From: Jacob Pan
To: Jean-Philippe Brucker
Date: Wed, 26 Sep 2018 11:01:03 -0700
Subject: Re: [PATCH v3 02/10] iommu/sva: Bind process address spaces to devices

On Mon, 24 Sep 2018 13:07:47 +0100
Jean-Philippe Brucker wrote:

> On 23/09/2018 04:05, Lu Baolu wrote:
> > Hi,
> >
> > On 09/21/2018 01:00 AM, Jean-Philippe Brucker wrote:
> >> Add bind() and unbind() operations to the IOMMU API. Bind()
> >> returns a PASID that drivers can program in hardware, to let their
> >> devices access an mm. This patch only adds skeletons for the
> >> device driver API, most of the implementation is still missing.
> >
> > Is it possible that a malicious process can unbind a pasid which is
> > used by another normal process?
>
> Yes, it's up to the device driver that calls unbind() to check that
> the caller is allowed to unbind this PASID. We can't do it ourselves
> since unbind() could also be called from a kernel thread for example
> from a cleanup function in some workqueue, outside the context of the
> process to unbind.
>
I am wondering if we can avoid the complexity around permission
checking by simply _only_ allowing bind/unbind() on current mm? What
would be the missing use cases if we bind current only?
It can also avoid other races such as unbind and mmu_notifier release
call.

> Jean
>
> >
> > It might happen in below sequence:
> >
> >
> > Process A                       Process B
> > =========                       =========
> > iommu_sva_init_device(dev)
> > iommu_sva_bind_device(dev)
> > ....
> > device access mm of A with
> > #PASID returned above
> > ....
> >                                 iommu_sva_unbind_device(dev, #PASID)
> > ....
> > [unrecoverable errors]
> >
> > I didn't have a thorough consideration of this. Sorry if this has
> > been prevented.
> >
> > Best regards,
> > Lu Baolu

[Jacob Pan]
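The ownership question discussed in this thread, as an added example that is not part of the original message or the patch series: a user-space C model of a PASID-to-mm bond table, comparing unbind with no ownership check against unbind restricted to the bound mm. All names (model_bind, model_unbind, unbind_as, struct sva_dev) are hypothetical and the model ignores locking, reference counting and mmu_notifier.

```c
#include <errno.h>
#include <stdio.h>

/* User-space model only; every name here is hypothetical, not the kernel API. */
#define MAX_PASID 8
struct mm { int id; };                                /* stands in for an address space */
struct sva_dev { const struct mm *bond[MAX_PASID]; }; /* PASID -> bound mm */
enum caller { OWNER_A, PROCESS_B, KTHREAD };

/* Bind the caller's mm; returns a PASID >= 1 or a negative errno. */
int model_bind(struct sva_dev *dev, const struct mm *cur)
{
    if (!cur)
        return -EINVAL;                 /* a kernel thread has no mm to bind */
    for (int p = 1; p < MAX_PASID; p++)
        if (!dev->bond[p]) { dev->bond[p] = cur; return p; }
    return -ENOSPC;
}

/* check_owner=0: the core trusts its caller (the case questioned in the thread).
 * check_owner=1: only the mm that holds the bond may unbind it. */
int model_unbind(struct sva_dev *dev, int pasid, const struct mm *cur, int check_owner)
{
    if (pasid < 1 || pasid >= MAX_PASID || !dev->bond[pasid])
        return -ESRCH;
    if (check_owner && dev->bond[pasid] != cur)
        return -EPERM;                  /* cur == NULL (workqueue cleanup) lands here too */
    dev->bond[pasid] = NULL;
    return 0;
}

/* Process A binds, then `who` calls unbind on A's PASID; returns the result. */
int unbind_as(enum caller who, int check_owner)
{
    struct sva_dev dev = { { NULL } };
    struct mm a = { 1 }, b = { 2 };     /* constructed sample processes */
    const struct mm *cur[] = { &a, &b, NULL };
    int pasid = model_bind(&dev, &a);
    return model_unbind(&dev, pasid, cur[who], check_owner);
}

int main(void)
{
    printf("no check,    process B:     %d\n", unbind_as(PROCESS_B, 0));
    printf("owner check, process B:     %d\n", unbind_as(PROCESS_B, 1));
    printf("owner check, owner A:       %d\n", unbind_as(OWNER_A, 1));
    printf("owner check, kernel thread: %d\n", unbind_as(KTHREAD, 1));
    return 0;
}
```

The last case is the trade-off raised in the quoted reply: a check tied to the calling mm also refuses a cleanup that runs outside the owning process's context.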