From: Alyssa Rosenzweig <alyssa@rosenzweig.io>
To: Sven Peter <sven@svenpeter.dev>
Cc: iommu@lists.linux-foundation.org, Joerg Roedel <joro@8bytes.org>,
Will Deacon <will@kernel.org>,
Robin Murphy <robin.murphy@arm.com>,
Arnd Bergmann <arnd@kernel.org>,
Mohamed Mediouni <mohamed.mediouni@caramail.com>,
Alexander Graf <graf@amazon.com>,
Hector Martin <marcan@marcan.st>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 3/8] iommu/dma: Disable get_sgtable for granule > PAGE_SIZE
Date: Wed, 1 Sep 2021 17:10:09 -0400 [thread overview]
Message-ID: <YS/sMckPUJRMYwYq@sunset> (raw)
In-Reply-To: <c8bc7f77-3b46-4675-a642-76871fcec963@www.fastmail.com>
> My biggest issue is that I do not understand how this function is supposed
> to be used correctly. It would work fine as-is if it only ever gets passed buffers
> allocated by the coherent API but there's not way to check or guarantee that.
> There may also be callers making assumptions that no longer hold when
> iovad->granule > PAGE_SIZE.
>
> Regarding your case: I'm not convinced the function is meant to be used there.
> If I understand it correctly, your code first allocates memory with dma_alloc_coherent
> (which possibly creates a sgt internally and then maps it with iommu_map_sg),
> then coerces that back into a sgt with dma_get_sgtable, and then maps that sgt to
> another iommu domain with dma_map_sg while assuming that the result will be contiguous
> in IOVA space. It'll work out because dma_alloc_coherent is the very thing
> meant to allocate pages that can be mapped into kernel and device VA space
> as a single contiguous block and because both of your IOMMUs are different
> instances of the same HW block. Anything allocated by dma_alloc_coherent for the
> first IOMMU will have the right shape that will allow it to be mapped as
> a single contiguous block for the second IOMMU.
>
> What could be done in your case is to instead use the IOMMU API,
> allocate the pages yourself (while ensuring the sgt your create is made up
> of blocks with size and physaddr aligned to max(domain_a->granule, domain_b->granule))
> and then just use iommu_map_sg for both domains which actually comes with the
> guarantee that the result will be a single contiguous block in IOVA space and
> doesn't required the sgt roundtrip.
In principle I agree. I am getting the sense this function can't be used
correctly in general, and yet is the function that's meant to be used.
If my interpretation of prior LKML discussion holds, the problems are
far deeper than my code or indeed page size problems...
If the right way to handle this is with the IOMMU and IOVA APIs, I really wish
that dance were wrapped up in a safe helper function instead of open
coding it in every driver that does cross device sharing.
We might even call that helper... hmm... dma_map_sg.... *ducks*
For context for people-other-than-Sven, the code in question from my
tree appears below the break.
---------------------------------------------------------------------------------
/*
* Allocate an IOVA contiguous buffer mapped to the DCP. The buffer need not be
* physically contigiuous, however we should save the sgtable in case the
* buffer needs to be later mapped for PIODMA.
*/
static bool dcpep_cb_allocate_buffer(struct apple_dcp *dcp, void *out, void *in)
{
struct dcp_allocate_buffer_resp *resp = out;
struct dcp_allocate_buffer_req *req = in;
void *buf;
resp->dva_size = ALIGN(req->size, 4096);
resp->mem_desc_id = ++dcp->nr_mappings;
if (resp->mem_desc_id >= ARRAY_SIZE(dcp->mappings)) {
dev_warn(dcp->dev, "DCP overflowed mapping table, ignoring");
return true;
}
buf = dma_alloc_coherent(dcp->dev, resp->dva_size, &resp->dva,
GFP_KERNEL);
dma_get_sgtable(dcp->dev, &dcp->mappings[resp->mem_desc_id], buf,
resp->dva, resp->dva_size);
WARN_ON(resp->mem_desc_id == 0);
return true;
}
/*
* Callback to map a buffer allocated with allocate_buf for PIODMA usage.
