Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp1718772ybh; Mon, 20 Jul 2020 05:39:12 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwXWJ5nyZuON7vyK3b0EtaPiba+Cg5RkUktBEesNrIq4UoPMc8EauPGplDRjhSuzYGjPEVt X-Received: by 2002:a50:e385:: with SMTP id b5mr20871693edm.130.1595248752037; Mon, 20 Jul 2020 05:39:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595248752; cv=none; d=google.com; s=arc-20160816; b=B5jqQVh3UwsN5AH1VJbPWrdL+bv/wJS+x5/z8+5NWEHD5Q/r+fzHrqzTTdQooiaSxX ADclZKo0VZp3q8dk3wewPVnCNgRKVm31bECPUd4seCMecnrYguKNHPfopCIOdgWTrX6D TMmSh3/vquboYgZkt218LFJHQPMXwycQrT3nGvcGFDNNcf8OkIIZf0dbf7OsolDOWYkw FJsiUjRk80uXZSMGCDoCBqfB+3ond+2mULg0IV2DJeUKYfvaKA+pvMegG+m0CdDJDrHy xn82Knp7g9PtBsOXg4VbgQcx3HhdpKTHcrn1AUXDlnQ05hC0Ts8YnRY7yZxbc0MjPOg7 EKgw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=wlxgO/hjprq758LS3bEpP1ly/+KkksHeMXbfu4RGOqE=; b=bF7jmZzsNYHnX62SDz5e9tTccD9agQNL5nuDCqSVpTjfMXLpQwu/FHd1JgT8agDQrN Oyvdq+7RS/fWlyUhRGUOUACd9AN2NH34kIfExL5MtayRP6r2KzDD+r+08zoN6Md4iuoO qpQAtL/62BqULntinOUI64A7qOM78i9Ge06P0gZ4ezFv/TiOhyZpkQHKBk0OgUFYTpxn 6H+tvYWT9vFB5BEfEWzYqAtOHW3bbZ35sJhYIqrbHcAaKdZ0Ww4XwEZes03g7AhSnX/a JiYjDS8vHpozKdkVVJw7DEXTu0dLo4pd6woAHlx3MC6CSmsmyS+f9WJmQqHt7d8dLjfx tSOA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=QzlVw44U; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n16si11209270edb.399.2020.07.20.05.38.48; Mon, 20 Jul 2020 05:39:12 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=QzlVw44U; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728684AbgGTMiK (ORCPT + 99 others); Mon, 20 Jul 2020 08:38:10 -0400 Received: from us-smtp-delivery-1.mimecast.com ([205.139.110.120]:50894 "EHLO us-smtp-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728200AbgGTMiK (ORCPT ); Mon, 20 Jul 2020 08:38:10 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1595248688; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=wlxgO/hjprq758LS3bEpP1ly/+KkksHeMXbfu4RGOqE=; b=QzlVw44UTgeg2u207NjSOm9fI0ZrQ4xTpZybMCRyM6HUUAx1qvAocdMNyerGg2JAmCDe4T gFEutPpPiRIhxaf5bCEEi4m0TVFiQZ+xWfmWYoSwX2kJ0GtxTzMgozeGMorp1ua7x/JEox Tv2V76z87L3oVE5g7zO+4ePqw++iuWA= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-24-6fCf_g1VPKCI--6FnThA-Q-1; Mon, 20 Jul 2020 08:38:06 -0400 X-MC-Unique: 6fCf_g1VPKCI--6FnThA-Q-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 24E551DE1; Mon, 20 Jul 2020 12:38:04 +0000 (UTC) Received: from [10.36.115.54] (ovpn-115-54.ams2.redhat.com [10.36.115.54]) by smtp.corp.redhat.com (Postfix) with ESMTPS id C7AC25C1D4; Mon, 20 Jul 2020 12:37:54 +0000 (UTC) Subject: Re: [PATCH v5 09/15] iommu/vt-d: Check ownership for PASIDs from user-space To: "Liu, Yi L" , "alex.williamson@redhat.com" , "baolu.lu@linux.intel.com" , "joro@8bytes.org" Cc: "Tian, Kevin" , "jacob.jun.pan@linux.intel.com" , "Raj, Ashok" , "Tian, Jun J" , "Sun, Yi Y" , "jean-philippe@linaro.org" , "peterx@redhat.com" , "Wu, Hao" , "stefanha@gmail.com" , "iommu@lists.linux-foundation.org" , "kvm@vger.kernel.org" , "linux-kernel@vger.kernel.org" References: <1594552870-55687-1-git-send-email-yi.l.liu@intel.com> <1594552870-55687-10-git-send-email-yi.l.liu@intel.com> From: Auger Eric Message-ID: Date: Mon, 20 Jul 2020 14:37:53 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Yi, On 7/20/20 12:18 PM, Liu, Yi L wrote: > Hi Eric, > >> From: Auger Eric >> Sent: Monday, July 20, 2020 12:06 AM >> >> Hi Yi, >> >> On 7/12/20 1:21 PM, Liu Yi L wrote: >>> When an IOMMU domain with nesting attribute is used for guest SVA, a >>> system-wide PASID is allocated for binding with the