[PATCH] iommu: Up front sanity check in the arm_lpae_map

[PATCH] iommu: Up front sanity check in the arm_lpae_map

[Keqian Zhu]

... then we have more chance to detect wrong code logic.

Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
---
 drivers/iommu/io-pgtable-arm.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
index a7a9bc08dcd1..8ade72adab31 100644
--- a/drivers/iommu/io-pgtable-arm.c
+++ b/drivers/iommu/io-pgtable-arm.c
@@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
 	arm_lpae_iopte prot;
 	long iaext = (s64)iova >> cfg->ias;
 
-	/* If no access, then nothing to do */
-	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
-		return 0;
-
 	if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
 		return -EINVAL;
 
@@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
 	if (WARN_ON(iaext || paddr >> cfg->oas))
 		return -ERANGE;
 
+	/* If no access, then nothing to do */
+	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
+		return 0;
+
 	prot = arm_lpae_prot_to_pte(data, iommu_prot);
 	ret = __arm_lpae_map(data, iova, paddr, size, prot, lvl, ptep, gfp);
 	/*
-- 
2.23.0

[PATCH] iommu: Up front sanity check in the arm_lpae_map

[Keqian Zhu]

... then we have more chance to detect wrong code logic.

Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
---
 drivers/iommu/io-pgtable-arm.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
index a7a9bc08dcd1..8ade72adab31 100644
--- a/drivers/iommu/io-pgtable-arm.c
+++ b/drivers/iommu/io-pgtable-arm.c
@@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
 	arm_lpae_iopte prot;
 	long iaext = (s64)iova >> cfg->ias;
 
-	/* If no access, then nothing to do */
-	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
-		return 0;
-
 	if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
 		return -EINVAL;
 
@@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
 	if (WARN_ON(iaext || paddr >> cfg->oas))
 		return -ERANGE;
 
+	/* If no access, then nothing to do */
+	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
+		return 0;
+
 	prot = arm_lpae_prot_to_pte(data, iommu_prot);
 	ret = __arm_lpae_map(data, iova, paddr, size, prot, lvl, ptep, gfp);
 	/*
-- 
2.23.0

_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu

[PATCH] iommu: Up front sanity check in the arm_lpae_map

[Keqian Zhu]

... then we have more chance to detect wrong code logic.

Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
---
 drivers/iommu/io-pgtable-arm.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
index a7a9bc08dcd1..8ade72adab31 100644
--- a/drivers/iommu/io-pgtable-arm.c
+++ b/drivers/iommu/io-pgtable-arm.c
@@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
 	arm_lpae_iopte prot;
 	long iaext = (s64)iova >> cfg->ias;
 
-	/* If no access, then nothing to do */
-	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
-		return 0;
-
 	if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
 		return -EINVAL;
 
@@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
 	if (WARN_ON(iaext || paddr >> cfg->oas))
 		return -ERANGE;
 
+	/* If no access, then nothing to do */
+	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
+		return 0;
+
 	prot = arm_lpae_prot_to_pte(data, iommu_prot);
 	ret = __arm_lpae_map(data, iova, paddr, size, prot, lvl, ptep, gfp);
 	/*
-- 
2.23.0


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map

[Will Deacon]

On Sat, Dec 05, 2020 at 04:29:57PM +0800, Keqian Zhu wrote:
> ... then we have more chance to detect wrong code logic.

This could do with being a bit more explicit. Something like:

	Although handling a mapping request with no permissions is a
	trivial no-op, defer the early return until after the size/range
	checks so that we are consistent with other mapping requests.

> Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
> ---
>  drivers/iommu/io-pgtable-arm.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
> index a7a9bc08dcd1..8ade72adab31 100644
> --- a/drivers/iommu/io-pgtable-arm.c
> +++ b/drivers/iommu/io-pgtable-arm.c
> @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>  	arm_lpae_iopte prot;
>  	long iaext = (s64)iova >> cfg->ias;
>  
> -	/* If no access, then nothing to do */
> -	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
> -		return 0;
> -
>  	if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
>  		return -EINVAL;
>  
> @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>  	if (WARN_ON(iaext || paddr >> cfg->oas))
>  		return -ERANGE;
>  
> +	/* If no access, then nothing to do */
> +	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
> +		return 0;

This looks sensible to me, but please can you make the same change for
io-pgtable-arm-v7s.c so that the behaviour is consistent across the two
formats?

Thanks,

Will

Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map

[Will Deacon]

On Sat, Dec 05, 2020 at 04:29:57PM +0800, Keqian Zhu wrote:
> ... then we have more chance to detect wrong code logic.

This could do with being a bit more explicit. Something like:

	Although handling a mapping request with no permissions is a
	trivial no-op, defer the early return until after the size/range
	checks so that we are consistent with other mapping requests.

> Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
> ---
>  drivers/iommu/io-pgtable-arm.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
> index a7a9bc08dcd1..8ade72adab31 100644
> --- a/drivers/iommu/io-pgtable-arm.c
> +++ b/drivers/iommu/io-pgtable-arm.c
> @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>  	arm_lpae_iopte prot;
>  	long iaext = (s64)iova >> cfg->ias;
>  
> -	/* If no access, then nothing to do */
> -	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
> -		return 0;
> -
>  	if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
>  		return -EINVAL;
>  
> @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>  	if (WARN_ON(iaext || paddr >> cfg->oas))
>  		return -ERANGE;
>  
> +	/* If no access, then nothing to do */
> +	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
> +		return 0;

This looks sensible to me, but please can you make the same change for
io-pgtable-arm-v7s.c so that the behaviour is consistent across the two
formats?