* PIODMA is separate from the main DCP and uses own IOVA space on a dedicated
* stream of the display DART, rather than the expected DCP DART.
*
* XXX: This relies on dma_get_sgtable in concert with dma_map_sgtable, which
* is a "fundamentally unsafe" operation according to the docs. And yet
* everyone does it...
*/
static bool dcpep_cb_map_piodma(struct apple_dcp *dcp, void *out, void *in)
{
struct dcp_map_buf_resp *resp = out;
struct dcp_map_buf_req *req = in;
struct sg_table *map;
if (req->buffer >= ARRAY_SIZE(dcp->mappings))
goto reject;
map = &dcp->mappings[req->buffer];
if (!map->sgl)
goto reject;
/* XNU leaks a kernel VA here, breaking kASLR. Don't do that. */
resp->vaddr = 0;
/* Use PIODMA device instead of DCP to map against the right IOMMU. */
resp->ret = dma_map_sgtable(dcp->piodma, map, DMA_BIDIRECTIONAL, 0);
if (resp->ret)
dev_warn(dcp->dev, "failed to map for piodma %d\n", resp->ret);
else
resp->dva = sg_dma_address(map->sgl);
resp->ret = 0;
return true;
reject:
dev_warn(dcp->dev, "denying map of invalid buffer %llx for pidoma\n",
req->buffer);
resp->ret = EINVAL;
return true;
}
WARNING: multiple messages have this Message-ID (diff)
From: Alyssa Rosenzweig <alyssa@rosenzweig.io>
To: Sven Peter <sven@svenpeter.dev>
Cc: Arnd Bergmann <arnd@kernel.org>, Will Deacon <will@kernel.org>,
Hector Martin <marcan@marcan.st>,
linux-kernel@vger.kernel.org, iommu@lists.linux-foundation.org,
Alexander Graf <graf@amazon.com>,
Mohamed Mediouni <mohamed.mediouni@caramail.com>,
Robin Murphy <robin.murphy@arm.com>
Subject: Re: [PATCH v2 3/8] iommu/dma: Disable get_sgtable for granule > PAGE_SIZE
Date: Wed, 1 Sep 2021 17:10:09 -0400 [thread overview]
Message-ID: <YS/sMckPUJRMYwYq@sunset> (raw)
In-Reply-To: <c8bc7f77-3b46-4675-a642-76871fcec963@www.fastmail.com>
> My biggest issue is that I do not understand how this function is supposed
> to be used correctly. It would work fine as-is if it only ever gets passed buffers
> allocated by the coherent API but there's not way to check or guarantee that.
> There may also be callers making assumptions that no longer hold when
> iovad->granule > PAGE_SIZE.
>
> Regarding your case: I'm not convinced the function is meant to be used there.
> If I understand it correctly, your code first allocates memory with dma_alloc_coherent
> (which possibly creates a sgt internally and then maps it with iommu_map_sg),
> then coerces that back into a sgt with dma_get_sgtable, and then maps that sgt to
> another iommu domain with dma_map_sg while assuming that the result will be contiguous
> in IOVA space. It'll work out because dma_alloc_coherent is the very thing
> meant to allocate pages that can be mapped into kernel and device VA space
> as a single contiguous block and because both of your IOMMUs are different
> instances of the same HW block. Anything allocated by dma_alloc_coherent for the
> first IOMMU will have the right shape that will allow it to be mapped as
> a single contiguous block for the second IOMMU.
>
> What could be done in your case is to instead use the IOMMU API,
> allocate the pages yourself (while ensuring the sgt your create is made up
> of blocks with size and physaddr aligned to max(domain_a->granule, domain_b->granule))
> and then just use iommu_map_sg for both domains which actually comes with the
> guarantee that the result will be a single contiguous block in IOVA space and
> doesn't required the sgt roundtrip.
