Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp1195620pxa; Thu, 13 Aug 2020 03:05:19 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzxqTXu5nDhvhCmdywtKVkss70z2Pr1lrlb7Vjt3v77NjlyqDLtr0wawRedhxqwIbgti9oM X-Received: by 2002:a17:906:7e4e:: with SMTP id z14mr3889191ejr.87.1597313118749; Thu, 13 Aug 2020 03:05:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1597313118; cv=none; d=google.com; s=arc-20160816; b=N+ENfHRXZU5exD6kwfSYW1rsjoeeSs/EERUBNblRDIhaSsBzwrNjdptS9o+4pfos6x SKkAh2YXDuoAthNRpuHZhgMJjyx/3zXfPIk6tZzFc3/U3TN863GOhNhdzXPs1i4eNzcY JN7YcW+jJkDxmzv/Ec8AHr1sAC6gxoOL2aUJN77UM3muULDUbNt44b7AQbXXVqRSpbFH BfA1CLsw8/7xxCsiblqnF0nj4gCtNoe7jTj+fleF56mOIBRfNQTT5/oVgeWLIR52vDyt rzzs8b8albq5UjcMyYbjBpIidXekUql9oB/kqgpRtjee6yrqU79Db1A4FVQiyJCOD4zJ G4Jw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=LL79yZzzrRt6aHtmE2kGI+dk0Yql2c/9Qhyk7xgwz0I=; b=JiXQmQv80Honvqk5bZ+QSuKpok1hs/3g2i7FPrT/pD/keNMNRTrBJfNahPozXYAMep Insa1Q7kODwDrv0GWgwd8acnoR5IzhOrZ+42eBBr7Tcfo8epUIdbY5Hn919TbJ9ezSaE GFzeZ5e2h7TBFppUYVA1NCVuW8o9c7tIYOlw2eMMtM6OipdMxohUf2TZ9JKg0/35+0ux 7hjnTXvM+ChMEy4pdbwDwEdIB0BxruMG59qSoz2YvVNZMgDZpvLpRII+D1JkzgdHzF7z WfyR6v7LxVQEnf417sk9Rat97tMMJjt9EIHsLFJbHOaP8qGk5gWyMQD+4vyX2afr0IZ7 TfFw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=eRtl0qia; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g17si2845062eji.729.2020.08.13.03.04.55; Thu, 13 Aug 2020 03:05:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=eRtl0qia; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726102AbgHMKEN (ORCPT + 99 others); Thu, 13 Aug 2020 06:04:13 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:44665 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726048AbgHMKEN (ORCPT ); Thu, 13 Aug 2020 06:04:13 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1597313050; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=LL79yZzzrRt6aHtmE2kGI+dk0Yql2c/9Qhyk7xgwz0I=; b=eRtl0qiay9V3JHG+wYZRdeXrVGbBdUfsdimXOc5uCp64Bx/x+35oeOm4HnkBSTIRkeT8yJ ZiyLtXT2qzODzhftgMBp/EA8Pk7RH1g84b+Hc8o1AwVnBnd81E3FkQ/7rOgnsjV8+GanmZ zl5rFuGQG4SYXBW72fBWwE8Nv8K/u7A= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-251-3VC6WoZEPdmuSnoRYPyTeQ-1; Thu, 13 Aug 2020 06:04:06 -0400 X-MC-Unique: 3VC6WoZEPdmuSnoRYPyTeQ-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 47D871800D41; Thu, 13 Aug 2020 10:04:04 +0000 (UTC) Received: from [10.36.113.93] (ovpn-113-93.ams2.redhat.com [10.36.113.93]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 3977D705A0; Thu, 13 Aug 2020 10:03:58 +0000 (UTC) Subject: Re: [PATCH v7 6/7] iommu/uapi: Handle data and argsz filled by users To: "Liu, Yi L" , Jacob Pan , "iommu@lists.linux-foundation.org" , LKML , Joerg Roedel , Alex Williamson Cc: Lu Baolu , David Woodhouse , "Tian, Kevin" , "Raj, Ashok" , Christoph Hellwig , Jean-Philippe Brucker , Jonathan Corbet References: <1596068467-49322-1-git-send-email-jacob.jun.pan@linux.intel.com> <1596068467-49322-7-git-send-email-jacob.jun.pan@linux.intel.com> <55dc3e4c-2717-2c96-d676-708b94e8cf1f@redhat.com> From: Auger Eric Message-ID: Date: Thu, 13 Aug 2020 12:03:56 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Yi, On 8/13/20 11:38 AM, Liu, Yi L wrote: >> From: Auger Eric >> Sent: Thursday, August 13, 2020 