Thanks,

Will
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu

Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map

[Will Deacon]

On Sat, Dec 05, 2020 at 04:29:57PM +0800, Keqian Zhu wrote:
> ... then we have more chance to detect wrong code logic.

This could do with being a bit more explicit. Something like:

	Although handling a mapping request with no permissions is a
	trivial no-op, defer the early return until after the size/range
	checks so that we are consistent with other mapping requests.

> Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
> ---
>  drivers/iommu/io-pgtable-arm.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
> index a7a9bc08dcd1..8ade72adab31 100644
> --- a/drivers/iommu/io-pgtable-arm.c
> +++ b/drivers/iommu/io-pgtable-arm.c
> @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>  	arm_lpae_iopte prot;
>  	long iaext = (s64)iova >> cfg->ias;
>  
> -	/* If no access, then nothing to do */
> -	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
> -		return 0;
> -
>  	if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
>  		return -EINVAL;
>  
> @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>  	if (WARN_ON(iaext || paddr >> cfg->oas))
>  		return -ERANGE;
>  
> +	/* If no access, then nothing to do */
> +	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
> +		return 0;

This looks sensible to me, but please can you make the same change for
io-pgtable-arm-v7s.c so that the behaviour is consistent across the two
formats?

Thanks,

Will

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map

[zhukeqian]

Hi Will,

On 2020/12/7 18:59, Will Deacon wrote:
> On Sat, Dec 05, 2020 at 04:29:57PM +0800, Keqian Zhu wrote:
>> ... then we have more chance to detect wrong code logic.
> 
> This could do with being a bit more explicit. Something like:
> 
> 	Although handling a mapping request with no permissions is a
> 	trivial no-op, defer the early return until after the size/range
> 	checks so that we are consistent with other mapping requests.
This looks well, thanks.

> 
>> Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
>> ---
>>  drivers/iommu/io-pgtable-arm.c | 8 ++++----
>>  1 file changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
>> index a7a9bc08dcd1..8ade72adab31 100644
>> --- a/drivers/iommu/io-pgtable-arm.c
>> +++ b/drivers/iommu/io-pgtable-arm.c
>> @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>  	arm_lpae_iopte prot;
>>  	long iaext = (s64)iova >> cfg->ias;
>>  
>> -	/* If no access, then nothing to do */
>> -	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>> -		return 0;
>> -
>>  	if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
>>  		return -EINVAL;
>>  
>> @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>  	if (WARN_ON(iaext || paddr >> cfg->oas))
>>  		return -ERANGE;
>>  
>> +	/* If no access, then nothing to do */
>> +	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>> +		return 0;
> 
> This looks sensible to me, but please can you make the same change for
> io-pgtable-arm-v7s.c so that the behaviour is consistent across the two
> formats?
> 
OK. I can do it right now.


Thanks,
Keqian
> Thanks,
> 
> Will
> .
> 

Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map

[zhukeqian]

Hi Will,

On 2020/12/7 18:59, Will Deacon wrote:
> On Sat, Dec 05, 2020 at 04:29:57PM +0800, Keqian Zhu wrote:
>> ... then we have more chance to detect wrong code logic.
> 
> This could do with being a bit more explicit. Something like:
> 
> 	Although handling a mapping request with no permissions is a
> 	trivial no-op, defer the early return until after the size/range
> 	checks so that we are consistent with other mapping requests.
This looks well, thanks.

> 
>> Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
>> ---
>>  drivers/iommu/io-pgtable-arm.c | 8 ++++----
>>  1 file changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
>> index a7a9bc08dcd1..8ade72adab31 100644
>> --- a/drivers/iommu/io-pgtable-arm.c
>> +++ b/drivers/iommu/io-pgtable-arm.c
>> @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>  	arm_lpae_iopte prot;
>>  	long iaext = (s64)iova >> cfg->ias;
>>  
>> -	/* If no access, then nothing to do */
>> -	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>> -		return 0;
>> -
>>  	if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
>>  		return -EINVAL;
>>  
>> @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>  	if (WARN_ON(iaext || paddr >> cfg->oas))
>>  		return -ERANGE;
>>  
>> +	/* If no access, then nothing to do */
>> +	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>> +		return 0;
> 
> This looks sensible to me, but please can you make the same change for
> io-pgtable-arm-v7s.c so that the behaviour is consistent across the two
> formats?
> 
OK. I can do it right now.


Thanks,
Keqian
> Thanks,
> 
> Will
> .
> 
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu

Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map

[zhukeqian]

Hi Will,

On 2020/12/7 18:59, Will Deacon wrote:
> On Sat, Dec 05, 2020 at 04:29:57PM +0800, Keqian Zhu wrote:
>> ... then we have more chance to detect wrong code logic.
> 
> This could do with being a bit more explicit. Something like:
> 
> 	Although handling a mapping request with no permissions is a
> 	trivial no-op, defer the early return until after the size/range
> 	checks so that we are consistent with other mapping requests.
This looks well, thanks.

> 
>> Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
>> ---
>>  drivers/iommu/io-pgtable-arm.c | 8 ++++----
>>  1 file changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
>> index a7a9bc08dcd1..8ade72adab31 100644
>> --- a/drivers/iommu/io-pgtable-arm.c
>> +++ b/drivers/iommu/io-pgtable-arm.c
>> @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>  	arm_lpae_iopte prot;
>>  	long iaext = (s64)iova >> cfg->ias;
>>  
>> -	/* If no access, then nothing to do */
>> -	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>> -		return 0;
>> -
>>  	if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
>>  		return -EINVAL;
>>  
>> @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>  	if (WARN_ON(iaext || paddr >> cfg->oas))
>>  		return -ERANGE;
>>  
>> +	/* If no access, then nothing to do */
>> +	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>> +		return 0;
> 
> This looks sensible to me, but please can you make the same change for
> io-pgtable-arm-v7s.c so that the behaviour is consistent across the two
> formats?
> 
OK. I can do it right now.


