From: Fenghua Yu <fenghua.yu@intel.com>
To: Dave Hansen <dave.hansen@intel.com>
Cc: Jean-Philippe Brucker <jean-philippe@linaro.org>,
	Jacob Pan <jacob.jun.pan@linux.intel.com>,
	Tony Luck <tony.luck@intel.com>, Ashok Raj <ashok.raj@intel.com>,
	Ravi V Shankar <ravi.v.shankar@intel.com>,
	Peter Zijlstra <peterz@infradead.org>,
	robin.murphy@arm.com, Dave Hansen <dave.hansen@linux.intel.com>,
	x86 <x86@kernel.org>, linux-kernel <linux-kernel@vger.kernel.org>,
	iommu <iommu@lists.linux-foundation.org>,
	Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
	Andy Lutomirski <luto@kernel.org>,
	Josh Poimboeuf <jpoimboe@redhat.com>,
	zhangfei.gao@linaro.org, Thomas Gleixner <tglx@linutronix.de>,
	will@kernel.org
Subject: Re: [PATCH v4 05/11] iommu/sva: Assign a PASID to mm on PASID allocation and free it on mm exit
Date: Thu, 28 Apr 2022 08:28:41 -0700	[thread overview]
Message-ID: <YmqyeBfCuDXAMDlZ@fyu1.sc.intel.com> (raw)
In-Reply-To: <bc18351c-27f2-17ae-e781-6b60fbb72541@intel.com>

Hi, Dave,

On Thu, Apr 28, 2022 at 08:09:04AM -0700, Dave Hansen wrote:
> On 4/25/22 21:20, Fenghua Yu wrote:
> > From 84aa68f6174439d863c40cdc2db0e1b89d620dd0 Mon Sep 17 00:00:00 2001
> > From: Fenghua Yu <fenghua.yu@intel.com>
> > Date: Fri, 15 Apr 2022 00:51:33 -0700
> > Subject: [PATCH] iommu/sva: Fix PASID use-after-free issue
> > 
> > A PASID might be still used on ARM after it is freed in __mmput().
> 
> Is it really just ARM?

Actually it should happen on X86 as well. I will remove "on ARM" in the
changelog.

> 
> > process:
> > 	open()->sva_bind()->ioasid_alloc() = N; // Get PASID N for the mm
> > 	exit();
> > 	exit_mm()->__mmput()->mm_pasid_drop()->mm->pasid = -1; // PASID -1
> > 	exit_files()->release(dev)->sva_unbind()->use mm->pasid; // Failure
> > 
> > To avoid the use-after-free issue, free the PASID after no device uses it,
> > i.e. after all devices are unbound from the mm.
> > 
> > sva_bind()/sva_unbind() call mmgrab()/mmdrop() to track mm->mm_count.
> > __mmdrop() is called only after mm->mm_count is zero. So freeing the PASID
> > in __mmdrop() guarantees the PASID is safely freed only after no device
> > is bound to the mm.
> 
> Does this changelog work for everyone?
> 
> ==
> 
> tl;dr: The PASID is being freed too early.  It needs to stay around
> until after device drivers that might be using it have had a chance to
> clear it out of the hardware.
> 

Do you want me to change the changelog to add both this paragraph and the
following paragraph?

> --
> 
> As a reminder:
> 
> mmget() /mmput()  refcount the mm's address space
> mmgrab()/mmdrop() refcount the mm itself
> 
> The PASID is currently tied to the life of the mm's address space and
> freed in __mmput().  This makes logical sense because the PASID can't be
> used once the address space is gone.
> 
> But, this misses an important point: even after the address space is
> gone, the PASID will still be programmed into a device.  Device drivers
> might, for instance, still need to flush operations that are outstanding
> and need to use that PASID.  They do this at ->release() time.
> 
> Device drivers hold a reference on the mm itself and drop it at
> ->release() time.  But, the device driver holds a reference on the mm itself,
> not the address space.  The address space (and the PASID) is long gone
> by the time the driver tries to clean up.  This is effectively a
> use-after-free bug on the PASID.
> 
> To fix this, move the PASID free operation from __mmput() to __mmdrop().
> This ensures that the device drivers' existing mmgrab() keeps the PASID
> allocated until they drop their mm reference.
> 

Thank you very much!

-Fenghua
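The ordering problem Dave describes, as an added example that is not part of the thread or the patch: a user-space model of the two mm refcounts (mm_users for mmget()/mmput(), mm_count for mmgrab()/mmdrop()) that replays the open()->sva_bind(), exit_mm(), exit_files()->release() sequence from the changelog with the PASID freed in either __mmput() or __mmdrop(). The function names mirror the kernel's but the bodies, the sva_bind()/sva_unbind() shorthand and the PASID value 7 are constructed for the model.

```c
/* Model of the kernel's two mm refcounts and of where the PASID is freed.
 * Constructed for illustration; not the kernel's code. */
#include <stdio.h>

#define INVALID_IOASID (-1)

struct mm_struct {
	int mm_users;	/* address-space refcount: mmget()/mmput() */
	int mm_count;	/* refcount on the mm itself: mmgrab()/mmdrop() */
	int pasid;
};

/* Where the PASID is released: the buggy placement and the fixed one. */
enum pasid_free_point { FREE_IN_MMPUT, FREE_IN_MMDROP };

static void mm_pasid_drop(struct mm_struct *mm)
{
	mm->pasid = INVALID_IOASID;
}

static void __mmdrop(struct mm_struct *mm, enum pasid_free_point p)
{
	if (p == FREE_IN_MMDROP)
		mm_pasid_drop(mm);	/* fixed: no device can still be bound here */
	/* free_mm(mm) would follow in the kernel */
}

static void mmdrop(struct mm_struct *mm, enum pasid_free_point p)
{
	if (--mm->mm_count == 0)
		__mmdrop(mm, p);
}

static void __mmput(struct mm_struct *mm, enum pasid_free_point p)
{
	/* exit_mmap() tears the address space down here */
	if (p == FREE_IN_MMPUT)
		mm_pasid_drop(mm);	/* buggy: drivers may still need the PASID */
	mmdrop(mm, p);			/* __mmput() ends by dropping its mm_count ref */
}

static void mmput(struct mm_struct *mm, enum pasid_free_point p)
{
	if (--mm->mm_users == 0)
		__mmput(mm, p);
}

/* Driver side: sva_bind() does mmgrab(); sva_unbind() at ->release() time
 * reads mm->pasid to clear it out of hardware, then does mmdrop(). */
static void sva_bind(struct mm_struct *mm)
{
	mm->mm_count++;			/* mmgrab() */
}

/* Returns the PASID the driver sees while unbinding; INVALID_IOASID means
 * it was already freed, i.e. the use-after-free from the changelog. */
static int sva_unbind(struct mm_struct *mm, enum pasid_free_point p)
{
	int seen = mm->pasid;
	mmdrop(mm, p);
	return seen;
}

/* exit(): exit_mm() runs mmput() before exit_files() runs ->release(). */
static int run_exit_sequence(enum pasid_free_point p)
{
	struct mm_struct mm = { .mm_users = 1, .mm_count = 1, .pasid = 7 };
	sva_bind(&mm);			/* open() -> sva_bind() */
	mmput(&mm, p);			/* exit_mm(): address space gone */
	return sva_unbind(&mm, p);	/* exit_files() -> release() -> sva_unbind() */
}

int main(void)
{
	printf("free in __mmput : driver sees PASID %d\n", run_exit_sequence(FREE_IN_MMPUT));
	printf("free in __mmdrop: driver sees PASID %d\n", run_exit_sequence(FREE_IN_MMDROP));
	return 0;
}
```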


