Received: by 2002:ab2:69cc:0:b0:1f4:be93:e15a with SMTP id n12csp2040620lqp; Tue, 16 Apr 2024 06:01:03 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXkUyT7wb1clA6YW/UManxQRvrrEmHAjCmPnC5T9ogvOJHxl7KuI2/Lw1B+QW1PDnuedBVNv40bYtx++2YIvArMV8KyQWVWkf667m5PkA== X-Google-Smtp-Source: AGHT+IFiCPwhRx83HtqePbWixqAFmTvLO3ei9a/1/Gc1ctMG5qqSDC5HSfQJbU55HA9WZNzvQmE3 X-Received: by 2002:a17:902:f548:b0:1e3:e6cb:a07f with SMTP id h8-20020a170902f54800b001e3e6cba07fmr2781456plf.26.1713272463347; Tue, 16 Apr 2024 06:01:03 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1713272463; cv=pass; d=google.com; s=arc-20160816; b=0PTwgTsM2TcZ05se+RjRAsjfo58Has9YdxFxb/Q7QevxYS8IaCtU8SeC/CUXN6wIq7 cjGJ3ddfESAYv4wgpuQcBUl0U1W/6wbQCH6uEFbnAAKZ8IEEu7nBskHbXajT7eVaTFer My7GO1xjtGZk94fW6UlC8wrIImKAwdLl+0AnxgISVvX924rK3bZVyj5lY1eqN/Ha1Lp7 /4hutW5kFTVJOJlnK0rCctyrfUO16ku1asVRyVk4UQHGHUwlu2W5SwlF6IhlGHTyKPEN OrH6Ib6D/6BsA+tHhFOh8p+7m8ky6f4Pal+95CyJFmgysDljEWzbHGffi/HBKHMR3uOE MS1g== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:message-id:date:subject:cc:to :from; bh=Zw0BXXAMHI4/P1CkPYI+fntTLNSB2+H+k22dzK3fins=; fh=7S60ss7O1IIewZlk0Co/4LYbp2EX/Q6HNBe7QBrA3H8=; b=BdlSnXX6RgSgF1Y0pY4SUtL/cGSmlCUbH4GgWSvyT/DA7D4dn13wPIT3rsEpTXCy4o 14UWAIxfB1vQSAVTYvAkyAFch8ssZ336th8Vbnk02EC+2Wo7yoDrUWA/2rjhPW57CO8c 3qcCpbHw2Gr5lWOhrFp+U4tw7iLJMKlPyAMIfq+Dv5h0KQrvqosRy+9JuD8CnvgoVGwc EkYLcJCo3GxjRTajwazy2h7iZ0ivag4UMKKCZinwIkkqD9UWPbPtz60Ab0IrA1/DMHqE aB58hopU1RobqKS2VvdSOoWKZnrHzk9dFFpCYxTgKj5I21iKeJlzrH9/rbB3QiyoBds4 XoHA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=arm.com dmarc=pass fromdomain=arm.com); spf=pass (google.com: domain of linux-kernel+bounces-146842-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-146842-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id u14-20020a170903124e00b001e435d95c63si9662348plh.315.2024.04.16.06.01.03 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 16 Apr 2024 06:01:03 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-146842-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=arm.com dmarc=pass fromdomain=arm.com); spf=pass (google.com: domain of linux-kernel+bounces-146842-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-146842-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 197CC28837F for ; Tue, 16 Apr 2024 13:01:01 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 04F5F12BF30; Tue, 16 Apr 2024 13:00:57 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by smtp.subspace.kernel.org (Postfix) with ESMTP id AEEEF129A7C for ; Tue, 16 Apr 2024 13:00:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.140.110.172 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713272456; cv=none; b=FBRTBF+s7hJrdNyrKY2lyqsZHlSvpEA1+FfnJrCAQvaaeOoRCf5TwCqwT6CLK+OmzsPQNmFVvMlRglg2gkQ8zyjD8OjXS4LPMXLMGOns2O5hU2PJcFcjcrKuZGTkMtGA9m8GlTtiF/eK3vUWqdPJED7BfbVlx+4obK0Wyu/BGK8= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713272456; c=relaxed/simple; bh=NkGV98SReVJjvmjh1PYxOXJR9XBB7H++66yf+9P/yFM=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=iTeuPQuQVoNpz6KQOrDV+FTSB5+7u0Yfa8driRKUiDA0dveA1jcdvrLad6772Ei/abQrCScSQfIaiP6SKbRlTtBnt+GYLiU3vJq9XbiN1bxHwmh4oTHberI7dU5FHYxJcrE4lwyUG3iEuQUlYyDR+yT8/e6N/LITpptQAISmKnI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com; spf=pass smtp.mailfrom=arm.com; arc=none smtp.client-ip=217.140.110.