Thanks,
Keqian
> Thanks,
> 
> Will
> .
> 

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map

[Robin Murphy]

On 2020-12-05 08:29, Keqian Zhu wrote:
> ... then we have more chance to detect wrong code logic.

I don't follow that justification - it's still the same check with the 
same outcome, so how does moving it have any effect on the chance to 
detect errors?

AFAICS the only difference it would make is to make some errors *less* 
obvious - if a sufficiently broken caller passes an empty prot value 
alongside an invalid size or already-mapped address, this will now 
quietly hide the warnings from the more serious condition(s).

Yes, it will bail out a bit faster in the specific case where the prot 
value is the only thing wrong, but since when do we optimise for 
fundamentally incorrect API usage?

Robin.

> Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
> ---
>   drivers/iommu/io-pgtable-arm.c | 8 ++++----
>   1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
> index a7a9bc08dcd1..8ade72adab31 100644
> --- a/drivers/iommu/io-pgtable-arm.c
> +++ b/drivers/iommu/io-pgtable-arm.c
> @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>   	arm_lpae_iopte prot;
>   	long iaext = (s64)iova >> cfg->ias;
>   
> -	/* If no access, then nothing to do */
> -	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
> -		return 0;
> -
>   	if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
>   		return -EINVAL;
>   
> @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>   	if (WARN_ON(iaext || paddr >> cfg->oas))
>   		return -ERANGE;
>   
> +	/* If no access, then nothing to do */
> +	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
> +		return 0;
> +
>   	prot = arm_lpae_prot_to_pte(data, iommu_prot);
>   	ret = __arm_lpae_map(data, iova, paddr, size, prot, lvl, ptep, gfp);
>   	/*
> 

Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map

[Robin Murphy]

On 2020-12-05 08:29, Keqian Zhu wrote:
> ... then we have more chance to detect wrong code logic.

I don't follow that justification - it's still the same check with the 
same outcome, so how does moving it have any effect on the chance to 
detect errors?

AFAICS the only difference it would make is to make some errors *less* 
obvious - if a sufficiently broken caller passes an empty prot value 
alongside an invalid size or already-mapped address, this will now 
quietly hide the warnings from the more serious condition(s).

Yes, it will bail out a bit faster in the specific case where the prot 
value is the only thing wrong, but since when do we optimise for 
fundamentally incorrect API usage?

Robin.

> Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
> ---
>   drivers/iommu/io-pgtable-arm.c | 8 ++++----
>   1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
> index a7a9bc08dcd1..8ade72adab31 100644
> --- a/drivers/iommu/io-pgtable-arm.c
> +++ b/drivers/iommu/io-pgtable-arm.c
> @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>   	arm_lpae_iopte prot;
>   	long iaext = (s64)iova >> cfg->ias;
>   
> -	/* If no access, then nothing to do */
> -	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
> -		return 0;
> -
>   	if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
>   		return -EINVAL;
>   
> @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>   	if (WARN_ON(iaext || paddr >> cfg->oas))
>   		return -ERANGE;
>   
> +	/* If no access, then nothing to do */
> +	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
> +		return 0;
> +
>   	prot = arm_lpae_prot_to_pte(data, iommu_prot);
>   	ret = __arm_lpae_map(data, iova, paddr, size, prot, lvl, ptep, gfp);
>   	/*
> 
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu

Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map

[Robin Murphy]

On 2020-12-05 08:29, Keqian Zhu wrote:
> ... then we have more chance to detect wrong code logic.

I don't follow that justification - it's still the same check with the 
same outcome, so how does moving it have any effect on the chance to 
detect errors?

AFAICS the only difference it would make is to make some errors *less* 
obvious - if a sufficiently broken caller passes an empty prot value 
alongside an invalid size or already-mapped address, this will now 
quietly hide the warnings from the more serious condition(s).

Yes, it will bail out a bit faster in the specific case where the prot 
value is the only thing wrong, but since when do we optimise for 
fundamentally incorrect API usage?

Robin.

> Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
> ---
>   drivers/iommu/io-pgtable-arm.c | 8 ++++----
>   1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
> index a7a9bc08dcd1..8ade72adab31 100644
> --- a/drivers/iommu/io-pgtable-arm.c
> +++ b/drivers/iommu/io-pgtable-arm.c
> @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>   	arm_lpae_iopte prot;
>   	long iaext = (s64)iova >> cfg->ias;
>   
> -	/* If no access, then nothing to do */
> -	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
> -		return 0;
> -
>   	if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
>   		return -EINVAL;
>   
> @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>   	if (WARN_ON(iaext || paddr >> cfg->oas))
>   		return -ERANGE;
>   
> +	/* If no access, then nothing to do */
> +	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
> +		return 0;
> +
>   	prot = arm_lpae_prot_to_pte(data, iommu_prot);
>   	ret = __arm_lpae_map(data, iova, paddr, size, prot, lvl, ptep, gfp);
>   	/*
> 

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map

[Will Deacon]

On Mon, Dec 07, 2020 at 12:01:09PM +0000, Robin Murphy wrote:
> On 2020-12-05 08:29, Keqian Zhu wrote:
> > ... then we have more chance to detect wrong code logic.
> 
> I don't follow that justification - it's still the same check with the same
> outcome, so how does moving it have any effect on the chance to detect
> errors?
> 
> AFAICS the only difference it would make is to make some errors *less*
> obvious - if a sufficiently broken caller passes an empty prot value
> alongside an invalid size or already-mapped address, this will now quietly
> hide the warnings from the more serious condition(s).
> 
> Yes, it will bail out a bit faster in the specific case where the prot value
> is the only thing wrong, but since when do we optimise for fundamentally
> incorrect API usage?