In principle I agree. I am getting the sense this function can't be used
correctly in general, and yet is the function that's meant to be used.
If my interpretation of prior LKML discussion holds, the problems are
far deeper than my code or indeed page size problems...
If the right way to handle this is with the IOMMU and IOVA APIs, I really wish
that dance were wrapped up in a safe helper function instead of open
coding it in every driver that does cross device sharing.
We might even call that helper... hmm... dma_map_sg.... *ducks*
For context for people-other-than-Sven, the code in question from my
tree appears below the break.
---------------------------------------------------------------------------------
/*
* Allocate an IOVA contiguous buffer mapped to the DCP. The buffer need not be
* physically contigiuous, however we should save the sgtable in case the
* buffer needs to be later mapped for PIODMA.
*/
static bool dcpep_cb_allocate_buffer(struct apple_dcp *dcp, void *out, void *in)
{
struct dcp_allocate_buffer_resp *resp = out;
struct dcp_allocate_buffer_req *req = in;
void *buf;
resp->dva_size = ALIGN(req->size, 4096);
resp->mem_desc_id = ++dcp->nr_mappings;
if (resp->mem_desc_id >= ARRAY_SIZE(dcp->mappings)) {
dev_warn(dcp->dev, "DCP overflowed mapping table, ignoring");
return true;
}
buf = dma_alloc_coherent(dcp->dev, resp->dva_size, &resp->dva,
GFP_KERNEL);
dma_get_sgtable(dcp->dev, &dcp->mappings[resp->mem_desc_id], buf,
resp->dva, resp->dva_size);
WARN_ON(resp->mem_desc_id == 0);
return true;
}
/*
* Callback to map a buffer allocated with allocate_buf for PIODMA usage.
* PIODMA is separate from the main DCP and uses own IOVA space on a dedicated
* stream of the display DART, rather than the expected DCP DART.
*
* XXX: This relies on dma_get_sgtable in concert with dma_map_sgtable, which
* is a "fundamentally unsafe" operation according to the docs. And yet
* everyone does it...
*/
static bool dcpep_cb_map_piodma(struct apple_dcp *dcp, void *out, void *in)
{
struct dcp_map_buf_resp *resp = out;
struct dcp_map_buf_req *req = in;
struct sg_table *map;
if (req->buffer >= ARRAY_SIZE(dcp->mappings))
goto reject;
map = &dcp->mappings[req->buffer];
if (!map->sgl)
goto reject;
/* XNU leaks a kernel VA here, breaking kASLR. Don't do that. */
resp->vaddr = 0;
/* Use PIODMA device instead of DCP to map against the right IOMMU. */
resp->ret = dma_map_sgtable(dcp->piodma, map, DMA_BIDIRECTIONAL, 0);
if (resp->ret)
dev_warn(dcp->dev, "failed to map for piodma %d\n", resp->ret);
else
resp->dva = sg_dma_address(map->sgl);
resp->ret = 0;
return true;
reject:
dev_warn(dcp->dev, "denying map of invalid buffer %llx for pidoma\n",
req->buffer);
resp->ret = EINVAL;
return true;
}
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
next prev parent reply other threads:[~2021-09-02 1:32 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-28 15:36 [PATCH v2 0/8] Support IOMMU page sizes larger than the CPU page size Sven Peter
