Received: by 2002:a05:7412:31a9:b0:e2:908c:2ebd with SMTP id et41csp6072242rdb;
        Mon, 18 Sep 2023 03:22:51 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IHieu6vnf0J5hMz6kQKW6xszq02A4T352cOTZrKMMo44k82YujhOGEmFFczu44PyQK4CENe
X-Received: by 2002:a05:6a00:2313:b0:68c:b30:8fcc with SMTP id h19-20020a056a00231300b0068c0b308fccmr7695413pfh.20.1695032571108;
        Mon, 18 Sep 2023 03:22:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1695032571; cv=none;
        d=google.com; s=arc-20160816;
        b=i1OYl4D3RqILVQW24S4kNUGzNtSg01JRqhHSTI97Ff4mWzp/ub8ubh4LUbXM+/NVRQ
         zqZMI9949A41s9NH0nHBCJi4cxkYq7cK0xnaFHsSCCrG62W63fGqNxj8sohN5+1ggnZU
         lP9j2ZvuIiMqBXq+EjprywhCN6pl6mR1U3wNlo/XnggjTfukNCC3UMbRxBpvlAdSHwJL
         YoUrMpzaAUSJIRGsSDlZwi7npJOU8Mu32LK6ai1WklUt8YOVYbcAwCnuJDCldEhWNnYc
         L0XcWHsrgxPh2WJLwyTXNAgYHLmYsaFTm/jfFtyNcz1XJnppyznBED/BLKuQ1MRWRjW+
         IP2g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:cc:to:content-language:subject:user-agent:mime-version
         :date:message-id;
        bh=N5r/UzYaLRyT7tFEmtMOeCA7i7s/+pTmQnfm8m4WWjw=;
        fh=ADkLrnZ0P5w4aR8AOw9jcP6NdKVhxKDtfsZB8K4/d98=;
        b=Cv2s4Snu41gPjBnw8uup/00+EsJoou8Ii7G1223EEdX+7rSK7vQLSGL/pLKGP/ofaV
         jGqQBySxhmmxI/o4rIKJ5bKbv1NHzy5zhYROGeXoLYGy+hdzBZKDS0H2N9twiTUfqyr/
         O9+YIhM5RMMY2zvPbssJV1+gr/5ct3eIVIr+F+/LGS1B19T7t8QRPNfZXimPEtmXNcwL
         kuzR2k/pVRk1AhWB43EV8E6njHca1A21WvyEczWm1oEmzJfLB+RDazVOZS+QdwWsUupw
         oTAIGP1/MXojHdTN2uLfwpTtD6o7HMCeHwP6repI5/n9FSorHhFuZ6jKGURBddT5mnyv
         QIVQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from howler.vger.email (howler.vger.email. [2620:137:e000::3:4])
        by mx.google.com with ESMTPS id g7-20020a056a0023c700b006902507d409si8174072pfc.174.2023.09.18.03.22.38
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 18 Sep 2023 03:22:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) client-ip=2620:137:e000::3:4;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by howler.vger.email (Postfix) with ESMTP id 82E388320DF0;
	Mon, 18 Sep 2023 03:09:51 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S235542AbjIRKJN (ORCPT <rfc822;berger.sven@gmail.com>
        + 99 others); Mon, 18 Sep 2023 06:09:13 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48714 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232988AbjIRKIm (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 18 Sep 2023 06:08:42 -0400
Received: from foss.arm.com (foss.arm.com [217.140.110.172])
        by lindbergh.monkeyblade.net (Postfix) with ESMTP id D3F06A6
        for <linux-kernel@vger.kernel.org>; Mon, 18 Sep 2023 03:08:35 -0700 (PDT)
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
        by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id DBE211FB;
        Mon, 18 Sep 2023 03:09:12 -0700 (PDT)
Received: from [10.57.94.165] (unknown [10.57.94.165])
        by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 5E0C63F67D;
        Mon, 18 Sep 2023 03:08:34 -0700 (PDT)
Message-ID: <1f9088b5-b52a-3fa0-2bb1-90ee83294d46@arm.com>
Date:   Mon, 18 Sep 2023 11:08:34 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101
 Thunderbird/102.15.1
Subject: Re: [PATCH v3 3/7] iommu: Validate that devices match domains
Content-Language: en-GB
To:     Baolu Lu <baolu.lu@linux.intel.com>, joro@8bytes.org,
        will@kernel.org
Cc:     iommu@lists.linux.dev, linux-kernel@vger.kernel.org,
        linux-arm-kernel@lists.infradead.org, jgg@nvidia.com
References: <cover.1694693889.git.robin.murphy@arm.com>
 <d29334e44c0e6489629dbe13c969c47d4285a877.1694693889.git.robin.murphy@arm.com>
 <a39dcdcb-e904-a09d-f553-66bac5257205@linux.intel.com>
From:   Robin Murphy <robin.murphy@arm.com>
In-Reply-To: <a39dcdcb-e904-a09d-f553-66bac5257205@linux.intel.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-3.4 required=5.0 tests=BAYES_00,NICE_REPLY_A,
        RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_NONE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Mon, 18 Sep 2023 03:09:51 -0700 (PDT)