I thought it was the other way round -- doesn't this patch move the "empty
prot" check later, so we have a chance to check the size and addresses
first?

Will

> > Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
> > ---
> >   drivers/iommu/io-pgtable-arm.c | 8 ++++----
> >   1 file changed, 4 insertions(+), 4 deletions(-)
> > 
> > diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
> > index a7a9bc08dcd1..8ade72adab31 100644
> > --- a/drivers/iommu/io-pgtable-arm.c
> > +++ b/drivers/iommu/io-pgtable-arm.c
> > @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
> >   	arm_lpae_iopte prot;
> >   	long iaext = (s64)iova >> cfg->ias;
> > -	/* If no access, then nothing to do */
> > -	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
> > -		return 0;
> > -
> >   	if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
> >   		return -EINVAL;
> > @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
> >   	if (WARN_ON(iaext || paddr >> cfg->oas))
> >   		return -ERANGE;
> > +	/* If no access, then nothing to do */
> > +	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
> > +		return 0;
> > +
> >   	prot = arm_lpae_prot_to_pte(data, iommu_prot);
> >   	ret = __arm_lpae_map(data, iova, paddr, size, prot, lvl, ptep, gfp);
> >   	/*
> > 

Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map

[Will Deacon]

On Mon, Dec 07, 2020 at 12:01:09PM +0000, Robin Murphy wrote:
> On 2020-12-05 08:29, Keqian Zhu wrote:
> > ... then we have more chance to detect wrong code logic.
> 
> I don't follow that justification - it's still the same check with the same
> outcome, so how does moving it have any effect on the chance to detect
> errors?
> 
> AFAICS the only difference it would make is to make some errors *less*
> obvious - if a sufficiently broken caller passes an empty prot value
> alongside an invalid size or already-mapped address, this will now quietly
> hide the warnings from the more serious condition(s).
> 
> Yes, it will bail out a bit faster in the specific case where the prot value
> is the only thing wrong, but since when do we optimise for fundamentally
> incorrect API usage?

I thought it was the other way round -- doesn't this patch move the "empty
prot" check later, so we have a chance to check the size and addresses
first?

Will

> > Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
> > ---
> >   drivers/iommu/io-pgtable-arm.c | 8 ++++----
> >   1 file changed, 4 insertions(+), 4 deletions(-)
> > 
> > diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
> > index a7a9bc08dcd1..8ade72adab31 100644
> > --- a/drivers/iommu/io-pgtable-arm.c
> > +++ b/drivers/iommu/io-pgtable-arm.c
> > @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
> >   	arm_lpae_iopte prot;
> >   	long iaext = (s64)iova >> cfg->ias;
> > -	/* If no access, then nothing to do */
> > -	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
> > -		return 0;
> > -
> >   	if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
> >   		return -EINVAL;
> > @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
> >   	if (WARN_ON(iaext || paddr >> cfg->oas))
> >   		return -ERANGE;
> > +	/* If no access, then nothing to do */
> > +	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
> > +		return 0;
> > +
> >   	prot = arm_lpae_prot_to_pte(data, iommu_prot);
> >   	ret = __arm_lpae_map(data, iova, paddr, size, prot, lvl, ptep, gfp);
> >   	/*
> > 
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu

Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map

[Will Deacon]

On Mon, Dec 07, 2020 at 12:01:09PM +0000, Robin Murphy wrote:
> On 2020-12-05 08:29, Keqian Zhu wrote:
> > ... then we have more chance to detect wrong code logic.
> 
> I don't follow that justification - it's still the same check with the same
> outcome, so how does moving it have any effect on the chance to detect
> errors?
> 
> AFAICS the only difference it would make is to make some errors *less*
> obvious - if a sufficiently broken caller passes an empty prot value
> alongside an invalid size or already-mapped address, this will now quietly
> hide the warnings from the more serious condition(s).
> 
> Yes, it will bail out a bit faster in the specific case where the prot value
> is the only thing wrong, but since when do we optimise for fundamentally
> incorrect API usage?

I thought it was the other way round -- doesn't this patch move the "empty
prot" check later, so we have a chance to check the size and addresses
first?

Will

> > Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
> > ---
> >   drivers/iommu/io-pgtable-arm.c | 8 ++++----
> >   1 file changed, 4 insertions(+), 4 deletions(-)
> > 
> > diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
> > index a7a9bc08dcd1..8ade72adab31 100644
> > --- a/drivers/iommu/io-pgtable-arm.c
> > +++ b/drivers/iommu/io-pgtable-arm.c
> > @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
> >   	arm_lpae_iopte prot;
> >   	long iaext = (s64)iova >> cfg->ias;
> > -	/* If no access, then nothing to do */
> > -	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
> > -		return 0;
> > -
> >   	if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
> >   		return -EINVAL;
> > @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
> >   	if (WARN_ON(iaext || paddr >> cfg->oas))
> >   		return -ERANGE;
> > +	/* If no access, then nothing to do */
> > +	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
> > +		return 0;
> > +
> >   	prot = arm_lpae_prot_to_pte(data, iommu_prot);
> >   	ret = __arm_lpae_map(data, iova, paddr, size, prot, lvl, ptep, gfp);
> >   	/*
> > 

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map

[zhukeqian]

Hi,

On 2020/12/7 20:05, Will Deacon wrote:
> On Mon, Dec 07, 2020 at 12:01:09PM +0000, Robin Murphy wrote:
>> On 2020-12-05 08:29, Keqian Zhu wrote:
>>> ... then we have more chance to detect wrong code logic.
>>
>> I don't follow that justification - it's still the same check with the same
>> outcome, so how does moving it have any effect on the chance to detect
>> errors?

