? >>> >> >> For example, the iommu map is setup when QEMU calls VHOST_IOTLB_UPDATE >> ioctl and it'll be freed if QEMU calls VHOST_IOTLB_INVALIDATE ioctl. >> >> So maybe we release these resources in vdpa framework in kernel is a >> suitable choice? > > I think I need understand what does "resources" mean here: > > For iommu mapping, it should be freed by vhost_vdpa_free_domain() in > vhost_vdpa_release()? > Please consider the following lifecycle of the vdpa device: 1. vhost_vdpa_open vhost_vdpa_alloc_domain 2. vhost_vdpa_pa_map pin_user_pages vhost_vdpa_map iommu_map 3. kill QEMU 4. vhost_vdpa_release vhost_vdpa_free_domain In this case, we have no opportunity to invoke unpin_user_pages or iommu_unmap to free the memory. > static int vhost_vdpa_release(struct inode *inode, struct file *filep) > { > struct vhost_vdpa *v = filep->private_data; > struct vhost_dev *d = &v->vdev; > > mutex_lock(&d->mutex); > filep->private_data = NULL; > vhost_vdpa_clean_irq(v); > vhost_vdpa_reset(v); > vhost_dev_stop(&v->vdev); > vhost_vdpa_free_domain(v); > vhost_vdpa_config_put(v); > vhost_vdpa_cleanup(v); > mutex_unlock(&d->mutex); > > atomic_dec(&v->opened); > complete(&v->completion); > > return 0; > } > >> >> By the way, Jason, can you reproduce the problem in your machine? >> > > Haven't got time in doing this but it should be the responsibility of > the author to validate this anyhow. > > Thanks > >>> Thanks >>> >>> >>>> >>>> Signed-off-by: Longpeng <longpeng2@huawei.com> >>>> --- >>>> drivers/vhost/vdpa.c | 13 +++++++++++++ >>>> 1 file changed, 13 insertions(+) >>>> >>>> diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c >>>> index a527eeeac637..37477cffa5aa 100644 >>>> --- a/drivers/vhost/vdpa.c >>>> +++ b/drivers/vhost/vdpa.c >>>> @@ -823,6 +823,18 @@ static void vhost_vdpa_unmap(struct vhost_vdpa *v, >>>> vhost_vdpa_remove_as(v, asid); >>>> } >>>> +static void vhost_vdpa_clean_map(struct vhost_vdpa *v) >>>> +{ >>>> + struct vhost_vdpa_as *as; >>>> + u32 asid; >>>> + >>>> + for (asid = 0; asid < v->vdpa->nas; asid++) { >>>> + as = asid_to_as(v, asid); >>>> + if (as) >>>> + vhost_vdpa_unmap(v, &as->iotlb, 0ULL, 0ULL - 1); >>>> + } >>>> +} >>>> + >>>> static int vhost_vdpa_va_map(struct vhost_vdpa *v, >>>> struct vhost_iotlb *iotlb, >>>> u64 iova, u64 size, u64 uaddr, u32 perm) >>>> @@ -1247,6 +1259,7 @@ static int vhost_vdpa_release(struct inode >>>> *inode, struct file *filep) >>>> vhost_vdpa_clean_irq(v); >>>> vhost_vdpa_reset(v); >>>> vhost_dev_stop(&v->vdev); >>>> + vhost_vdpa_clean_map(v); >>>> vhost_vdpa_free_domain(v); >>>> vhost_vdpa_config_put(v); >>>> vhost_vdpa_cleanup(v); >>> >>> . >> > > .
On Wed, Feb 15, 2023 at 10:49 AM Longpeng (Mike, Cloud Infrastructure Service Product Dept.) <longpeng2@huawei.com> wrote: > > > > 在 2023/2/15 10:00, Jason Wang 写道: > > On Tue, Feb 14, 2023 at 2:28 PM Longpeng (Mike, Cloud Infrastructure > > Service Product Dept.) <longpeng2@huawei.com> wrote: > >> > >> > >> > >> 在 2023/2/14 14:16, Jason Wang 写道: > >>> > >>> 在 2023/1/31 22:53, Longpeng(Mike) 写道: > >>>> From: Longpeng <longpeng2@huawei.com> > >>>> > >>>> We must cleanup all memory maps when closing the vdpa fds, otherwise > >>>> some critical resources (e.g. memory, iommu map) will leaked if the > >>>> userspace exits unexpectedly (e.g. kill -9). > >>> > >>> > >>> Sounds like a bug of the kernel, should we fix there? > >>> > >> > >> For example, the iommu map is setup when QEMU calls VHOST_IOTLB_UPDATE > >> ioctl and it'll be freed if QEMU calls VHOST_IOTLB_INVALIDATE ioctl. > >> > >> So maybe we release these resources in vdpa framework in kernel is a > >> suitable choice? > > > > I think I need understand what does "resources" mean here: > > > > For iommu mapping, it should be freed by vhost_vdpa_free_domain() in > > vhost_vdpa_release()? > > > > Please consider the following lifecycle of the vdpa device: > > 1. vhost_vdpa_open > vhost_vdpa_alloc_domain > > 2. vhost_vdpa_pa_map > pin_user_pages > vhost_vdpa_map > iommu_map > > 3. kill QEMU > > 4. vhost_vdpa_release > vhost_vdpa_free_domain > > In this case, we have no opportunity to invoke unpin_user_pages or > iommu_unmap to free the memory. We do: vhost_vdpa_cleanup() vhost_vdpa_remove_as() vhost_vdpa_iotlb_unmap() vhost_vdpa_pa_unmap() unpin_user_pages() vhost_vdpa_general_unmap() iommu_unmap() ? Btw, it looks like we should call vhost_vdpa_free_domain() *after* vhost_vdpa_cleanup() otherwise it's a UAF? Thanks > > > static int vhost_vdpa_release(struct inode *inode, struct file *filep) > > { > > struct vhost_vdpa *v = filep->private_data; > > struct vhost_dev *d = &v->vdev; > > > > mutex_lock(&d->mutex); > > filep->private_data = NULL; > > vhost_vdpa_clean_irq(v); > > vhost_vdpa_reset(v); > > vhost_dev_stop(&v->vdev); > > vhost_vdpa_free_domain(v); > > vhost_vdpa_config_put(v); > > vhost_vdpa_cleanup(v); > > mutex_unlock(&d->mutex); > > > > atomic_dec(&v->opened); > > complete(&v->completion); > > > > return 0; > > } > > > >> > >> By the way, Jason, can you reproduce the problem in your machine? > >> > > > > Haven't got time in doing this but it should be the responsibility of > > the author to validate this anyhow. > > > > Thanks > > > >>> Thanks > >>> > >>> > >>>> > >>>> Signed-off-by: Longpeng <longpeng2@huawei.com> > >>>> --- > >>>> drivers/vhost/vdpa.c | 13 +++++++++++++ > >>>> 1 file changed, 13 insertions(+) > >>>> > >>>> diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c > >>>> index a527eeeac637..37477cffa5aa 100644 > >>>> --- a/drivers/vhost/vdpa.c > >>>> +++ b/drivers/vhost/vdpa.c > >>>> @@ -823,6 +823,18 @@ static void vhost_vdpa_unmap(struct vhost_vdpa *v, > >>>> vhost_vdpa_remove_as(v, asid); > >>>> } > >>>> +static void vhost_vdpa_clean_map(struct vhost_vdpa *v) > >>>> +{ > >>>> + struct vhost_vdpa_as *as; > >>>> + u32 asid; > >>>> + > >>>> + for (asid = 0; asid < v->vdpa->nas; asid++) { > >>>> + as = asid_to_as(v, asid); > >>>> + if (as) > >>>> + vhost_vdpa_unmap(v, &as->iotlb, 0ULL, 0ULL - 1); > >>>> + } > >>>> +} > >>>> + > >>>> static int vhost_vdpa_va_map(struct vhost_vdpa *v, > >>>> struct vhost_iotlb *iotlb, > >>>> u64 iova, u64 size, u64 uaddr, u32 perm) > >>>> @@ -1247,6 +1259,7 @@ static int vhost_vdpa_release(struct inode > >>>> *inode, struct file *filep) > >>>> vhost_vdpa_clean_irq(v); > >>>> vhost_vdpa_reset(v); > >>>> vhost_dev_stop(&v->vdev); > >>>> + vhost_vdpa_clean_map(v); > >>>> vhost_vdpa_free_domain(v); > >>>> vhost_vdpa_config_put(v); > >>>> vhost_vdpa_cleanup(v); > >>> > >>> . > >> > > > > . >
