Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp4281891pxk; Tue, 8 Sep 2020 16:01:19 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyaIyu75yQp68W787X0rcB779nY86GmONROHdwi+T3yEYDUs4TBuX1KElnyXavH1m4bHp93 X-Received: by 2002:a17:906:76c7:: with SMTP id q7mr767346ejn.541.1599606079466; Tue, 08 Sep 2020 16:01:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1599606079; cv=none; d=google.com; s=arc-20160816; b=cO23rm5HvNh5nEmjxPlG6KzfmFcHbnwrOfvUtretrO5i+cJAG6bX7SZ7k/BsIKS+Ru AJk2BMkBzYlexvTzYdaRlazABhIfIN0HD1lKh4BKDgFyJaahSqIhYrwBuqleM/2thCIM 3oHzvC48N5zfL7zpzYTxFzEQfF4omT4zDp8PuAAVbRR8N87sUqv+GVNvoAJjWkg5Fff2 +PV43m0xcsNiqepSMd5w7EvBtig8HP9lO8EtgSo1p4GN29lgqNiWyaPkZFOexkM6ujZz pRcyZyj+9FZQwDERF7jqTgB/LsKrKgyGOcQUAqVFfwg5UtXbjDXt7iiawSmIVG+g4kTX 3QeQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date :dkim-signature; bh=NjaAPz/53E7aYrWyxCQjZTxDyoxQV6y3oThqQsNK6xc=; b=OLs7KYPPnsJ6B/iDuTGCWlh6xY3pPPi6ose5LqM6stFCnVnwPjlFxt1TZIhEezaK2c Pq4F0jiCbppZDFadaxEK3S40U1Xo2XdShKfpg+4AvVnbzKQhJkwB+JMAhV7HEFHQsC/T tAblWKWre2KC/0N375EyVJPOXIKIhIIjF7cxpkKj4AmMvyBqI6ELpAYSVon9E1HPP9WM u2cNvsVCd9DbeGXhdbORJX2JQ6MjUDf6VhHtaCq8plj4StdxC7TLqI0D6M6//VVsuoBW abCYWwsuzZ8B6tBVZ9esY60/z6PD47KNfsrUGtgT74ibfjpZ9PrDyvYSkUUvlRvbsH0B WjVA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=ckpEQ3Gd; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p1si304407ejr.342.2020.09.08.16.00.55; Tue, 08 Sep 2020 16:01:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=ckpEQ3Gd; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728164AbgIHXAO (ORCPT + 99 others); Tue, 8 Sep 2020 19:00:14 -0400 Received: from us-smtp-1.mimecast.com ([207.211.31.81]:27318 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726657AbgIHXAM (ORCPT ); Tue, 8 Sep 2020 19:00:12 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1599606009; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=NjaAPz/53E7aYrWyxCQjZTxDyoxQV6y3oThqQsNK6xc=; b=ckpEQ3Gdt/vIpofYrow83JBj4HxuTEunGlEFzVbSYcVs8cci4783re5lH9Bljnp8fffUdV MA3Ozeg8fee//irTNR5Zn7X6sHDglTDuLnwIUbIt02TEk39xW5MbBr5kSQ0G+DhPOPy6d8 PK15WPFexkzfyB6I0ASfzTMU5C9mOxw= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-125-G1xAUME9Ny-qhfbTYSvchQ-1; Tue, 08 Sep 2020 19:00:04 -0400 X-MC-Unique: G1xAUME9Ny-qhfbTYSvchQ-1 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 53AB818B9F0B; Tue, 8 Sep 2020 23:00:02 +0000 (UTC) Received: from w520.home (ovpn-112-71.phx2.redhat.com [10.3.112.71]) by smtp.corp.redhat.com (Postfix) with ESMTP id A87121002D50; Tue, 8 Sep 2020 22:59:55 +0000 (UTC) Date: Tue, 8 Sep 2020 16:59:55 -0600 From: Alex Williamson To: Jacob Pan Cc: iommu@lists.linux-foundation.org, LKML , Joerg Roedel , "Lu Baolu" , David Woodhouse , Yi Liu , "Tian, Kevin" , Raj Ashok , "Christoph Hellwig" , Jean-Philippe Brucker , Eric Auger , Jonathan Corbet , Jacob Pan Subject: Re: [PATCH v8 6/7] iommu/uapi: Handle data and argsz filled by users Message-ID: <20200908165955.4589b0fa@w520.home> In-Reply-To: <1598898300-65475-7-git-send-email-jacob.jun.pan@linux.intel.com> References: <1598898300-65475-1-git-send-email-jacob.jun.pan@linux.intel.com> <1598898300-65475-7-git-send-email-jacob.jun.pan@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 31 Aug 2020 11:24:59 -0700 Jacob Pan wrote: > IOMMU user APIs are responsible for processing user data. This patch > changes the interface such that user pointers can be passed into IOMMU > code directly. Separate kernel APIs without user pointers are introduced > for in-kernel users of the UAPI