On Wed, Oct 16, 2024 at 09:56:51AM +0800, Zhangfei Gao wrote:
On Wed, 16 Oct 2024 at 02:44, Nicolin Chen nicolinc@nvidia.com wrote:
On Mon, Oct 14, 2024 at 07:01:40PM -0700, Nicolin Chen wrote:
On Tue, Oct 15, 2024 at 09:15:01AM +0800, Zhangfei Gao wrote:
iommufd_device_bind iommufd_device_attach iommufd_vdevice_alloc_ioctl
iommufd_device_detach iommufd_device_unbind // refcount check fail iommufd_vdevice_destroy ref--
Things should be symmetric. As you suspected, vdevice should be destroyed before iommufd_device_detach.
I am trying based on your for_iommufd_viommu_p2-v3 branch, do you have this issue? In checking whether close fd before unbind?
Oops, my bad. I will provide a fix.
This should fix the problem:
diff --git a/drivers/iommu/iommufd/device.c b/drivers/iommu/iommufd/device.c index 5fd3dd420290..13100cfea29d 100644 --- a/drivers/iommu/iommufd/device.c +++ b/drivers/iommu/iommufd/device.c @@ -277,6 +277,11 @@ EXPORT_SYMBOL_NS_GPL(iommufd_ctx_has_group, IOMMUFD); */ void iommufd_device_unbind(struct iommufd_device *idev) {
mutex_lock(&idev->igroup->lock);
/* idev->vdev object should be destroyed prior, yet just in case.. */
if (idev->vdev)
iommufd_object_remove(idev->ictx, NULL, idev->vdev->obj.id, 0);
mutex_unlock(&idev->igroup->lock); iommufd_object_destroy_user(idev->ictx, &idev->obj);
} EXPORT_SYMBOL_NS_GPL(iommufd_device_unbind, IOMMUFD);
Not yet [ 574.162112] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004 [ 574.261102] pc : iommufd_object_remove+0x7c/0x278 [ 574.265795] lr : iommufd_device_unbind+0x44/0x98 in check
Hmm, it's kinda odd it crashes inside iommufd_object_remove(). Did you happen to change something there?
The added iommufd_object_remove() is equivalent to userspace calling the destroy ioctl on the vDEVICE object.
Nicolin