>>
>> AFAICS the only difference it would make is to make some errors *less*
>> obvious - if a sufficiently broken caller passes an empty prot value
>> alongside an invalid size or already-mapped address, this will now quietly
>> hide the warnings from the more serious condition(s).
>>
>> Yes, it will bail out a bit faster in the specific case where the prot value
>> is the only thing wrong, but since when do we optimise for fundamentally
>> incorrect API usage?
> 
> I thought it was the other way round -- doesn't this patch move the "empty
> prot" check later, so we have a chance to check the size and addresses
> first?

Yes, this is my original idea.
For that we treat iommu_prot with no permission as success at early start, defer
this early return can expose hidden errors.

Thanks,
Keqian
> 
> Will
> 
>>> Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
>>> ---
>>>   drivers/iommu/io-pgtable-arm.c | 8 ++++----
>>>   1 file changed, 4 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
>>> index a7a9bc08dcd1..8ade72adab31 100644
>>> --- a/drivers/iommu/io-pgtable-arm.c
>>> +++ b/drivers/iommu/io-pgtable-arm.c
>>> @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>>   	arm_lpae_iopte prot;
>>>   	long iaext = (s64)iova >> cfg->ias;
>>> -	/* If no access, then nothing to do */
>>> -	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>>> -		return 0;
>>> -
>>>   	if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
>>>   		return -EINVAL;
>>> @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>>   	if (WARN_ON(iaext || paddr >> cfg->oas))
>>>   		return -ERANGE;
>>> +	/* If no access, then nothing to do */
>>> +	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>>> +		return 0;
>>> +
>>>   	prot = arm_lpae_prot_to_pte(data, iommu_prot);
>>>   	ret = __arm_lpae_map(data, iova, paddr, size, prot, lvl, ptep, gfp);
>>>   	/*
>>>
> .
> 

Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map

[zhukeqian]

Hi,

On 2020/12/7 20:05, Will Deacon wrote:
> On Mon, Dec 07, 2020 at 12:01:09PM +0000, Robin Murphy wrote:
>> On 2020-12-05 08:29, Keqian Zhu wrote:
>>> ... then we have more chance to detect wrong code logic.
>>
>> I don't follow that justification - it's still the same check with the same
>> outcome, so how does moving it have any effect on the chance to detect
>> errors?

>>
>> AFAICS the only difference it would make is to make some errors *less*
>> obvious - if a sufficiently broken caller passes an empty prot value
>> alongside an invalid size or already-mapped address, this will now quietly
>> hide the warnings from the more serious condition(s).
>>
>> Yes, it will bail out a bit faster in the specific case where the prot value
>> is the only thing wrong, but since when do we optimise for fundamentally
>> incorrect API usage?
> 
> I thought it was the other way round -- doesn't this patch move the "empty
> prot" check later, so we have a chance to check the size and addresses
> first?

Yes, this is my original idea.
For that we treat iommu_prot with no permission as success at early start, defer
this early return can expose hidden errors.

Thanks,
Keqian
> 
> Will
> 
>>> Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
>>> ---
>>>   drivers/iommu/io-pgtable-arm.c | 8 ++++----
>>>   1 file changed, 4 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
>>> index a7a9bc08dcd1..8ade72adab31 100644
>>> --- a/drivers/iommu/io-pgtable-arm.c
>>> +++ b/drivers/iommu/io-pgtable-arm.c
>>> @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>>   	arm_lpae_iopte prot;
>>>   	long iaext = (s64)iova >> cfg->ias;
>>> -	/* If no access, then nothing to do */
>>> -	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>>> -		return 0;
>>> -
>>>   	if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
>>>   		return -EINVAL;
>>> @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>>   	if (WARN_ON(iaext || paddr >> cfg->oas))
>>>   		return -ERANGE;
>>> +	/* If no access, then nothing to do */
>>> +	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>>> +		return 0;
>>> +
>>>   	prot = arm_lpae_prot_to_pte(data, iommu_prot);
>>>   	ret = __arm_lpae_map(data, iova, paddr, size, prot, lvl, ptep, gfp);
>>>   	/*
>>>
> .
> 
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu

Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map

[zhukeqian]

Hi,

On 2020/12/7 20:05, Will Deacon wrote:
> On Mon, Dec 07, 2020 at 12:01:09PM +0000, Robin Murphy wrote:
>> On 2020-12-05 08:29, Keqian Zhu wrote:
>>> ... then we have more chance to detect wrong code logic.
>>
>> I don't follow that justification - it's still the same check with the same
>> outcome, so how does moving it have any effect on the chance to detect
>> errors?

>>
>> AFAICS the only difference it would make is to make some errors *less*
>> obvious - if a sufficiently broken caller passes an empty prot value
>> alongside an invalid size or already-mapped address, this will now quietly
>> hide the warnings from the more serious condition(s).
>>
>> Yes, it will bail out a bit faster in the specific case where the prot value
>> is the only thing wrong, but since when do we optimise for fundamentally
>> incorrect API usage?
> 
> I thought it was the other way round -- doesn't this patch move the "empty
> prot" check later, so we have a chance to check the size and addresses
> first?

