IOMMU user API header was introduced to support nested DMA translation and related fault handling. The current UAPI data structures consist of three areas that cover the interactions between host kernel and guest: - fault handling - cache invalidation - bind guest page tables, i.e. guest PASID Future extensions are likely to support more architectures and vIOMMU features. In the previous discussion, using user-filled data size and feature flags is made a preferred approach over a unified version number. https://lkml.org/lkml/2020/1/29/45 In addition to introduce argsz field to data structures, this patchset is also trying to document the UAPI design, usage, and extension rules. VT-d driver changes to utilize the new argsz field is included, VFIO usage is to follow. This set is available at: https://github.com/jacobpan/linux.git vsva_v5.8_uapi_v6 Thanks, Jacob Changeog: v6 - Renamed all UAPI functions with iommu_uapi_ prefix - Replaced argsz maxsz checking with flag specific size checks - Documentation improvements based on suggestions by Eric Auger Replaced example code with a pointer to the actual code - Added more checks for illegal flags combinations - Added doc file to MAINTAINERS v5 - Addjusted paddings in UAPI data to be 8 byte aligned - Do not clobber argsz in IOMMU core before passing on to vendor driver - Removed pr_warn_ for invalid UAPI data check, just return -EINVAL - Clarified VFIO responsibility in UAPI data handling - Use iommu_uapi prefix to differentiate APIs has in-kernel caller - Added comment for unchecked flags of invalidation granularity - Added example in doc to show vendor data checking v4 - Added checks of UAPI data for reserved fields, version, and flags. - Removed version check from vendor driver (vt-d) - Relaxed argsz check to match the UAPI struct size instead of variable union size - Updated documentation v3: - Rewrote backward compatibility rule to support existing code re-compiled with newer kernel UAPI header that runs on older kernel. Based on review comment from Alex W. https://lore.kernel.org/linux-iommu/20200611094741.6d118fa8@w520.home/ - Take user pointer directly in UAPI functions. Perform argsz check and copy_from_user() in IOMMU driver. Eliminate the need for VFIO or other upper layer to parse IOMMU data. - Create wrapper function for in-kernel users of UAPI functions v2: - Removed unified API version and helper - Introduced argsz for each UAPI data - Introduced UAPI doc Jacob Pan (6): docs: IOMMU user API iommu/uapi: Add argsz for user filled data iommu/uapi: Use named union for user data iommu/uapi: Rename uapi functions iommu/uapi: Handle data and argsz filled by users iommu/vt-d: Check UAPI data processed by IOMMU core Documentation/userspace-api/iommu.rst | 231 ++++++++++++++++++++++++++++++++++ MAINTAINERS | 1 + drivers/iommu/intel/iommu.c | 25 ++-- drivers/iommu/intel/svm.c | 9 +- drivers/iommu/iommu.c | 206 ++++++++++++++++++++++++++++-- include/linux/iommu.h | 35 ++++-- include/uapi/linux/iommu.h | 16 ++- 7 files changed, 480 insertions(+), 43 deletions(-) create mode 100644 Documentation/userspace-api/iommu.rst -- 2.7.4 _______________________________________________ iommu mailing list iommu@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/iommu
IOMMU UAPI is newly introduced to support communications between guest virtual IOMMU and host IOMMU. There has been lots of discussions on how it should work with VFIO UAPI and userspace in general. This document is intended to clarify the UAPI design and usage. The mechanics of how future extensions should be achieved are also covered in this documentation. Signed-off-by: Liu Yi L <yi.l.liu@intel.com> Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com> --- Documentation/userspace-api/iommu.rst | 231 ++++++++++++++++++++++++++++++++++ MAINTAINERS | 1 + 2 files changed, 232 insertions(+) create mode 100644 Documentation/userspace-api/iommu.rst diff --git a/Documentation/userspace-api/iommu.rst b/Documentation/userspace-api/iommu.rst new file mode 100644 index 000000000000..0821b263edc1 --- /dev/null +++ b/Documentation/userspace-api/iommu.rst @@ -0,0 +1,231 @@ +.. SPDX-License-Identifier: GPL-2.0 +.. iommu: + +===================================== +IOMMU Userspace API +===================================== + +IOMMU UAPI is used for virtualization cases where communications are +needed between physical and virtual IOMMU drivers. For baremetal +usage, the IOMMU is a system device which does not need to communicate +with user space directly. + +The primary use cases are guest Shared Virtual Address (SVA) and +guest IO virtual address (IOVA), wherin the vIOMMU implementation +relies on the physical IOMMU and for this reason requires interactions +with the host driver. + +.. contents:: :local: + +Functionalities +=============== +Communications of user and kernel involve both directions. The +supported user-kernel APIs are as follows: + +1. Alloc/Free PASID +2. Bind/unbind guest PASID (e.g. Intel VT-d) +3. Bind/unbind guest PASID table (e.g. ARM SMMU) +4. Invalidate IOMMU caches requested by guests +5. Report errors to the guest and serve page requests + +Requirements +============ +The IOMMU UAPIs are generic and extensible to meet the following +requirements: + +1. Emulated and para-virtualised vIOMMUs +2. Multiple vendors (Intel VT-d, ARM SMMU, etc.) +3. Extensions to the UAPI shall not break existing user space + +Interfaces +========== +Although the data structures defined in IOMMU UAPI are self-contained, +there is no user API functions introduced. Instead, IOMMU UAPI is +designed to work with existing user driver frameworks such as VFIO. + +Extension Rules & Precautions +----------------------------- +When IOMMU UAPI gets extended, the data structures can *only* be +modified in two ways: + +1. Adding new fields by re-purposing the padding[] field. No size change. +2. Adding new union members at the end. May increase the structure sizes. + +No new fields can be added *after* the variable sized union in that it +will break backward compatibility when offset moves. A new flag must +be introduced whenever a change affects the structure using either +method. The IOMMU driver processes the data based on flags which +ensures backward compatibility. + +Version field is only reserved for the unlikely event of UAPI upgrade +at its entirety. + +It's *always* the caller's responsibility to indicate the size of the +structure passed by setting argsz appropriately. +Though at the same time, argsz is user provided data which is not +trusted. The argsz field allows the user app to indicate how much data +it is providing, it's still the kernel's responsibility to validate +whether it's correct and sufficient for the requested operation. + +Compatibility Checking +---------------------- +When IOMMU UAPI extension results in some structure size increase, +IOMMU UAPI code shall handle the following cases: + +1. User and kernel has exact size match +2. An older user with older kernel header (smaller UAPI size) running on a + newer kernel (larger UAPI size) +3. A newer user with newer kernel header (larger UAPI size) running + on an older kernel. +4. A malicious/misbehaving user pass illegal/invalid size but within + range. The data may contain garbage. + +Feature Checking +---------------- +While launching a guest with vIOMMU, it is important to ensure that host +can support the UAPI data structures to be used for vIOMMU-pIOMMU +communications. Without upfront compatibility checking, future failures +are difficult to report even in normal conditions. +A capability getter is offered to discover the feature support and +potential API incompatibility support at an early stage. Detecting +this later, when performing the actual cache/descriptor handling +operations appears to be tricky and difficult to escalate to the +guest. + +For example, IOTLB invalidations should always succeed. There is no +architectural way to report back to the vIOMMU if the UAPI data is +incompatible. If that happens, in order to guarantee IOMMU iosolation, +we have to resort to not giving completion status in vIOMMU. This may +result in VM hang. + +For this reason the following IOMMU UAPIs cannot fail without +catastrophic effect: + +1. Free PASID +2. Unbind guest PASID +3. Unbind guest PASID table (SMMU) +4. Cache invalidate + +User applications such as QEMU are expected to import kernel UAPI +headers. Backward compatibility is supported per feature flags. +For example, an older QEMU (with older kernel header) can run on newer +kernel. Newer QEMU (with new kernel header) may refuse to initialize +on an older kernel if new feature flags are not supported by older +kernel. Simply recompiling existing code with newer kernel header should +not be an issue in that only existing flags are used. + +IOMMU vendor driver should report the below features to IOMMU UAPI +consumers (e.g. via VFIO). + +1. IOMMU_NESTING_FEAT_SYSWIDE_PASID +2. IOMMU_NESTING_FEAT_BIND_PGTBL +3. IOMMU_NESTING_FEAT_BIND_PASID_TABLE +4. IOMMU_NESTING_FEAT_CACHE_INVLD +5. IOMMU_NESTING_FEAT_PAGE_REQUEST + +Take VFIO as example, upon request from VFIO user space (e.g. QEMU), +VFIO kernel code shall query IOMMU vendor driver for the support of +the above features. Query result can then be reported back to the +user-space caller. Details can be found in +Documentation/driver-api/vfio.rst. + + +Data Passing Example with VFIO +------------------------------ +As the ubiquitous userspace driver framework, VFIO is already IOMMU +aware and shares many key