在 2023/2/15 10:56, Jason Wang 写道: > On Wed, Feb 15, 2023 at 10:49 AM Longpeng (Mike, Cloud Infrastructure > Service Product Dept.) <longpeng2@huawei.com> wrote: >> >> >> >> 在 2023/2/15 10:00, Jason Wang 写道: >>> On Tue, Feb 14, 2023 at 2:28 PM Longpeng (Mike, Cloud Infrastructure >>> Service Product Dept.) <longpeng2@huawei.com> wrote: >>>> >>>> >>>> >>>> 在 2023/2/14 14:16, Jason Wang 写道: >>>>> >>>>> 在 2023/1/31 22:53, Longpeng(Mike) 写道: >>>>>> From: Longpeng <longpeng2@huawei.com> >>>>>> >>>>>> We must cleanup all memory maps when closing the vdpa fds, otherwise >>>>>> some critical resources (e.g. memory, iommu map) will leaked if the >>>>>> userspace exits unexpectedly (e.g. kill -9). >>>>> >>>>> >>>>> Sounds like a bug of the kernel, should we fix there? >>>>> >>>> >>>> For example, the iommu map is setup when QEMU calls VHOST_IOTLB_UPDATE >>>> ioctl and it'll be freed if QEMU calls VHOST_IOTLB_INVALIDATE ioctl. >>>> >>>> So maybe we release these resources in vdpa framework in kernel is a >>>> suitable choice? >>> >>> I think I need understand what does "resources" mean here: >>> >>> For iommu mapping, it should be freed by vhost_vdpa_free_domain() in >>> vhost_vdpa_release()? >>> >> >> Please consider the following lifecycle of the vdpa device: >> >> 1. vhost_vdpa_open >> vhost_vdpa_alloc_domain >> >> 2. vhost_vdpa_pa_map >> pin_user_pages >> vhost_vdpa_map >> iommu_map >> >> 3. kill QEMU >> >> 4. vhost_vdpa_release >> vhost_vdpa_free_domain >> >> In this case, we have no opportunity to invoke unpin_user_pages or >> iommu_unmap to free the memory. > > We do: > > vhost_vdpa_cleanup() > vhost_vdpa_remove_as() > vhost_vdpa_iotlb_unmap() > vhost_vdpa_pa_unmap() > unpin_user_pages() > vhost_vdpa_general_unmap() > iommu_unmap() > ? > Oh, my codebase is linux-6.2-rc2 and the commit c070c1912a8 (vhost-vdpa: fix an iotlb memory leak) already fixed this bug in linux-6.2-rc3. > Btw, it looks like we should call vhost_vdpa_free_domain() *after* > vhost_vdpa_cleanup() otherwise it's a UAF? > I think so, the v->domain is set to NULL in vhost_vdpa_free_domain(), it seems would trigger null-pointer access in my case. > Thanks > >> >>> static int vhost_vdpa_release(struct inode *inode, struct file *filep) >>> { >>> struct vhost_vdpa *v = filep->private_data; >>> struct vhost_dev *d = &v->vdev; >>> >>> mutex_lock(&d->mutex); >>> filep->private_data = NULL; >>> vhost_vdpa_clean_irq(v); >>> vhost_vdpa_reset(v); >>> vhost_dev_stop(&v->vdev); >>> vhost_vdpa_free_domain(v); >>> vhost_vdpa_config_put(v); >>> vhost_vdpa_cleanup(v); >>> mutex_unlock(&d->mutex); >>> >>> atomic_dec(&v->opened); >>> complete(&v->completion); >>> >>> return 0; >>> } >>> >>>> >>>> By the way, Jason, can you reproduce the problem in your machine? >>>> >>> >>> Haven't got time in doing this but it should be the responsibility of >>> the author to validate this anyhow. >>> >>> Thanks >>> >>>>> Thanks >>>>> >>>>> >>>>>> >>>>>> Signed-off-by: Longpeng <longpeng2@huawei.com> >>>>>> --- >>>>>> drivers/vhost/vdpa.c | 13 +++++++++++++ >>>>>> 1 file changed, 13 insertions(+) >>>>>> >>>>>> diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c >>>>>> index a527eeeac637..37477cffa5aa 100644 >>>>>> --- a/drivers/vhost/vdpa.c >>>>>> +++ b/drivers/vhost/vdpa.c >>>>>> @@ -823,6 +823,18 @@ static void vhost_vdpa_unmap(struct vhost_vdpa *v, >>>>>> vhost_vdpa_remove_as(v, asid); >>>>>> } >>>>>> +static void