5:31 PM >> >> Hi Yi, >> >> On 8/13/20 11:25 AM, Liu, Yi L wrote: >>> Hi Eric, >>> >>> >>>> From: Auger Eric >>>> Sent: Thursday, August 13, 2020 5:12 PM >>>> >>>> Hi Jacob, >>>> >>>> On 7/30/20 2:21 AM, Jacob Pan wrote: >>>>> IOMMU user APIs are responsible for processing user data. This patch >>>>> changes the interface such that user pointers can be passed into >>>>> IOMMU code directly. Separate kernel APIs without user pointers are >>>>> introduced for in-kernel users of the UAPI functionality. >>>> This is just done for a single function, ie. iommu_sva_unbind_gpasid. >>>> >>>> If I am not wrong there is no user of this latter after applying the >>>> whole series? If correct you may remove it at this stage? >>> >>> the user of this function is in vfio. And it is the same with >>> iommu_uapi_sva_bind/unbind_gpasid() and iommu_uapi_cache_invalidate(). >>> >>> https://lore.kernel.org/kvm/1595917664-33276-11-git-send-email-yi.l.li >>> u@intel.com/ >>> https://lore.kernel.org/kvm/1595917664-33276-12-git-send-email-yi.l.li >>> u@intel.com/ >> Yep I know ;-) But this series mostly deals with iommu uapi rework. >> That's not a big deal though. > > I see. btw. it's great if you can take a look on vfio v6 to see if your comments > are well addressed. :-) Yep I will do asap Thanks Eric > > Regards, > Yi Liu > >> Thanks >> >> Eric >>> >>> Regards, >>> Yi Liu >>> >>>>> >>>>> IOMMU UAPI data has a user filled argsz field which indicates the >>>>> data length of the structure. User data is not trusted, argsz must >>>>> be validated based on the current kernel data size, mandatory data >>>>> size, and feature flags. >>>>> >>>>> User data may also be extended, resulting in possible argsz increase. >>>>> Backward compatibility is ensured based on size and flags (or the >>>>> functional equivalent fields) checking. >>>>> >>>>> This patch adds sanity checks in the IOMMU layer. In addition to >>>>> argsz, reserved/unused fields in padding, flags, and version are also checked. >>>>> Details are documented in Documentation/userspace-api/iommu.rst >>>>> >>>>> Signed-off-by: Liu Yi L >>>>> Signed-off-by: Jacob Pan >>>>> --- >>>>> drivers/iommu/iommu.c | 201 >>>> ++++++++++++++++++++++++++++++++++++++++++++++++-- >>>>> include/linux/iommu.h | 28 ++++--- >>>>> 2 files changed, 212 insertions(+), 17 deletions(-) >>>>> >>>>> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c index >>>>> 3a913ce94a3d..1ee55c4b3a3a 100644 >>>>> --- a/drivers/iommu/iommu.c >>>>> +++ b/drivers/iommu/iommu.c >>>>> @@ -1950,33 +1950,218 @@ int iommu_attach_device(struct iommu_domain >>>> *domain, struct device *dev) >>>>> } >>>>> EXPORT_SYMBOL_GPL(iommu_attach_device); >>>>> >>>>> +/* >>>>> + * Check flags and other user provided data for valid combinations. >>>>> +We also >>>>> + * make sure no reserved fields or unused flags are set. This is to >>>>> +ensure >>>>> + * not breaking userspace in the future when these fields or flags are used. >>>>> + */ >>>>> +static int iommu_check_cache_invl_data(struct >>>>> +iommu_cache_invalidate_info >>>> *info) >>>>> +{ >>>>> + u32 mask; >>>>> + int i; >>>>> + >>>>> + if (info->version != IOMMU_CACHE_INVALIDATE_INFO_VERSION_1) >>>>> + return -EINVAL; >>>>> + >>>>> + mask = (1 << IOMMU_CACHE_INV_TYPE_NR) - 1; >>>>> + if (info->cache & ~mask) >>>>> + return -EINVAL; >>>>> + >>>>> + if (info->granularity >= IOMMU_INV_GRANU_NR) >>>>> + return -EINVAL; >>>>> + >>>>> + switch (info->granularity) { >>>>> + case IOMMU_INV_GRANU_ADDR: >>>>> + if (info->cache & IOMMU_CACHE_INV_TYPE_PASID) >>>>> + return -EINVAL; >>>>> + >>>>> + mask = IOMMU_INV_ADDR_FLAGS_PASID | >>>>> + IOMMU_INV_ADDR_FLAGS_ARCHID | >>>>> + IOMMU_INV_ADDR_FLAGS_LEAF; >>>>> + >>>>> + if (info->granu.addr_info.flags & ~mask) >>>>> + return -EINVAL; >>>>> + break; >>>>> + case IOMMU_INV_GRANU_PASID: >>>>> + mask = IOMMU_INV_PASID_FLAGS_PASID | >>>>> + IOMMU_INV_PASID_FLAGS_ARCHID; >>>>> + if (info->granu.pasid_info.flags & ~mask) >>>>> + return -EINVAL; >>>>> + >>>>> + break; >>>>> + case IOMMU_INV_GRANU_DOMAIN: >>>>> + if (info->cache & IOMMU_CACHE_INV_TYPE_DEV_IOTLB) >>>>> + return -EINVAL; >>>>> + break; >>>>> + default: >>>>> + return -EINVAL; >>>>> + } >>>>> + >>>>> + /* Check reserved padding fields */ >>>>> + for (i = 0; i < sizeof(info->padding); i++) { >>>>> + if (info->padding[i]) >>>>> + return -EINVAL; >>>>> + } >>>>> + >>>>> + return 0; >>>>> +} >>>>> + >>>>> int iommu_uapi_cache_invalidate(struct iommu_domain *domain, struct >>>>> device >>>> *dev, >>>>> - struct iommu_cache_invalidate_info *inv_info) >>>>> + void __user *uinfo) >>>>> { >>>>> + struct iommu_cache_invalidate_info inv_info = { 0 }; >>>>> + u32 minsz; >>>>> + int ret = 0; >>>>> + >>>>> if (unlikely(!domain->ops->cache_invalidate)) >>>>> return -ENODEV; >>>>> > - return domain->ops->cache_invalidate(domain, dev, inv_info); >>>>> + /* >>>>> + * No new spaces can be added before the variable sized union, the >>>>> + * minimum size is the offset to the union. >>>>> + */ >>>>> + minsz = offsetof(struct iommu_cache_invalidate_info, granu); >>>>> + >>>>> + /* Copy minsz from user to get flags and argsz */ >>>>> + if (copy_from_user(&inv_info, uinfo, minsz)) >>>>> + return -EFAULT; >>>>> + >>>>> + /* Fields before variable size union is mandatory */ >>>>> + if (inv_info.argsz < minsz) >>>>> + return -EINVAL; >>>>> + >>>>> + /* PASID and address granu require additional info beyond minsz */ >>>>> + if (inv_info.argsz == minsz && >>>>> + ((inv_info.granularity == IOMMU_INV_GRANU_PASID) || >>>>> + (inv_info.granularity == IOMMU_INV_GRANU_ADDR))) >>>>> + return -EINVAL; >>>>> + >>>>> + if (inv_info.granularity == IOMMU_INV_GRANU_PASID && >>>>> + inv_info.argsz < offsetofend(struct >>>>> +iommu_cache_invalidate_info, >>>> granu.pasid_info)) >>>>> + return -EINVAL; >>>>> + >>>>> + if (inv_info.granularity == IOMMU_INV_GRANU_ADDR && >>>>> + inv_info.argsz < offsetofend(struct >>>>> +iommu_cache_invalidate_info, >>>> granu.addr_info)) >>>>> + return -EINVAL; >>>>> + >>>>> + /* >>>>> + * User might be using a newer UAPI header which has a larger data >>>>> + * size, we shall support the existing flags within the current >>>>> + * size. Copy the remaining user data _after_ minsz but not more >>>>> + * than the current kernel supported size. >>>>> + */ >>>>> + if (copy_from_user((void *)&inv_info + minsz, uinfo + minsz, >>>>> + min_t(u32, inv_info.argsz, sizeof(inv_info)) - minsz)) >>>>> + return -EFAULT; >>>>> + >>>>> + /* Now