Received: by 2002:a05:6a10:6d10:0:0:0:0 with SMTP id gq16csp984463pxb; Fri, 15 Apr 2022 17:25:03 -0700 (PDT) X-Google-Smtp-Source: ABdhPJybcgQiDyY5/LFDwmkc/NpLplwh1bcP8SnNEujHod9Zsg2hS43eYEEuXkHjNXw7MV1MuDfa X-Received: by 2002:a62:6dc3:0:b0:505:895a:d38b with SMTP id i186-20020a626dc3000000b00505895ad38bmr1355344pfc.7.1650068703564; Fri, 15 Apr 2022 17:25:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1650068703; cv=none; d=google.com; s=arc-20160816; b=0xlA+mlO8+68kOP2Pczk6KuKCITz+93WHlT/4bD/AKEzRwc0r9JBEu+A1UcAs2ad9G YHIA8RkngLNqB44R6Zf6tTg8lXFrjrrryoFYRSorZxaApab+fGfjKCMognW1ZSKSjy87 o2bUMR/COQaEWWFpmYyXSa2egi/YahzPQv7fVcRdnD/bRfFubhgC9xXqFeh/QPkEjync OqBb27PVuySY3OL93Glhrk8IAEb7UOnkqEGsLVI22EvCoO4XpwuP0Wvd5LrJDRLtoXeA lBUTG8mXcc6SG9kQab/ERfCJLUOx3Vkpf5NHoLkAj+K4CZo+rYyB7CXUTqqJuMbRn5rf Du3w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-language:content-transfer-encoding :in-reply-to:mime-version:user-agent:date:from:references:cc:to :subject:message-id:dkim-signature; bh=Zq+vaNpRqP4VrswkHOyz0dXQz+AjsR8Pi4S6W+jeGU4=; b=FuIm95jmsetwdkYsfVOkXYct0W01NotHsUydIELcKaA6c6gOuhc9uSXTCCx0Sq4RzQ vsrM1yIRVSmqgNLAuJdJC4JCfNQguq8238R+FpxxSKmPV0FPG8pH11LtqI67GH3D0SeR zMaCKIb/ePkMSyxMQoHsiRuC9JIHC5HpZ0lElFfkjJS+J4qb52Otizy45aWf8Nc3suz/ u23ZX19MkdYbNxQo6womAj+O81WutRGCju5h8dp7kFgKW97SYuSWV+Ast6FBeEbLP/nD zgsBWb5eiQ4gAirlaKhUvTD3zSzQp4MQ6Ny2t0+oGO7yYzA8nIoxkYzqswh7T4qkgFQw /vrw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@foxmail.com header.s=s201512 header.b=JhtXiWFz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=foxmail.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id h11-20020a63120b000000b0038259e42e7csi2808280pgl.845.2022.04.15.17.25.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 15 Apr 2022 17:25:03 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@foxmail.com header.s=s201512 header.b=JhtXiWFz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=foxmail.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id D2D25E3383; Fri, 15 Apr 2022 17:23:41 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1352734AbiDOL4P (ORCPT + 99 others); Fri, 15 Apr 2022 07:56:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51378 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236334AbiDOL4O (ORCPT ); Fri, 15 Apr 2022 07:56:14 -0400 Received: from out162-62-57-87.mail.qq.com (out162-62-57-87.mail.qq.com [162.62.57.87]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 04076A27C0 for ; Fri, 15 Apr 2022 04:53:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=foxmail.com; s=s201512; t=1650023620; bh=Zq+vaNpRqP4VrswkHOyz0dXQz+AjsR8Pi4S6W+jeGU4=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=JhtXiWFzlfmlKaSTktBV6LVRlSK2ylGGJYGg1esMtGaXVZUf1MSjoDn27JsvbGS8Q UOx/KYP7Fwr52Ad+uyPbGhDY3Lu2vyJrMAiPTlYXbfF066GNP7zUfREs8UZu4v1siP kqdW+sWWouhn3RkzEctU+pDH+2P5YARjkuSFqbk4= Received: from [10.188.0.6] ([94.177.118.94]) by newxmesmtplogicsvrszb7.qq.com (NewEsmtp) with SMTP id D072B49F; Fri, 15 Apr 2022 19:52:07 +0800 X-QQ-mid: xmsmtpt1650023527tskd35efu Message-ID: X-QQ-XMAILINFO: NK7mH5+t7Gn7sK/Re4oRVkbcjXaWsb3WTzOpPSwFIW2fCDXKWFWmxIykuZkbJN pfhPLuaY3+ftdc6yrCYq5IxXroSK0nUQRO/Qjsp7fX7DXm63vSnerKPZjOxL1rkhvJvH59MwsYcp 68N8RvaN28KQiq2UM2gF6SvuySxyj2eQo3duSZL0YJ8fYr78XL4TaJ6c4jzHqwiUPLrK68E1T/uS