vhost_vdpa_clean_map(struct vhost_vdpa *v) >>>>>> +{ >>>>>> + struct vhost_vdpa_as *as; >>>>>> + u32 asid; >>>>>> + >>>>>> + for (asid = 0; asid < v->vdpa->nas; asid++) { >>>>>> + as = asid_to_as(v, asid); >>>>>> + if (as) >>>>>> + vhost_vdpa_unmap(v, &as->iotlb, 0ULL, 0ULL - 1); >>>>>> + } >>>>>> +} >>>>>> + >>>>>> static int vhost_vdpa_va_map(struct vhost_vdpa *v, >>>>>> struct vhost_iotlb *iotlb, >>>>>> u64 iova, u64 size, u64 uaddr, u32 perm) >>>>>> @@ -1247,6 +1259,7 @@ static int vhost_vdpa_release(struct inode >>>>>> *inode, struct file *filep) >>>>>> vhost_vdpa_clean_irq(v); >>>>>> vhost_vdpa_reset(v); >>>>>> vhost_dev_stop(&v->vdev); >>>>>> + vhost_vdpa_clean_map(v); >>>>>> vhost_vdpa_free_domain(v); >>>>>> vhost_vdpa_config_put(v); >>>>>> vhost_vdpa_cleanup(v); >>>>> >>>>> . >>>> >>> >>> . >> > > .
On Wed, Feb 15, 2023 at 01:15:55PM +0800, Longpeng (Mike, Cloud Infrastructure Service Product Dept.) wrote: > > > 在 2023/2/15 10:56, Jason Wang 写道: > > On Wed, Feb 15, 2023 at 10:49 AM Longpeng (Mike, Cloud Infrastructure > > Service Product Dept.) <longpeng2@huawei.com> wrote: > > > > > > > > > > > > 在 2023/2/15 10:00, Jason Wang 写道: > > > > On Tue, Feb 14, 2023 at 2:28 PM Longpeng (Mike, Cloud Infrastructure > > > > Service Product Dept.) <longpeng2@huawei.com> wrote: > > > > > > > > > > > > > > > > > > > > 在 2023/2/14 14:16, Jason Wang 写道: > > > > > > > > > > > > 在 2023/1/31 22:53, Longpeng(Mike) 写道: > > > > > > > From: Longpeng <longpeng2@huawei.com> > > > > > > > > > > > > > > We must cleanup all memory maps when closing the vdpa fds, otherwise > > > > > > > some critical resources (e.g. memory, iommu map) will leaked if the > > > > > > > userspace exits unexpectedly (e.g. kill -9). > > > > > > > > > > > > > > > > > > Sounds like a bug of the kernel, should we fix there? > > > > > > > > > > > > > > > > For example, the iommu map is setup when QEMU calls VHOST_IOTLB_UPDATE > > > > > ioctl and it'll be freed if QEMU calls VHOST_IOTLB_INVALIDATE ioctl. > > > > > > > > > > So maybe we release these resources in vdpa framework in kernel is a > > > > > suitable choice? > > > > > > > > I think I need understand what does "resources" mean here: > > > > > > > > For iommu mapping, it should be freed by vhost_vdpa_free_domain() in > > > > vhost_vdpa_release()? > > > > > > > > > > Please consider the following lifecycle of the vdpa device: > > > > > > 1. vhost_vdpa_open > > > vhost_vdpa_alloc_domain > > > > > > 2. vhost_vdpa_pa_map > > > pin_user_pages > > > vhost_vdpa_map > > > iommu_map > > > > > > 3. kill QEMU > > > > > > 4. vhost_vdpa_release > > > vhost_vdpa_free_domain > > > > > > In this case, we have no opportunity to invoke unpin_user_pages or > > > iommu_unmap to free the memory. > > > > We do: > > > > vhost_vdpa_cleanup() > > vhost_vdpa_remove_as() > > vhost_vdpa_iotlb_unmap() > > vhost_vdpa_pa_unmap() > > unpin_user_pages() > > vhost_vdpa_general_unmap() > > iommu_unmap() > > ? > > > Oh, my codebase is linux-6.2-rc2 and the commit c070c1912a8 (vhost-vdpa: fix > an iotlb memory leak) already fixed this bug in linux-6.2-rc3. > > > Btw, it looks like we should call vhost_vdpa_free_domain() *after* > > vhost_vdpa_cleanup() otherwise it's a UAF? > > > I think so, the v->domain is set to NULL in vhost_vdpa_free_domain(), it > seems would trigger null-pointer