On Wed, Oct 30, 2024 at 02:35:27PM -0700, Nicolin Chen wrote:
> +void iommufd_vdevice_destroy(struct iommufd_object *obj)
> +{
> + struct iommufd_vdevice *vdev =
> + container_of(obj, struct iommufd_vdevice, obj);
> + struct iommufd_viommu *viommu = vdev->viommu;
> +
> + /* xa_cmpxchg is okay to fail if alloc returned -EEXIST previously */
> + xa_cmpxchg(&viommu->vdevs, vdev->id, vdev, NULL, GFP_KERNEL);
There are crazy races that would cause this not to work. Another
thread could have successfully destroyed whatever caused EEXIST and
the successfully registered this same vdev to the same id. Then this
will wrongly erase the other threads entry.
It would be better to skip the erase directly if the EEXIST unwind is
being taken.
Jason
