From: Lu Baolu
To: Greg Kroah-Hartman, Joerg Roedel, Alex Williamson, Bjorn Helgaas, Jason Gunthorpe, Christoph Hellwig, Kevin Tian, Ashok Raj
Cc: Will Deacon, Robin Murphy, Dan Williams, rafael@kernel.org, Diana Craciun, Cornelia Huck, Eric Auger, Liu Yi L, Jacob jun Pan, Chaitanya Kulkarni, Stuart Yoder, Laurentiu Tudor, Thierry Reding, David Airlie, Daniel Vetter, Jonathan Hunter, Li Yang, Dmitry Osipenko, iommu@lists.linux-foundation.org, linux-pci@vger.kernel.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Lu Baolu
Subject: [PATCH v7 07/11] vfio: Set DMA ownership for VFIO devices
Date: Mon, 28 Feb 2022 08:50:52 +0800
Message-Id: <20220228005056.599595-8-baolu.lu@linux.intel.com>
In-Reply-To: <20220228005056.599595-1-baolu.lu@linux.intel.com>

Claim group DMA ownership when an IOMMU group is set to a container, and release the DMA ownership once the IOMMU group is unset from the container.

This change prevents some unsafe bridge drivers from binding to non-ACS bridges while devices under them are assigned to user space. This is an intentional enhancement and possibly breaks some existing configurations. The recommendation to such an affected user would be that the previously allowed host bridge driver was unsafe for this use case and to continue to enable assignment of devices within that group, the driver should be unbound from the bridge device or replaced with the pci-stub driver.

For any bridge driver, we consider it unsafe if it satisfies any of the following conditions:

1) The bridge driver uses DMA. Calling pci_set_master() or calling any kernel DMA API (dma_map_*() etc.) is an indication that the driver is doing DMA.

2) If the bridge driver uses MMIO, it should be tolerant to hostile userspace also touching the same MMIO registers via P2P DMA attacks.

If the bridge driver turns out to be a safe one, it could be used as before by setting the driver's .driver_managed_dma field, just like what we have done in the pcieport driver.

Signed-off-by: Lu Baolu
Reviewed-by: Jason Gunthorpe
--- drivers/vfio/fsl-mc/vfio_fsl_mc.c | 1 + drivers/vfio/pci/vfio_pci.c | 1 + drivers/vfio/platform/vfio_amba.c | 1 + drivers/vfio/platform/vfio_platform.c | 1 + drivers/vfio/vfio.c | 10 +++++++++- 5 files changed, 13 insertions(+), 1 deletion(-) diff --git a/drivers/vfio/fsl-mc/vfio_fsl_mc.c b/drivers/vfio/fsl-mc/vfio_fsl_mc.c index 6e2e62c6f47a..3feff729f3ce 100644 --- a/drivers/vfio/fsl-mc/vfio_fsl_mc.c +++ b/drivers/vfio/fsl-mc/vfio_fsl_mc.c @@ -588,6 +588,7 @@ static struct fsl_mc_driver vfio_fsl_mc_driver = { .name = "vfio-fsl-mc", .owner = THIS_MODULE, }, + .driver_managed_dma = true, }; static int __init vfio_fsl_mc_driver_init(void) diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c index a5ce92beb655..941909d3918b 100644 --- a/drivers/vfio/pci/vfio_pci.c +++ b/drivers/vfio/pci/vfio_pci.c @@ -193,6 +193,7 @@ static struct pci_driver vfio_pci_driver = { .remove = vfio_pci_remove, .sriov_configure = vfio_pci_sriov_configure, .err_handler = &vfio_pci_core_err_handlers, + .driver_managed_dma = true, }; static void __init vfio_pci_fill_ids(void) diff --git a/drivers/vfio/platform/vfio_amba.c b/drivers/vfio/platform/vfio_amba.c index badfffea14fb..1aaa4f721bd2 100644 --- a/drivers/vfio/platform/vfio_amba.c +++ b/drivers/vfio/platform/vfio_amba.c 
@@ -95,6 +95,7 @@ static struct amba_driver vfio_amba_driver = { .name = "vfio-amba", .owner = THIS_MODULE, }, + .driver_managed_dma = true, }; module_amba_driver(vfio_amba_driver); diff --git a/drivers/vfio/platform/vfio_platform.c b/drivers/vfio/platform/vfio_platform.c index 68a1c87066d7..04f40c5acfd6 100644 --- a/drivers/vfio/platform/vfio_platform.c +++ b/drivers/vfio/platform/vfio_platform.c @@ -76,6 +76,7 @@ static struct platform_driver vfio_platform_driver = { .driver = { .name = "vfio-platform", }, + .driver_managed_dma = true, }; module_platform_driver(vfio_platform_driver); diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c index 735d1d344af9..df9d4b60e5ae 100644 --- a/drivers/vfio/vfio.c +++ b/drivers/vfio/vfio.c @@ -1198,6 +1198,8 @@ static void __vfio_group_unset_container(struct vfio_group *group) driver->ops->detach_group(container->iommu_data, group->iommu_group); + iommu_group_release_dma_owner(group->iommu_group); + group->container = NULL; wake_up(&group->container_q); list_del(&group->container_next); @@ -1282,13 +1284,19 @@ static int vfio_group_set_container(struct vfio_group *group, int container_fd) goto unlock_out; } + ret = iommu_group_claim_dma_owner(group->iommu_group, f.file); + if (ret) + goto unlock_out; + driver = container->iommu_driver; if (driver) { ret = driver->ops->attach_group(container->iommu_data, group->iommu_group, group->type); - if (ret) + if (ret) { + iommu_group_release_dma_owner(group->iommu_group); goto unlock_out; + } } group->container = container; -- 2.25.1
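
Review bot: in the four driver-struct hunks (vfio_fsl_mc_driver, vfio_pci_driver, vfio_amba_driver, vfio_platform_driver), `.driver_managed_dma = true` is added without a comment, and the commit message explains the field only from the bridge-driver side. A one-line comment next to the field, or a sentence in the log, saying that VFIO drivers set it because DMA ownership is claimed later in vfio_group_set_container() would make the intent clear to anyone adding another VFIO bus driver.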
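
Review bot: in the __vfio_group_unset_container() hunk, iommu_group_release_dma_owner() follows the detach_group() call directly, while the matching claim in vfio_group_set_container() is made before the `if (driver)` test and so happens whether or not the container has an IOMMU driver. Please confirm the release sits outside any conditional on `driver`, so that a group set to a container with no IOMMU driver does not keep its ownership claim after being unset.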
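
Review bot: in the vfio_group_set_container() hunk, a failing iommu_group_claim_dma_owner() jumps to unlock_out with nothing but `ret`, although the commit message says this change may break existing configurations. Consider logging the group when the claim fails, or documenting the error that reaches user space, so an affected user can tell that a driver bound inside the group is the cause. A short comment that `f.file` (the container file) is the owner token would also help.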
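
The commit message recommends unbinding the conflicting driver or replacing it with pci-stub. The following sysfs check is an added example, not part of the patch or the kernel tree; it lists the devices in an IOMMU group that are bound to a driver other than those this message names as managing DMA themselves. The allowlist and the `SYSFS_ROOT` override are assumptions made for the example.

```shell
#!/bin/sh
# Added example: find devices in an IOMMU group bound to a driver that is not
# on an allowlist of drivers named in this message as setting
# .driver_managed_dma (pci-stub is included as the recommended replacement).

# Assumption: allowlist taken from the driver names that appear on this page.
MANAGED_DRIVERS="vfio-pci vfio-fsl-mc vfio-amba vfio-platform pcieport pci-stub"

# group_conflicts GROUP
# Prints "<device> <driver>" for each device in the group whose bound driver
# is not on the allowlist. Devices with no driver bound are not reported.
# SYSFS_ROOT (hypothetical override) lets the check run on a constructed tree.
group_conflicts() {
    group_dir="${SYSFS_ROOT:-/sys}/kernel/iommu_groups/$1/devices"
    [ -d "$group_dir" ] || { echo "no such IOMMU group: $1" >&2; return 2; }
    for dev in "$group_dir"/*; do
        [ -e "$dev" ] || continue            # empty group: glob did not match
        [ -L "$dev/driver" ] || continue     # no driver bound
        drv=$(basename "$(readlink "$dev/driver")")
        case " $MANAGED_DRIVERS " in
            *" $drv "*) ;;                   # driver manages DMA itself
            *) echo "$(basename "$dev") $drv" ;;
        esac
    done
}

# Stand-alone use: pass the IOMMU group number as the first argument.
if [ "$#" -gt 0 ]; then
    group_conflicts "$1"
fi
```

An empty result means every bound driver in the group is on the allowlist; each printed line names a device to unbind or rebind before the group is handed to user space.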