Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753341AbdHQQ41 (ORCPT ); Thu, 17 Aug 2017 12:56:27 -0400 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:53012 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752236AbdHQQ40 (ORCPT ); Thu, 17 Aug 2017 12:56:26 -0400 Subject: Re: [PATCH] iommu: Avoid NULL group dereference To: Joerg Roedel Cc: iommu@lists.linux-foundation.org, shawn.lin@rock-chips.com, marc.zyngier@arm.com, linux-kernel@vger.kernel.org References: <59a6c4f0a790eea40e2b2f2be840b63317dd44e4.1502966326.git.robin.murphy@arm.com> <20170817154101.GL16908@8bytes.org> From: Robin Murphy Message-ID: Date: Thu, 17 Aug 2017 17:56:23 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 MIME-Version: 1.0 In-Reply-To: <20170817154101.GL16908@8bytes.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-GB Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1703 Lines: 40 On 17/08/17 16:41, Joerg Roedel wrote: > On Thu, Aug 17, 2017 at 11:40:08AM +0100, Robin Murphy wrote: >> The recently-removed FIXME in iommu_get_domain_for_dev() turns out to >> have been a little misleading, since that check is still worthwhile even >> when groups *are* universal. We have a few IOMMU-aware drivers which >> only care whether their device is already attached to an existing domain >> or not, for which the previous behaviour of iommu_get_domain_for_dev() >> was ideal, and who now crash if their device does not have an IOMMU. >> >> With IOMMU groups now serving as a reliable indicator of whether a >> device has an IOMMU or not (barring false-positives from VFIO no-IOMMU >> mode), drivers could arguably do this: >> >> group = iommu_group_get(dev); >> if (group) { >> domain = iommu_get_domain_for_dev(dev); >> iommu_group_put(group); >> } > > Okay, so just to check I got it right: Drivers do the above to check > whether a device is managed by an IOMMU, and that crashes now because > the 'group == NULL' check was removed? Indeed - the typical context is network descriptors that don't have space to store the CPU virtual address of the buffer, so when a packet arrives the driver has to work backwards from the DMA address, in this sort of pattern: addr = desc[idx]->addr; domain = iommu_get_domain_for_dev(dev); if (domain) addr = iommu_iova_to_phys(domain, addr) buf = phys_to_virt(addr) (the GIC thing is similar but in reverse, with a physical address which may or may not need replacing with an IOVA). Unless we were to change the interface to be iommu_get_domain_for_group(), I think it makes sense for it to remain valid to call for any device. Robin.