>-----Original Message-----
>From: CLEMENT MATHIEU--DRIF <clement.mathieu--d...@eviden.com>
>Subject: Re: [PATCH v6 18/19] intel_iommu: Implement >[set|unset]_iommu_device() callbacks
>
>
>On 03/06/2024 08:10, Zhenzhong Duan wrote:
>> Caution: External email. Do not open attachments or click links, unless this >email comes from a known sender and you know the content is safe.
>>
>>
>> From: Yi Liu <yi.l....@intel.com>
>>
>> Implement [set|unset]_iommu_device() callbacks in Intel vIOMMU.
>> In set call, a new structure VTDHostIOMMUDevice which holds
>> a reference to HostIOMMUDevice is stored in hash table
>> indexed by PCI BDF.
>>
>> Signed-off-by: Yi Liu <yi.l....@intel.com>
>> Signed-off-by: Yi Sun <yi.y....@linux.intel.com>
>> Signed-off-by: Zhenzhong Duan <zhenzhong.d...@intel.com>
>> ---
>> hw/i386/intel_iommu_internal.h | 9 ++++
>> include/hw/i386/intel_iommu.h | 2 +
>> hw/i386/intel_iommu.c | 76 >++++++++++++++++++++++++++++++++++
>> 3 files changed, 87 insertions(+)
>>
>> diff --git a/hw/i386/intel_iommu_internal.h >b/hw/i386/intel_iommu_internal.h
>> index f8cf99bddf..b800d62ca0 100644
>> --- a/hw/i386/intel_iommu_internal.h
>> +++ b/hw/i386/intel_iommu_internal.h
>> @@ -28,6 +28,7 @@
>> #ifndef HW_I386_INTEL_IOMMU_INTERNAL_H
>> #define HW_I386_INTEL_IOMMU_INTERNAL_H
>> #include "hw/i386/intel_iommu.h"
>> +#include "sysemu/host_iommu_device.h"
>>
>> /*
>> * Intel IOMMU register specification
>> @@ -537,4 +538,12 @@ typedef struct VTDRootEntry VTDRootEntry;
>> #define VTD_SL_IGN_COM 0xbff0000000000000ULL
>> #define VTD_SL_TM (1ULL << 62)
>>
>> +
>> +typedef struct VTDHostIOMMUDevice {
>> + IntelIOMMUState *iommu_state;
>> + PCIBus *bus;
>> + uint8_t devfn;
>> + HostIOMMUDevice *dev;
>> + QLIST_ENTRY(VTDHostIOMMUDevice) next;
>> +} VTDHostIOMMUDevice;
>> #endif
>> diff --git a/include/hw/i386/intel_iommu.h >b/include/hw/i386/intel_iommu.h
>> index 7d694b0813..2bbde41e45 100644
>> --- a/include/hw/i386/intel_iommu.h
>> +++ b/include/hw/i386/intel_iommu.h
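Review bot: VTDHostIOMMUDevice declares a `QLIST_ENTRY(VTDHostIOMMUDevice) next` member, but in the hunks of this patch the instances are only ever stored in a GHashTable and nothing links them into a list, so the member looks unused unless a later patch in the series needs it. Either drop it or say what it is for, and give the struct a header comment such as `/* Host IOMMU device bound to one (bus, devfn); owned by IntelIOMMUState::vtd_host_iommu_dev */`. The `iommu_state` member is likewise written in vtd_dev_set_iommu_device but not read anywhere visible in this patch.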
>> @@ -293,6 +293,8 @@ struct IntelIOMMUState {
>> /* list of registered notifiers */
>> QLIST_HEAD(, VTDAddressSpace) vtd_as_with_notifiers;
>>
>> + GHashTable *vtd_host_iommu_dev; /* VTDHostIOMMUDevice >*/
>> +
>> /* interrupt remapping */
>> bool intr_enabled; /* Whether guest enabled IR */
>> dma_addr_t intr_root; /* Interrupt remapping table pointer */
>> diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
>> index 519063c8f8..747c988bc4 100644
>> --- a/hw/i386/intel_iommu.c
>> +++ b/hw/i386/intel_iommu.c
>> @@ -237,6 +237,13 @@ static gboolean vtd_as_equal(gconstpointer v1, >gconstpointer v2)
>> (key1->pasid == key2->pasid);
>> }
>>
>> +static gboolean vtd_as_idev_equal(gconstpointer v1, gconstpointer v2)
>> +{
>> + const struct vtd_as_key *key1 = v1;
>> + const struct vtd_as_key *key2 = v2;
>> +
>> + return (key1->bus == key2->bus) && (key1->devfn == key2->devfn);
>> +}
>> /*
>> * Note that we use pointer to PCIBus as the key, so hashing/shifting
>> * based on the pointer value is intended. Note that we deal with
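Review bot: vtd_as_idev_equal compares only bus and devfn, while the table it serves is created in the vtd_realize hunk of this file with the existing vtd_as_hash, whose body is outside this patch; the pairing is only correct if vtd_as_hash does not fold pasid into the hash value, which is worth confirming and recording in a comment such as `/* bus+devfn only; must stay consistent with vtd_as_hash ignoring pasid */`. There is also no blank line between the new function's closing brace and the existing comment block that follows it.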
>> @@ -3812,6 +3819,70 @@ VTDAddressSpace >*vtd_find_add_as(IntelIOMMUState *s, PCIBus *bus,
>> return vtd_dev_as;
>> }
>>
>> +static bool vtd_dev_set_iommu_device(PCIBus *bus, void *opaque, int >devfn,
>> + HostIOMMUDevice *hiod, Error **errp)
>> +{
>> + IntelIOMMUState *s = opaque;
>> + VTDHostIOMMUDevice *vtd_hdev;
>> + struct vtd_as_key key = {
>> + .bus = bus,
>> + .devfn = devfn,
>> + };
>> + struct vtd_as_key *new_key;
>> +
>> + assert(hiod);
>> +
>> + vtd_iommu_lock(s);
>> +
>> + vtd_hdev = g_hash_table_lookup(s->vtd_host_iommu_dev, &key);
>> +
>> + if (vtd_hdev) {
>> + error_setg(errp, "IOMMUFD device already exist");
>> + vtd_iommu_unlock(s);
>> + return false;
>> + }
>> +
>> + vtd_hdev = g_malloc0(sizeof(VTDHostIOMMUDevice));
>> + vtd_hdev->bus = bus;
>> + vtd_hdev->devfn = (uint8_t)devfn;
>> + vtd_hdev->iommu_state = s;
>> + vtd_hdev->dev = hiod;
>> +
>> + new_key = g_malloc(sizeof(*new_key));
>> + new_key->bus = bus;
>> + new_key->devfn = devfn;
>> +
>> + object_ref(hiod);
>> + g_hash_table_insert(s->vtd_host_iommu_dev, new_key, vtd_hdev);
>> +
>> + vtd_iommu_unlock(s);
>> +
>> + return true;
>> +}
>> +
>> +static void vtd_dev_unset_iommu_device(PCIBus *bus, void *opaque, int >devfn)
>> +{
>> + IntelIOMMUState *s = opaque;
>> + VTDHostIOMMUDevice *vtd_hdev;
>> + struct vtd_as_key key = {
>> + .bus = bus,
>> + .devfn = devfn,
>> + };
>> +
>> + vtd_iommu_lock(s);
>> +
>> + vtd_hdev = g_hash_table_lookup(s->vtd_host_iommu_dev, &key);
>> + if (!vtd_hdev) {
>> + vtd_iommu_unlock(s);
>> + return;
>> + }
>> +
>> + g_hash_table_remove(s->vtd_host_iommu_dev, &key);
>> + object_unref(vtd_hdev->dev);
>Not sure but isn't that a potential use after free?
Good catch! Will fix. Should be: object_unref(vtd_hdev->dev); g_hash_table_remove(s->vtd_host_iommu_dev, &key); Thanks Zhenzhong
>> +
>> + vtd_iommu_unlock(s);
>> +}
>> +
>> /* Unmap the whole range in the notifier's scope. */
>> static void vtd_address_space_unmap(VTDAddressSpace *as, >IOMMUNotifier *n)
>> {
>> @@ -4116,6 +4187,8 @@ static AddressSpace >*vtd_host_dma_iommu(PCIBus *bus, void *opaque, int devfn)
>>
>> static PCIIOMMUOps vtd_iommu_ops = {
>> .get_address_space = vtd_host_dma_iommu,
>> + .set_iommu_device = vtd_dev_set_iommu_device,
>> + .unset_iommu_device = vtd_dev_unset_iommu_device,
>> };
>>
>> static bool vtd_decide_config(IntelIOMMUState *s, Error **errp)
>> @@ -4235,6 +4308,9 @@ static void vtd_realize(DeviceState *dev, Error >**errp)
>> g_free, g_free);
>> s->vtd_address_spaces = g_hash_table_new_full(vtd_as_hash, >vtd_as_equal,
>> g_free, g_free);
>> + s->vtd_host_iommu_dev = g_hash_table_new_full(vtd_as_hash,
>> + vtd_as_idev_equal,
>> + g_free, g_free);
>> vtd_init(s);
>> pci_setup_iommu(bus, &vtd_iommu_ops, dev);
>> /* Pseudo address space under root PCI bus. */
>> --
>> 2.34.1
>>
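Review bot: In vtd_dev_set_iommu_device the key stored in the table is obtained with g_malloc and only its bus and devfn are assigned, so the pasid member that struct vtd_as_key evidently has (vtd_as_equal compares it) is left uninitialized, whereas the stack key used for lookups is fully initialized by the designated initializer; copying the stack key with `*new_key = key;` (or allocating with g_malloc0) keeps the stored and lookup keys byte-identical regardless of which members the hash function reads. The error text `"IOMMUFD device already exist"` is ungrammatical and narrower than the generic HostIOMMUDevice the callback accepts; `"Host IOMMU device already exists"` would fit. Both callbacks would also benefit from a short comment stating that set takes a reference on hiod which unset is responsible for dropping, and that vtd_iommu_lock() guards the table.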