Received: by 2002:a05:7412:3784:b0:e2:908c:2ebd with SMTP id jk4csp1344169rdb; Mon, 2 Oct 2023 06:59:11 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHNwkbWFvSwv70XWr+NQi9gZufcrhvz6NxzAsnfLELrPXH2kXsI2cLJTptaTjcsZNfVHBZ+ X-Received: by 2002:a17:902:e851:b0:1c5:ff18:98af with SMTP id t17-20020a170902e85100b001c5ff1898afmr10523856plg.4.1696255150948; Mon, 02 Oct 2023 06:59:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696255150; cv=none; d=google.com; s=arc-20160816; b=lvyPCdBZziyXgrqtJCEc0AyWYfkFyxK3IcD4AosNvcrILqLziU12wwwcZlbCWs8izO B6gGrgJ+2blWndQTk7r0PQrn5n6oX7mSPobsPAmfWaORhyaBxBfWRzS76TputBF2EdIT 0L9Ps6Ppp8t2QmJmdZey9+OiNSjSbvXgpNRgb1sivi7BGvWJhMiSOnvvKmIgQ/yuCorx LmIoCFP27XtB13aaYCubYidKFhZGBkhXx5XTidhzkbQOCjr2fkEclwJROdVd0R9SbFDt GGrUJrz1ZDtz6UrWxnDvKlSDaERn5A5vmMIrkD4SJJaLHT9v3xmS+4vhWywIqOzdAzXX gMxQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=9YrHHH8ajCzIFe0wUxIXygVCcxvw+o14anuAv+WNDzk=; fh=3nQM0QufZPSZ94JO+WDmHkrFziuG1/NJr0OD1jy0Wvc=; b=PGhKvo12OKKxybPosPybPppecK0WyZVeXwM9IuJrLOdf1ORbiuUzHDQcNmWd4wpjYU n/4vdhonYZvQEvfK9qCf85lLeNDsbOR44s4Log43TloIpp6E5c1EdHkv+ZUqkFJlTNWx DOw0CMbZRIrwJEFXQbG2z2fbXjoWPeGIzTfBBkb9+7iTpLKON6hC6Txq8SnhXl/3pmO8 kJ90IcTzwwfZZ+rBV3BwbBl/IzHeNwXTvsUaec5ZRKEEEHONsqRhQmLQ9t7vDbE6aNts Pkg5I3oBZ8eaWX/54sF0oYEdIPfNfHwarfFC7Nb8cozT8ebNFS+voTVsvamihWbcI7xW denw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from pete.vger.email (pete.vger.email. [23.128.96.36]) by mx.google.com with ESMTPS id k17-20020a170902c41100b001b9ffda162csi1840942plk.441.2023.10.02.06.59.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 Oct 2023 06:59:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) client-ip=23.128.96.36; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by pete.vger.email (Postfix) with ESMTP id 90533809B0BB; Mon, 2 Oct 2023 06:51:16 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at pete.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237543AbjJBNte (ORCPT + 99 others); Mon, 2 Oct 2023 09:49:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34408 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237527AbjJBNt3 (ORCPT ); Mon, 2 Oct 2023 09:49:29 -0400 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 94706B7 for ; Mon, 2 Oct 2023 06:49:25 -0700 (PDT) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id CB5E01474; Mon, 2 Oct 2023 06:50:03 -0700 (PDT) Received: from e121345-lin.cambridge.arm.com (e121345-lin.cambridge.arm.com [10.1.196.40]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 81A533F762; Mon, 2 Oct 2023 06:49:24 -0700 (PDT) From: Robin Murphy To: joro@8bytes.org, will@kernel.org Cc: iommu@lists.linux.dev, jgg@nvidia.com, baolu.lu@linux.intel.com, linux-kernel@vger.kernel.org Subject: [PATCH v4 3/7] iommu: Validate that devices match domains Date: Mon, 2 Oct 2023 14:49:11 +0100 Message-Id: <4dfa51b034327432793640189aa516038d3449e1.1696253096.git.robin.murphy@arm.com> X-Mailer: git-send-email 2.39.2.101.g768bb238c484.dirty In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Mon, 02 Oct 2023 06:51:16 -0700 (PDT) Before we can allow drivers to coexist, we need to make sure that one driver's domain ops can't misinterpret another driver's dev_iommu_priv data. To that end, add a token to the domain so we can remember how it was allocated - for now this may as well be the device ops, since they still correlate 1:1 with drivers. We can trust ourselves for internal default domain attachment, so add checks to cover all the public attach interfaces. Reviewed-by: Lu Baolu Reviewed-by: Jason Gunthorpe Signed-off-by: Robin Murphy --- v4: Cover iommu_attach_device_pasid() as well, and improve robustness against theoretical attempts to attach a noiommu group. --- drivers/iommu/iommu.c | 10 ++++++++++ include/linux/iommu.h | 1 + 2 files changed, 11 insertions(+) diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c index ef7feb0acc34..7c79a58ef010 100644 --- a/drivers/iommu/iommu.c +++ b/drivers/iommu/iommu.c @@ -2102,6 +2102,7 @@ static struct iommu_domain *__iommu_domain_alloc(const struct iommu_ops *ops, return NULL; domain->type = type; + domain->owner = ops; /* * If not already set, assume all sizes by default; the driver * may override this later @@ -2267,10 +2268,16 @@ struct iommu_domain *iommu_get_dma_domain(struct device *dev) static int __iommu_attach_group(struct iommu_domain *domain, struct iommu_group *group) { + struct device *dev; + if (group->domain && group->domain != group->default_domain && group->domain != group->blocking_domain) return -EBUSY; + dev = iommu_group_first_dev(group); + if (!dev_has_iommu(dev) || dev_iommu_ops(dev) != domain->owner) + return -EINVAL; + return __iommu_group_set_domain(group, domain); } @@ -3468,6 +3475,9 @@ int iommu_attach_device_pasid(struct iommu_domain *domain, if (!group) return -ENODEV; + if (!dev_has_iommu(dev) || dev_iommu_ops(dev) != domain->owner) + return -EINVAL; + mutex_lock(&group->mutex); curr = xa_cmpxchg(&group->pasid_array, pasid, NULL, domain, GFP_KERNEL); if (curr) { diff --git a/include/linux/iommu.h b/include/linux/iommu.h index 2d2802fb2c74..5c9560813d05 100644 --- a/include/linux/iommu.h +++ b/include/linux/iommu.h @@ -99,6 +99,7 @@ struct iommu_domain_geometry { struct iommu_domain { unsigned type; const struct iommu_domain_ops *ops; + const struct iommu_ops *owner; /* Whose domain_alloc we came from */ unsigned long pgsize_bitmap; /* Bitmap of page sizes in use */ struct iommu_domain_geometry geometry; struct iommu_dma_cookie *iova_cookie; -- 2.39.2.101.g768bb238c484.dirty