This is a note to let you know that I've just added the patch titled

    iommu/amd/iommu_v2: Fix pasid_state refcount dec hit 0 warning on pasid unbind

to the 6.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    iommu-amd-iommu_v2-fix-pasid_state-refcount-dec-hit-.patch
and it can be found in the queue-6.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.

commit e02e5d4a3ff1a1ba085d84a327348d81a4f845df
Author: Daniel Marcovitch <dmarcovitch@xxxxxxxxxx>
Date:   Fri Jun 9 10:51:45 2023 +0000

    iommu/amd/iommu_v2: Fix pasid_state refcount dec hit 0 warning on pasid unbind

    [ Upstream commit 534103bcd52ca9c1fecbc70e717b4a538dc4ded8 ]

    When unbinding pasid - a race condition exists vs outstanding page faults.

    To prevent this, the pasid_state object contains a refcount.
        * set to 1 on pasid bind
        * incremented on each ppr notification start
        * decremented on each ppr notification done
        * decremented on pasid unbind

    Since refcount_dec assumes that refcount will never reach 0:
      the current implementation causes the following to be invoked on
      pasid unbind:
          REFCOUNT_WARN("decrement hit 0; leaking memory")

    Fix this issue by changing refcount_dec to refcount_dec_and_test
    to explicitly handle refcount=1.

    Fixes: 8bc54824da4e ("iommu/amd: Convert from atomic_t to refcount_t on pasid_state->count")
    Signed-off-by: Daniel Marcovitch <dmarcovitch@xxxxxxxxxx>
    Signed-off-by: Vasant Hegde <vasant.hegde@xxxxxxx>
    Link: https://lore.kernel.org/r/20230609105146.7773-2-vasant.hegde@xxxxxxx
    Signed-off-by: Joerg Roedel <jroedel@xxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/iommu/amd/iommu_v2.c b/drivers/iommu/amd/iommu_v2.c index 261352a232716..65d78d7e04408 100644 --- a/drivers/iommu/amd/iommu_v2.c +++ b/drivers/iommu/amd/iommu_v2.c
@@ -262,8 +262,8 @@ static void put_pasid_state(struct pasid_state *pasid_state) static void put_pasid_state_wait(struct pasid_state *pasid_state) { - refcount_dec(&pasid_state->count); - wait_event(pasid_state->wq, !refcount_read(&pasid_state->count)); + if (!refcount_dec_and_test(&pasid_state->count)) + wait_event(pasid_state->wq, !refcount_read(&pasid_state->count)); free_pasid_state(pasid_state); }
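Review bot: put_pasid_state_wait() now reaches free_pasid_state() by two paths, and nothing in the function says why the path where refcount_dec_and_test() returns true may skip the wait. A short comment above the `if` would help, stating that the unbind caller drops the initial reference taken at bind, that a true return means no ppr notification still holds the object, and that otherwise the last put is expected to wake `pasid_state->wq` once the count reads 0. The free on either path is only safe if no new reference can be taken after the count reaches 0. The commit message says the count is incremented on each ppr notification start, and that increment path is not visible in this hunk, so the changelog or the comment should state what prevents a notification from finding this pasid_state once unbind has called this function. An increment from 0 would both trigger a refcount warning and touch an object that is about to be freed.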