2021-08-28 15:36 ` Sven Peter via iommu
2021-08-28 15:36 ` [PATCH v2 1/8] iommu/dma: Align size for untrusted devs to IOVA granule Sven Peter
2021-08-28 15:36 ` Sven Peter via iommu
2021-08-28 15:36 ` [PATCH v2 2/8] iommu/dma: Fail unaligned map requests for untrusted devs Sven Peter
2021-08-28 15:36 ` Sven Peter via iommu
2021-08-28 19:00 ` Sven Peter
2021-08-28 19:00 ` Sven Peter via iommu
2021-08-28 15:36 ` [PATCH v2 3/8] iommu/dma: Disable get_sgtable for granule > PAGE_SIZE Sven Peter
2021-08-28 15:36 ` Sven Peter via iommu
2021-08-31 21:30 ` Alyssa Rosenzweig
2021-08-31 21:30 ` Alyssa Rosenzweig
2021-09-01 17:06 ` Sven Peter
2021-09-01 17:06 ` Sven Peter via iommu
2021-09-01 21:10 ` Alyssa Rosenzweig [this message]
2021-09-01 21:10 ` Alyssa Rosenzweig
2021-09-02 18:19 ` Sven Peter
2021-09-02 18:19 ` Sven Peter via iommu
2021-09-02 19:42 ` Robin Murphy
2021-09-02 19:42 ` Robin Murphy
2021-09-03 13:11 ` Alyssa Rosenzweig
2021-09-03 13:11 ` Alyssa Rosenzweig
2021-09-03 15:16 ` Sven Peter
2021-09-03 15:16 ` Sven Peter via iommu
2021-09-03 15:45 ` Robin Murphy
2021-09-03 15:45 ` Robin Murphy
2021-09-03 16:51 ` Sven Peter
2021-09-03 16:51 ` Sven Peter via iommu
2021-08-28 15:36 ` [PATCH v2 4/8] iommu/dma: Support granule > PAGE_SIZE in dma_map_sg Sven Peter
2021-08-28 15:36 ` Sven Peter via iommu
2021-08-28 21:10 ` kernel test robot
2021-08-28 21:10 ` kernel test robot
2021-08-28 21:10 ` kernel test robot
2021-08-28 22:31 ` kernel test robot
2021-08-28 22:31 ` kernel test robot
2021-08-28 22:33 ` kernel test robot
2021-08-28 22:33 ` kernel test robot
2021-08-28 22:33 ` kernel test robot
2021-08-28 15:36 ` [PATCH v2 5/8] iommu/dma: Support PAGE_SIZE < iovad->granule allocations Sven Peter
2021-08-28 15:36 ` Sven Peter via iommu
2021-08-28 15:36 ` [PATCH v2 6/8] iommu: Move IOMMU pagesize check to attach_device Sven Peter
2021-08-28 15:36 ` Sven Peter via iommu
2021-08-31 21:39 ` Alyssa Rosenzweig
2021-08-31 21:39 ` Alyssa Rosenzweig
2021-09-01 17:14 ` Sven Peter
2021-09-01 17:14 ` Sven Peter via iommu
2021-09-01 18:53 ` Robin Murphy
2021-09-01 18:53 ` Robin Murphy
2021-08-28 15:36 ` [PATCH v2 7/8] iommu: Introduce __IOMMU_DOMAIN_LP Sven Peter
2021-08-28 15:36 ` Sven Peter via iommu
2021-08-28 15:36 ` [PATCH v2 8/8] iommu/dart: Remove force_bypass logic Sven Peter
2021-08-28 15:36 ` Sven Peter via iommu
2021-08-31 21:40 ` Alyssa Rosenzweig
2021-08-31 21:40 ` Alyssa Rosenzweig
2021-08-31 21:32 ` [PATCH v2 0/8] Support IOMMU page sizes larger than the CPU page size Alyssa Rosenzweig
2021-08-31 21:32 ` Alyssa Rosenzweig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YS/sMckPUJRMYwYq@sunset \
--to=alyssa@rosenzweig.io \
--cc=arnd@kernel.org \
--cc=graf@amazon.com \
--cc=iommu@lists.linux-foundation.org \
--cc=joro@8bytes.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marcan@marcan.st \
--cc=mohamed.mediouni@caramail.com \
--cc=robin.murphy@arm.com \
--cc=sven@svenpeter.dev \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.