On 2023-09-18 06:49, Baolu Lu wrote:
> On 9/16/23 12:58 AM, Robin Murphy wrote:
>> Before we can allow drivers to coexist, we need to make sure that one
>> driver's domain ops can't misinterpret another driver's dev_iommu_priv
>> data. To that end, add a token to the domain so we can remember how it
>> was allocated - for now this may as well be the device ops, since they
>> still correlate 1:1 with drivers. We can trust ourselves for internal
>> default domain attachment, so add the check where it covers both the
>> external attach interfaces.
>>
>> Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
>> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
>> Signed-off-by: Robin Murphy <robin.murphy@arm.com>
>> ---
>>   drivers/iommu/iommu.c | 13 +++++++++----
>>   include/linux/iommu.h |  1 +
>>   2 files changed, 10 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
>> index 2f29ee9dea64..f4cc91227b22 100644
>> --- a/drivers/iommu/iommu.c
>> +++ b/drivers/iommu/iommu.c
>> @@ -2000,26 +2000,28 @@ EXPORT_SYMBOL_GPL(iommu_set_fault_handler);
>>   static struct iommu_domain *__iommu_domain_alloc(const struct 
>> bus_type *bus,
>>                            unsigned type)
>>   {
>> +    const struct iommu_ops *ops = bus ? bus->iommu_ops : NULL;
>>       struct iommu_domain *domain;
>>       unsigned int alloc_type = type & IOMMU_DOMAIN_ALLOC_FLAGS;
>> -    if (bus == NULL || bus->iommu_ops == NULL)
>> +    if (!ops)
>>           return NULL;
>> -    domain = bus->iommu_ops->domain_alloc(alloc_type);
>> +    domain = ops->domain_alloc(alloc_type);
>>       if (!domain)
>>           return NULL;
>>       domain->type = type;
>> +    domain->owner = ops;
>>       /*
>>        * If not already set, assume all sizes by default; the driver
>>        * may override this later
>>        */
>>       if (!domain->pgsize_bitmap)
>> -        domain->pgsize_bitmap = bus->iommu_ops->pgsize_bitmap;
>> +        domain->pgsize_bitmap = ops->pgsize_bitmap;
>>       if (!domain->ops)
>> -        domain->ops = bus->iommu_ops->default_domain_ops;
>> +        domain->ops = ops->default_domain_ops;
>>       if (iommu_is_dma_domain(domain) && iommu_get_dma_cookie(domain)) {
>>           iommu_domain_free(domain);
>> @@ -2176,6 +2178,9 @@ static int __iommu_attach_group(struct 
>> iommu_domain *domain,
>>           group->domain != group->blocking_domain)
>>           return -EBUSY;
>> +    if (dev_iommu_ops(iommu_group_first_dev(group)) != domain->owner)
>> +        return -EINVAL;
> 
> Should we apply this check in iommu_attach_device_pasid()?

Oh, probably - I don't think I've really noticed that we've grown yet 
another attach interface since I started this. Looks like current users 
are passing appropriate domains by construction, but I concur that that 
path wants covering as well for completeness.

Thanks,
Robin.

> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
> index 3bfc56df4f78..43acf1b8ed56 100644
> --- a/drivers/iommu/iommu.c
> +++ b/drivers/iommu/iommu.c
> @@ -3414,6 +3414,9 @@ int iommu_attach_device_pasid(struct iommu_domain 
> *domain,
>          if (!group)
>                  return -ENODEV;
> 
> +       if (dev_iommu_ops(dev) != domain->owner)
> +               return -EINVAL;
> +
>          mutex_lock(&group->mutex);
>          curr = xa_cmpxchg(&group->pasid_array, pasid, NULL, domain, 
> GFP_KERNEL);
>          if (curr) {
> 
>> +
>>       return __iommu_group_set_domain(group, domain);
>>   }
>> diff --git a/include/linux/iommu.h b/include/linux/iommu.h
>> index a249e10c8e9f..75ffcac199e3 100644
>> --- a/include/linux/iommu.h
>> +++ b/include/linux/iommu.h
>> @@ -95,6 +95,7 @@ struct iommu_domain_geometry {
>>   struct iommu_domain {
>>       unsigned type;
>>       const struct iommu_domain_ops *ops;
>> +    const struct iommu_ops *owner; /* Whose domain_alloc we came from */
>>       unsigned long pgsize_bitmap;    /* Bitmap of page sizes in use */
>>       struct iommu_domain_geometry geometry;
>>       struct iommu_dma_cookie *iova_cookie;
> 
> Best regards,
> baolu