bthagbPrrOl1hPkjmC0MLfdPC48dtJFTFDMpxlgte/vJBUsSZ3LcnrV9OoRDR8SGlmwgoYdW4lQO B/OlqfzRMwu49FzDJutg1CyMIeXSMHtovjTBauzEHgIhTSzL32qub3OQIunxMBxHYVUtqxmdpC6X vpzXA1bSZaib7LTnSNoH+MpiUwDa2yM0R89vjuWEbqjYZNNDFMm3NEuZS3+DsBTKsGkw65lqw636 8cpZ0ZhnJcN+J4DUF8Mag6/Ras94++CS7DaaIgytzxnFKtkbV7rkhWkbW3WwaA7v4Ly+eRgPiIgX LtOtY/fQz8jWq1ZGEQ+Lz/jm6Ra/6PFk6wA3doDoS4mZafQ8axR6e6PYWbOEdnJz7Sf8U5rPtsEO nB8ztR1kEC9ITMSK5yPq6rlwfuDO+NDaRLG+0NTat9rrjvbimOPvGlnq9xLyWxoC5g/v55LlnZHR UvJPcEeZbG5zC8JlDU+YKrXuwhnQKI0mhDa1o7SgYrdNmxfguI1HClAi0W+QTcCM9/wgvgiz+Ufy 0hNJwF1ORuz5rB0EX3B/tszJztAErxefEiwOKE5bYh/YDCh5lGCT4WFnaMPvVhV8GL85cf6F/UI/ mA2n1h+u3pTzTrInMLKzHzZPiz1cczZHniCczEq1Iztw676Fq/lzy2n7nCOUTXc84y8ogXrkEzWw YrsG3AXUcn8mYLz7nuP50YLQ2p5evUNXzmUEC4U1fV8nwmJKO/oc7prIzkZjfQoKT3fuKbnnwncO K1GWjczGIquPfYykmiHxYPy8annhuJZzjd3kdAYtp8m16LhwHHGXV01iTsCrH+ Subject: Re: [PATCH v4 05/11] iommu/sva: Assign a PASID to mm on PASID allocation and free it on mm exit To: Fenghua Yu Cc: Dave Hansen , Joerg Roedel , jean-philippe , Ravi V Shankar , Tony Luck , Ashok Raj , Peter Zijlstra , Dave Hansen , x86 , linux-kernel , iommu , Ingo Molnar , Borislav Petkov , Andy Lutomirski , Josh Poimboeuf , Thomas Gleixner References: <99bcb9f5-4776-9c40-a776-cdecfa9e1010@foxmail.com> From: "zhangfei.gao@foxmail.com" X-OQ-MSGID: <722d4991-4c0c-23ba-a533-f496c13458c7@foxmail.com> Date: Fri, 15 Apr 2022 19:52:03 +0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US X-Spam-Status: No, score=-3.3 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FORGED_MUA_MOZILLA,FREEMAIL_FORGED_FROMDOMAIN, FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, NICE_REPLY_A,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2022/4/15 下午6:50, Fenghua Yu wrote: > Hi, Zhangfei, > > On Fri, Apr 15, 2022 at 06:14:09PM +0800, zhangfei.gao@foxmail.com wrote: >> >> On 2022/4/15 下午5:51, Fenghua Yu wrote: >>> On Thu, Apr 14, 2022 at 06:08:09PM +0800, zhangfei.gao@foxmail.com wrote: >>>> On 2022/4/12 下午11:35, zhangfei.gao@foxmail.com wrote: >>>>> Hi, Fenghua >>>>> >>>>> On 2022/4/12 下午9:41, Fenghua Yu wrote: >>> From a6444e1e5bd8076f5e5c5e950d3192de327f0c9c Mon Sep 17 00:00:00 2001 >>> From: Fenghua Yu >>> Date: Fri, 15 Apr 2022 00:51:33 -0700 >>> Subject: [RFC PATCH] iommu/sva: Fix PASID use-after-free issue >>> >>> A PASID might be still used even though it is freed on mm exit. >>> >>> process A: >>> sva_bind(); >>> ioasid_alloc() = N; // Get PASID N for the mm >>> fork(): // spawn process B >>> exit(); >>> ioasid_free(N); >>> >>> process B: >>> device uses PASID N -> failure >>> sva_unbind(); >>> >>> Dave Hansen suggests to take a refcount on the mm whenever binding the >>> PASID to a device and drop the refcount on unbinding. The mm won't be >>> dropped if the PASID is still bound to it. >>> >>> Fixes: 701fac40384f ("iommu/sva: Assign a PASID to mm on PASID allocation and free it on mm exit") >>> >>> Reported-by: Zhangfei Gao >>> Suggested-by: Dave Hansen" >>> Signed-off-by: Fenghua Yu >>> --- >>> drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c | 6 ++++++ >>> drivers/iommu/intel/svm.c | 4 ++++ >>> 2 files changed, 10 insertions(+) >>> >>> diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c >>> index 22ddd05bbdcd..3fcb842a0df0 100644 >>> --- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c >>> +++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c >>> @@ -7,6 +7,7 @@ >>> #include >>> #include >>> #include >>> +#include >>> #include "arm-smmu-v3.h" >>> #include "../../iommu-sva-lib.h" >>> @@ -363,6 +364,9 @@ arm_smmu_sva_bind(struct device *dev, struct mm_struct *mm, void *drvdata) >>> mutex_lock(&sva_lock); >>> handle = __arm_smmu_sva_bind(dev, mm); >>> + /* Take an mm refcount on a successful bind. */ >>> + if (!IS_ERR(handle)) >>> + mmget(mm); >>> mutex_unlock(&sva_lock); >>> return handle; >>> } >>> @@ -372,6 +376,8 @@ void arm_smmu_sva_unbind(struct iommu_sva *handle) >>> struct arm_smmu_bond *bond = sva_to_bond(handle); >>> mutex_lock(&sva_lock); >>> + /* Drop an mm refcount. */ >>> + mmput(bond->mm); >>> if (refcount_dec_and_test(&bond->refs)) { >>> list_del(&bond->list); >>> arm_smmu_mmu_notifier_put(bond->smmu_mn); >>> diff --git a/drivers/iommu/intel/svm.c b/drivers/iommu/intel/svm.c >>> index 23a38763c1d1..345a0d5d7922 100644 >>> --- a/drivers/iommu/intel/svm.c >>> +++ b/drivers/iommu/intel/svm.c >>> @@ -403,6 +403,8 @@ static struct iommu_sva *intel_svm_bind_mm(struct intel_iommu *iommu, >>> goto free_sdev; >>> list_add_rcu(&sdev->list, &svm->devs); >>> + /* Take an mm refcount on binding mm. */ >>> + mmget(mm); >>> success: >>> return &sdev->sva; >>> @@ -465,6 +467,8 @@ static int intel_svm_unbind_mm(struct device *dev, u32 pasid) >>> kfree(svm); >>> } >>> } >>> + /* Drop an mm reference on unbinding mm. */ >>> + mmput(mm); >>> } >>> out: >>> return ret; >> This patch can not be applied on 5.18-rc2 for intel part. > What error do you see? Could you please send to me errors? > > I download this patch from: > https://lore.kernel.org/lkml/YllADL6uMoLllzQo@fyu1.sc.intel.com/raw > git am to either v5.18-rc2 or the latest upstream without any issue. It is my copy paste issue. I have tested, nginx woks well. Other than the following issue, Each time /sbin/nginx will alloc ioasid but not free. which I think it maybe nginx issue or the mis-usage, will ask there. Tested-by: Zhangfei Gao > >> It should work for arm. >> >> In fact I have a similar patch at hand but pending since I found an issue. >> >> I start & stop nginx via this cmd. >> //start >> sudo sbin/nginx                    // this alloc an ioasid=1 >> //stop >> sudo sbin/nginx -s quit    // this does not free ioasid=1, but still alloc >> ioasid=2. >> So ioasid will keep allocated but not freed if continue start/stop nginx, >> though not impact the nginx function. >> >> stop nginx with -s quit still calls >> src/core/nginx.c >> main -> ngx_ssl_init -> openssl engine:    bind_fn -> ... -> alloc asid >> But openssl engine: ENGINE_free is not called >> >> Still in checking nginx code. >> >> Or do you test with nginx? > On my X86 machine, nginx doesn't trigger the kernel sva binding function > to allocate ioasid. I tried pre- nstalled nginx/openssl and also tried my built > a few versions of nginx/openssl. nginx does call OPENSSL_init_ssl() but > doesn't go to the binding function. Don't know if it's my configuration issue. > Maybe you can give me some advice? I am using openssl engine, which use crypto driver and using sva via uacce. nginx -> openssl -> openssl engine -> sva related. > > I test the patch with a few internal test tools and observe mmget()/mmput() > works fine in various cases. OK, thanks