From: zhukeqian <zhukeqian1@huawei.com>
To: Will Deacon <will@kernel.org>, Robin Murphy <robin.murphy@arm.com>
Cc: <linux-kernel@vger.kernel.org>,
<linux-arm-kernel@lists.infradead.org>,
<iommu@lists.linux-foundation.org>, Marc Zyngier <maz@kernel.org>,
"Joerg Roedel" <joro@8bytes.org>,
Catalin Marinas <catalin.marinas@arm.com>,
"James Morse" <james.morse@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
"Sean Christopherson" <sean.j.christopherson@intel.com>,
Julien Thierry <julien.thierry.kdev@gmail.com>,
Mark Brown <broonie@kernel.org>,
"Thomas Gleixner" <tglx@linutronix.de>,
Andrew Morton <akpm@linux-foundation.org>,
Alexios Zavras <alexios.zavras@intel.com>,
<wanghaibin.wang@huawei.com>, <jiangkunkun@huawei.com>
Subject: Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map
Date: Mon, 7 Dec 2020 20:15:21 +0800 [thread overview]
Message-ID: <2b0ec25b-0fa4-65ca-7c1b-109ce766197f@huawei.com> (raw)
In-Reply-To: <20201207120527.GA4474@willie-the-truck>
Hi,
On 2020/12/7 20:05, Will Deacon wrote:
> On Mon, Dec 07, 2020 at 12:01:09PM +0000, Robin Murphy wrote:
>> On 2020-12-05 08:29, Keqian Zhu wrote:
>>> ... then we have more chance to detect wrong code logic.
>>
>> I don't follow that justification - it's still the same check with the same
>> outcome, so how does moving it have any effect on the chance to detect
>> errors?
>>
>> AFAICS the only difference it would make is to make some errors *less*
>> obvious - if a sufficiently broken caller passes an empty prot value
>> alongside an invalid size or already-mapped address, this will now quietly
>> hide the warnings from the more serious condition(s).
>>
>> Yes, it will bail out a bit faster in the specific case where the prot value
>> is the only thing wrong, but since when do we optimise for fundamentally
>> incorrect API usage?
>
> I thought it was the other way round -- doesn't this patch move the "empty
> prot" check later, so we have a chance to check the size and addresses
> first?
Yes, this is my original idea.
For that we treat iommu_prot with no permission as success at early start, defer
this early return can expose hidden errors.
Thanks,
Keqian
>
> Will
>
>>> Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
>>> ---
>>> drivers/iommu/io-pgtable-arm.c | 8 ++++----
>>> 1 file changed, 4 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
>>> index a7a9bc08dcd1..8ade72adab31 100644
>>> --- a/drivers/iommu/io-pgtable-arm.c
>>> +++ b/drivers/iommu/io-pgtable-arm.c
>>> @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>> arm_lpae_iopte prot;
>>> long iaext = (s64)iova >> cfg->ias;
>>> - /* If no access, then nothing to do */
>>> - if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>>> - return 0;
>>> -
>>> if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
>>> return -EINVAL;
>>> @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>> if (WARN_ON(iaext || paddr >> cfg->oas))
>>> return -ERANGE;
>>> + /* If no access, then nothing to do */
>>> + if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>>> + return 0;
>>> +
>>> prot = arm_lpae_prot_to_pte(data, iommu_prot);
>>> ret = __arm_lpae_map(data, iova, paddr, size, prot, lvl, ptep, gfp);
>>> /*
>>>
> .