functionality. > > IOMMU UAPI data has a user filled argsz field which indicates the data > length of the structure. User data is not trusted, argsz must be > validated based on the current kernel data size, mandatory data size, > and feature flags. > > User data may also be extended, resulting in possible argsz increase. > Backward compatibility is ensured based on size and flags (or > the functional equivalent fields) checking. > > This patch adds sanity checks in the IOMMU layer. In addition to argsz, > reserved/unused fields in padding, flags, and version are also checked. > Details are documented in Documentation/userspace-api/iommu.rst > > Signed-off-by: Liu Yi L > Signed-off-by: Jacob Pan > --- > drivers/iommu/iommu.c | 201 ++++++++++++++++++++++++++++++++++++++++++++++++-- > include/linux/iommu.h | 28 ++++--- > 2 files changed, 212 insertions(+), 17 deletions(-) > > diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c > index 4ae02291ccc2..3bc263ae31ed 100644 > --- a/drivers/iommu/iommu.c > +++ b/drivers/iommu/iommu.c > @@ -1961,33 +1961,218 @@ int iommu_attach_device(struct iommu_domain *domain, struct device *dev) > } > EXPORT_SYMBOL_GPL(iommu_attach_device); > > +/* > + * Check flags and other user provided data for valid combinations. We also > + * make sure no reserved fields or unused flags are set. This is to ensure > + * not breaking userspace in the future when these fields or flags are used. > + */ > +static int iommu_check_cache_invl_data(struct iommu_cache_invalidate_info *info) > +{ > + u32 mask; > + int i; > + > + if (info->version != IOMMU_CACHE_INVALIDATE_INFO_VERSION_1) > + return -EINVAL; > + > + mask = (1 << IOMMU_CACHE_INV_TYPE_NR) - 1; > + if (info->cache & ~mask) > + return -EINVAL; > + > + if (info->granularity >= IOMMU_INV_GRANU_NR) > + return -EINVAL; > + > + switch (info->granularity) { > + case IOMMU_INV_GRANU_ADDR: > + if (info->cache & IOMMU_CACHE_INV_TYPE_PASID) > + return -EINVAL; > + > + mask = IOMMU_INV_ADDR_FLAGS_PASID | > + IOMMU_INV_ADDR_FLAGS_ARCHID | > + IOMMU_INV_ADDR_FLAGS_LEAF; > + > + if (info->granu.addr_info.flags & ~mask) > + return -EINVAL; > + break; > + case IOMMU_INV_GRANU_PASID: > + mask = IOMMU_INV_PASID_FLAGS_PASID | > + IOMMU_INV_PASID_FLAGS_ARCHID; > + if (info->granu.pasid_info.flags & ~mask) > + return -EINVAL; > + > + break; > + case IOMMU_INV_GRANU_DOMAIN: > + if (info->cache & IOMMU_CACHE_INV_TYPE_DEV_IOTLB) > + return -EINVAL; > + break; > + default: > + return -EINVAL; > + } > + > + /* Check reserved padding fields */ > + for (i = 0; i < sizeof(info->padding); i++) { > + if (info->padding[i]) > + return -EINVAL; > + } > + > + return 0; > +} > + > int iommu_uapi_cache_invalidate(struct iommu_domain *domain, struct device *dev, > - struct iommu_cache_invalidate_info *inv_info) > + void __user *uinfo) > { > + struct iommu_cache_invalidate_info inv_info = { 0 }; > + u32 minsz; > + int ret = 0; > + > if (unlikely(!domain->ops->cache_invalidate)) > return -ENODEV; > > - return domain->ops->cache_invalidate(domain, dev, inv_info); > + /* > + * No new spaces can be added before the variable sized union, the > + * minimum size is the offset to the union. > + */ > + minsz = offsetof(struct iommu_cache_invalidate_info, granu); > + > + /* Copy minsz from user to get flags and argsz */ > + if (copy_from_user(&inv_info, uinfo, minsz)) > + return -EFAULT; > + > + /* Fields before variable size union is mandatory */ > + if (inv_info.argsz < minsz) > + return -EINVAL; > + > + /* PASID and address granu require