the argsz is validated, check the content */ >>>>> + ret = iommu_check_cache_invl_data(&inv_info); >>>>> + if (ret) >>>>> + return ret; >>>>> + >>>>> + return domain->ops->cache_invalidate(domain, dev, &inv_info); >>>>> } >>>>> EXPORT_SYMBOL_GPL(iommu_uapi_cache_invalidate); >>>>> >>>>> -int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, >>>>> - struct device *dev, struct iommu_gpasid_bind_data >>>> *data) >>>>> +static int iommu_check_bind_data(struct iommu_gpasid_bind_data >>>>> +*data) { >>>>> + u32 mask; >>>>> + int i; >>>>> + >>>>> + if (data->version != IOMMU_GPASID_BIND_VERSION_1) >>>>> + return -EINVAL; >>>>> + >>>>> + /* Check the range of supported formats */ >>>>> + if (data->format >= IOMMU_PASID_FORMAT_LAST) >>>>> + return -EINVAL; >>>>> + >>>>> + /* Check all flags */ >>>>> + mask = IOMMU_SVA_GPASID_VAL; >>>>> + if (data->flags & ~mask) >>>>> + return -EINVAL; >>>>> + >>>>> + /* Check reserved padding fields */ >>>>> + for (i = 0; i < sizeof(data->padding); i++) { >>>>> + if (data->padding[i]) >>>>> + return -EINVAL; >>>>> + } >>>>> + >>>>> + return 0; >>>>> +} >>>>> + >>>>> +static int iommu_sva_prepare_bind_data(void __user *udata, >>>>> + struct iommu_gpasid_bind_data *data) >>>>> { >>>>> + u32 minsz; >>>>> + >>>>> + /* >>>>> + * No new spaces can be added before the variable sized union, the >>>>> + * minimum size is the offset to the union. >>>>> + */ >>>>> + minsz = offsetof(struct iommu_gpasid_bind_data, vendor); >>>>> + >>>>> + /* Copy minsz from user to get flags and argsz */ >>>>> + if (copy_from_user(data, udata, minsz)) >>>>> + return -EFAULT; >>>>> + >>>>> + /* Fields before variable size union is mandatory */ >>>>> + if (data->argsz < minsz) >>>>> + return -EINVAL; >>>>> + /* >>>>> + * User might be using a newer UAPI header, we shall let IOMMU vendor >>>>> + * driver decide on what size it needs. Since the guest PASID bind data >>>>> + * can be vendor specific, larger argsz could be the result of extension >>>>> + * for one vendor but it should not affect another vendor. >>>>> + * Copy the remaining user data _after_ minsz >>>>> + */ >>>>> + if (copy_from_user((void *)data + minsz, udata + minsz, >>>>> + min_t(u32, data->argsz, sizeof(*data)) - minsz)) >>>>> + return -EFAULT; >>>>> + >>>>> + return iommu_check_bind_data(data); } >>>>> + >>>>> +int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, struct >>>>> +device >>>> *dev, >>>>> + void __user *udata) >>>>> +{ >>>>> + struct iommu_gpasid_bind_data data = { 0 }; >>>>> + int ret; >>>>> + >>>>> if (unlikely(!domain->ops->sva_bind_gpasid)) >>>>> return -ENODEV; >>>>> >>>>> - return domain->ops->sva_bind_gpasid(domain, dev, data); >>>>> + ret = iommu_sva_prepare_bind_data(udata, &data); >>>>> + if (ret) >>>>> + return ret; >>>>> + >>>>> + return domain->ops->sva_bind_gpasid(domain, dev, &data); >>>>> } >>>>> EXPORT_SYMBOL_GPL(iommu_uapi_sva_bind_gpasid); >>>>> >>>>> -int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, >>>>> struct device >>>> *dev, >>>>> - ioasid_t pasid) >>>>> +int iommu_sva_unbind_gpasid(struct iommu_domain *domain, struct device >> *dev, >>>>> + struct iommu_gpasid_bind_data *data) >>>>> { >>>>> if (unlikely(!domain->ops->sva_unbind_gpasid)) >>>>> return -ENODEV; >>>>> >>>>> - return domain->ops->sva_unbind_gpasid(dev, pasid); >>>>> + return domain->ops->sva_unbind_gpasid(dev, data->hpasid); } >>>>> +EXPORT_SYMBOL_GPL(iommu_sva_unbind_gpasid); >>>>> + >>>>> +int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, >>>>> +struct device >>>> *dev, >>>>> + void __user *udata) >>>>> +{ >>>>> + struct iommu_gpasid_bind_data data = { 0 }; >>>>> + int ret; >>>>> + >>>>> + if (unlikely(!domain->ops->sva_bind_gpasid)) >>>>> + return -ENODEV; >>>>> + >>>>> + ret = iommu_sva_prepare_bind_data(udata, &data); >>>>> + if (ret) >>>>> + return ret; >>>>> + >>>>> + return iommu_sva_unbind_gpasid(domain, dev, &data); >>>>> } >>>>> EXPORT_SYMBOL_GPL(iommu_uapi_sva_unbind_gpasid); >>>>> >>>>> diff --git a/include/linux/iommu.h b/include/linux/iommu.h index >>>>> 2dcc1a33f6dc..4a02c9e09048 100644 >>>>> --- a/include/linux/iommu.h >>>>> +++ b/include/linux/iommu.h >>>>> @@ -432,11 +432,14 @@ extern void iommu_detach_device(struct >>>> iommu_domain *domain, >>>>> struct device *dev); >>>>> extern int iommu_uapi_cache_invalidate(struct iommu_domain *domain, >>>>> struct device *dev, >>>>> - struct iommu_cache_invalidate_info *inv_info); >>>>> + void __user *uinfo); >>>>> + >>>>> extern int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, >>>>> - struct device *dev, struct >>>> iommu_gpasid_bind_data *data); >>>>> + struct device *dev, void __user *udata); >>>>> extern int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, >>>>> - struct device *dev, ioasid_t pasid); >>>>> + struct device *dev, void __user *udata); >> extern int >>>>> +iommu_sva_unbind_gpasid(struct iommu_domain *domain, >>>>> + struct device *dev, struct >>>> iommu_gpasid_bind_data *data); >>>>> extern struct iommu_domain *iommu_get_domain_for_dev(struct device >>>>> *dev); extern struct iommu_domain *iommu_get_dma_domain(struct >>>>> device *dev); extern int iommu_map(struct iommu_domain *domain, >>>>> unsigned long iova, @@ -1054,22 +1057,29 @@ static inline int >>>>> iommu_sva_get_pasid(struct >>>> iommu_sva *handle) >>>>> return IOMMU_PASID_INVALID; >>>>> } >>>>> >>>>> -static inline int iommu_uapi_cache_invalidate(struct iommu_domain *domain, >>>>> - struct device *dev, >>>>> - struct iommu_cache_invalidate_info >>>> *inv_info) >>>>> +static inline int >>>>> +iommu_uapi_cache_invalidate(struct iommu_domain *domain, >>>>> + struct device *dev, >>>>> + struct iommu_cache_invalidate_info *inv_info) >>>>> { >>>>> return -ENODEV; >>>>> } >>>>> >>>>> static inline int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, >>>>> - struct device *dev, >>>>> - struct iommu_gpasid_bind_data *data) >>>>> + struct device *dev, void __user *udata) >>>>> { >>>>> return -ENODEV; >>>>> } >>>>> >>>>> static inline int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, >>>>> - struct device *dev, int pasid) >>>>> + struct device *dev, void __user *udata) >> { >>>>> + return -ENODEV; >>>>> +} >>>>> + >>>>> +static inline int iommu_sva_unbind_gpasid(struct iommu_domain *domain, >>>>> + struct device *dev, >>>>> + struct iommu_gpasid_bind_data *data) >>>>> { >>>>> return -ENODEV; >>>>> } >>>>> >>>> Otherwise looks good to me >>>> Reviewed-by: Eric Auger >>>> >>>> Thanks >>>> >>>> Eric >>> >