Re: [PATCH 1/9] vfio/pci: Fix vfio_pci_dma_buf_cleanup() double-put

Next message: Paul Elder: "Re: [RFC PATCH 1/5] media: dt-bindings: Add rockchip rkisp2 bindings"
Previous message: Kairui Song: "Re: [PATCH v5 00/21] Virtual Swap Space"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jason Gunthorpe

Date: Fri Apr 24 2026 - 14:06:04 EST

On Thu, Apr 16, 2026 at 06:17:44AM -0700, Matt Evans wrote:
> vfio_pci_dma_buf_cleanup() assumed all VFIO device DMABUFs need to be
> revoked. However, if vfio_pci_dma_buf_move() revokes DMABUFs before
> the fd/device closes, then vfio_pci_dma_buf_cleanup() would do a
> second/underflowing kref_put() then wait_for_completion() on a
> completion that never fires. Fixed by predicating on revocation
> status.
>
> This could happen if PCI_COMMAND_MEMORY is cleared before closing the
> device fd (but the scenario is more likely to hit when future commits
> add more methods to revoke DMABUFs).
>
> Fixes: 1a8a5227f2299 ("vfio: Wait for dma-buf invalidation to complete")
> Signed-off-by: Matt Evans <mattev@xxxxxxxx>
> ---
>
> (Just a fix, but later "vfio/pci: Convert BAR mmap() to use a DMABUF"
> and "vfio/pci: Permanently revoke a DMABUF on request" depend on this
> context, so including in this series.)
>
> drivers/vfio/pci/vfio_pci_dmabuf.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)

Reviewed-by: Jason Gunthorpe <jgg@xxxxxxxxxx>

Jason