additional info beyond minsz */ > + if (inv_info.argsz == minsz && > + ((inv_info.granularity == IOMMU_INV_GRANU_PASID) || > + (inv_info.granularity == IOMMU_INV_GRANU_ADDR))) > + return -EINVAL; > + > + if (inv_info.granularity == IOMMU_INV_GRANU_PASID && > + inv_info.argsz < offsetofend(struct iommu_cache_invalidate_info, granu.pasid_info)) > + return -EINVAL; > + > + if (inv_info.granularity == IOMMU_INV_GRANU_ADDR && > + inv_info.argsz < offsetofend(struct iommu_cache_invalidate_info, granu.addr_info)) > + return -EINVAL; > + > + /* > + * User might be using a newer UAPI header which has a larger data > + * size, we shall support the existing flags within the current > + * size. Copy the remaining user data _after_ minsz but not more > + * than the current kernel supported size. > + */ > + if (copy_from_user((void *)&inv_info + minsz, uinfo + minsz, > + min_t(u32, inv_info.argsz, sizeof(inv_info)) - minsz)) > + return -EFAULT; > + > + /* Now the argsz is validated, check the content */ > + ret = iommu_check_cache_invl_data(&inv_info); > + if (ret) > + return ret; > + > + return domain->ops->cache_invalidate(domain, dev, &inv_info); > } > EXPORT_SYMBOL_GPL(iommu_uapi_cache_invalidate); > > -int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, > - struct device *dev, struct iommu_gpasid_bind_data *data) > +static int iommu_check_bind_data(struct iommu_gpasid_bind_data *data) > +{ > + u32 mask; > + int i; > + > + if (data->version != IOMMU_GPASID_BIND_VERSION_1) > + return -EINVAL; > + > + /* Check the range of supported formats */ > + if (data->format >= IOMMU_PASID_FORMAT_LAST) > + return -EINVAL; > + > + /* Check all flags */ > + mask = IOMMU_SVA_GPASID_VAL; > + if (data->flags & ~mask) > + return -EINVAL; > + > + /* Check reserved padding fields */ > + for (i = 0; i < sizeof(data->padding); i++) { > + if (data->padding[i]) > + return -EINVAL; > + } > + > + return 0; > +} > + > +static int iommu_sva_prepare_bind_data(void __user *udata, > + struct iommu_gpasid_bind_data *data) > { > + u32 minsz; > + > + /* > + * No new spaces can be added before the variable sized union, the > + * minimum size is the offset to the union. > + */ > + minsz = offsetof(struct iommu_gpasid_bind_data, vendor); > + > + /* Copy minsz from user to get flags and argsz */ > + if (copy_from_user(data, udata, minsz)) > + return -EFAULT; > + > + /* Fields before variable size union is mandatory */ > + if (data->argsz < minsz) > + return -EINVAL; > + /* > + * User might be using a newer UAPI header, we shall let IOMMU vendor > + * driver decide on what size it needs. Since the guest PASID bind data > + * can be vendor specific, larger argsz could be the result of extension > + * for one vendor but it should not affect another vendor. > + * Copy the remaining user data _after_ minsz > + */ > + if (copy_from_user((void *)data + minsz, udata + minsz, > + min_t(u32, data->argsz, sizeof(*data)) - minsz)) > + return -EFAULT; > + > + return iommu_check_bind_data(data); > +} > + > +int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, struct device *dev, > + void __user *udata) > +{ > + struct iommu_gpasid_bind_data data = { 0 }; > + int ret; > + > if (unlikely(!domain->ops->sva_bind_gpasid)) > return -ENODEV; > > - return domain->ops->sva_bind_gpasid(domain, dev, data); > + ret = iommu_sva_prepare_bind_data(udata, &data); > + if (ret) > + return ret; > + > + return domain->ops->sva_bind_gpasid(domain, dev, &data); > } > EXPORT_SYMBOL_GPL(iommu_uapi_sva_bind_gpasid); > > -int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, struct