Date: Wed, 25 Oct 2023 13:39:56 +0100
Subject: Re: [PATCH v5 3/7] iommu: Validate that devices match domains
From: Robin Murphy
To: Jason Gunthorpe
Cc: joro@8bytes.org, will@kernel.org, iommu@lists.linux.dev, baolu.lu@linux.intel.com, linux-kernel@vger.kernel.org

On 24/10/2023 7:52 pm, Jason Gunthorpe wrote:
> On Wed, Oct 11, 2023 at 07:14:50PM +0100, Robin Murphy wrote:
>
>> @@ -2279,10 +2280,16 @@ struct iommu_domain *iommu_get_dma_domain(struct device *dev) >> static int __iommu_attach_group(struct iommu_domain *domain, >> struct iommu_group *group) >> { >> + struct device *dev; >> + >> if (group->domain && group->domain != group->default_domain && >> group->domain != group->blocking_domain) >> return -EBUSY; >> >> + dev = iommu_group_first_dev(group); >> + if (!dev_has_iommu(dev) || dev_iommu_ops(dev) != domain->owner) >> + return -EINVAL;
>
> I was thinking about this later, how does this work for the global
> static domains? domain->owner will not be set?
>
>     if (alloc_type == IOMMU_DOMAIN_IDENTITY && ops->identity_domain)
>         return ops->identity_domain;
>     else if (alloc_type == IOMMU_DOMAIN_BLOCKED && ops->blocked_domain)
>         return ops->blocked_domain;
>
> Seems like it will break everything?

I don't believe it makes any significant difference - as the commit message points out, this validation is only applied at the public interface boundaries of iommu_attach_group(), iommu_attach_device(), and iommu_attach_device_pasid(), which are only expected to be operating on explicitly-allocated unmanaged domains. For internal default domain attachment, the domain is initially derived from the device/group itself so we know it's appropriate by construction.

I guess this *would* now prevent some external caller reaching in and trying to attach something to some other group's identity default domain, but frankly it feels like making that fail would be no bad thing anyway.

Thanks,
Robin.
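Review bot: in the __iommu_attach_group() hunk, the new check looks only at the device returned by iommu_group_first_dev(group), and nothing in the visible lines handles a group with no devices or says why the first device can stand for the whole group. A short comment above `dev = iommu_group_first_dev(group);` stating that invariant would help. The comparison `dev_iommu_ops(dev) != domain->owner` also yields -EINVAL for any domain whose owner is unset, which is the case raised in the reply for the ops->identity_domain and ops->blocked_domain statics, so a comment noting that this path expects explicitly allocated domains would make the intent clear to later readers.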
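A simplified userspace model of the behaviour discussed in this thread, added here as an example and not code from the patch or the kernel. The `model_*` types and functions are hypothetical stand-ins, the -EBUSY check is left out, and the static identity domain is assumed to have no owner set, as the question supposes.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model: simplified stand-ins, not the kernel's definitions. */
struct model_ops    { const char *name; };
struct model_domain { const struct model_ops *owner; };  /* NULL: owner never set */
struct model_device { const struct model_ops *ops; };    /* NULL: no IOMMU */
struct model_group {
    struct model_device *first_dev;       /* model assumes a non-empty group */
    struct model_domain *default_domain;
    struct model_domain *domain;          /* currently attached domain */
};

/* Public boundary: mirrors the ownership test in the quoted hunk. */
static int model_public_attach(struct model_domain *domain, struct model_group *group)
{
    const struct model_device *dev = group->first_dev;

    if (!dev->ops || dev->ops != domain->owner)
        return -EINVAL;
    group->domain = domain;
    return 0;
}

/* Internal path: the domain comes from the group itself, so no check is made. */
static int model_internal_attach_default(struct model_group *group)
{
    group->domain = group->default_domain;
    return 0;
}

int main(void)
{
    /* Constructed scenario, not taken from any real system. */
    const struct model_ops drv_a = { "driver-a" }, drv_b = { "driver-b" };
    struct model_domain unmanaged_a = { &drv_a }, unmanaged_b = { &drv_b };
    struct model_domain static_identity = { NULL };   /* owner assumed unset */
    struct model_device dev = { &drv_a };
    struct model_group grp = { &dev, &static_identity, NULL };

    printf("own unmanaged domain:    %d\n", model_public_attach(&unmanaged_a, &grp));
    printf("other driver's domain:   %d\n", model_public_attach(&unmanaged_b, &grp));
    printf("static identity, public: %d\n", model_public_attach(&static_identity, &grp));
    printf("static identity, internal default: %d\n", model_internal_attach_default(&grp));
    return 0;
}
```

In the model, only the internal path can put the group on the ownerless identity domain; the public path refuses it in the same way it refuses another driver's domain.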