From: Lu Baolu
To: David Woodhouse, Joerg Roedel
Cc: ashok.raj@intel.com, jacob.jun.pan@intel.com, alan.cox@intel.com, kevin.tian@intel.com, mika.westerberg@linux.intel.com, pengfei.xu@intel.com, Konrad Rzeszutek Wilk, Christoph Hellwig, Marek Szyprowski, Robin Murphy, iommu@lists.linux-foundation.org, linux-kernel@vger.kernel.org, Lu Baolu, Jacob Pan
Subject: [PATCH v3 10/10] iommu/vt-d: Use bounce buffer for untrusted devices
Date: Sun, 21 Apr 2019 09:17:19 +0800
Message-Id: <20190421011719.14909-11-baolu.lu@linux.intel.com>
In-Reply-To: <20190421011719.14909-1-baolu.lu@linux.intel.com>

The Intel VT-d hardware uses paging for DMA remapping. The minimum mapped window is a page size. The device drivers may map buffers not filling the whole IOMMU window. This allows the device to access possibly unrelated memory and a malicious device could exploit this to perform DMA attacks. To address this, the Intel IOMMU driver will use bounce pages for those buffers which don't fill a whole IOMMU page.

Cc: Ashok Raj
Cc: Jacob Pan
Cc: Kevin Tian
Signed-off-by: Lu Baolu
Tested-by: Xu Pengfei
Tested-by: Mika Westerberg

--- drivers/iommu/intel-iommu.c | 138 ++++++++++++++++++++++++++---------- 1 file changed, 99 insertions(+), 39 deletions(-) diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c index ed941ec9b9d5..52ccbd3f1425 100644 --- a/drivers/iommu/intel-iommu.c +++ b/drivers/iommu/intel-iommu.c @@ -52,6 +52,7 @@ #include #include #include +#include #include "irq_remapping.h" #include "intel-pasid.h" 
@@ -3410,15 +3411,17 @@ static int iommu_no_mapping(struct device *dev) } static dma_addr_t __intel_map_single(struct device *dev, phys_addr_t paddr, - size_t size, int dir, u64 dma_mask) + size_t size, enum dma_data_direction dir, + unsigned long attrs, u64 dma_mask) { struct dmar_domain *domain; - phys_addr_t start_paddr; + dma_addr_t start_dma; unsigned long iova_pfn; int prot = 0; int ret; struct intel_iommu *iommu; unsigned long paddr_pfn = paddr >> PAGE_SHIFT; + unsigned long nrpages; BUG_ON(dir == DMA_NONE); @@ -3430,9 +3433,10 @@ static dma_addr_t __intel_map_single(struct device *dev, phys_addr_t paddr, return DMA_MAPPING_ERROR; iommu = domain_get_iommu(domain); - size = aligned_nrpages(paddr, size); + nrpages = aligned_nrpages(paddr, size); - iova_pfn = intel_alloc_iova(dev, domain, dma_to_mm_pfn(size), dma_mask); + iova_pfn = intel_alloc_iova(dev, domain, + dma_to_mm_pfn(nrpages), dma_mask); if (!iova_pfn) goto error; 
@@ -3445,24 +3449,33 @@ static dma_addr_t __intel_map_single(struct device *dev, phys_addr_t paddr, prot |= DMA_PTE_READ; if (dir == DMA_FROM_DEVICE || dir == DMA_BIDIRECTIONAL) prot |= DMA_PTE_WRITE; + + start_dma = (dma_addr_t)iova_pfn << PAGE_SHIFT; + start_dma += offset_in_page(paddr); + /* * paddr - (paddr + size) might be partial page, we should map the whole * page. Note: if two part of one page are separately mapped, we * might have two guest_addr mapping to the same host paddr, but this * is not a big problem */ - ret = domain_pfn_mapping(domain, mm_to_dma_pfn(iova_pfn), - mm_to_dma_pfn(paddr_pfn), size, prot); + if (device_needs_bounce(dev)) { + ret = iommu_bounce_map(dev, start_dma, paddr, size, dir, attrs); + if (!ret) + trace_bounce_map_single(dev, start_dma, paddr, size); + } else { + ret = domain_pfn_mapping(domain, mm_to_dma_pfn(iova_pfn), + mm_to_dma_pfn(paddr_pfn), + nrpages, prot); + } if (ret) goto error; - start_paddr = (phys_addr_t)iova_pfn << PAGE_SHIFT; - start_paddr += paddr & ~PAGE_MASK; - return start_paddr; - + return start_dma; error: if (iova_pfn) - free_iova_fast(&domain->iovad, iova_pfn, dma_to_mm_pfn(size)); + free_iova_fast(&domain->iovad, iova_pfn, + dma_to_mm_pfn(nrpages)); dev_err(dev, "Device request: %zx@%llx dir %d --- failed\n", size, (unsigned long long)paddr, dir); return DMA_MAPPING_ERROR; 
@@ -3474,44 +3487,79 @@ static dma_addr_t intel_map_page(struct device *dev, struct page *page, unsigned long attrs) { return __intel_map_single(dev, page_to_phys(page) + offset, size, - dir, *dev->dma_mask); + dir, attrs, *dev->dma_mask); } static dma_addr_t intel_map_resource(struct device *dev, phys_addr_t phys_addr, size_t size, enum dma_data_direction dir, unsigned long attrs) { - return __intel_map_single(dev, phys_addr, size, dir, *dev->dma_mask); + return __intel_map_single(dev, phys_addr, size, + dir, attrs, *dev->dma_mask); } -static void intel_unmap(struct device *dev, dma_addr_t dev_addr, size_t size) +static void +intel_unmap(struct device *dev, dma_addr_t dev_addr, size_t size, + struct scatterlist *sglist, int nelems, + enum dma_data_direction dir, unsigned long attrs) { struct dmar_domain *domain; unsigned long start_pfn, last_pfn; - unsigned long nrpages; + unsigned long nrpages = 0; unsigned long iova_pfn; struct intel_iommu *iommu; - struct page *freelist; + struct page *freelist = NULL; + struct pci_dev *pdev = NULL; if (iommu_no_mapping(dev)) return; + if (dev_is_pci(dev)) + pdev = to_pci_dev(dev); + domain = find_domain(dev); BUG_ON(!domain); iommu = domain_get_iommu(domain); - iova_pfn = IOVA_PFN(dev_addr); - - nrpages = aligned_nrpages(dev_addr, size); - start_pfn = mm_to_dma_pfn(iova_pfn); - last_pfn = start_pfn + nrpages - 1; - - dev_dbg(dev, "Device unmapping: pfn %lx-%lx\n", start_pfn, last_pfn); + if (sglist) { + struct scatterlist *sg; + int i; - freelist = domain_unmap(domain, start_pfn, last_pfn); + dev_addr = sg_dma_address(sglist) & PAGE_MASK; + iova_pfn = IOVA_PFN(dev_addr); + for_each_sg(sglist, sg, nelems, i) { + nrpages += aligned_nrpages(sg_dma_address(sg), + sg_dma_len(sg)); + } + start_pfn = mm_to_dma_pfn(iova_pfn); + last_pfn = start_pfn + nrpages - 1; + + if (device_needs_bounce(dev)) + for_each_sg(sglist, sg, nelems, i) { + iommu_bounce_unmap(dev, sg_dma_address(sg), + sg->length, dir, attrs); + trace_bounce_unmap_sg(dev, 
i, nelems, + sg_dma_address(sg), + sg_phys(sg), sg->length); + } + else + freelist = domain_unmap(domain, start_pfn, last_pfn); + } else { + iova_pfn = IOVA_PFN(dev_addr); + nrpages = aligned_nrpages(dev_addr, size); + start_pfn = mm_to_dma_pfn(iova_pfn); + last_pfn = start_pfn + nrpages - 1; + + if (device_needs_bounce(dev)) { + iommu_bounce_unmap(dev, dev_addr, size, dir, attrs); + trace_bounce_unmap_single(dev, dev_addr, size); + } else { + freelist = domain_unmap(domain, start_pfn, last_pfn); + } + } - if (intel_iommu_strict) { + if (intel_iommu_strict || (pdev && pdev->untrusted)) { iommu_flush_iotlb_psi(iommu, domain, start_pfn, nrpages, !freelist, 0); /* free iova */ @@ -3531,7 +3579,7 @@ static void intel_unmap_page(struct device *dev, dma_addr_t dev_addr, size_t size, enum dma_data_direction dir, unsigned long attrs) { - intel_unmap(dev, dev_addr, size); + intel_unmap(dev, dev_addr, size, NULL, 0, dir, attrs); } static void *intel_alloc_coherent(struct device *dev, size_t size, @@ -3572,7 +3620,7 @@ static void *intel_alloc_coherent(struct device *dev, size_t size, memset(page_address(page), 0, size); *dma_handle = __intel_map_single(dev, page_to_phys(page), size, - DMA_BIDIRECTIONAL, + DMA_BIDIRECTIONAL, attrs, dev->coherent_dma_mask); if (*dma_handle != DMA_MAPPING_ERROR) return page_address(page); @@ -3591,7 +3639,7 @@ static void intel_free_coherent(struct device *dev, size_t size, void *vaddr, size = PAGE_ALIGN(size); order = get_order(size); - intel_unmap(dev, dma_handle, size); + intel_unmap(dev, dma_handle, size, NULL, 0, 0, attrs); if (!dma_release_from_contiguous(dev, page, size >> PAGE_SHIFT)) __free_pages(page, order); } 
@@ -3600,16 +3648,7 @@ static void intel_unmap_sg(struct device *dev, struct scatterlist *sglist, int nelems, enum dma_data_direction dir, unsigned long attrs) { - dma_addr_t startaddr = sg_dma_address(sglist) & PAGE_MASK; - unsigned long nrpages = 0; - struct scatterlist *sg; - int i; - - for_each_sg(sglist, sg, nelems, i) { - nrpages += aligned_nrpages(sg_dma_address(sg), sg_dma_len(sg)); - } - - intel_unmap(dev, startaddr, nrpages << VTD_PAGE_SHIFT); + intel_unmap(dev, 0, 0, sglist, nelems, dir, attrs); } static int intel_nontranslate_map_sg(struct device *hddev, @@ -3671,7 +3710,28 @@ static int intel_map_sg(struct device *dev, struct scatterlist *sglist, int nele start_vpfn = mm_to_dma_pfn(iova_pfn); - ret = domain_sg_mapping(domain, start_vpfn, sglist, size, prot); + if (device_needs_bounce(dev)) { + for_each_sg(sglist, sg, nelems, i) { + unsigned int pgoff = offset_in_page(sg->offset); + dma_addr_t addr; + + addr = ((dma_addr_t)iova_pfn << PAGE_SHIFT) + pgoff; + ret = iommu_bounce_map(dev, addr, sg_phys(sg), + sg->length, dir, attrs); + if (ret) + break; + + trace_bounce_map_sg(dev, i, nelems, addr, + sg_phys(sg), sg->length); + + sg->dma_address = addr; + sg->dma_length = sg->length; + iova_pfn += aligned_nrpages(sg->offset, sg->length); + } + } else { + ret = domain_sg_mapping(domain, start_vpfn, sglist, size, prot); + } + if (unlikely(ret)) { dma_pte_free_pagetable(domain, start_vpfn, start_vpfn + size - 1, -- 2.17.1
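
Review bot: in __intel_map_single (hunk @@ -3445,24 +3449,33 @@) the comment "paddr - (paddr + size) might be partial page, we should map the whole page" now sits directly above the device_needs_bounce() branch, where the partial page is deliberately not mapped. Move the comment into the else branch next to domain_pfn_mapping() and add a line on the bounce branch saying why it is taken. prot is also computed but not passed to iommu_bounce_map(), which receives dir and attrs instead; a short comment that the bounce path derives permissions from dir would help the next reader.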
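
Review bot: in intel_unmap (hunk @@ -3474,44 +3487,79 @@) the unmap branches key on device_needs_bounce(dev) while the synchronous flush keys on "pdev && pdev->untrusted". If those two predicates can ever disagree, a bounce-unmapped range with freelist == NULL falls through to the non-strict path; testing device_needs_bounce(dev) in the flush condition as well, or caching it in a local bool, keeps the two decisions in step. In the sglist branch, the multi-line for_each_sg body under "if (device_needs_bounce(dev))" should get braces, and iommu_bounce_unmap() is passed sg->length where the nrpages loop just above it uses sg_dma_len(sg); pick one of the two.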
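
Review bot: in intel_free_coherent (hunk @@ -3591,7 +3639,7 @@) the direction is passed as a bare 0 in "intel_unmap(dev, dma_handle, size, NULL, 0, 0, attrs)". intel_alloc_coherent maps with DMA_BIDIRECTIONAL, so spell out DMA_BIDIRECTIONAL here too rather than relying on the enum's numeric value.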
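
Review bot: in intel_map_sg (last hunk, @@ -3671,7 +3710,28 @@) a failing iommu_bounce_map() breaks out of the loop with the earlier elements already bounce-mapped, and the error path visible below it only calls dma_pte_free_pagetable(). Unwind elements 0..i-1 with iommu_bounce_unmap() before taking that path. The loop also advances iova_pfn itself, so any later use of iova_pfn sees the end of the range rather than its start; a separate cursor variable would avoid that.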
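
The idea in the commit message, modelled in user space as an added example (not code from this patch or from the kernel): a buffer that does not fill its IOMMU page is copied into a private zeroed window, so a device that reads or overwrites the whole window never touches neighbouring data. All names (IOMMU_PAGE, exposed_bytes, bounce_map, bounce_unmap, demo_isolation) are hypothetical, and the 4 KiB page size and bidirectional copy are assumptions.

```c
/* User-space model of bounce pages: added example, not kernel code. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define IOMMU_PAGE 4096u /* assumed minimum IOMMU mapping window */
#define PAGE_DOWN(x) ((x) & ~(uintptr_t)(IOMMU_PAGE - 1))
#define PAGE_UP(x) PAGE_DOWN((x) + IOMMU_PAGE - 1)

/* Bytes a direct page-granular mapping exposes beyond [addr, addr+size). */
static size_t exposed_bytes(uintptr_t addr, size_t size)
{
    return (size_t)(PAGE_UP(addr + size) - PAGE_DOWN(addr)) - size;
}

struct bounce { unsigned char *win, *orig; size_t span, off, len; };

/* Map (bidirectional): a zeroed private window holding only the buffer. */
static int bounce_map(struct bounce *b, unsigned char *buf, size_t len)
{
    b->orig = buf;
    b->len = len;
    b->off = (uintptr_t)buf & (IOMMU_PAGE - 1);
    b->span = PAGE_UP(b->off + len);
    b->win = aligned_alloc(IOMMU_PAGE, b->span);
    if (!b->win)
        return -1;
    memset(b->win, 0, b->span);
    memcpy(b->win + b->off, buf, len);
    return 0;
}

/* Unmap: copy back only the buffer's own bytes, then drop the window. */
static void bounce_unmap(struct bounce *b)
{
    memcpy(b->orig, b->win + b->off, b->len);
    free(b->win);
}

/* Constructed case: a secret shares a page with a 64-byte DMA buffer and
 * the "device" overwrites its whole window. Returns 1 if it is unharmed. */
static int demo_isolation(void)
{
    static _Alignas(4096) unsigned char page[IOMMU_PAGE];
    struct bounce b;
    int hidden;
    memcpy(page + 512, "SECRET", 6);                /* unrelated neighbour */
    if (bounce_map(&b, page + 1024, 64))
        return -1;
    hidden = memcmp(b.win + 512, "SECRET", 6) != 0; /* device sees zeros */
    memset(b.win, 0xAA, b.span);                    /* full-window write */
    bounce_unmap(&b);
    return hidden && !memcmp(page + 512, "SECRET", 6) && page[1024] == 0xAA;
}
int main(void) { return demo_isolation() == 1 && exposed_bytes(0x1400, 64) == 4032 ? 0 : 1; }
```

A nonzero exposed_bytes() result is the condition under which a direct mapping would hand the device memory outside the buffer.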