From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jacob Pan, Mika Westerberg, Kevin Tian, Ashok Raj, Lu Baolu, Joerg Roedel, Sasha Levin
Subject: [PATCH 5.0 052/246] iommu/vt-d: Disable ATS support on untrusted devices
Date: Thu, 4 Apr 2019 10:45:52 +0200
Message-Id: <20190404084620.839695349@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190404084619.236418459@linuxfoundation.org>
References: <20190404084619.236418459@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

5.0-stable review patch. If anyone has any objections, please let me know.

------------------

[ Upstream commit d8b8591054575f33237556c32762d54e30774d28 ]

Commit fb58fdcd295b9 ("iommu/vt-d: Do not enable ATS for untrusted
devices") disables ATS support on the devices which have been marked
as untrusted. Unfortunately this is not enough to fix the DMA attack
vulnerabilities because IOMMU driver allows translated requests as
long as a device advertises the ATS capability. Hence a malicious
peripheral device could use this to bypass IOMMU.

This disables the ATS support on untrusted devices by clearing the
internal per-device ATS mark. As the result, IOMMU driver will block
any translated requests from any device marked as untrusted.

Cc: Jacob Pan
Cc: Mika Westerberg
Suggested-by: Kevin Tian
Suggested-by: Ashok Raj
Fixes: fb58fdcd295b9 ("iommu/vt-d: Do not enable ATS for untrusted devices")
Signed-off-by: Lu Baolu
Signed-off-by: Joerg Roedel
Signed-off-by: Sasha Levin
--- drivers/iommu/intel-iommu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c index 78188bf7e90d..dbd6824dfffa 100644 
--- a/drivers/iommu/intel-iommu.c +++ b/drivers/iommu/intel-iommu.c @@ -2485,7 +2485,8 @@ static struct dmar_domain *dmar_insert_one_dev_info(struct intel_iommu *iommu, if (dev && dev_is_pci(dev)) { struct pci_dev *pdev = to_pci_dev(info->dev); - if (!pci_ats_disabled() && + if (!pdev->untrusted && + !pci_ats_disabled() && ecap_dev_iotlb_support(iommu->ecap) && pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ATS) && dmar_find_matched_atsr_unit(pdev)) -- 2.19.1
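
Review bot: the new `!pdev->untrusted` test at the head of the ATS condition in dmar_insert_one_dev_info() carries no comment, so nothing at the call site says that this check, and not only the ATS enable path changed by fb58fdcd295b9, is what keeps the per-device ATS mark clear and translated requests blocked. A one-line comment above the `if` stating that untrusted devices must never be marked ATS-capable, even when they advertise PCI_EXT_CAP_ID_ATS, would keep a later cleanup from folding the test away as redundant. The test is also evaluated only when the device info is inserted, so it relies on `untrusted` already being set on the pci_dev before this function runs; the commit message would be stronger if it stated that ordering assumption.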