concepts such as device model, group, and +protection domain. Other user driver frameworks can also be extended +to support IOMMU UAPI but it is outside the scope of this document. + +In this tight-knit VFIO-IOMMU interface, the ultimate consumer of the +IOMMU UAPI data is the host IOMMU driver. VFIO facilitates user-kernel +transport, capability checking, security, and life cycle management of +process address space ID (PASID). + +Unlike normal user data passed via VFIO UAPI IOTCL, IOMMU driver is the +ultimate consumer of its UAPI data. At VFIO layer, the IOMMU UAPI data +is wrapped in a VFIO UAPI data. It follows the +pattern below:: + + struct { + __u32 argsz; + __u32 flags; + __u8 data[]; + }; + +Here data[] contains the IOMMU UAPI data structures. VFIO has the +freedom to bundle the data as well as parse data size based on its own flags. + +In order to determine the size and feature set of the user data, argsz +and flags (or the equivalent) are also embedded in the IOMMU UAPI data +structures. + +A "__u32 argsz" field is *always* at the beginning of each structure. + +For example: +:: + + struct iommu_cache_invalidate_info { + __u32 argsz; + #define IOMMU_CACHE_INVALIDATE_INFO_VERSION_1 1 + __u32 version; + /* IOMMU paging structure cache */ + #define IOMMU_CACHE_INV_TYPE_IOTLB (1 << 0) /* IOMMU IOTLB */ + #define IOMMU_CACHE_INV_TYPE_DEV_IOTLB (1 << 1) /* Device IOTLB */ + #define IOMMU_CACHE_INV_TYPE_PASID (1 << 2) /* PASID cache */ + #define IOMMU_CACHE_INV_TYPE_NR (3) + __u8 cache; + __u8 granularity; + __u8 padding[6]; + union { + struct iommu_inv_pasid_info pasid_info; + struct iommu_inv_addr_info addr_info; + } granu; + }; + +VFIO is responsible for checking its own argsz and flags. It then +invokes appropriate IOMMU UAPI functions. The user pointers are passed +to the IOMMU layer for further processing. The responsibilities are +divided as follows: + +- Generic IOMMU layer checks argsz range based on UAPI data in the + current kernel version + +- Generic IOMMU layer checks content of the UAPI data for non-zero + reserved bits in flags, padding fields, and unsupported version. + This is to ensure not breaking userspace in the future when these + fields or flags are used. + +- Vendor IOMMU driver checks argsz based on vendor flags, UAPI data + is consumed based on flags. Vendor driver has access to + unadulterated argsz value in case of vendor specific future + extensions. Currently, it does not perform the copy_from_user() + itself. A __user pointer can be provided in some future scenarios + where there's vendor data outside of the structure definition. + +IOMMU code treats UAPI data into two categories: + +- structure contains vendor data + (Example: iommu_uapi_cache_invalidate()) + +- structure contains only generic data + (Example: iommu_uapi_sva_bind_gpasid()) + + + +Sharing UAPI with in-kernel users +--------------------------------- +For UAPIs that are shared with in-kernel users, a wrapper function is +provided to distinguish the callers. For example, + +Userspace caller :: + + int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, + struct device *dev, + void __user *udata) + +In-kernel caller :: + + int iommu_sva_unbind_gpasid(struct iommu_domain *domain, + struct device *dev, + struct iommu_gpasid_bind_data *data) diff --git a/MAINTAINERS b/MAINTAINERS index d53db30d1365..11f907b11f12 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -9010,6 +9010,7 @@ L: iommu@lists.linux-foundation.org S: Maintained T: git git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu.git F: Documentation/devicetree/bindings/iommu/ +F: Documentation/userspace-api/iommu.rst F: drivers/iommu/ F: include/linux/iommu.h F: include/linux/iova.h -- 2.7.4 _______________________________________________ iommu mailing list iommu@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/iommu
As IOMMU UAPI gets extended, user data size may increase. To support backward compatibiliy, this patch introduces a size field to each UAPI data structures. It is *always* the responsibility for the user to fill in the correct size. Padding fields are adjusted to ensure 8 byte alignment. Specific scenarios for user data handling are documented in: Documentation/userspace-api/iommu.rst Signed-off-by: Liu Yi L <yi.l.liu@intel.com> Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com> --- include/uapi/linux/iommu.h | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/include/uapi/linux/iommu.h b/include/uapi/linux/iommu.h index e907b7091a46..d5e9014f690e 100644 --- a/include/uapi/linux/iommu.h +++ b/include/uapi/linux/iommu.h @@ -135,6 +135,7 @@ enum iommu_page_response_code { /** * struct iommu_page_response - Generic page response information + * @argsz: User filled size of this data * @version: API version of this structure * @flags: encodes whether the corresponding fields are valid * (IOMMU_FAULT_PAGE_RESPONSE_* values) @@ -143,6 +144,7 @@ enum iommu_page_response_code { * @code: response code from &enum iommu_page_response_code */ struct iommu_page_response { + __u32 argsz; #define IOMMU_PAGE_RESP_VERSION_1 1 __u32 version; #define IOMMU_PAGE_RESP_PASID_VALID (1 << 0) @@ -218,6 +220,7 @@ struct iommu_inv_pasid_info { /** * struct iommu_cache_invalidate_info - First level/stage invalidation * information + * @argsz: User filled size of this data * @version: API version of this structure * @cache: bitfield that allows to select which caches to invalidate * @granularity: defines the lowest granularity used for the invalidation: @@ -246,6 +249,7 @@ struct iommu_inv_pasid_info { * must support the used granularity. */ struct iommu_cache_invalidate_info { + __u32 argsz; #define IOMMU_CACHE_INVALIDATE_INFO_VERSION_1 1 __u32 version; /* IOMMU paging structure cache */ @@ -255,7 +259,7 @@ struct iommu_cache_invalidate_info { #define IOMMU_CACHE_INV_TYPE_NR (3) __u8 cache; __u8 granularity; - __u8 padding[2]; + __u8 padding[6]; union { struct iommu_inv_pasid_info pasid_info; struct iommu_inv_addr_info addr_info; @@ -292,6 +296,7 @@ struct iommu_gpasid_bind_data_vtd { /** * struct iommu_gpasid_bind_data - Information about device and guest PASID binding + * @argsz: User filled size of this data * @version: Version of this data structure * @format: PASID table entry format * @flags: Additional information on guest bind request @@ -309,17 +314,18 @@ struct iommu_gpasid_bind_data_vtd { * PASID to host PASID based on this bind data. */ struct iommu_gpasid_bind_data { + __u32 argsz; #define IOMMU_GPASID_BIND_VERSION_1 1 __u32 version; #define IOMMU_PASID_FORMAT_INTEL_VTD 1 __u32 format; + __u32 addr_width; #define IOMMU_SVA_GPASID_VAL (1 << 0) /* guest PASID valid */ __u64 flags; __u64 gpgd; __u64 hpasid; __u64 gpasid; - __u32 addr_width; - __u8 padding[12]; + __u8 padding[8]; /* Vendor specific data */ union { struct iommu_gpasid_bind_data_vtd vtd; -- 2.7.4 _______________________________________________ iommu mailing list iommu@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/iommu
IOMMU UAPI data size is filled by the user space which must be validated by the kernel. To ensure backward compatibility, user data can only be extended by either re-purpose padding bytes or extend the variable sized union at the end. No size change is allowed before the union. Therefore, the minimum size is the offset of the union. To use offsetof() on the union, we must make it named. Link: https://lore.kernel.org/linux-iommu/20200611145518.0c2817d6@x1.home/ Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com> Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> --- drivers/iommu/intel/iommu.c | 22 +++++++++++----------- drivers/iommu/intel/svm.c | 2 +- include/uapi/linux/iommu.h | 4 ++-- 3 files changed, 14 insertions(+), 14 deletions(-) diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c index 92c7ad66e64c..021f62078f52 100644 --- a/drivers/iommu/intel/iommu.c +++ b/drivers/iommu/intel/iommu.c @@ -5417,8 +5417,8 @@ intel_iommu_sva_invalidate(struct iommu_domain *domain, struct device *dev, /* Size is only valid in address selective invalidation */ if (inv_info->granularity == IOMMU_INV_GRANU_ADDR) - size = to_vtd_size(inv_info->addr_info.granule_size, - inv_info->addr_info.nb_granules); + size = to_vtd_size(inv_info->granu.addr_info.granule_size, + inv_info->granu.addr_info.nb_granules); for_each_set_bit(cache_type, (unsigned long *)&inv_info->cache, @@ -5439,20 +5439,20 @@ intel_iommu_sva_invalidate(struct iommu_domain *domain, struct device *dev, * granularity. */ if (inv_info->granularity == IOMMU_INV_GRANU_PASID && - (inv_info->pasid_info.flags & IOMMU_INV_PASID_FLAGS_PASID)) - pasid = inv_info->pasid_info.pasid; + (inv_info->granu.pasid_info.flags & IOMMU_INV_PASID_FLAGS_PASID)) + pasid = inv_info->granu.pasid_info.pasid; else if (inv_info->granularity == IOMMU_INV_GRANU_ADDR && - (inv_info->addr_info.flags & IOMMU_INV_ADDR_FLAGS_PASID)) - pasid = inv_info->addr_info.pasid; + (inv_info->granu.addr_info.flags & IOMMU_INV_ADDR_FLAGS_PASID)) + pasid = inv_info->granu.addr_info.pasid; switch (BIT(cache_type)) { case IOMMU_CACHE_INV_TYPE_IOTLB: /* HW will ignore LSB bits based on address mask */ if (inv_info->granularity == IOMMU_INV_GRANU_ADDR && size && - (inv_info->addr_info.addr & ((BIT(VTD_PAGE_SHIFT + size)) - 1))) { + (inv_info->granu.addr_info.addr & ((BIT(VTD_PAGE_SHIFT + size)) - 1))) { pr_err_ratelimited("User address not aligned, 0x%llx, size order %llu\n", - inv_info->addr_info.addr, size); + inv_info->granu.addr_info.addr, size); } /* @@ -5460,9 +5460,9 @@ intel_iommu_sva_invalidate(struct