access in my case. OK I'll drop this patch for now then? > > Thanks > > > > > > > > > static int vhost_vdpa_release(struct inode *inode, struct file *filep) > > > > { > > > > struct vhost_vdpa *v = filep->private_data; > > > > struct vhost_dev *d = &v->vdev; > > > > > > > > mutex_lock(&d->mutex); > > > > filep->private_data = NULL; > > > > vhost_vdpa_clean_irq(v); > > > > vhost_vdpa_reset(v); > > > > vhost_dev_stop(&v->vdev); > > > > vhost_vdpa_free_domain(v); > > > > vhost_vdpa_config_put(v); > > > > vhost_vdpa_cleanup(v); > > > > mutex_unlock(&d->mutex); > > > > > > > > atomic_dec(&v->opened); > > > > complete(&v->completion); > > > > > > > > return 0; > > > > } > > > > > > > > > > > > > > By the way, Jason, can you reproduce the problem in your machine? > > > > > > > > > > > > > Haven't got time in doing this but it should be the responsibility of > > > > the author to validate this anyhow. > > > > > > > > Thanks > > > > > > > > > > Thanks > > > > > > > > > > > > > > > > > > > > > > > > > > Signed-off-by: Longpeng <longpeng2@huawei.com> > > > > > > > --- > > > > > > > drivers/vhost/vdpa.c | 13 +++++++++++++ > > > > > > > 1 file changed, 13 insertions(+) > > > > > > > > > > > > > > diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c > > > > > > > index a527eeeac637..37477cffa5aa 100644 > > > > > > > --- a/drivers/vhost/vdpa.c > > > > > > > +++ b/drivers/vhost/vdpa.c > > > > > > > @@ -823,6 +823,18 @@ static void vhost_vdpa_unmap(struct vhost_vdpa *v, > > > > > > > vhost_vdpa_remove_as(v, asid); > > > > > > > } > > > > > > > +static void vhost_vdpa_clean_map(struct vhost_vdpa *v) > > > > > > > +{ > > > > > > > + struct vhost_vdpa_as *as; > > > > > > > + u32 asid; > > > > > > > + > > > > > > > + for (asid = 0; asid < v->vdpa->nas; asid++) { > > > > > > > + as = asid_to_as(v, asid); > > > > > > > + if (as) > > > > > > > + vhost_vdpa_unmap(v, &as->iotlb, 0ULL, 0ULL - 1); > > > > > > > + } > > > > > > > +} > > > > > > > + > > > > > > > static int vhost_vdpa_va_map(struct vhost_vdpa *v, > > > > > > > struct vhost_iotlb *iotlb, > > > > > > > u64 iova, u64 size, u64 uaddr, u32 perm) > > > > > > > @@ -1247,6 +1259,7 @@ static int vhost_vdpa_release(struct inode > > > > > > > *inode, struct file *filep) > > > > > > > vhost_vdpa_clean_irq(v); > > > > > > > vhost_vdpa_reset(v); > > > > > > > vhost_dev_stop(&v->vdev); > > > > > > > + vhost_vdpa_clean_map(v); > > > > > > > vhost_vdpa_free_domain(v); > > > > > > > vhost_vdpa_config_put(v); > > > > > > > vhost_vdpa_cleanup(v); > > > > > > > > > > > > . > > > > > > > > > > > > > . > > > > > > > .
On Wed, Feb 15, 2023 at 1:16 PM Longpeng (Mike, Cloud Infrastructure Service Product Dept.) <longpeng2@huawei.com> wrote: > > > > 在 2023/2/15 10:56, Jason Wang 写道: > > On Wed, Feb 15, 2023 at 10:49 AM Longpeng (Mike, Cloud Infrastructure > > Service Product Dept.) <longpeng2@huawei.com> wrote: > >> > >> > >> > >> 在 2023/2/15 10:00, Jason Wang 写道: > >>> On Tue, Feb 14, 2023 at 2:28 PM Longpeng (Mike, Cloud Infrastructure > >>> Service Product Dept.) <longpeng2@huawei.com> wrote: > >>>> > >>>> > >>>> > >>>> 在 2023/2/14 14:16, Jason Wang 写道: > >>>>> > >>>>> 在 2023/1/31 22:53, Longpeng(Mike) 写道: > >>>>>> From: Longpeng <longpeng2@huawei.com> > >>>>>> > >>>>>> We must cleanup all memory maps when closing the vdpa