Yes, this is my original idea.
For that we treat iommu_prot with no permission as success at early start, defer
this early return can expose hidden errors.

Thanks,
Keqian
> 
> Will
> 
>>> Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
>>> ---
>>>   drivers/iommu/io-pgtable-arm.c | 8 ++++----
>>>   1 file changed, 4 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
>>> index a7a9bc08dcd1..8ade72adab31 100644
>>> --- a/drivers/iommu/io-pgtable-arm.c
>>> +++ b/drivers/iommu/io-pgtable-arm.c
>>> @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>>   	arm_lpae_iopte prot;
>>>   	long iaext = (s64)iova >> cfg->ias;
>>> -	/* If no access, then nothing to do */
>>> -	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>>> -		return 0;
>>> -
>>>   	if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
>>>   		return -EINVAL;
>>> @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>>   	if (WARN_ON(iaext || paddr >> cfg->oas))
>>>   		return -ERANGE;
>>> +	/* If no access, then nothing to do */
>>> +	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>>> +		return 0;
>>> +
>>>   	prot = arm_lpae_prot_to_pte(data, iommu_prot);
>>>   	ret = __arm_lpae_map(data, iova, paddr, size, prot, lvl, ptep, gfp);
>>>   	/*
>>>
> .
> 

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map

[Robin Murphy]

On 2020-12-07 12:15, zhukeqian wrote:
> Hi,
> 
> On 2020/12/7 20:05, Will Deacon wrote:
>> On Mon, Dec 07, 2020 at 12:01:09PM +0000, Robin Murphy wrote:
>>> On 2020-12-05 08:29, Keqian Zhu wrote:
>>>> ... then we have more chance to detect wrong code logic.
>>>
>>> I don't follow that justification - it's still the same check with the same
>>> outcome, so how does moving it have any effect on the chance to detect
>>> errors?
> 
>>>
>>> AFAICS the only difference it would make is to make some errors *less*
>>> obvious - if a sufficiently broken caller passes an empty prot value
>>> alongside an invalid size or already-mapped address, this will now quietly
>>> hide the warnings from the more serious condition(s).
>>>
>>> Yes, it will bail out a bit faster in the specific case where the prot value
>>> is the only thing wrong, but since when do we optimise for fundamentally
>>> incorrect API usage?
>>
>> I thought it was the other way round -- doesn't this patch move the "empty
>> prot" check later, so we have a chance to check the size and addresses
>> first?
> 
> Yes, this is my original idea.
> For that we treat iommu_prot with no permission as success at early start, defer
> this early return can expose hidden errors.

...oh dear, my apologies. I've just had a week off and apparently in 
that time I lost the ability to read :(

I was somehow convinced that the existing check happened at the point 
where we go to install the PTE, and this patch was moving it earlier. 
Looking at the whole code in context now I see I got it completely 
backwards. Sorry for being an idiot.

I guess that only goes to show that a more descriptive commit message 
would definitely be a good thing :)

Robin.

> 
> Thanks,
> Keqian
>>
>> Will
>>
>>>> Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
>>>> ---
>>>>    drivers/iommu/io-pgtable-arm.c | 8 ++++----
>>>>    1 file changed, 4 insertions(+), 4 deletions(-)
>>>>
>>>> diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
>>>> index a7a9bc08dcd1..8ade72adab31 100644
>>>> --- a/drivers/iommu/io-pgtable-arm.c
>>>> +++ b/drivers/iommu/io-pgtable-arm.c
>>>> @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>>>    	arm_lpae_iopte prot;
>>>>    	long iaext = (s64)iova >> cfg->ias;
>>>> -	/* If no access, then nothing to do */
>>>> -	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>>>> -		return 0;
>>>> -
>>>>    	if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
>>>>    		return -EINVAL;
>>>> @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>>>    	if (WARN_ON(iaext || paddr >> cfg->oas))
>>>>    		return -ERANGE;
>>>> +	/* If no access, then nothing to do */
>>>> +	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>>>> +		return 0;
>>>> +
>>>>    	prot = arm_lpae_prot_to_pte(data, iommu_prot);
>>>>    	ret = __arm_lpae_map(data, iova, paddr, size, prot, lvl, ptep, gfp);
>>>>    	/*
>>>>
>> .
>>
> _______________________________________________
> iommu mailing list
> iommu@lists.linux-foundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/iommu
> 

Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map

[Robin Murphy]

On 2020-12-07 12:15, zhukeqian wrote:
> Hi,
> 
> On 2020/12/7 20:05, Will Deacon wrote:
>> On Mon, Dec 07, 2020 at 12:01:09PM +0000, Robin Murphy wrote:
>>> On 2020-12-05 08:29, Keqian Zhu wrote:
>>>> ... then we have more chance to detect wrong code logic.
>>>
>>> I don't follow that justification - it's still the same check with the same
>>> outcome, so how does moving it have any effect on the chance to detect
>>> errors?
> 
>>>
>>> AFAICS the only difference it would make is to make some errors *less*
>>> obvious - if a sufficiently broken caller passes an empty prot value
>>> alongside an invalid size or already-mapped address, this will now quietly
>>> hide the warnings from the more serious condition(s).
>>>
>>> Yes, it will bail out a bit faster in the specific case where the prot value
>>> is the only thing wrong, but since when do we optimise for fundamentally
>>> incorrect API usage?
>>
>> I thought it was the other way round -- doesn't this patch move the "empty
>> prot" check later, so we have a chance to check the size and addresses
>> first?
> 
> Yes, this is my original idea.
> For that we treat iommu_prot with no permission as success at early start, defer
> this early return can expose hidden errors.

