> From: Jason Gunthorpe <jgg@xxxxxxxxxx>
> Sent: Tuesday, March 7, 2023 4:22 AM
>
> On Thu, Mar 02, 2023 at 08:01:00AM +0000, Tian, Kevin wrote:
> > > From: Jason Gunthorpe <jgg@xxxxxxxxxx>
> > > Sent: Saturday, February 25, 2023 8:28 AM
> > >
> > > +struct iommufd_hw_pagetable *
> > > +iommufd_hw_pagetable_detach(struct iommufd_device *idev)
> > > {
> > > - if (!iommufd_hw_pagetable_has_group(hwpt, idev->igroup))
> > > + struct iommufd_hw_pagetable *hwpt = idev->igroup->hwpt;
> > > +
> > > + lockdep_assert_held(&idev->igroup->lock);
> > > +
> > > + idev->igroup->devices--;
> > > + if (!idev->igroup->devices) {
> > > iommu_detach_group(hwpt->domain, idev->igroup->group);
> > > + idev->igroup->hwpt = NULL;
> >
> > hwpt->obj.users should be decremented here instead of leaving it
> > in iommufd_device_detach().
>
> It is like this because eventually we can't call
> iommufd_object_destroy_user() while holding the locks.
>
> So the lowest function returns the hwpt up the call chain and once
> everything is unlocked then it calls iommufd_hw_pagetable_put()
but don't we have unbalanced refcnt poke?
device_attach:
if (!idev->igroup->devices) {
rc = iommu_attach_group(hwpt->domain, idev->igroup->group);
if (rc)
goto err_unresv;
idev->igroup->hwpt = hwpt;
refcount_inc(&hwpt->obj.users); //first device increases refcnt
}
device_detach:
idev->igroup->devices--;
if (!idev->igroup->devices) {
iommu_detach_group(hwpt->domain, idev->igroup->group);
idev->igroup->hwpt = NULL;
}
...
if (hwpt->auto_domain)
iommufd_object_destroy_user(idev->ictx, &hwpt->obj);
else
refcount_dec(&hwpt->obj.users); //every device decrease refcnt