iommu_domain *domain, struct device *dev, * We use npages = -1 to indicate that. */ qi_flush_piotlb(iommu, did, pasid, - mm_to_dma_pfn(inv_info->addr_info.addr), + mm_to_dma_pfn(inv_info->granu.addr_info.addr), (granu == QI_GRAN_NONG_PASID) ? -1 : 1 << size, - inv_info->addr_info.flags & IOMMU_INV_ADDR_FLAGS_LEAF); + inv_info->granu.addr_info.flags & IOMMU_INV_ADDR_FLAGS_LEAF); if (!info->ats_enabled) break; @@ -5485,7 +5485,7 @@ intel_iommu_sva_invalidate(struct iommu_domain *domain, struct device *dev, size = 64 - VTD_PAGE_SHIFT; addr = 0; } else if (inv_info->granularity == IOMMU_INV_GRANU_ADDR) - addr = inv_info->addr_info.addr; + addr = inv_info->granu.addr_info.addr; if (info->ats_enabled) qi_flush_dev_iotlb_pasid(iommu, sid, diff --git a/drivers/iommu/intel/svm.c b/drivers/iommu/intel/svm.c index d386853121a2..713b3a218483 100644 --- a/drivers/iommu/intel/svm.c +++ b/drivers/iommu/intel/svm.c @@ -338,7 +338,7 @@ int intel_svm_bind_gpasid(struct iommu_domain *domain, struct device *dev, spin_lock(&iommu->lock); ret = intel_pasid_setup_nested(iommu, dev, (pgd_t *)(uintptr_t)data->gpgd, - data->hpasid, &data->vtd, dmar_domain, + data->hpasid, &data->vendor.vtd, dmar_domain, data->addr_width); spin_unlock(&iommu->lock); if (ret) { diff --git a/include/uapi/linux/iommu.h b/include/uapi/linux/iommu.h index d5e9014f690e..7c8e075c2b29 100644 --- a/include/uapi/linux/iommu.h +++ b/include/uapi/linux/iommu.h @@ -263,7 +263,7 @@ struct iommu_cache_invalidate_info { union { struct iommu_inv_pasid_info pasid_info; struct iommu_inv_addr_info addr_info; - }; + } granu; }; /** @@ -329,7 +329,7 @@ struct iommu_gpasid_bind_data { /* Vendor specific data */ union { struct iommu_gpasid_bind_data_vtd vtd; - }; + } vendor; }; #endif /* _UAPI_IOMMU_H */ -- 2.7.4 _______________________________________________ iommu mailing list iommu@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/iommu
User APIs such as iommu_sva_unbind_gpasid() may also be used by the kernel. Since we introduced user pointer to the UAPI functions, in-kernel callers cannot share the same APIs. In-kernel callers are also trusted, there is no need to validate the data. This patch renames all UAPI functions with iommu_uapi_ prefix such that is clear to the intended callers. Suggested-by: Alex Williamson <alex.williamson@redhat.com> Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com> --- drivers/iommu/iommu.c | 18 +++++++++--------- include/linux/iommu.h | 31 ++++++++++++++++--------------- 2 files changed, 25 insertions(+), 24 deletions(-) diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c index b6858adc4f17..3a913ce94a3d 100644 --- a/drivers/iommu/iommu.c +++ b/drivers/iommu/iommu.c @@ -1950,35 +1950,35 @@ int iommu_attach_device(struct iommu_domain *domain, struct device *dev) } EXPORT_SYMBOL_GPL(iommu_attach_device); -int iommu_cache_invalidate(struct iommu_domain *domain, struct device *dev, - struct iommu_cache_invalidate_info *inv_info) +int iommu_uapi_cache_invalidate(struct iommu_domain *domain, struct device *dev, + struct iommu_cache_invalidate_info *inv_info) { if (unlikely(!domain->ops->cache_invalidate)) return -ENODEV; return domain->ops->cache_invalidate(domain, dev, inv_info); } -EXPORT_SYMBOL_GPL(iommu_cache_invalidate); +EXPORT_SYMBOL_GPL(iommu_uapi_cache_invalidate); -int iommu_sva_bind_gpasid(struct iommu_domain *domain, - struct device *dev, struct iommu_gpasid_bind_data *data) +int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, + struct device *dev, struct iommu_gpasid_bind_data *data) { if (unlikely(!domain->ops->sva_bind_gpasid)) return -ENODEV; return domain->ops->sva_bind_gpasid(domain, dev, data); } -EXPORT_SYMBOL_GPL(iommu_sva_bind_gpasid); +EXPORT_SYMBOL_GPL(iommu_uapi_sva_bind_gpasid); -int iommu_sva_unbind_gpasid(struct iommu_domain *domain, struct device *dev, - ioasid_t pasid) +int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, struct device *dev, + ioasid_t pasid) { if (unlikely(!domain->ops->sva_unbind_gpasid)) return -ENODEV; return domain->ops->sva_unbind_gpasid(dev, pasid); } -EXPORT_SYMBOL_GPL(iommu_sva_unbind_gpasid); +EXPORT_SYMBOL_GPL(iommu_uapi_sva_unbind_gpasid); static void __iommu_detach_device(struct iommu_domain *domain, struct device *dev) diff --git a/include/linux/iommu.h b/include/linux/iommu.h index 5f0b7859d2eb..2dcc1a33f6dc 100644 --- a/include/linux/iommu.h +++ b/include/linux/iommu.h @@ -430,13 +430,13 @@ extern int iommu_attach_device(struct iommu_domain *domain, struct device *dev); extern void iommu_detach_device(struct iommu_domain *domain, struct device *dev); -extern int iommu_cache_invalidate(struct iommu_domain *domain, - struct device *dev, - struct iommu_cache_invalidate_info *inv_info); -extern int iommu_sva_bind_gpasid(struct iommu_domain *domain, - struct device *dev, struct iommu_gpasid_bind_data *data); -extern int iommu_sva_unbind_gpasid(struct iommu_domain *domain, - struct device *dev, ioasid_t pasid); +extern int iommu_uapi_cache_invalidate(struct iommu_domain *domain, + struct device *dev, + struct iommu_cache_invalidate_info *inv_info); +extern int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, + struct device *dev, struct iommu_gpasid_bind_data *data); +extern int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, + struct device *dev, ioasid_t pasid); extern struct iommu_domain *iommu_get_domain_for_dev(struct device *dev); extern struct iommu_domain *iommu_get_dma_domain(struct device *dev); extern int iommu_map(struct iommu_domain *domain, unsigned long iova, @@ -1054,21 +1054,22 @@ static inline int iommu_sva_get_pasid(struct iommu_sva *handle) return IOMMU_PASID_INVALID; } -static inline int -iommu_cache_invalidate(struct iommu_domain *domain, - struct device *dev, - struct iommu_cache_invalidate_info *inv_info) +static inline int iommu_uapi_cache_invalidate(struct iommu_domain *domain, + struct device *dev, + struct iommu_cache_invalidate_info *inv_info) { return -ENODEV; } -static inline int iommu_sva_bind_gpasid(struct iommu_domain *domain, - struct device *dev, struct iommu_gpasid_bind_data *data) + +static inline int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, + struct device *dev, + struct iommu_gpasid_bind_data *data) { return -ENODEV; } -static inline int iommu_sva_unbind_gpasid(struct iommu_domain *domain, - struct device *dev, int pasid) +static inline int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, + struct device *dev, int pasid) { return -ENODEV; } -- 2.7.4 _______________________________________________ iommu mailing list iommu@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/iommu
IOMMU user APIs are responsible for processing user data. This patch changes the interface such that user pointers can be passed into IOMMU code directly. Separate kernel APIs without user pointers are introduced for in-kernel users of the UAPI functionality. IOMMU UAPI data has a user filled argsz field which indicates the data length of the structure. User data is not trusted, argsz must be validated based on the current kernel data size, mandatory data size, and feature flags. User data may also be extended, resulting in possible argsz increase. Backward compatibility is ensured based on size and flags (or the functional equivalent fields) checking. This patch adds sanity checks in the IOMMU layer. In addition to argsz, reserved/unused fields in padding, flags, and version are also checked. Details are documented in Documentation/userspace-api/iommu.rst Signed-off-by: Liu Yi L <yi.l.liu@intel.com> Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com> --- drivers/iommu/iommu.c | 202 ++++++++++++++++++++++++++++++++++++++++++++++++-- include/linux/iommu.h | 28 ++++--- 2 files changed, 213 insertions(+), 17 deletions(-) diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c index 3a913ce94a3d..1ce2a61058c6 100644 --- a/drivers/iommu/iommu.c +++ b/drivers/iommu/iommu.c @@ -1950,33 +1950,219 @@ int iommu_attach_device(struct iommu_domain *domain, struct device *dev) } EXPORT_SYMBOL_GPL(iommu_attach_device); +/* + * Check flags and other user provided data for valid combinations. We also + * make sure no reserved fields or unused flags are set. This is to ensure + * not breaking userspace in the future when these fields or flags are used. + */ +static int iommu_check_cache_invl_data(struct iommu_cache_invalidate_info *info) +{ + u32 mask; + int i; + + if (info->version != IOMMU_CACHE_INVALIDATE_INFO_VERSION_1) + return -EINVAL; + + mask = (1 << IOMMU_CACHE_INV_TYPE_NR) - 1; + if (info->cache & ~mask) + return -EINVAL; + + if (info->granularity >= IOMMU_INV_GRANU_NR) + return -EINVAL; + + switch (info->granularity) { + case IOMMU_INV_GRANU_ADDR: + if (info->cache & IOMMU_CACHE_INV_TYPE_PASID) + return -EINVAL; + + mask = IOMMU_INV_ADDR_FLAGS_PASID | + IOMMU_INV_ADDR_FLAGS_ARCHID | + IOMMU_INV_ADDR_FLAGS_LEAF; + + if (info->granu.addr_info.flags & ~mask) + return -EINVAL; + break; + case IOMMU_INV_GRANU_PASID: + mask = IOMMU_INV_PASID_FLAGS_PASID | + IOMMU_INV_PASID_FLAGS_ARCHID; + if (info->granu.pasid_info.flags & ~mask) + return -EINVAL; + + break; + case IOMMU_INV_GRANU_DOMAIN: + if (info->cache & IOMMU_CACHE_INV_TYPE_DEV_IOTLB) + return -EINVAL; + break; + default: + return -EINVAL; + } + + /* Check reserved padding fields */ + for (i = 0; i < 6; i++) { + if (info->padding[i]) + return -EINVAL; + } + + return 0; +} + int iommu_uapi_cache_invalidate(struct iommu_domain *domain, struct device *dev, - struct iommu_cache_invalidate_info *inv_info) + void __user *uinfo) { + struct