Hi All, This is v4 of a follow up to Matt's recent series[0] where he tackled a race that turned out to be outside of the s390 IOMMU driver itself as well as duplicate device attachments. After an internal discussion we came up with what I believe is a cleaner fix. Instead of actively checking for duplicates we instead detach from any previous domain on attach. From my cursory reading of the code this seems to be what the Intel IOMMU driver is doing as well. Moreover we drop the attempt to re-attach the device to its previous IOMMU domain on failure. This was fragile, unlikely to help and unexpected for calling code. Thanks Jason for the suggestion. During development of this fix we realized that we can get rid of struct s390_domain_device entirely if we instead thread the list through the attached struct zpci_devs. This saves us from having to allocate during attach and gets rid of one level of indirection during IOMMU operations. Additionally 3 more fixes have been added in v3 that weren't in v2 of this series. One is for a potential situation where the aperture of a domain could shrink and leave invalid translations. The next one fixes an off by one in checking validity of an IOVA and the last one fixes a wrong value for pgsize_bitmap. *Note*: This series is against the s390 features branch[1] which already contains the bus_next field removal that was part of v2. Best regards, Niklas Changes since v3: - Drop s390_domain from __s390_iommu_detach_device() (Jason) - WARN_ON() mismatched domain in s390_iommu_detach_device() (Jason) - Use __s390_iommu_detach_device() in s390_iommu_release_device() (Jason) - Make aperture check resistant against overflow (Jason) Changes since v2: - The patch removing the unused bus_next field has been spun out and already made it into the s390 feature branch on git.kernel.org - Make __s390_iommu_detach_device() return void (Jason) - Remove the re-attach on failure dance as it is unlikely to help and complicates debug and recovery (Jason) - Ignore attempts to detach from domain that is not the active one - Add patch to fix potential shrinking of the aperture and use reserved ranges per device instead of the aperture to respect IOVA range restrictions (Jason) - Add a fix for an off by one error on checking an IOVA against the aperture - Add a fix for wrong pgsize_bitmap Changes since v1: - After patch 3 we don't have to search in the devices list on detach as we alreadz have hold of the zpci_dev (Jason) - Add a WARN_ON() if somehow ended up detaching a device from a domain that isn't the device's current domain. - Removed the iteration and list delete from s390_domain_free() instead just WARN_ON() when we're freeing without having detached - The last two points should help catching sequencing errors much more quickly in the future. [0] https://lore.kernel.org/linux-iommu/20220831201236.77595-1-mjrosato@xxxxxxxxxxxxx/ [1] https://git.kernel.org/pub/scm/linux/kernel/git/s390/linux.git/ Niklas Schnelle (5): iommu/s390: Fix duplicate domain attachments iommu/s390: Get rid of s390_domain_device iommu/s390: Fix potential s390_domain aperture shrinking iommu/s390: Fix incorrect aperture check iommu/s390: Fix incorrect pgsize_bitmap arch/s390/include/asm/pci.h | 1 + drivers/iommu/s390-iommu.c | 169 +++++++++++++++--------------------- 2 files changed, 70 insertions(+), 100 deletions(-) -- 2.34.1