Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) client-ip=2620:137:e000::3:7;
Date:   Tue, 24 Oct 2023 15:52:13 -0300
From:   Jason Gunthorpe <jgg@nvidia.com>
To:     Robin Murphy <robin.murphy@arm.com>
Cc:     joro@8bytes.org, will@kernel.org, iommu@lists.linux.dev,
        baolu.lu@linux.intel.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v5 3/7] iommu: Validate that devices match domains
Message-ID: <20231024185213.GA1061115@nvidia.com>
References: <cover.1697047261.git.robin.murphy@arm.com>
 <4e8bda33aac4021b444e40389648deccf61c1f37.1697047261.git.robin.murphy@arm.com>
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4e8bda33aac4021b444e40389648deccf61c1f37.1697047261.git.robin.murphy@arm.com>
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?r1UUxXPFhCzZYRNmiPaOVwyC+CWg31CVL7htttvVUQXXMfXdrAetTSPPK3oz?=
 =?us-ascii?Q?I66+qYUhfGPBgAmJ4OkYfoEcloK8Xk6THgfYpgOPrsUqCeiu8uQYBJk2YkXO?=
 =?us-ascii?Q?Mfc2U7c+xdBMRJNdZ7howjLADxJIKgyALqf/PZhfTGsNCMfTCzLaJ8yt5jfO?=
 =?us-ascii?Q?alba9d4XTwy62njs2JnsB7wUJtwTAuRwEu5z74eJkUiMF8h3HwXDmGD3EPmd?=
 =?us-ascii?Q?qISKZcp1cL+6EcHKe2EEUqRUt+oBmsjNJP2T+5KrI347c9IW+Wn0kzUxFZ8k?=
 =?us-ascii?Q?rVOPFLMfo/R/Qndp4KAxrZ+1K/Tqm9XtFd/9Wf1cr/NVXducUFs1z75MQed7?=
 =?us-ascii?Q?tbZ1yfgMC1Px1H2yrYrfeB2UQuO474uWZBj5FjPkxLVESJZdSuq8/ldoed/Y?=
 =?us-ascii?Q?LhbSGH0mgm4Y1Us3jYMwzTidFLDCYqE0ipa7/MeTffRUopnI91kabTF292lm?=
 =?us-ascii?Q?qrnZXCrsLQ9QKz6D/T27s8nRhaMY8ZpFQV9QAW38OJvC/uJIclv7ALuMbnhU?=
 =?us-ascii?Q?GehzqA6QQOjRGTFX6hjyaaAsTeOEvExVJWuUg/q8/g0pv18vGrlqnyZkFygO?=
 =?us-ascii?Q?gmmB0kWdgkWVvOEJHbw5V+guiY4ZDSAEQq2Z2lNqkeEryL3JRzES1wtv8Fls?=
 =?us-ascii?Q?8aE+4SyLzsS9rVNydUf3ul17wf5nImPF10MvA2hUOHqyWrFMqwWzLpeczG+d?=
 =?us-ascii?Q?diLIJ9Rrii2G46FT4Irr/wiyHmGKRSEw1dZi3EKiE9z09Kq1LySOmqFBQv8S?=
 =?us-ascii?Q?vZHi4RBP98EkTlwFEbzYwaN0N2DqkbLO/e2/A6FgO1JcA4mqR5/8YdaNmJal?=
 =?us-ascii?Q?RemXdEm0kpnC/9U/+iz5cNO7V2he2nm1ntGAmRaW9PY/s/6iBcboE5huZkE9?=
 =?us-ascii?Q?kz4hjJO9lOurToei0jhiftajmztshNN+UWg8WgAuR2gQSD3Ittm0kbQtY/RR?=
 =?us-ascii?Q?wTmRKosNGovSo0cx1Btig+x8exM6bNG7z5NNRBwRPbWgqzwV9+LPWveBwiwU?=
 =?us-ascii?Q?tZgT96iyDGXSUtA1btbv4EPdhFsv91k3jE967IPhDbdLCoHHkBmFN5HfLveO?=
 =?us-ascii?Q?ieckuKAE6pLN39J4mOY0UY9o3XnH6kDiKV7/9aak/niS+kLXvzpoVjND96IL?=
 =?us-ascii?Q?zVRez1RDo2hTEvAsTcP7qv42rKiaUaorLjgJM8KGwxzCR8i+I5MhmL9Txesn?=
 =?us-ascii?Q?qbWqhYchZ5LVgi7nqEXi6HyqvwfGLZ/2qHyCV0H6dZIc/PEDdD3qqGoJAPqs?=
 =?us-ascii?Q?pEqy+87Jnpf4PmM2+b4H6j54EzZH4x72DZ5Fy6+k2zxllK9fPNagIUmR3o/r?=
 =?us-ascii?Q?TGH8UqYbGgqHAvr9S6dI4ZmVfqnyrw6Q+17aGtEYY9TyLpM4OueEqnmzgZLg?=
 =?us-ascii?Q?VUXWjuWVY83q/qIVLrmqFybooPW5dErluy9zOgYw9dnBex/9QuUs1OYOSvhj?=
 =?us-ascii?Q?FsmAG38V3KrWpkFv31zwIRvsnHpFp8aB6ytWailQ8AwGB1o5+3LPj+QKuXZ8?=
 =?us-ascii?Q?1l/drV1TkWRXturVGCgo4EofgqOBXbCT2t7WSv1WDMEEmRq6WVc0pjVbarI4?=
 =?us-ascii?Q?TdhA70COSPxjr3ivSrdCS7bNlhWeLwu6XZZqgSQ5?=
X-OriginatorOrg: Nvidia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 80b17e37-6bf1-4bf9-d430-08dbd4c2572b
X-MS-Exchange-CrossTenant-AuthSource: LV2PR12MB5869.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 24 Oct 2023 18:52:15.6425
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: UC8V2masUhCiB+irWl0jXje8oMXUKV20RfPQmYfwG+3FZUJODaU28gsyNBdScFlb
X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA0PR12MB7751
X-Spam-Status: No, score=-1.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_SPF_HELO,
        RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE
        autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Tue, 24 Oct 2023 11:52:22 -0700 (PDT)

On Wed, Oct 11, 2023 at 07:14:50PM +0100, Robin Murphy wrote:

> @@ -2279,10 +2280,16 @@ struct iommu_domain *iommu_get_dma_domain(struct device *dev)
>  static int __iommu_attach_group(struct iommu_domain *domain,
>  				struct iommu_group *group)
>  {
> +	struct device *dev;
> +
>  	if (group->domain && group->domain != group->default_domain &&
>  	    group->domain != group->blocking_domain)
>  		return -EBUSY;
>  
> +	dev = iommu_group_first_dev(group);
> +	if (!dev_has_iommu(dev) || dev_iommu_ops(dev) != domain->owner)
> +		return -EINVAL;

I was thinking about this later, how does this work for the global
static domains? domain->owner will not be set?

	if (alloc_type == IOMMU_DOMAIN_IDENTITY && ops->identity_domain)
		return ops->identity_domain;
	else if (alloc_type == IOMMU_DOMAIN_BLOCKED && ops->blocked_domain)
		return ops->blocked_domain;

Seems like it will break everything?

I suggest we just put a simple void * tag in the const domain->ops at
compile time to indicate the owning driver.

Jason