iommu_cache_invalidate_info inv_info = { 0 }; + u32 minsz; + int ret = 0; + if (unlikely(!domain->ops->cache_invalidate)) return -ENODEV; - return domain->ops->cache_invalidate(domain, dev, inv_info); + /* + * No new spaces can be added before the variable sized union, the + * minimum size is the offset to the union. + */ + minsz = offsetof(struct iommu_cache_invalidate_info, granu); + + /* Copy minsz from user to get flags and argsz */ + if (copy_from_user(&inv_info, uinfo, minsz)) + return -EFAULT; + + /* Fields before variable size union is mandatory */ + if (inv_info.argsz < minsz) + return -EINVAL; + + /* PASID and address granu require additional info beyond minsz */ + if (inv_info.argsz == minsz && + ((inv_info.granularity == IOMMU_INV_GRANU_PASID) || + (inv_info.granularity == IOMMU_INV_GRANU_ADDR))) + return -EINVAL; + + if (inv_info.granularity == IOMMU_INV_GRANU_PASID && + inv_info.argsz < offsetofend(struct iommu_cache_invalidate_info, granu.pasid_info)) + return -EINVAL; + + if (inv_info.granularity == IOMMU_INV_GRANU_ADDR && + inv_info.argsz < offsetofend(struct iommu_cache_invalidate_info, granu.addr_info)) + return -EINVAL; + + /* + * User might be using a newer UAPI header which has a larger data + * size, we shall support the existing flags within the current + * size. Copy the remaining user data _after_ minsz but not more + * than the current kernel supported size. + */ + if (copy_from_user((void *)&inv_info + minsz, uinfo + minsz, + min(inv_info.argsz, (u32)sizeof(inv_info)) - minsz)) + return -EFAULT; + + /* Now the argsz is validated, check the content */ + ret = iommu_check_cache_invl_data(&inv_info); + if (ret) + return ret; + + return domain->ops->cache_invalidate(domain, dev, &inv_info); } EXPORT_SYMBOL_GPL(iommu_uapi_cache_invalidate); -int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, - struct device *dev, struct iommu_gpasid_bind_data *data) +static int iommu_check_bind_data(struct iommu_gpasid_bind_data *data) +{ + u32 mask; + int i; + + if (data->version != IOMMU_GPASID_BIND_VERSION_1) + return -EINVAL; + + /* Check all supported format, for now just VT-d */ + mask = IOMMU_PASID_FORMAT_INTEL_VTD; + if (data->format & ~mask) + return -EINVAL; + + /* Check all flags */ + mask = IOMMU_SVA_GPASID_VAL; + if (data->flags & ~mask) + return -EINVAL; + + /* Check reserved padding fields */ + for (i = 0; i < 8; i++) { + if (data->padding[i]) + return -EINVAL; + } + + return 0; +} + +static int iommu_sva_prepare_bind_data(void __user *udata, + struct iommu_gpasid_bind_data *data) { + u32 minsz; + + /* + * No new spaces can be added before the variable sized union, the + * minimum size is the offset to the union. + */ + minsz = offsetof(struct iommu_gpasid_bind_data, vendor); + + /* Copy minsz from user to get flags and argsz */ + if (copy_from_user(data, udata, minsz)) + return -EFAULT; + + /* Fields before variable size union is mandatory */ + if (data->argsz < minsz) + return -EINVAL; + /* + * User might be using a newer UAPI header, we shall let IOMMU vendor + * driver decide on what size it needs. Since the guest PASID bind data + * can be vendor specific, larger argsz could be the result of extension + * for one vendor but it should not affect another vendor. + * Copy the remaining user data _after_ minsz + */ + if (copy_from_user((void *)data + minsz, udata + minsz, + min(data->argsz, (u32)sizeof(*data)) - minsz)) + return -EFAULT; + + return iommu_check_bind_data(data); +} + +int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, struct device *dev, + void __user *udata) +{ + struct iommu_gpasid_bind_data data = { 0 }; + int ret; + if (unlikely(!domain->ops->sva_bind_gpasid)) return -ENODEV; - return domain->ops->sva_bind_gpasid(domain, dev, data); + ret = iommu_sva_prepare_bind_data(udata, &data); + if (ret) + return ret; + + return domain->ops->sva_bind_gpasid(domain, dev, &data); } EXPORT_SYMBOL_GPL(iommu_uapi_sva_bind_gpasid); -int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, struct device *dev, - ioasid_t pasid) +int iommu_sva_unbind_gpasid(struct iommu_domain *domain, struct device *dev, + struct iommu_gpasid_bind_data *data) { if (unlikely(!domain->ops->sva_unbind_gpasid)) return -ENODEV; - return domain->ops->sva_unbind_gpasid(dev, pasid); + return domain->ops->sva_unbind_gpasid(dev, data->hpasid); +} +EXPORT_SYMBOL_GPL(iommu_sva_unbind_gpasid); + +int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, struct device *dev, + void __user *udata) +{ + struct iommu_gpasid_bind_data data = { 0 }; + int ret; + + if (unlikely(!domain->ops->sva_bind_gpasid)) + return -ENODEV; + + ret = iommu_sva_prepare_bind_data(udata, &data); + if (ret) + return ret; + + return iommu_sva_unbind_gpasid(domain, dev, &data); } EXPORT_SYMBOL_GPL(iommu_uapi_sva_unbind_gpasid); diff --git a/include/linux/iommu.h b/include/linux/iommu.h index 2dcc1a33f6dc..4a02c9e09048 100644 --- a/include/linux/iommu.h +++ b/include/linux/iommu.h @@ -432,11 +432,14 @@ extern void iommu_detach_device(struct iommu_domain *domain, struct device *dev); extern int iommu_uapi_cache_invalidate(struct iommu_domain *domain, struct device *dev, - struct iommu_cache_invalidate_info *inv_info); + void __user *uinfo); + extern int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, - struct device *dev, struct iommu_gpasid_bind_data *data); + struct device *dev, void __user *udata); extern int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, - struct device *dev, ioasid_t pasid); + struct device *dev, void __user *udata); +extern int iommu_sva_unbind_gpasid(struct iommu_domain *domain, + struct device *dev, struct iommu_gpasid_bind_data *data); extern struct iommu_domain *iommu_get_domain_for_dev(struct device *dev); extern struct iommu_domain *iommu_get_dma_domain(struct device *dev); extern int iommu_map(struct iommu_domain *domain, unsigned long iova, @@ -1054,22 +1057,29 @@ static inline int iommu_sva_get_pasid(struct iommu_sva *handle) return IOMMU_PASID_INVALID; } -static inline int iommu_uapi_cache_invalidate(struct iommu_domain *domain, - struct device *dev, - struct iommu_cache_invalidate_info *inv_info) +static inline int +iommu_uapi_cache_invalidate(struct iommu_domain *domain, + struct device *dev, + struct iommu_cache_invalidate_info *inv_info) { return -ENODEV; } static inline int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, - struct device *dev, - struct iommu_gpasid_bind_data *data) + struct device *dev, void __user *udata) { return -ENODEV; } static inline int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, - struct device *dev, int pasid) + struct device *dev, void __user *udata) +{ + return -ENODEV; +} + +static inline int iommu_sva_unbind_gpasid(struct iommu_domain *domain, + struct device *dev, + struct iommu_gpasid_bind_data *data) { return -ENODEV; } -- 2.7.4 _______________________________________________ iommu mailing list iommu@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/iommu
IOMMU generic layer already does sanity checks UAPI data for version match and argsz range under generic information. Remove the redundant version check from VT-d driver and check for vendor specific data size. Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com> --- drivers/iommu/intel/iommu.c | 3 +-- drivers/iommu/intel/svm.c | 7 +++++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c index 021f62078f52..7e03cca31a0e 100644 --- a/drivers/iommu/intel/iommu.c +++ b/drivers/iommu/intel/iommu.c @@ -5391,8 +5391,7 @@ intel_iommu_sva_invalidate(struct iommu_domain *domain, struct device *dev, int ret = 0; u64 size = 0; - if (!inv_info || !dmar_domain || - inv_info->version != IOMMU_CACHE_INVALIDATE_INFO_VERSION_1) + if (!inv_info || !dmar_domain) return -EINVAL; if (!dev || !dev_is_pci(dev)) diff --git a/drivers/iommu/intel/svm.c b/drivers/iommu/intel/svm.c index 713b3a218483..55ea11e9c0f5 100644 --- a/drivers/iommu/intel/svm.c +++ b/drivers/iommu/intel/svm.c @@ -240,8 +240,11 @@ int intel_svm_bind_gpasid(struct iommu_domain *domain, struct device *dev, if (WARN_ON(!iommu) || !data) return -EINVAL; - if (data->version != IOMMU_GPASID_BIND_VERSION_1 || - data->format != IOMMU_PASID_FORMAT_INTEL_VTD) + if (data->format != IOMMU_PASID_FORMAT_INTEL_VTD) + return -EINVAL; + + /* IOMMU core ensures argsz is more than the start of the union */ + if (data->argsz < offsetofend(struct iommu_gpasid_bind_data, vendor.vtd)) return -EINVAL; if (!dev_is_pci(dev)) -- 2.7.4 _______________________________________________ iommu mailing list iommu@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/iommu