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=arm.com Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 2E43E339; Tue, 16 Apr 2024 06:01:19 -0700 (PDT) Received: from e121345-lin.cambridge.arm.com (e121345-lin.cambridge.arm.com [10.1.196.40]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id D217E3F738; Tue, 16 Apr 2024 06:00:49 -0700 (PDT) From: Robin Murphy To: joro@8bytes.org, will@kernel.org Cc: ewagner12@gmail.com, suravee.suthikulpanit@amd.com, vashegde@amd.com, jgg@ziepe.ca, iommu@lists.linux.dev, linux-kernel@vger.kernel.org, regressions@lists.linux.dev Subject: [PATCH] iommu: Fix def_domain_type interaction with untrusted devices Date: Tue, 16 Apr 2024 14:00:43 +0100 Message-Id: X-Mailer: git-send-email 2.39.2.101.g768bb238c484.dirty Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Previously, an untrusted device forcing IOMMU_DOMAIN_DMA always took precedence over whatever a driver's def_domain_type may have wanted to say. This was intentionally handled in core code since 3 years prior, to avoid drivers poking at the details of what is essentially a policy between the PCI core and the IOMMU core. Now, though, we go to the length of evaluating both constraints to check for any conflict, and if so throw our toys out of the pram and refuse to handle the device at all. Regardless of any intent, in practice this leaves the device, and potentially the rest of its group or even the whole IOMMU, in a largely undetermined state, which at worst may render the whole system unusable. Unfortunately it turns out that this is a realistic situation to run into by connecting a PASID-capable device (e.g. a GPU) to an AMD-based laptop via a Thunderbolt expansion box, since the AMD IOMMU driver needs an identity default domain for PASIDs to be usable, and thus sets a def_domain_type override based on PASID capability. In general, restoring the old behaviour of forcing translation will not make that device's operation any more broken than leaving it potentially blocked or subject to the rest of a group's translations would, nor will it be any less safe than leaving it potentially bypassed or subject to the rest of a group's translations would, so do that, and let eGPUs work again. Reported-by: Eric Wagner Link: https://lore.kernel.org/linux-iommu/CAHudX3zLH6CsRmLE-yb+gRjhh-v4bU5_1jW_xCcxOo_oUUZKYg@mail.gmail.com Fixes: 59ddce4418da ("iommu: Reorganize iommu_get_default_domain_type() to respect def_domain_type()") Signed-off-by: Robin Murphy --- drivers/iommu/iommu.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c index 996e79dc582d..90dbea14d4d6 100644 --- a/drivers/iommu/iommu.c +++ b/drivers/iommu/iommu.c @@ -1772,9 +1772,8 @@ static int iommu_get_default_domain_type(struct iommu_group *group, if (driver_type && driver_type != IOMMU_DOMAIN_DMA) { dev_err_ratelimited( untrusted, - "Device is not trusted, but driver is overriding group %u to %s, refusing to probe.\n", + "IOMMU_DOMAIN_DMA for untrusted device overrides driver request of %s for group %u, expect issues...\n", group->id, iommu_domain_type_str(driver_type)); - return -1; } driver_type = IOMMU_DOMAIN_DMA; } -- 2.39.2.101.g768bb238c484.dirty