fds, otherwise > >>>>>> some critical resources (e.g. memory, iommu map) will leaked if the > >>>>>> userspace exits unexpectedly (e.g. kill -9). > >>>>> > >>>>> > >>>>> Sounds like a bug of the kernel, should we fix there? > >>>>> > >>>> > >>>> For example, the iommu map is setup when QEMU calls VHOST_IOTLB_UPDATE > >>>> ioctl and it'll be freed if QEMU calls VHOST_IOTLB_INVALIDATE ioctl. > >>>> > >>>> So maybe we release these resources in vdpa framework in kernel is a > >>>> suitable choice? > >>> > >>> I think I need understand what does "resources" mean here: > >>> > >>> For iommu mapping, it should be freed by vhost_vdpa_free_domain() in > >>> vhost_vdpa_release()? > >>> > >> > >> Please consider the following lifecycle of the vdpa device: > >> > >> 1. vhost_vdpa_open > >> vhost_vdpa_alloc_domain > >> > >> 2. vhost_vdpa_pa_map > >> pin_user_pages > >> vhost_vdpa_map > >> iommu_map > >> > >> 3. kill QEMU > >> > >> 4. vhost_vdpa_release > >> vhost_vdpa_free_domain > >> > >> In this case, we have no opportunity to invoke unpin_user_pages or > >> iommu_unmap to free the memory. > > > > We do: > > > > vhost_vdpa_cleanup() > > vhost_vdpa_remove_as() > > vhost_vdpa_iotlb_unmap() > > vhost_vdpa_pa_unmap() > > unpin_user_pages() > > vhost_vdpa_general_unmap() > > iommu_unmap() > > ? > > > Oh, my codebase is linux-6.2-rc2 and the commit c070c1912a8 (vhost-vdpa: > fix an iotlb memory leak) already fixed this bug in linux-6.2-rc3. > > > Btw, it looks like we should call vhost_vdpa_free_domain() *after* > > vhost_vdpa_cleanup() otherwise it's a UAF? > > > I think so, the v->domain is set to NULL in vhost_vdpa_free_domain(), it > seems would trigger null-pointer access in my case. Patch are welcomed. Thanks > > > Thanks > > > >> > >>> static int vhost_vdpa_release(struct inode *inode, struct file *filep) > >>> { > >>> struct vhost_vdpa *v = filep->private_data; > >>> struct vhost_dev *d = &v->vdev; > >>> > >>> mutex_lock(&d->mutex); > >>> filep->private_data = NULL; > >>> vhost_vdpa_clean_irq(v); > >>> vhost_vdpa_reset(v); > >>> vhost_dev_stop(&v->vdev); > >>> vhost_vdpa_free_domain(v); > >>> vhost_vdpa_config_put(v); > >>> vhost_vdpa_cleanup(v); > >>> mutex_unlock(&d->mutex); > >>> > >>> atomic_dec(&v->opened); > >>> complete(&v->completion); > >>> > >>> return 0; > >>> } > >>> > >>>> > >>>> By the way, Jason, can you reproduce the problem in your machine? > >>>> > >>> > >>> Haven't got time in doing this but it should be the responsibility of > >>> the author to validate this anyhow. > >>> > >>> Thanks > >>> > >>>>> Thanks > >>>>> > >>>>> > >>>>>> > >>>>>> Signed-off-by: Longpeng <longpeng2@huawei.com> > >>>>>> --- > >>>>>> drivers/vhost/vdpa.c | 13 +++++++++++++ > >>>>>> 1 file changed, 13 insertions(+) > >>>>>> > >>>>>> diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c > >>>>>> index a527eeeac637..37477cffa5aa 100644 > >>>>>> --- a/drivers/vhost/vdpa.c > >>>>>> +++ b/drivers/vhost/vdpa.c > >>>>>> @@ -823,6 +823,18 @@ static void vhost_vdpa_unmap(struct vhost_vdpa *v, > >>>>>> vhost_vdpa_remove_as(v, asid); > >>>>>> } > >>>>>> +static void vhost_vdpa_clean_map(struct vhost_vdpa *v) > >>>>>> +{ > >>>>>> + struct vhost_vdpa_as *as; > >>>>>> + u32 asid; > >>>>>> + > >>>>>> + for (asid = 0; asid < v->vdpa->nas; asid++) { > >>>>>> + as = asid_to_as(v, asid); > >>>>>> + if (as) > >>>>>> + vhost_vdpa_unmap(v, &as->iotlb, 0ULL, 0ULL - 1); > >>>>>> + } > >>>>>> +} > >>>>>> + > >>>>>> static int vhost_vdpa_va_map(struct vhost_vdpa *v, > >>>>>> struct vhost_iotlb *iotlb, > >>>>>> u64 iova, u64 size, u64 uaddr, u32 perm) > >>>>>> @@ -1247,6 +1259,7 @@ static int vhost_vdpa_release(struct inode > >>>>>> *inode, struct file *filep) > >>>>>> vhost_vdpa_clean_irq(v); > >>>>>> vhost_vdpa_reset(v); > >>>>>> vhost_dev_stop(&v->vdev); > >>>>>> + vhost_vdpa_clean_map(v); > >>>>>> vhost_vdpa_free_domain(v); > >>>>>> vhost_vdpa_config_put(v); > >>>>>> vhost_vdpa_cleanup(v); > >>>>> > >>>>> . > >>>> > >>> > >>> . > >> > > > > . >
On Wed, Feb 15, 2023 at 01:15:55PM +0800, Longpeng (Mike, Cloud Infrastructure Service Product Dept.) wrote: > > > 在 2023/2/15 10:56, Jason Wang 写道: > > On Wed, Feb 15, 2023 at 10:49 AM Longpeng (Mike, Cloud Infrastructure > > Service Product Dept.) <longpeng2@huawei.com> wrote: > > > > > > > > > > > > 在 2023/2/15 10:00, Jason Wang 写道: > > > > On Tue, Feb 14, 2023 at 2:28 PM Longpeng (Mike, Cloud Infrastructure > > > > Service Product Dept.) <longpeng2@huawei.com> wrote: > > > > > > > > > > > > > > > > > > > > 在 2023/2/14 14:16, Jason Wang 写道: > > > > > > > > > > > > 在 2023/1/31 22:53, Longpeng(Mike) 写道: > > > > > > > From: Longpeng <longpeng2@huawei.com> > > > > > > > > > > > > > > We must cleanup all memory maps when closing the vdpa fds, otherwise > > > > > > > some critical resources (e.g. memory, iommu map) will leaked if the > > > > > > > userspace exits unexpectedly (e.g. kill -9). > > > > > > > > > > > > > > > > > > Sounds like a bug of the kernel, should we fix there? > > > > > > > > > > > > > > > > For example, the iommu map is setup when QEMU calls VHOST_IOTLB_UPDATE > > > > > ioctl and it'll be freed if QEMU calls VHOST_IOTLB_INVALIDATE ioctl. > > > > > > > > > > So maybe we release these resources in vdpa framework in kernel is a > > > > > suitable choice? > > > > > > > > I think I need understand what does "resources" mean here: > > > > > > > > For iommu mapping, it should be freed by vhost_vdpa_free_domain() in > > > > vhost_vdpa_release()? > > > > > > > > > > Please consider the following lifecycle of the vdpa device: > > > > > > 1. vhost_vdpa_open > > > vhost_vdpa_alloc_domain > > > > > > 2. vhost_vdpa_pa_map > > > pin_user_pages > > > vhost_vdpa_map > > > iommu_map > > > > > > 3. kill QEMU > > > > > > 4. vhost_vdpa_release > > > vhost_vdpa_free_domain > > > > > > In this case, we have no opportunity to invoke unpin_user_pages or > > > iommu_unmap to free the memory. > > > > We do: > > > > vhost_vdpa_cleanup() > > vhost_vdpa_remove_as() > > vhost_vdpa_iotlb_unmap() > > vhost_vdpa_pa_unmap() > > unpin_user_pages() > > vhost_vdpa_general_unmap() > > iommu_unmap() > > ? > > > Oh, my codebase is linux-6.2-rc2 and the commit c070c1912a8 (vhost-vdpa: fix > an iotlb memory leak) already fixed this bug in linux-6.2-rc3. OK I dropped this. > > Btw, it looks like we should call vhost_vdpa_free_domain() *after* > > vhost_vdpa_cleanup() otherwise it's a UAF? > > > I think so, the v->domain is set to NULL in vhost_vdpa_free_domain(), it > seems would trigger null-pointer access in my case. > > > Thanks > > > > > > > > > static int vhost_vdpa_release(struct inode *inode, struct file *filep) > > > > { > > > > struct vhost_vdpa *v = filep->private_data; > > > > struct vhost_dev *d = &v->vdev; > > > > > > > > mutex_lock(&d->mutex); > > > > filep->private_data = NULL; > > > > vhost_vdpa_clean_irq(v); > > > > vhost_vdpa_reset(v); > > > > vhost_dev_stop(&v->vdev); > > > > vhost_vdpa_free_domain(v); > > > > vhost_vdpa_config_put(v); > > > > vhost_vdpa_cleanup(v); > > > > mutex_unlock(&d->mutex); > > > > > > > > atomic_dec(&v->opened); > > > > complete(&v->completion); > > > > > > > > return 0; > > > > } > > > > > > > > > > > > > > By the way, Jason, can you reproduce the problem in your machine? > > > > > > > > > > > > > Haven't got time in doing this but it should be the responsibility of > > > > the author to validate this anyhow. > > > > > > > > Thanks > > > > > > > > > > Thanks > > > > > > > > > > > > > > > > > > > > > > > > > > Signed-off-by: Longpeng <longpeng2@huawei.com> > > > > > > > --- > > > > > > > drivers/vhost/vdpa.c | 13 +++++++++++++ > > > > > > > 1 file changed, 13 insertions(+) > > > > > > > > > > > > > > diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c > > > > > > > index a527eeeac637..37477cffa5aa 100644 > > > > > > > --- a/drivers/vhost/vdpa.c > > > > > > > +++ b/drivers/vhost/vdpa.c > > > > > > > @@ -823,6 +823,18 @@ static void vhost_vdpa_unmap(struct vhost_vdpa *v, > > > > > > > vhost_vdpa_remove_as(v, asid); > > > > > > > } > > > > > > > +static void vhost_vdpa_clean_map(struct vhost_vdpa *v) > > > > > > > +{ > > > > > > > + struct vhost_vdpa_as *as; > > > > > > > + u32 asid; > > > > > > > + > > > > > > > + for (asid = 0; asid < v->vdpa->nas; asid++) { > > > > > > > + as = asid_to_as(v, asid); > > > > > > > + if (as) > > > > > > > + vhost_vdpa_unmap(v, &as->iotlb, 0ULL, 0ULL - 1); > > > > > > > + } > > > > > > > +} > > > > > > > + > > > > > > > static int vhost_vdpa_va_map(struct vhost_vdpa *v, > > > > > > > struct vhost_iotlb *iotlb, > > > > > > > u64 iova, u64 size, u64 uaddr, u32 perm) > > > > > > > @@ -1247,6 +1259,7 @@ static int vhost_vdpa_release(struct inode > > > > > > > *inode, struct file *filep) > > > > > > > vhost_vdpa_clean_irq(v); > > > > > > > vhost_vdpa_reset(v); > > > > > > > vhost_dev_stop(&v->vdev); > > > > > > > + vhost_vdpa_clean_map(v); > > > > > > > vhost_vdpa_free_domain(v); > > > > > > > vhost_vdpa_config_put(v); > > > > > > > vhost_vdpa_cleanup(v); > > > > > > > > > > > > . > > > > > > > > > > > > > . > > > > > > > .
diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c index a527eeeac637..37477cffa5aa 100644 --- a/drivers/vhost/vdpa.c +++ b/drivers/vhost/vdpa.c @@ -823,6 +823,18 @@ static void vhost_vdpa_unmap(struct vhost_vdpa *v, vhost_vdpa_remove_as(v, asid); } +static void vhost_vdpa_clean_map(struct vhost_vdpa *v) +{ + struct vhost_vdpa_as *as; + u32 asid; + + for (asid = 0; asid < v->vdpa->nas; asid++) { + as = asid_to_as(v, asid); + if (as) + vhost_vdpa_unmap(v, &as->iotlb, 0ULL, 0ULL - 1); + } +} + static int vhost_vdpa_va_map(struct vhost_vdpa *v, struct vhost_iotlb *iotlb, u64 iova, u64 size, u64 uaddr, u32 perm) @@ -1247,6 +1259,7 @@ static int vhost_vdpa_release(struct inode *inode, struct file *filep) vhost_vdpa_clean_irq(v); vhost_vdpa_reset(v); vhost_dev_stop(&v->vdev); + vhost_vdpa_clean_map(v); vhost_vdpa_free_domain(v); vhost_vdpa_config_put(v); vhost_vdpa_cleanup(v);