>
WARNING: multiple messages have this Message-ID (diff)
From: zhukeqian <zhukeqian1@huawei.com>
To: Will Deacon <will@kernel.org>, Robin Murphy <robin.murphy@arm.com>
Cc: Suzuki K Poulose <suzuki.poulose@arm.com>,
Marc Zyngier <maz@kernel.org>,
jiangkunkun@huawei.com, linux-kernel@vger.kernel.org,
Sean Christopherson <sean.j.christopherson@intel.com>,
Alexios Zavras <alexios.zavras@intel.com>,
iommu@lists.linux-foundation.org, Mark Brown <broonie@kernel.org>,
James Morse <james.morse@arm.com>,
Julien Thierry <julien.thierry.kdev@gmail.com>,
Catalin Marinas <catalin.marinas@arm.com>,
wanghaibin.wang@huawei.com, Thomas Gleixner <tglx@linutronix.de>,
Andrew Morton <akpm@linux-foundation.org>,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map
Date: Mon, 7 Dec 2020 20:15:21 +0800 [thread overview]
Message-ID: <2b0ec25b-0fa4-65ca-7c1b-109ce766197f@huawei.com> (raw)
In-Reply-To: <20201207120527.GA4474@willie-the-truck>
Hi,
On 2020/12/7 20:05, Will Deacon wrote:
> On Mon, Dec 07, 2020 at 12:01:09PM +0000, Robin Murphy wrote:
>> On 2020-12-05 08:29, Keqian Zhu wrote:
>>> ... then we have more chance to detect wrong code logic.
>>
>> I don't follow that justification - it's still the same check with the same
>> outcome, so how does moving it have any effect on the chance to detect
>> errors?
>>
>> AFAICS the only difference it would make is to make some errors *less*
>> obvious - if a sufficiently broken caller passes an empty prot value
>> alongside an invalid size or already-mapped address, this will now quietly
>> hide the warnings from the more serious condition(s).
>>
>> Yes, it will bail out a bit faster in the specific case where the prot value
>> is the only thing wrong, but since when do we optimise for fundamentally
>> incorrect API usage?
>
> I thought it was the other way round -- doesn't this patch move the "empty
> prot" check later, so we have a chance to check the size and addresses
> first?
Yes, this is my original idea.
For that we treat iommu_prot with no permission as success at early start, defer
this early return can expose hidden errors.
Thanks,
Keqian
>
> Will
>
>>> Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
>>> ---
>>> drivers/iommu/io-pgtable-arm.c | 8 ++++----
>>> 1 file changed, 4 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
>>> index a7a9bc08dcd1..8ade72adab31 100644
>>> --- a/drivers/iommu/io-pgtable-arm.c
>>> +++ b/drivers/iommu/io-pgtable-arm.c
>>> @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>> arm_lpae_iopte prot;
>>> long iaext = (s64)iova >> cfg->ias;
>>> - /* If no access, then nothing to do */
>>> - if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>>> - return 0;
>>> -
>>> if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
>>> return -EINVAL;
>>> @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>> if (WARN_ON(iaext || paddr >> cfg->oas))
>>> return -ERANGE;
>>> + /* If no access, then nothing to do */
>>> + if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>>> + return 0;
>>> +
>>> prot = arm_lpae_prot_to_pte(data, iommu_prot);
>>> ret = __arm_lpae_map(data, iova, paddr, size, prot, lvl, ptep, gfp);
>>> /*
>>>
> .
>
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
WARNING: multiple messages have this Message-ID (diff)
From: zhukeqian <zhukeqian1@huawei.com>
To: Will Deacon <will@kernel.org>, Robin Murphy <robin.murphy@arm.com>
Cc: Suzuki K Poulose <suzuki.poulose@arm.com>,
Marc Zyngier <maz@kernel.org>, Joerg Roedel <joro@8bytes.org>,
jiangkunkun@huawei.com, linux-kernel@vger.kernel.org,
Sean Christopherson <sean.j.christopherson@intel.com>,
Alexios Zavras <alexios.zavras@intel.com>,
iommu@lists.linux-foundation.org, Mark Brown <broonie@kernel.org>,
James Morse <james.morse@arm.com>,
Julien Thierry <julien.thierry.kdev@gmail.com>,
Catalin Marinas <catalin.marinas@arm.com>,
wanghaibin.wang@huawei.com, Thomas Gleixner <tglx@linutronix.de>,
Andrew Morton <akpm@linux-foundation.org>,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map
Date: Mon, 7 Dec 2020 20:15:21 +0800 [thread overview]
Message-ID: <2b0ec25b-0fa4-65ca-7c1b-109ce766197f@huawei.com> (raw)
In-Reply-To: <20201207120527.GA4474@willie-the-truck>
Hi,
On 2020/12/7 20:05, Will Deacon wrote:
> On Mon, Dec 07, 2020 at 12:01:09PM +0000, Robin Murphy wrote:
>> On 2020-12-05 08:29, Keqian Zhu wrote:
>>> ... then we have more chance to detect wrong code logic.