On Thu, 23 Jul 2020 10:25:39 -0700 Jacob Pan <jacob.jun.pan@linux.intel.com> wrote: > IOMMU user APIs are responsible for processing user data. This patch > changes the interface such that user pointers can be passed into IOMMU > code directly. Separate kernel APIs without user pointers are introduced > for in-kernel users of the UAPI functionality. > > IOMMU UAPI data has a user filled argsz field which indicates the data > length of the structure. User data is not trusted, argsz must be > validated based on the current kernel data size, mandatory data size, > and feature flags. > > User data may also be extended, resulting in possible argsz increase. > Backward compatibility is ensured based on size and flags (or > the functional equivalent fields) checking. > > This patch adds sanity checks in the IOMMU layer. In addition to argsz, > reserved/unused fields in padding, flags, and version are also checked. > Details are documented in Documentation/userspace-api/iommu.rst > > Signed-off-by: Liu Yi L <yi.l.liu@intel.com> > Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com> > --- > drivers/iommu/iommu.c | 202 ++++++++++++++++++++++++++++++++++++++++++++++++-- > include/linux/iommu.h | 28 ++++--- > 2 files changed, 213 insertions(+), 17 deletions(-) > > diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c > index 3a913ce94a3d..1ce2a61058c6 100644 > --- a/drivers/iommu/iommu.c > +++ b/drivers/iommu/iommu.c > @@ -1950,33 +1950,219 @@ int iommu_attach_device(struct iommu_domain *domain, struct device *dev) > } > EXPORT_SYMBOL_GPL(iommu_attach_device); > > +/* > + * Check flags and other user provided data for valid combinations. We also > + * make sure no reserved fields or unused flags are set. This is to ensure > + * not breaking userspace in the future when these fields or flags are used. > + */ > +static int iommu_check_cache_invl_data(struct iommu_cache_invalidate_info *info) > +{ > + u32 mask; > + int i; > + > + if (info->version != IOMMU_CACHE_INVALIDATE_INFO_VERSION_1) > + return -EINVAL; > + > + mask = (1 << IOMMU_CACHE_INV_TYPE_NR) - 1; > + if (info->cache & ~mask) > + return -EINVAL; > + > + if (info->granularity >= IOMMU_INV_GRANU_NR) > + return -EINVAL; > + > + switch (info->granularity) { > + case IOMMU_INV_GRANU_ADDR: > + if (info->cache & IOMMU_CACHE_INV_TYPE_PASID) > + return -EINVAL; > + > + mask = IOMMU_INV_ADDR_FLAGS_PASID | > + IOMMU_INV_ADDR_FLAGS_ARCHID | > + IOMMU_INV_ADDR_FLAGS_LEAF; > + > + if (info->granu.addr_info.flags & ~mask) > + return -EINVAL; > + break; > + case IOMMU_INV_GRANU_PASID: > + mask = IOMMU_INV_PASID_FLAGS_PASID | > + IOMMU_INV_PASID_FLAGS_ARCHID; > + if (info->granu.pasid_info.flags & ~mask) > + return -EINVAL; > + > + break; > + case IOMMU_INV_GRANU_DOMAIN: > + if (info->cache & IOMMU_CACHE_INV_TYPE_DEV_IOTLB) > + return -EINVAL; > + break; > + default: > + return -EINVAL; > + } > + > + /* Check reserved padding fields */ > + for (i = 0; i < 6; i++) { We could use sizeof(info->padding) here to avoid future issues relative to the number of padding bytes. > + if (info->padding[i]) > + return -EINVAL; > + } > + > + return 0; > +} > + > int iommu_uapi_cache_invalidate(struct iommu_domain *domain, struct device *dev, > - struct iommu_cache_invalidate_info *inv_info) > + void __user *uinfo) > { > + struct iommu_cache_invalidate_info inv_info = { 0 }; > + u32 minsz; > + int ret = 0; > + > if (unlikely(!domain->ops->cache_invalidate)) > return -ENODEV; > > - return domain->ops->cache_invalidate(domain, dev, inv_info); > + /* > + * No new spaces can be added before the variable sized union, the > + * minimum size is the offset to the union. > + */ > + minsz = offsetof(struct iommu_cache_invalidate_info, granu); > + > + /* Copy minsz from user to get flags and argsz */ > + if (copy_from_user(&inv_info, uinfo, minsz)) > + return -EFAULT; > + > + /* Fields before variable size union is mandatory */ > + if (inv_info.argsz < minsz) > + return -EINVAL; > + > + /* PASID and address granu require additional info beyond minsz */ > + if (inv_info.argsz == minsz && > + ((inv_info.granularity == IOMMU_INV_GRANU_PASID) || > + (inv_info.granularity == IOMMU_INV_GRANU_ADDR))) > + return -EINVAL; > + > + if (inv_info.granularity == IOMMU_INV_GRANU_PASID && > + inv_info.argsz < offsetofend(struct iommu_cache_invalidate_info, granu.pasid_info)) > + return -EINVAL; > + > + if (inv_info.granularity == IOMMU_INV_GRANU_ADDR && > + inv_info.argsz < offsetofend(struct iommu_cache_invalidate_info, granu.addr_info)) > + return -EINVAL; > + > + /* > + * User might be using a newer UAPI header which has a larger data > + * size, we shall support the existing flags within the current > + * size. Copy the remaining user data _after_ minsz but not more > + * than the current kernel supported size. > + */ > + if (copy_from_user((void *)&inv_info + minsz, uinfo + minsz, > + min(inv_info.argsz, (u32)sizeof(inv_info)) - minsz)) Could use min_t() to cast both args to the specified type. > + return -EFAULT; > + > + /* Now the argsz is validated, check the content */ > + ret = iommu_check_cache_invl_data(&inv_info); > + if (ret) > + return ret; > + > + return domain->ops->cache_invalidate(domain, dev, &inv_info); > } > EXPORT_SYMBOL_GPL(iommu_uapi_cache_invalidate); > > -int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, > - struct device *dev, struct iommu_gpasid_bind_data *data) > +static int iommu_check_bind_data(struct iommu_gpasid_bind_data *data) > +{ > + u32 mask; > + int i; > + > + if (data->version != IOMMU_GPASID_BIND_VERSION_1) > + return -EINVAL; > + > + /* Check all supported format, for now just VT-d */ > + mask = IOMMU_PASID_FORMAT_INTEL_VTD; > + if (data->format & ~mask) data->format is not a bitmask though, it's an index, right? Should defined formats be put into an enum with a last entry place holder for this code to test against? If we end up with holes in the enum, I guess we'd need to use special cases, ex: switch (data->format) { case IOMMU_PASID_FORMAT_DEPRECATED0: return -EINVAL; case 0 ... IOMMU_PASID_FORMAT_LAST: break; default: return -EINVAL; } It seems strange and error prone anyway for common code to check against a specific vendor format here. > + return -EINVAL; > + > + /* Check all flags */ > + mask = IOMMU_SVA_GPASID_VAL; > + if (data->flags & ~mask) > + return -EINVAL; > + > + /* Check reserved padding fields */ > + for (i = 0; i < 8; i++) { sizeof(data->padding) > + if (data->padding[i]) > + return -EINVAL; > + } > + > + return 0; > +} > + > +static int iommu_sva_prepare_bind_data(void __user *udata, > + struct iommu_gpasid_bind_data *data) > { > + u32 minsz; > + > + /* > + * No new spaces can be added before the variable sized union, the > + * minimum size is the offset to the union. > + */ > + minsz = offsetof(struct iommu_gpasid_bind_data, vendor); > + > + /* Copy minsz from user to get flags and argsz */ > + if (copy_from_user(data, udata, minsz)) > + return -EFAULT; > + > + /* Fields before variable size union is mandatory */ > + if (data->argsz < minsz) > + return -EINVAL; > + /* > + * User might be using a newer UAPI header, we shall let IOMMU vendor > + * driver decide on what size it needs. Since the guest PASID bind data > + * can be vendor specific, larger argsz could be the result of extension > + * for one vendor but it should not affect another vendor. > + * Copy the remaining user data _after_ minsz > + */ > + if (copy_from_user((void *)data + minsz, udata + minsz, > + min(data->argsz, (u32)sizeof(*data)) - minsz)) min_t() here too. Thanks, Alex > + return -EFAULT; > + > + return iommu_check_bind_data(data); > +} > + > +int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, struct device *dev, > + void __user *udata) > +{ > + struct iommu_gpasid_bind_data data = { 0 }; > + int ret; > + > if (unlikely(!domain->ops->sva_bind_gpasid)) > return -ENODEV; > > - return domain->ops->sva_bind_gpasid(domain, dev, data); > + ret = iommu_sva_prepare_bind_data(udata, &data); > + if (ret) > + return ret; > + > + return domain->ops->sva_bind_gpasid(domain, dev, &data); > } > EXPORT_SYMBOL_GPL(iommu_uapi_sva_bind_gpasid); > > -int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, struct device *dev, > - ioasid_t pasid) > +int iommu_sva_unbind_gpasid(struct iommu_domain *domain, struct device *dev, > + struct iommu_gpasid_bind_data *data) > { > if (unlikely(!domain->ops->sva_unbind_gpasid)) > return -ENODEV; > > - return domain->ops->sva_unbind_gpasid(dev, pasid); > + return domain->ops->sva_unbind_gpasid(dev, data->hpasid); > +} > +EXPORT_SYMBOL_GPL(iommu_sva_unbind_gpasid); > + > +int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, struct device *dev, > + void __user *udata) > +{ > + struct iommu_gpasid_bind_data data = { 0 }; > + int ret; > + > + if (unlikely(!domain->ops->sva_bind_gpasid)) > + return -ENODEV; > + > + ret = iommu_sva_prepare_bind_data(udata, &data); > + if (ret) > + return ret; > + > + return iommu_sva_unbind_gpasid(domain, dev, &data); > } > EXPORT_SYMBOL_GPL(iommu_uapi_sva_unbind_gpasid); > > diff --git a/include/linux/iommu.h b/include/linux/iommu.h > index 2dcc1a33f6dc..4a02c9e09048 100644 > --- a/include/linux/iommu.h > +++ b/include/linux/iommu.h > @@ -432,11 +432,14 @@ extern void iommu_detach_device(struct iommu_domain *domain, > struct device *dev); > extern int iommu_uapi_cache_invalidate(struct iommu_domain *domain, > struct device *dev, > - struct iommu_cache_invalidate_info *inv_info); > + void __user *uinfo); > + > extern int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, > - struct device *dev, struct iommu_gpasid_bind_data *data); > + struct device *dev, void __user *udata); > extern int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, > - struct device *dev, ioasid_t pasid); > + struct device *dev, void __user *udata); > +extern int iommu_sva_unbind_gpasid(struct iommu_domain *domain, > + struct device *dev, struct iommu_gpasid_bind_data *data); > extern struct iommu_domain *iommu_get_domain_for_dev(struct device *dev); > extern struct iommu_domain *iommu_get_dma_domain(struct device *dev); > extern int iommu_map(struct iommu_domain *domain, unsigned long iova, > @@ -1054,22 +1057,29 @@ static inline int iommu_sva_get_pasid(struct iommu_sva *handle) > return IOMMU_PASID_INVALID; > } > > -static inline int iommu_uapi_cache_invalidate(struct iommu_domain *domain, > - struct device *dev, > - struct iommu_cache_invalidate_info *inv_info) > +static inline int > +iommu_uapi_cache_invalidate(struct iommu_domain *domain, > + struct device *dev, > + struct iommu_cache_invalidate_info *inv_info) > { > return -ENODEV; > } > > static inline int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, > - struct device *dev, > - struct iommu_gpasid_bind_data *data) > + struct device *dev, void __user *udata) > { > return -ENODEV; > } > > static inline int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, > - struct device *dev, int pasid) > + struct device *dev, void __user *udata) > +{ > + return -ENODEV; > +} > + > +static inline int iommu_sva_unbind_gpasid(struct iommu_domain *domain, > + struct device *dev, > + struct iommu_gpasid_bind_data *data) > { > return -ENODEV; > } _______________________________________________ iommu mailing list iommu@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/iommu