device and the domain. >>> For security reason, we need to check the PASID passsed from user-space. >> passed > > got it. > >>> e.g. page table bind/unbind and PASID related cache invalidation. >>> >>> Cc: Kevin Tian >>> CC: Jacob Pan >>> Cc: Alex Williamson >>> Cc: Eric Auger >>> Cc: Jean-Philippe Brucker >>> Cc: Joerg Roedel >>> Cc: Lu Baolu >>> Signed-off-by: Liu Yi L >>> Signed-off-by: Jacob Pan >>> --- >>> drivers/iommu/intel/iommu.c | 10 ++++++++++ >>> drivers/iommu/intel/svm.c | 7 +++++-- >>> 2 files changed, 15 insertions(+), 2 deletions(-) >>> >>> diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c >>> index 4d54198..a9504cb 100644 >>> --- a/drivers/iommu/intel/iommu.c >>> +++ b/drivers/iommu/intel/iommu.c >>> @@ -5436,6 +5436,7 @@ intel_iommu_sva_invalidate(struct iommu_domain >> *domain, struct device *dev, >>> int granu = 0; >>> u64 pasid = 0; >>> u64 addr = 0; >>> + void *pdata; >>> >>> granu = to_vtd_granularity(cache_type, inv_info->granularity); >>> if (granu == -EINVAL) { >>> @@ -5456,6 +5457,15 @@ intel_iommu_sva_invalidate(struct iommu_domain >> *domain, struct device *dev, >>> (inv_info->granu.addr_info.flags & >> IOMMU_INV_ADDR_FLAGS_PASID)) >>> pasid = inv_info->granu.addr_info.pasid; >>> >>> + pdata = ioasid_find(dmar_domain->ioasid_sid, pasid, NULL); >>> + if (!pdata) { >>> + ret = -EINVAL; >>> + goto out_unlock; >>> + } else if (IS_ERR(pdata)) { >>> + ret = PTR_ERR(pdata); >>> + goto out_unlock; >>> + } >>> + >>> switch (BIT(cache_type)) { >>> case IOMMU_CACHE_INV_TYPE_IOTLB: >>> /* HW will ignore LSB bits based on address mask */ >>> diff --git a/drivers/iommu/intel/svm.c b/drivers/iommu/intel/svm.c >>> index d2c0e1a..212dee0 100644 >>> --- a/drivers/iommu/intel/svm.c >>> +++ b/drivers/iommu/intel/svm.c >>> @@ -319,7 +319,7 @@ int intel_svm_bind_gpasid(struct iommu_domain *domain, >> struct device *dev, >>> dmar_domain = to_dmar_domain(domain); >>> >>> mutex_lock(&pasid_mutex); >>> - svm = ioasid_find(INVALID_IOASID_SET, data->hpasid, NULL); I meant while using INVALID_IOASID_SET instead of the actual dmar_domain->ioasid_sid. But I think I've now recovered, the asset is simply not used ;-) >> I do not get what the call was supposed to do before that patch? > > you mean patch 10/15 by "that patch", right? the ownership check should > be done as to prevent illegal bind request from userspace. before patch > 10/15, it should be added. > >>> + svm = ioasid_find(dmar_domain->ioasid_sid, data->hpasid, NULL); >>> if (IS_ERR(svm)) { >>> ret = PTR_ERR(svm); >>> goto out; >>> @@ -436,6 +436,7 @@ int intel_svm_unbind_gpasid(struct iommu_domain >> *domain, >>> struct device *dev, ioasid_t pasid) >>> { >>> struct intel_iommu *iommu = intel_svm_device_to_iommu(dev); >>> + struct dmar_domain *dmar_domain; >>> struct intel_svm_dev *sdev; >>> struct intel_svm *svm; >>> int ret = -EINVAL; >>> @@ -443,8 +444,10 @@ int intel_svm_unbind_gpasid(struct iommu_domain >> *domain, >>> if (WARN_ON(!iommu)) >>> return -EINVAL; >>> >>> + dmar_domain = to_dmar_domain(domain); >>> + >>> mutex_lock(&pasid_mutex); >>> - svm = ioasid_find(INVALID_IOASID_SET, pasid, NULL); >>> + svm = ioasid_find(dmar_domain->ioasid_sid, pasid, NULL); >> just to make sure, about the locking, can't domain->ioasid_sid change >> under the hood? > > I guess not. intel_svm_unbind_gpasid() and iommu_domain_set_attr() > is called by vfio today, and within vfio, there is vfio_iommu->lock. OK Thanks Eric > > Regards, > Yi Liu > >> >> Thanks >> >> Eric >>> if (!svm) { >>> ret = -EINVAL; >>> goto out; >>> >