Jean-Philippe Brucker
2022-Sep-13 12:27 UTC
[PATCH 4/5] iommu: Regulate errno in ->attach_dev callback functions
Hi Nicolin, On Tue, Sep 13, 2022 at 01:24:47AM -0700, Nicolin Chen wrote:> Following the new rules in include/linux/iommu.h kdocs, update all drivers > ->attach_dev callback functions to return ENODEV error code for all device > specific errors. It particularly excludes EINVAL from being used for such > error cases. For the same purpose, also replace one EINVAL with ENOMEM in > mtk_iommu driver. > > Note that the virtio-iommu does a viommu_domain_map_identity() call, which > returns either 0 or ENOMEM at this moment. Change to "return ret" directly > to allow it to pass an EINVAL in the future.[...]> diff --git a/drivers/iommu/virtio-iommu.c b/drivers/iommu/virtio-iommu.c > index 80151176ba12..874c01634d2b 100644 > --- a/drivers/iommu/virtio-iommu.c > +++ b/drivers/iommu/virtio-iommu.c > @@ -696,7 +696,7 @@ static int viommu_domain_finalise(struct viommu_endpoint *vdev, > if (ret) { > ida_free(&viommu->domain_ids, vdomain->id); > vdomain->viommu = NULL; > - return -EOPNOTSUPP; > + return ret;I think in the future it will be too easy to forget about the constrained return value of attach() while modifying some other part of the driver, and let an external helper return EINVAL. So I'd rather not propagate ret from outside of viommu_domain_attach() and finalise(). For the same reason I do prefer this solution over EMEDIUMTYPE, because it's too tempting to use exotic errno when they seem appropriate instead of boring ENODEV and EINVAL. The alternative would be adding a special purpose code to linux/errno.h, similarly to EPROBE_DEFER, but that might be excessive. Since we can't guarantee that APIs like virtio or ida won't ever return EINVAL, we should set all return values: --- 8< --->From 7b16796cb78d11971236f98fd2d3cd73ca769827 Mon Sep 17 00:00:00 2001From: Jean-Philippe Brucker <jean-philippe at linaro.org> Date: Tue, 13 Sep 2022 12:53:02 +0100 Subject: [PATCH] iommu/virtio: Constrain return value of viommu_attach_dev() Ensure viommu_attach_dev() only return errno values expected from the attach_dev() op. In particular, only return EINVAL when we're sure that the device is incompatible with the domain. Signed-off-by: Jean-Philippe Brucker <jean-philippe at linaro.org> --- drivers/iommu/virtio-iommu.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/iommu/virtio-iommu.c b/drivers/iommu/virtio-iommu.c index 08eeafc9529f..582ff5a33b52 100644 --- a/drivers/iommu/virtio-iommu.c +++ b/drivers/iommu/virtio-iommu.c @@ -669,13 +669,13 @@ static int viommu_domain_finalise(struct viommu_endpoint *vdev, dev_err(vdev->dev, "granule 0x%lx larger than system page size 0x%lx\n", viommu_page_size, PAGE_SIZE); - return -EINVAL; + return -ENODEV; } ret = ida_alloc_range(&viommu->domain_ids, viommu->first_domain, viommu->last_domain, GFP_KERNEL); if (ret < 0) - return ret; + return -ENOMEM; vdomain->id = (unsigned int)ret; @@ -696,7 +696,7 @@ static int viommu_domain_finalise(struct viommu_endpoint *vdev, if (ret) { ida_free(&viommu->domain_ids, vdomain->id); vdomain->viommu = NULL; - return -EOPNOTSUPP; + return -ENODEV; } } @@ -734,7 +734,7 @@ static int viommu_attach_dev(struct iommu_domain *domain, struct device *dev) ret = viommu_domain_finalise(vdev, domain); } else if (vdomain->viommu != vdev->viommu) { dev_err(dev, "cannot attach to foreign vIOMMU\n"); - ret = -EXDEV; + ret = -EINVAL; } mutex_unlock(&vdomain->mutex); @@ -769,7 +769,7 @@ static int viommu_attach_dev(struct iommu_domain *domain, struct device *dev) ret = viommu_send_req_sync(vdomain->viommu, &req, sizeof(req)); if (ret) - return ret; + return -ENODEV; } if (!vdomain->nr_endpoints) { @@ -779,7 +779,7 @@ static int viommu_attach_dev(struct iommu_domain *domain, struct device *dev) */ ret = viommu_replay_mappings(vdomain); if (ret) - return ret; + return -ENODEV; } vdomain->nr_endpoints++; -- 2.37.3