On Thu, 23 Jul 2020 10:25:35 -0700 Jacob Pan <jacob.jun.pan@linux.intel.com> wrote: > IOMMU UAPI is newly introduced to support communications between guest > virtual IOMMU and host IOMMU. There has been lots of discussions on how > it should work with VFIO UAPI and userspace in general. > > This document is intended to clarify the UAPI design and usage. The > mechanics of how future extensions should be achieved are also covered > in this documentation. > > Signed-off-by: Liu Yi L <yi.l.liu@intel.com> > Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com> > --- > Documentation/userspace-api/iommu.rst | 231 ++++++++++++++++++++++++++++++++++ > MAINTAINERS | 1 + > 2 files changed, 232 insertions(+) > create mode 100644 Documentation/userspace-api/iommu.rst > > diff --git a/Documentation/userspace-api/iommu.rst b/Documentation/userspace-api/iommu.rst > new file mode 100644 > index 000000000000..0821b263edc1 > --- /dev/null > +++ b/Documentation/userspace-api/iommu.rst > @@ -0,0 +1,231 @@ > +.. SPDX-License-Identifier: GPL-2.0 > +.. iommu: > + > +===================================== > +IOMMU Userspace API > +===================================== > + > +IOMMU UAPI is used for virtualization cases where communications are > +needed between physical and virtual IOMMU drivers. For baremetal > +usage, the IOMMU is a system device which does not need to communicate > +with user space directly. > + > +The primary use cases are guest Shared Virtual Address (SVA) and > +guest IO virtual address (IOVA), wherin the vIOMMU implementation > +relies on the physical IOMMU and for this reason requires interactions > +with the host driver. > + > +.. contents:: :local: > + > +Functionalities > +=============== > +Communications of user and kernel involve both directions. The > +supported user-kernel APIs are as follows: > + > +1. Alloc/Free PASID > +2. Bind/unbind guest PASID (e.g. Intel VT-d) > +3. Bind/unbind guest PASID table (e.g. ARM SMMU) > +4. Invalidate IOMMU caches requested by guests > +5. Report errors to the guest and serve page requests > + > +Requirements > +============ > +The IOMMU UAPIs are generic and extensible to meet the following > +requirements: > + > +1. Emulated and para-virtualised vIOMMUs > +2. Multiple vendors (Intel VT-d, ARM SMMU, etc.) > +3. Extensions to the UAPI shall not break existing user space > + > +Interfaces > +========== > +Although the data structures defined in IOMMU UAPI are self-contained, > +there is no user API functions introduced. Instead, IOMMU UAPI is > +designed to work with existing user driver frameworks such as VFIO. > + > +Extension Rules & Precautions > +----------------------------- > +When IOMMU UAPI gets extended, the data structures can *only* be > +modified in two ways: > + > +1. Adding new fields by re-purposing the padding[] field. No size change. > +2. Adding new union members at the end. May increase the structure sizes. > + > +No new fields can be added *after* the variable sized union in that it > +will break backward compatibility when offset moves. A new flag must > +be introduced whenever a change affects the structure using either > +method. The IOMMU driver processes the data based on flags which > +ensures backward compatibility. > + > +Version field is only reserved for the unlikely event of UAPI upgrade > +at its entirety. > + > +It's *always* the caller's responsibility to indicate the size of the > +structure passed by setting argsz appropriately. > +Though at the same time, argsz is user provided data which is not > +trusted. The argsz field allows the user app to indicate how much data > +it is providing, it's still the kernel's responsibility to validate > +whether it's correct and sufficient for the requested operation. > + > +Compatibility Checking > +---------------------- > +When IOMMU UAPI extension results in some structure size increase, > +IOMMU UAPI code shall handle the following cases: > + > +1. User and kernel has exact size match > +2. An older user with older kernel header (smaller UAPI size) running on a > + newer kernel (larger UAPI size) > +3. A newer user with newer kernel header (larger UAPI size) running > + on an older kernel. > +4. A malicious/misbehaving user pass illegal/invalid size but within > + range. The data may contain garbage. > + > +Feature Checking > +---------------- > +While launching a guest with vIOMMU, it is important to ensure that host > +can support the UAPI data structures to be used for vIOMMU-pIOMMU > +communications. Without upfront compatibility checking, future failures > +are difficult to report even in normal conditions. > +A capability getter is offered to discover the feature support and > +potential API incompatibility support at an early stage. Detecting > +this later, when performing the actual cache/descriptor handling > +operations appears to be tricky and difficult to escalate to the > +guest. > + > +For example, IOTLB invalidations should always succeed. There is no > +architectural way to report back to the vIOMMU if the UAPI data is > +incompatible. If that happens, in order to guarantee IOMMU iosolation, isolation > +we have to resort to not giving completion status in vIOMMU. This may > +result in VM hang. > + > +For this reason the following IOMMU UAPIs cannot fail without > +catastrophic effect: > + > +1. Free PASID > +2. Unbind guest PASID > +3. Unbind guest PASID table (SMMU) > +4. Cache invalidate I'm not entirely sure what we're trying to assert here. Clearly cache invalidation can fail and patch 5/6 goes on to add over a dozen checks of the user provided data that return an -errno. Any user ioctl can fail if the user botches the parameters. So are we just trying to explain the feature checking that should allow the user to know supported combinations and if they adhere to them, these should not fail? It's not quite worded to that effect. Thanks, Alex > +User applications such as QEMU are expected to import kernel UAPI > +headers. Backward compatibility is supported per feature flags. > +For example, an older QEMU (with older kernel header) can run on newer > +kernel. Newer QEMU (with new kernel header) may refuse to initialize > +on an older kernel if new feature flags are not supported by older > +kernel. Simply recompiling existing code with newer kernel header should > +not be an issue in that only existing flags are used. > + > +IOMMU vendor driver should report the below features to IOMMU UAPI > +consumers (e.g. via VFIO). > + > +1. IOMMU_NESTING_FEAT_SYSWIDE_PASID > +2. IOMMU_NESTING_FEAT_BIND_PGTBL > +3. IOMMU_NESTING_FEAT_BIND_PASID_TABLE > +4. IOMMU_NESTING_FEAT_CACHE_INVLD > +5. IOMMU_NESTING_FEAT_PAGE_REQUEST > + > +Take VFIO as example, upon request from VFIO user space (e.g. QEMU), > +VFIO kernel code shall query IOMMU vendor driver for the support of > +the above features. Query result can then be reported back to the > +user-space caller. Details can be found in > +Documentation/driver-api/vfio.rst. > + > + > +Data Passing Example with VFIO > +------------------------------ > +As the ubiquitous userspace driver framework, VFIO is already IOMMU > +aware and shares many key concepts such as device model, group, and > +protection domain. Other user driver frameworks can also be extended > +to support IOMMU UAPI but it is outside the scope of this document. > + > +In this tight-knit VFIO-IOMMU interface, the ultimate consumer of the > +IOMMU UAPI data is the host IOMMU driver. VFIO facilitates user-kernel > +transport, capability checking, security, and life cycle management of > +process address space ID (PASID). > + > +Unlike normal user data passed via VFIO UAPI IOTCL, IOMMU driver is the > +ultimate consumer of its UAPI data. At VFIO layer, the IOMMU UAPI data > +is wrapped in a VFIO UAPI data. It follows the > +pattern below:: > + > + struct { > + __u32 argsz; > + __u32 flags; > + __u8 data[]; > + }; > + > +Here data[] contains the IOMMU UAPI data structures. VFIO has the > +freedom to bundle the data as well as parse data size based on its own flags. > + > +In order to determine the size and feature set of the user data, argsz > +and flags (or the equivalent) are also embedded in the IOMMU UAPI data > +structures. > + > +A "__u32 argsz" field is *always* at the beginning of each structure. > + > +For example: > +:: > + > + struct iommu_cache_invalidate_info { > + __u32 argsz; > + #define IOMMU_CACHE_INVALIDATE_INFO_VERSION_1 1 > + __u32 version; > + /* IOMMU paging structure cache */ > + #define IOMMU_CACHE_INV_TYPE_IOTLB (1 << 0) /* IOMMU IOTLB */ > + #define IOMMU_CACHE_INV_TYPE_DEV_IOTLB (1 << 1) /* Device IOTLB */ > + #define IOMMU_CACHE_INV_TYPE_PASID (1 << 2) /* PASID cache */ > + #define IOMMU_CACHE_INV_TYPE_NR (3) > + __u8 