device *dev, > - ioasid_t pasid) > +int iommu_sva_unbind_gpasid(struct iommu_domain *domain, struct device *dev, > + struct iommu_gpasid_bind_data *data) > { > if (unlikely(!domain->ops->sva_unbind_gpasid)) > return -ENODEV; > > - return domain->ops->sva_unbind_gpasid(dev, pasid); > + return domain->ops->sva_unbind_gpasid(dev, data->hpasid); > +} > +EXPORT_SYMBOL_GPL(iommu_sva_unbind_gpasid); It seems a little awkward here for an internal caller to build a struct iommu_gpasid_bind_data only to extract this one field. The other uapi function here call the ops functions directly, maybe the internal interface should remain simple and the uapi function below should call ops->sva_unbind_gpasid() itself rather than trying to reuse the internal interface. I'm afraid this is only done this way so the above function has a caller until we have Yi's series. Thanks, Alex > + > +int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, struct device *dev, > + void __user *udata) > +{ > + struct iommu_gpasid_bind_data data = { 0 }; > + int ret; > + > + if (unlikely(!domain->ops->sva_bind_gpasid)) > + return -ENODEV; > + > + ret = iommu_sva_prepare_bind_data(udata, &data); > + if (ret) > + return ret; > + > + return iommu_sva_unbind_gpasid(domain, dev, &data); > } > EXPORT_SYMBOL_GPL(iommu_uapi_sva_unbind_gpasid); > > diff --git a/include/linux/iommu.h b/include/linux/iommu.h > index 710d5d2691eb..c364b1c038da 100644 > --- a/include/linux/iommu.h > +++ b/include/linux/iommu.h > @@ -426,11 +426,14 @@ extern void iommu_detach_device(struct iommu_domain *domain, > struct device *dev); > extern int iommu_uapi_cache_invalidate(struct iommu_domain *domain, > struct device *dev, > - struct iommu_cache_invalidate_info *inv_info); > + void __user *uinfo); > + > extern int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, > - struct device *dev, struct iommu_gpasid_bind_data *data); > + struct device *dev, void __user *udata); > extern int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, > - struct device *dev, ioasid_t pasid); > + struct device *dev, void __user *udata); > +extern int iommu_sva_unbind_gpasid(struct iommu_domain *domain, > + struct device *dev, struct iommu_gpasid_bind_data *data); > extern struct iommu_domain *iommu_get_domain_for_dev(struct device *dev); > extern struct iommu_domain *iommu_get_dma_domain(struct device *dev); > extern int iommu_map(struct iommu_domain *domain, unsigned long iova, > @@ -1032,22 +1035,29 @@ static inline int iommu_sva_get_pasid(struct iommu_sva *handle) > return IOMMU_PASID_INVALID; > } > > -static inline int iommu_uapi_cache_invalidate(struct iommu_domain *domain, > - struct device *dev, > - struct iommu_cache_invalidate_info *inv_info) > +static inline int > +iommu_uapi_cache_invalidate(struct iommu_domain *domain, > + struct device *dev, > + struct iommu_cache_invalidate_info *inv_info) > { > return -ENODEV; > } > > static inline int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, > - struct device *dev, > - struct iommu_gpasid_bind_data *data) > + struct device *dev, void __user *udata) > { > return -ENODEV; > } > > static inline int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, > - struct device *dev, int pasid) > + struct device *dev, void __user *udata) > +{ > + return -ENODEV; > +} > + > +static inline int iommu_sva_unbind_gpasid(struct iommu_domain *domain, > + struct device *dev, > + struct iommu_gpasid_bind_data *data) > { > return -ENODEV; > }