...oh dear, my apologies. I've just had a week off and apparently in 
that time I lost the ability to read :(

I was somehow convinced that the existing check happened at the point 
where we go to install the PTE, and this patch was moving it earlier. 
Looking at the whole code in context now I see I got it completely 
backwards. Sorry for being an idiot.

I guess that only goes to show that a more descriptive commit message 
would definitely be a good thing :)

Robin.

> 
> Thanks,
> Keqian
>>
>> Will
>>
>>>> Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
>>>> ---
>>>>    drivers/iommu/io-pgtable-arm.c | 8 ++++----
>>>>    1 file changed, 4 insertions(+), 4 deletions(-)
>>>>
>>>> diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
>>>> index a7a9bc08dcd1..8ade72adab31 100644
>>>> --- a/drivers/iommu/io-pgtable-arm.c
>>>> +++ b/drivers/iommu/io-pgtable-arm.c
>>>> @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>>>    	arm_lpae_iopte prot;
>>>>    	long iaext = (s64)iova >> cfg->ias;
>>>> -	/* If no access, then nothing to do */
>>>> -	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>>>> -		return 0;
>>>> -
>>>>    	if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
>>>>    		return -EINVAL;
>>>> @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>>>    	if (WARN_ON(iaext || paddr >> cfg->oas))
>>>>    		return -ERANGE;
>>>> +	/* If no access, then nothing to do */
>>>> +	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>>>> +		return 0;
>>>> +
>>>>    	prot = arm_lpae_prot_to_pte(data, iommu_prot);
>>>>    	ret = __arm_lpae_map(data, iova, paddr, size, prot, lvl, ptep, gfp);
>>>>    	/*
>>>>
>> .
>>
> _______________________________________________
> iommu mailing list
> iommu@lists.linux-foundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/iommu
> 
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu

Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map

[Robin Murphy]

On 2020-12-07 12:15, zhukeqian wrote:
> Hi,
> 
> On 2020/12/7 20:05, Will Deacon wrote:
>> On Mon, Dec 07, 2020 at 12:01:09PM +0000, Robin Murphy wrote:
>>> On 2020-12-05 08:29, Keqian Zhu wrote:
>>>> ... then we have more chance to detect wrong code logic.
>>>
>>> I don't follow that justification - it's still the same check with the same
>>> outcome, so how does moving it have any effect on the chance to detect
>>> errors?
> 
>>>
>>> AFAICS the only difference it would make is to make some errors *less*
>>> obvious - if a sufficiently broken caller passes an empty prot value
>>> alongside an invalid size or already-mapped address, this will now quietly
>>> hide the warnings from the more serious condition(s).
>>>
>>> Yes, it will bail out a bit faster in the specific case where the prot value
>>> is the only thing wrong, but since when do we optimise for fundamentally
>>> incorrect API usage?
>>
>> I thought it was the other way round -- doesn't this patch move the "empty
>> prot" check later, so we have a chance to check the size and addresses
>> first?
> 
> Yes, this is my original idea.
> For that we treat iommu_prot with no permission as success at early start, defer
> this early return can expose hidden errors.

...oh dear, my apologies. I've just had a week off and apparently in 
that time I lost the ability to read :(

I was somehow convinced that the existing check happened at the point 
where we go to install the PTE, and this patch was moving it earlier. 
Looking at the whole code in context now I see I got it completely 
backwards. Sorry for being an idiot.

I guess that only goes to show that a more descriptive commit message 
would definitely be a good thing :)

Robin.

> 
> Thanks,
> Keqian
>>
>> Will
>>
>>>> Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
>>>> ---
>>>>    drivers/iommu/io-pgtable-arm.c | 8 ++++----
>>>>    1 file changed, 4 insertions(+), 4 deletions(-)
>>>>
>>>> diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
>>>> index a7a9bc08dcd1..8ade72adab31 100644
>>>> --- a/drivers/iommu/io-pgtable-arm.c
>>>> +++ b/drivers/iommu/io-pgtable-arm.c
>>>> @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>>>    	arm_lpae_iopte prot;
>>>>    	long iaext = (s64)iova >> cfg->ias;
>>>> -	/* If no access, then nothing to do */
>>>> -	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>>>> -		return 0;
>>>> -
>>>>    	if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
>>>>    		return -EINVAL;
>>>> @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>>>    	if (WARN_ON(iaext || paddr >> cfg->oas))
>>>>    		return -ERANGE;
>>>> +	/* If no access, then nothing to do */
>>>> +	if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>>>> +		return 0;
>>>> +
>>>>    	prot = arm_lpae_prot_to_pte(data, iommu_prot);
>>>>    	ret = __arm_lpae_map(data, iova, paddr, size, prot, lvl, ptep, gfp);
>>>>    	/*
>>>>
>> .
>>
> _______________________________________________
> iommu mailing list
> iommu@lists.linux-foundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/iommu
> 

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map

[zhukeqian]