>>
>> I don't follow that justification - it's still the same check with the same
>> outcome, so how does moving it have any effect on the chance to detect
>> errors?
>>
>> AFAICS the only difference it would make is to make some errors *less*
>> obvious - if a sufficiently broken caller passes an empty prot value
>> alongside an invalid size or already-mapped address, this will now quietly
>> hide the warnings from the more serious condition(s).
>>
>> Yes, it will bail out a bit faster in the specific case where the prot value
>> is the only thing wrong, but since when do we optimise for fundamentally
>> incorrect API usage?
>
> I thought it was the other way round -- doesn't this patch move the "empty
> prot" check later, so we have a chance to check the size and addresses
> first?
Yes, this is my original idea.
For that we treat iommu_prot with no permission as success at early start, defer
this early return can expose hidden errors.
Thanks,
Keqian
>
> Will
>
>>> Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
>>> ---
>>> drivers/iommu/io-pgtable-arm.c | 8 ++++----
>>> 1 file changed, 4 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
>>> index a7a9bc08dcd1..8ade72adab31 100644
>>> --- a/drivers/iommu/io-pgtable-arm.c
>>> +++ b/drivers/iommu/io-pgtable-arm.c
>>> @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>> arm_lpae_iopte prot;
>>> long iaext = (s64)iova >> cfg->ias;
>>> - /* If no access, then nothing to do */
>>> - if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>>> - return 0;
>>> -
>>> if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
>>> return -EINVAL;
>>> @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>> if (WARN_ON(iaext || paddr >> cfg->oas))
>>> return -ERANGE;
>>> + /* If no access, then nothing to do */
>>> + if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>>> + return 0;
>>> +
>>> prot = arm_lpae_prot_to_pte(data, iommu_prot);
>>> ret = __arm_lpae_map(data, iova, paddr, size, prot, lvl, ptep, gfp);
>>> /*
>>>
> .
>
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2020-12-07 12:16 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-05 8:29 [PATCH] iommu: Up front sanity check in the arm_lpae_map Keqian Zhu
2020-12-05 8:29 ` Keqian Zhu
2020-12-05 8:29 ` Keqian Zhu
2020-12-07 10:59 ` Will Deacon
2020-12-07 10:59 ` Will Deacon
2020-12-07 10:59 ` Will Deacon
2020-12-07 11:37 ` zhukeqian
2020-12-07 11:37 ` zhukeqian
2020-12-07 11:37 ` zhukeqian
2020-12-07 12:01 ` Robin Murphy
2020-12-07 12:01 ` Robin Murphy
2020-12-07 12:01 ` Robin Murphy
2020-12-07 12:05 ` Will Deacon
2020-12-07 12:05 ` Will Deacon
2020-12-07 12:05 ` Will Deacon
2020-12-07 12:15 ` zhukeqian [this message]
2020-12-07 12:15 ` zhukeqian
2020-12-07 12:15 ` zhukeqian
2020-12-07 12:46 ` Robin Murphy
2020-12-07 12:46 ` Robin Murphy
2020-12-07 12:46 ` Robin Murphy
2020-12-07 13:36 ` zhukeqian
2020-12-07 13:36 ` zhukeqian
2020-12-07 13:36 ` zhukeqian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2b0ec25b-0fa4-65ca-7c1b-109ce766197f@huawei.com \
--to=zhukeqian1@huawei.com \
--cc=akpm@linux-foundation.org \
--cc=alexios.zavras@intel.com \
--cc=broonie@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=iommu@lists.linux-foundation.org \
--cc=james.morse@arm.com \
--cc=jiangkunkun@huawei.com \
--cc=joro@8bytes.org \
--cc=julien.thierry.kdev@gmail.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maz@kernel.org \
--cc=robin.murphy@arm.com \
--cc=sean.j.christopherson@intel.com \
--cc=suzuki.poulose@arm.com \
--cc=tglx@linutronix.de \
--cc=wanghaibin.wang@huawei.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.