cache; > + __u8 granularity; > + __u8 padding[6]; > + union { > + struct iommu_inv_pasid_info pasid_info; > + struct iommu_inv_addr_info addr_info; > + } granu; > + }; > + > +VFIO is responsible for checking its own argsz and flags. It then > +invokes appropriate IOMMU UAPI functions. The user pointers are passed > +to the IOMMU layer for further processing. The responsibilities are > +divided as follows: > + > +- Generic IOMMU layer checks argsz range based on UAPI data in the > + current kernel version > + > +- Generic IOMMU layer checks content of the UAPI data for non-zero > + reserved bits in flags, padding fields, and unsupported version. > + This is to ensure not breaking userspace in the future when these > + fields or flags are used. > + > +- Vendor IOMMU driver checks argsz based on vendor flags, UAPI data > + is consumed based on flags. Vendor driver has access to > + unadulterated argsz value in case of vendor specific future > + extensions. Currently, it does not perform the copy_from_user() > + itself. A __user pointer can be provided in some future scenarios > + where there's vendor data outside of the structure definition. > + > +IOMMU code treats UAPI data into two categories: > + > +- structure contains vendor data > + (Example: iommu_uapi_cache_invalidate()) > + > +- structure contains only generic data > + (Example: iommu_uapi_sva_bind_gpasid()) > + > + > + > +Sharing UAPI with in-kernel users > +--------------------------------- > +For UAPIs that are shared with in-kernel users, a wrapper function is > +provided to distinguish the callers. For example, > + > +Userspace caller :: > + > + int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, > + struct device *dev, > + void __user *udata) > + > +In-kernel caller :: > + > + int iommu_sva_unbind_gpasid(struct iommu_domain *domain, > + struct device *dev, > + struct iommu_gpasid_bind_data *data) > diff --git a/MAINTAINERS b/MAINTAINERS > index d53db30d1365..11f907b11f12 100644 > --- a/MAINTAINERS > +++ b/MAINTAINERS > @@ -9010,6 +9010,7 @@ L: iommu@lists.linux-foundation.org > S: Maintained > T: git git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu.git > F: Documentation/devicetree/bindings/iommu/ > +F: Documentation/userspace-api/iommu.rst > F: drivers/iommu/ > F: include/linux/iommu.h > F: include/linux/iova.h _______________________________________________ iommu mailing list iommu@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/iommu
> From: Alex Williamson <alex.williamson@redhat.com> > Sent: Wednesday, July 29, 2020 3:20 AM > [...] > > + > > +For example, IOTLB invalidations should always succeed. There is no > > +architectural way to report back to the vIOMMU if the UAPI data is > > +incompatible. If that happens, in order to guarantee IOMMU iosolation, > > isolation > > > +we have to resort to not giving completion status in vIOMMU. This may > > +result in VM hang. > > + > > +For this reason the following IOMMU UAPIs cannot fail without > > +catastrophic effect: > > + > > +1. Free PASID > > +2. Unbind guest PASID > > +3. Unbind guest PASID table (SMMU) > > +4. Cache invalidate > > I'm not entirely sure what we're trying to assert here. Clearly cache > invalidation can fail and patch 5/6 goes on to add over a dozen checks > of the user provided data that return an -errno. Any user ioctl can > fail if the user botches the parameters. So are we just trying to > explain the feature checking that should allow the user to know > supported combinations and if they adhere to them, these should not > fail? It's not quite worded to that effect. Thanks, > I guess the above wording is messed by what a UAPI should behave and whether the vIOMMU reports associated errors. UAPI can always fail, as you pointed out. vIOMMU may not have a matching error code though, e.g. on Intel VT-d there is no error reporting mechanism for cache invalidation. However, it is not wise to assert UAPI behavior according to vIOMMU definition. An error is an error. vIOMMU should just react to UAPI errors according to its architecture definition (e.g. ignore, forward to guest, hang, etc.). From this matter I feel above section could better be removed. Thanks Kevin _______________________________________________ iommu mailing list iommu@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/iommu
On Wed, 29 Jul 2020 01:18:04 +0000 "Tian, Kevin" <kevin.tian@intel.com> wrote: > > From: Alex Williamson <alex.williamson@redhat.com> > > Sent: Wednesday, July 29, 2020 3:20 AM > > > [...] > > > + > > > +For example, IOTLB invalidations should always succeed. There is > > > no +architectural way to report back to the vIOMMU if the UAPI > > > data is +incompatible. If that happens, in order to guarantee > > > IOMMU iosolation, > > > > isolation > > > > > +we have to resort to not giving completion status in vIOMMU. > > > This may +result in VM hang. > > > + > > > +For this reason the following IOMMU UAPIs cannot fail without > > > +catastrophic effect: > > > + > > > +1. Free PASID > > > +2. Unbind guest PASID > > > +3. Unbind guest PASID table (SMMU) > > > +4. Cache invalidate > > > > I'm not entirely sure what we're trying to assert here. Clearly > > cache invalidation can fail and patch 5/6 goes on to add over a > > dozen checks of the user provided data that return an -errno. Any > > user ioctl can fail if the user botches the parameters. So are we > > just trying to explain the feature checking that should allow the > > user to know supported combinations and if they adhere to them, > > these should not fail? It's not quite worded to that effect. > > Thanks, > > I guess the above wording is messed by what a UAPI should > behave and whether the vIOMMU reports associated errors. > UAPI can always fail, as you pointed out. vIOMMU may not > have a matching error code though, e.g. on Intel VT-d there is no > error reporting mechanism for cache invalidation. However, > it is not wise to assert UAPI behavior according to vIOMMU > definition. An error is an error. vIOMMU should just react to > UAPI errors according to its architecture definition (e.g. ignore, > forward to guest, hang, etc.). From this matter I feel above > section could better be removed. > Yes, I agreed, the scope is not drawn clearly. This section is kind of the relic of a previous version where responsibility of feature checking lies with IOMMU UAPI instead of VFIO. How about just briefly mention that upfront feature checking is encouraged to avoid complex and catastrophic error at runtime? I will remove the rest. > Thanks > Kevin [Jacob Pan] _______________________________________________ iommu mailing list iommu@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/iommu
On Tue, 28 Jul 2020 13:19:44 -0600 Alex Williamson <alex.williamson@redhat.com> wrote: > On Thu, 23 Jul 2020 10:25:39 -0700 > Jacob Pan <jacob.jun.pan@linux.intel.com> wrote: > > > IOMMU user APIs are responsible for processing user data. This patch > > changes the interface such that user pointers can be passed into > > IOMMU code directly. Separate kernel APIs without user pointers are > > introduced for in-kernel users of the UAPI functionality. > > > > IOMMU UAPI data has a user filled argsz field which indicates the > > data length of the structure. User data is not trusted, argsz must > > be validated based on the current kernel data size, mandatory data > > size, and feature flags. > > > > User data may also be extended, resulting in possible argsz > > increase. Backward compatibility is ensured based on size and flags > > (or the functional equivalent fields) checking. > > > > This patch adds sanity checks in the IOMMU layer. In addition to > > argsz, reserved/unused fields in padding, flags, and version are > > also checked. Details are documented in > > Documentation/userspace-api/iommu.rst > > > > Signed-off-by: Liu Yi L <yi.l.liu@intel.com> > > Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com> > > --- > > drivers/iommu/iommu.c | 202 > > ++++++++++++++++++++++++++++++++++++++++++++++++-- > > include/linux/iommu.h | 28 ++++--- 2 files changed, 213 > > insertions(+), 17 deletions(-) > > > > diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c > > index 3a913ce94a3d..1ce2a61058c6 100644 > > --- a/drivers/iommu/iommu.c > > +++ b/drivers/iommu/iommu.c > > @@ -1950,33 +1950,219 @@ int iommu_attach_device(struct > > iommu_domain *domain, struct device *dev) } > > EXPORT_SYMBOL_GPL(iommu_attach_device); > > > > +/* > > + * Check flags and other user provided data for valid > > combinations. We also > > + * make sure no reserved fields or unused flags are set. This is > > to ensure > > + * not breaking userspace in the future when these fields or flags > > are used. > > + */ > > +static int iommu_check_cache_invl_data(struct > > iommu_cache_invalidate_info *info) +{ > > + u32 mask; > > + int i; > > + > > + if (info->version != IOMMU_CACHE_INVALIDATE_INFO_VERSION_1) > > + return -EINVAL; > > + > > + mask = (1 << IOMMU_CACHE_INV_TYPE_NR) - 1; > > + if (info->cache & ~mask) > > + return -EINVAL; > > + > > + if (info->granularity >= IOMMU_INV_GRANU_NR) > > + return -EINVAL; > > + > > + switch (info->granularity) { > > + case IOMMU_INV_GRANU_ADDR: > > + if (info->cache & IOMMU_CACHE_INV_TYPE_PASID) > > + return -EINVAL; > > + > > + mask = IOMMU_INV_ADDR_FLAGS_PASID | > > + IOMMU_INV_ADDR_FLAGS_ARCHID | > > + IOMMU_INV_ADDR_FLAGS_LEAF; > > + > > + if (info->granu.addr_info.flags & ~mask) > > + return -EINVAL; > > + break; > > + case IOMMU_INV_GRANU_PASID: > > + mask = IOMMU_INV_PASID_FLAGS_PASID | > > + IOMMU_INV_PASID_FLAGS_ARCHID; > > + if (info->granu.pasid_info.flags & ~mask) > > + return -EINVAL; > > + > > + break; > > + case IOMMU_INV_GRANU_DOMAIN: > > + if (info->cache & IOMMU_CACHE_INV_TYPE_DEV_IOTLB) > > + return -EINVAL; > > + break; > > + default: > > + return -EINVAL; > > + } > > + > > + /* Check reserved padding fields */ > > + for (i = 0; i < 6; i++) { > > We could use sizeof(info->padding) here to avoid future issues > relative to the number of padding bytes. > yes, much better. > > + if (info->padding[i]) > > + return -EINVAL; > > + } > > + > > + return 0; > > +} > > + > > int iommu_uapi_cache_invalidate(struct iommu_domain *domain, > > struct device *dev, > > - struct iommu_cache_invalidate_info > > *inv_info) > > + void __user *uinfo) > > { > > + struct iommu_cache_invalidate_info inv_info = { 0 }; > > + u32 minsz; > > + int ret = 0; > > + > > if (unlikely(!domain->ops->cache_invalidate)) > > return -ENODEV; > > > > - return domain->ops->cache_invalidate(domain, dev, > > inv_info); > > + /* > > + * No new spaces can be added before the variable sized > > union, the > > + * minimum size is the offset to the union. > > + */ > > + minsz = offsetof(struct iommu_cache_invalidate_info, > > granu); + > > + /* Copy minsz from user to get flags and argsz */ > > + if (copy_from_user(&inv_info, uinfo, minsz)) > > + return -EFAULT; > > + > > + /* Fields before variable size union is mandatory */ > > + if (inv_info.argsz < minsz) > > + return -EINVAL; > > + > > + /* PASID and address granu require additional info beyond > > minsz */ > > + if (inv_info.argsz == minsz && > > + ((inv_info.granularity == IOMMU_INV_GRANU_PASID) || > > + (inv_info.granularity == > > IOMMU_INV_GRANU_ADDR))) > > + return -EINVAL; > > + > > + if (inv_info.granularity == IOMMU_INV_GRANU_PASID && > > + inv_info.argsz < offsetofend(struct > > iommu_cache_invalidate_info, granu.pasid_info)) > > + return -EINVAL; > > + > > + if (inv_info.granularity == IOMMU_INV_GRANU_ADDR && > > + inv_info.argsz < offsetofend(struct > > iommu_cache_invalidate_info, granu.addr_info)) > > + return -EINVAL; > > + > > + /* > > + * User might be using a newer UAPI header which has a > > larger data > > + * size, we shall support the existing flags within the > > current > > + * size. Copy the remaining user data _after_ minsz but > > not more > > + * than the current kernel supported size. > > + */ > > + if (copy_from_user((void *)&inv_info + minsz, uinfo + > > minsz, > > + min(inv_info.argsz, > > (u32)sizeof(inv_info)) - minsz)) > > Could use min_t() to cast both args to the specified type. > will do. min_t(u32, > > + return -EFAULT; > > + > > + /* Now the argsz is validated, check the content */ > > + ret = iommu_check_cache_invl_data(&inv_info); > > + if (ret) > > + return ret; > > + > > + return domain->ops->cache_invalidate(domain, dev, > > &inv_info); } > > EXPORT_SYMBOL_GPL(iommu_uapi_cache_invalidate); > > > > -int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, > > - struct device *dev, struct > > iommu_gpasid_bind_data *data) +static int > > iommu_check_bind_data(struct iommu_gpasid_bind_data *data) +{ > > + u32 mask; > > + int i; > > + > > + if (data->version != IOMMU_GPASID_BIND_VERSION_1) > > + return -EINVAL; > > + > > + /* Check all supported format, for now just VT-d */ > > + mask = IOMMU_PASID_FORMAT_INTEL_VTD; > > + if (data->format & ~mask) > > data->format is not a bitmask though, it's an index, right? Should > defined formats be put into an enum with a last entry place holder for > this code to test against? If we end up with holes in the enum, I > guess we'd need to use special cases, ex: > > switch (data->format) { > case IOMMU_PASID_FORMAT_DEPRECATED0: > return -EINVAL; > case 0 ... IOMMU_PASID_FORMAT_LAST: > break; > default: > return -EINVAL; > } > > It seems strange and error prone anyway for common code to check > against a specific vendor format here. > Agreed, will change to enum with a last entry. > > + return -EINVAL; > > + > > + /* Check all flags */ > > + mask = IOMMU_SVA_GPASID_VAL; > > + if (data->flags & ~mask) > > + return -EINVAL; > > + > > + /* Check reserved padding fields */ > > + for (i = 0; i < 8; i++) { > > sizeof(data->padding) > will do. > > + if (data->padding[i]) > > + return -EINVAL; > > + } > > + > > + return 0; > > +} > > + > > +static int iommu_sva_prepare_bind_data(void __user *udata, > > + struct > > iommu_gpasid_bind_data *data) { > > + u32 minsz; > > + > > + /* > > + * No new spaces can be added before the variable sized > > union, the > > + * minimum size is the offset to the union. > > + */ > > + minsz = offsetof(struct iommu_gpasid_bind_data, vendor); > > + > > + /* Copy minsz from user to get flags and argsz */ > > + if (copy_from_user(data, udata, minsz)) > > + return -EFAULT; > > + > > + /* Fields before variable size union is mandatory */ > > + if (data->argsz < minsz) > > + return -EINVAL; > > + /* > > + * User might be using a newer UAPI header, we shall let > > IOMMU vendor > > + * driver decide on what size it needs. Since the guest > > PASID bind data > > + * can be vendor specific, larger argsz could be the > > result of extension > > + * for one vendor but it should not affect another vendor. > > + * Copy the remaining user data _after_ minsz > > + */ > > + if (copy_from_user((void *)data + minsz, udata + minsz, > > + min(data->argsz, (u32)sizeof(*data)) - > > minsz)) > > min_t() here too. Thanks, > will do. Thanks! > Alex > > > + return -EFAULT; > > + > > + return iommu_check_bind_data(data); > > +} > > + > > +int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, struct > > device *dev, > > + void __user *udata) > > +{ > > + struct iommu_gpasid_bind_data data = { 0 }; > > + int ret; > > + > > if (unlikely(!domain->ops->sva_bind_gpasid)) > > return -ENODEV; > > > > - return domain->ops->sva_bind_gpasid(domain, dev, data); > > + ret = iommu_sva_prepare_bind_data(udata, &data); > > + if (ret) > > + return ret; > > + > > + return domain->ops->sva_bind_gpasid(domain, dev, &data); > > } > > EXPORT_SYMBOL_GPL(iommu_uapi_sva_bind_gpasid); > > > > -int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, > > struct device *dev, > > - ioasid_t pasid) > > +int iommu_sva_unbind_gpasid(struct iommu_domain *domain, struct > > device *dev, > > + struct iommu_gpasid_bind_data *data) > > { > > if (unlikely(!domain->ops->sva_unbind_gpasid)) > > return -ENODEV; > > > > - return domain->ops->sva_unbind_gpasid(dev, pasid); > > + return domain->ops->sva_unbind_gpasid(dev, data->hpasid); > > +} > > +EXPORT_SYMBOL_GPL(iommu_sva_unbind_gpasid); > > + > > +int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, > > struct device *dev, > > + void __user *udata) > > +{ > > + struct iommu_gpasid_bind_data data = { 0 }; > > + int ret; > > + > > + if (unlikely(!domain->ops->sva_bind_gpasid)) > > + return -ENODEV; > > + > > + ret = iommu_sva_prepare_bind_data(udata, &data); > > + if (ret) > > + return ret; > > + > > + return iommu_sva_unbind_gpasid(domain, dev, &data); > > } > > EXPORT_SYMBOL_GPL(iommu_uapi_sva_unbind_gpasid); > > > > diff --git a/include/linux/iommu.h b/include/linux/iommu.h > > index 2dcc1a33f6dc..4a02c9e09048 100644 > > --- a/include/linux/iommu.h > > +++ b/include/linux/iommu.h > > @@ -432,11 +432,14 @@ extern void iommu_detach_device(struct > > iommu_domain *domain, struct device *dev); > > extern int iommu_uapi_cache_invalidate(struct iommu_domain *domain, > > struct device *dev, > > - struct > > iommu_cache_invalidate_info *inv_info); > > + void __user *uinfo); > > + > > extern int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, > > - struct device *dev, struct > > iommu_gpasid_bind_data *data); > > + struct device *dev, void > > __user *udata); extern int iommu_uapi_sva_unbind_gpasid(struct > > iommu_domain *domain, > > - struct device *dev, > > ioasid_t pasid); > > + struct device *dev, void > > __user *udata); +extern int iommu_sva_unbind_gpasid(struct > > iommu_domain *domain, > > + struct device *dev, struct > > iommu_gpasid_bind_data *data); extern struct iommu_domain > > *iommu_get_domain_for_dev(struct device *dev); extern struct > > iommu_domain *iommu_get_dma_domain(struct device *dev); extern int > > iommu_map(struct iommu_domain *domain, unsigned long iova, @@ > > -1054,22 +1057,29 @@ static inline int iommu_sva_get_pasid(struct > > iommu_sva *handle) return IOMMU_PASID_INVALID; } > > > > -static inline int iommu_uapi_cache_invalidate(struct iommu_domain > > *domain, > > - struct device *dev, > > - struct > > iommu_cache_invalidate_info *inv_info) +static inline int > > +iommu_uapi_cache_invalidate(struct iommu_domain *domain, > > + struct device *dev, > > + struct iommu_cache_invalidate_info > > *inv_info) { > > return -ENODEV; > > } > > > > static inline int iommu_uapi_sva_bind_gpasid(struct iommu_domain > > *domain, > > - struct device *dev, > > - struct > > iommu_gpasid_bind_data *data) > > + struct device *dev, > > void __user *udata) { > > return -ENODEV; > > } > > > > static inline int iommu_uapi_sva_unbind_gpasid(struct iommu_domain > > *domain, > > - struct device *dev, > > int pasid) > > + struct device *dev, > > void __user *udata) +{ > > + return -ENODEV; > > +} > > + > > +static inline int iommu_sva_unbind_gpasid(struct iommu_domain > > *domain, > > + struct device *dev, > > + struct > > iommu_gpasid_bind_data *data) { > > return -ENODEV; > > } > [Jacob Pan] _______________________________________________ iommu mailing list iommu@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/iommu