Hi Robin,

On 2020/12/7 20:46, Robin Murphy wrote:
> On 2020-12-07 12:15, zhukeqian wrote:
>> Hi,
>>
>> On 2020/12/7 20:05, Will Deacon wrote:
>>> On Mon, Dec 07, 2020 at 12:01:09PM +0000, Robin Murphy wrote:
>>>> On 2020-12-05 08:29, Keqian Zhu wrote:
>>>>> ... then we have more chance to detect wrong code logic.
>>>>
>>>> I don't follow that justification - it's still the same check with the same
>>>> outcome, so how does moving it have any effect on the chance to detect
>>>> errors?
>>
>>>>
>>>> AFAICS the only difference it would make is to make some errors *less*
>>>> obvious - if a sufficiently broken caller passes an empty prot value
>>>> alongside an invalid size or already-mapped address, this will now quietly
>>>> hide the warnings from the more serious condition(s).
>>>>
>>>> Yes, it will bail out a bit faster in the specific case where the prot value
>>>> is the only thing wrong, but since when do we optimise for fundamentally
>>>> incorrect API usage?
>>>
>>> I thought it was the other way round -- doesn't this patch move the "empty
>>> prot" check later, so we have a chance to check the size and addresses
>>> first?
>>
>> Yes, this is my original idea.
>> For that we treat iommu_prot with no permission as success at early start, defer
>> this early return can expose hidden errors.
> 
> ...oh dear, my apologies. I've just had a week off and apparently in that time I lost the ability to read :(
> 
> I was somehow convinced that the existing check happened at the point where we go to install the PTE, and this patch was moving it earlier. Looking at the whole code in context now I see I got it completely backwards. Sorry for being an idiot.
> 
I see :-) I should make a more descriptive commit message.

> I guess that only goes to show that a more descriptive commit message would definitely be a good thing :)
> 
I have adapted Will's suggestion and sent v2, please check whether it is OK to you?

Cheers,
Keqian

[...]
>> _______________________________________________
>> iommu mailing list
>> iommu@lists.linux-foundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/iommu
>>
> .
> 

Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map

[zhukeqian]

Hi Robin,

On 2020/12/7 20:46, Robin Murphy wrote:
> On 2020-12-07 12:15, zhukeqian wrote:
>> Hi,
>>
>> On 2020/12/7 20:05, Will Deacon wrote:
>>> On Mon, Dec 07, 2020 at 12:01:09PM +0000, Robin Murphy wrote:
>>>> On 2020-12-05 08:29, Keqian Zhu wrote:
>>>>> ... then we have more chance to detect wrong code logic.
>>>>
>>>> I don't follow that justification - it's still the same check with the same
>>>> outcome, so how does moving it have any effect on the chance to detect
>>>> errors?
>>
>>>>
>>>> AFAICS the only difference it would make is to make some errors *less*
>>>> obvious - if a sufficiently broken caller passes an empty prot value
>>>> alongside an invalid size or already-mapped address, this will now quietly
>>>> hide the warnings from the more serious condition(s).
>>>>
>>>> Yes, it will bail out a bit faster in the specific case where the prot value
>>>> is the only thing wrong, but since when do we optimise for fundamentally
>>>> incorrect API usage?
>>>
>>> I thought it was the other way round -- doesn't this patch move the "empty
>>> prot" check later, so we have a chance to check the size and addresses
>>> first?
>>
>> Yes, this is my original idea.
>> For that we treat iommu_prot with no permission as success at early start, defer
>> this early return can expose hidden errors.
> 
> ...oh dear, my apologies. I've just had a week off and apparently in that time I lost the ability to read :(
> 
> I was somehow convinced that the existing check happened at the point where we go to install the PTE, and this patch was moving it earlier. Looking at the whole code in context now I see I got it completely backwards. Sorry for being an idiot.
> 
I see :-) I should make a more descriptive commit message.

> I guess that only goes to show that a more descriptive commit message would definitely be a good thing :)
> 
I have adapted Will's suggestion and sent v2, please check whether it is OK to you?

Cheers,
Keqian

[...]
>> _______________________________________________
>> iommu mailing list
>> iommu@lists.linux-foundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/iommu
>>
> .
> 
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu

Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map

[zhukeqian]

Hi Robin,

On 2020/12/7 20:46, Robin Murphy wrote:
> On 2020-12-07 12:15, zhukeqian wrote:
>> Hi,
>>
>> On 2020/12/7 20:05, Will Deacon wrote:
>>> On Mon, Dec 07, 2020 at 12:01:09PM +0000, Robin Murphy wrote:
>>>> On 2020-12-05 08:29, Keqian Zhu wrote:
>>>>> ... then we have more chance to detect wrong code logic.
>>>>
>>>> I don't follow that justification - it's still the same check with the same
>>>> outcome, so how does moving it have any effect on the chance to detect
>>>> errors?
>>
>>>>
>>>> AFAICS the only difference it would make is to make some errors *less*
>>>> obvious - if a sufficiently broken caller passes an empty prot value
>>>> alongside an invalid size or already-mapped address, this will now quietly
>>>> hide the warnings from the more serious condition(s).
>>>>
>>>> Yes, it will bail out a bit faster in the specific case where the prot value
>>>> is the only thing wrong, but since when do we optimise for fundamentally
>>>> incorrect API usage?
>>>
>>> I thought it was the other way round -- doesn't this patch move the "empty
>>> prot" check later, so we have a chance to check the size and addresses
>>> first?
>>
>> Yes, this is my original idea.
>> For that we treat iommu_prot with no permission as success at early start, defer
>> this early return can expose hidden errors.
> 
> ...oh dear, my apologies. I've just had a week off and apparently in that time I lost the ability to read :(
> 
> I was somehow convinced that the existing check happened at the point where we go to install the PTE, and this patch was moving it earlier. Looking at the whole code in context now I see I got it completely backwards. Sorry for being an idiot.
> 
I see :-) I should make a more descriptive commit message.

> I guess that only goes to show that a more descriptive commit message would definitely be a good thing :)
> 
I have adapted Will's suggestion and sent v2, please check whether it is OK to you?

Cheers,
Keqian

[...]
>> _______________________________________________
>> iommu mailing list
>> iommu@lists.linux-foundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/iommu
>>
> .
> 

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel