From: Auger Eric <eric.auger@redhat.com>
To: Jacob Pan <jacob.pan.linux@gmail.com>,
iommu@lists.linux-foundation.org,
LKML <linux-kernel@vger.kernel.org>,
Joerg Roedel <joro@8bytes.org>,
Alex Williamson <alex.williamson@redhat.com>
Cc: "Tian, Kevin" <kevin.tian@intel.com>,
Raj Ashok <ashok.raj@intel.com>, Jonathan Corbet <corbet@lwn.net>,
Jean-Philippe Brucker <jean-philippe@linaro.com>,
Christoph Hellwig <hch@infradead.org>,
David Woodhouse <dwmw2@infradead.org>
Subject: Re: [PATCH v8 6/7] iommu/uapi: Handle data and argsz filled by users
Date: Thu, 3 Sep 2020 11:06:54 +0200 [thread overview]
Message-ID: <25ddf853-680a-2931-1f04-73474fd54f9d@redhat.com> (raw)
In-Reply-To: <1598898300-65475-7-git-send-email-jacob.jun.pan@linux.intel.com>
Hi Jacob,
On 8/31/20 8:24 PM, Jacob Pan wrote:
> IOMMU user APIs are responsible for processing user data. This patch
> changes the interface such that user pointers can be passed into IOMMU
> code directly. Separate kernel APIs without user pointers are introduced
> for in-kernel users of the UAPI functionality.
>
> IOMMU UAPI data has a user filled argsz field which indicates the data
> length of the structure. User data is not trusted, argsz must be
> validated based on the current kernel data size, mandatory data size,
> and feature flags.
If I am not wrong there is no change compared to
https://lkml.org/lkml/2020/8/13/215, besides rebase.
So despite the minor comment(s) I had,
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Thanks
Eric
>
> User data may also be extended, resulting in possible argsz increase.
> Backward compatibility is ensured based on size and flags (or
> the functional equivalent fields) checking.
>
> This patch adds sanity checks in the IOMMU layer. In addition to argsz,
> reserved/unused fields in padding, flags, and version are also checked.
> Details are documented in Documentation/userspace-api/iommu.rst
>
> Signed-off-by: Liu Yi L <yi.l.liu@intel.com>
> Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
> ---
> drivers/iommu/iommu.c | 201 ++++++++++++++++++++++++++++++++++++++++++++++++--
> include/linux/iommu.h | 28 ++++---
> 2 files changed, 212 insertions(+), 17 deletions(-)
>
> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
> index 4ae02291ccc2..3bc263ae31ed 100644
> --- a/drivers/iommu/iommu.c
> +++ b/drivers/iommu/iommu.c
> @@ -1961,33 +1961,218 @@ int iommu_attach_device(struct iommu_domain *domain, struct device *dev)
> }
> EXPORT_SYMBOL_GPL(iommu_attach_device);
>
> +/*
> + * Check flags and other user provided data for valid combinations. We also
> + * make sure no reserved fields or unused flags are set. This is to ensure
> + * not breaking userspace in the future when these fields or flags are used.
> + */
> +static int iommu_check_cache_invl_data(struct iommu_cache_invalidate_info *info)
> +{
> + u32 mask;
> + int i;
> +
> + if (info->version != IOMMU_CACHE_INVALIDATE_INFO_VERSION_1)
> + return -EINVAL;
> +
> + mask = (1 << IOMMU_CACHE_INV_TYPE_NR) - 1;
> + if (info->cache & ~mask)
> + return -EINVAL;
> +
> + if (info->granularity >= IOMMU_INV_GRANU_NR)
> + return -EINVAL;
> +
> + switch (info->granularity) {
> + case IOMMU_INV_GRANU_ADDR:
> + if (info->cache & IOMMU_CACHE_INV_TYPE_PASID)
> + return -EINVAL;
> +
> + mask = IOMMU_INV_ADDR_FLAGS_PASID |
> + IOMMU_INV_ADDR_FLAGS_ARCHID |
> + IOMMU_INV_ADDR_FLAGS_LEAF;
> +
> + if (info->granu.addr_info.flags & ~mask)
> + return -EINVAL;
> + break;
> + case IOMMU_INV_GRANU_PASID:
> + mask = IOMMU_INV_PASID_FLAGS_PASID |
> + IOMMU_INV_PASID_FLAGS_ARCHID;
> + if (info->granu.pasid_info.flags & ~mask)
> + return -EINVAL;
> +
> + break;
> + case IOMMU_INV_GRANU_DOMAIN:
> + if (info->cache & IOMMU_CACHE_INV_TYPE_DEV_IOTLB)
> + return -EINVAL;
> + break;
> + default:
> + return -EINVAL;
> + }
> +
> + /* Check reserved padding fields */
> + for (i = 0; i < sizeof(info->padding); i++) {
> + if (info->padding[i])
> + return -EINVAL;
> + }
> +
> + return 0;
> +}
> +
> int iommu_uapi_cache_invalidate(struct iommu_domain *domain, struct device *dev,
> - struct iommu_cache_invalidate_info *inv_info)
> + void __user *uinfo)
> {
> + struct iommu_cache_invalidate_info inv_info = { 0 };
> + u32 minsz;
> + int ret = 0;
> +
> if (unlikely(!domain->ops->cache_invalidate))
> return -ENODEV;
>
> - return domain->ops->cache_invalidate(domain, dev, inv_info);
> + /*
> + * No new spaces can be added before the variable sized union, the
> + * minimum size is the offset to the union.
> + */
> + minsz = offsetof(struct iommu_cache_invalidate_info, granu);
> +
> + /* Copy minsz from user to get flags and argsz */
> + if (copy_from_user(&inv_info, uinfo, minsz))
> + return -EFAULT;
> +
> + /* Fields before variable size union is mandatory */
> + if (inv_info.argsz < minsz)
> + return -EINVAL;
> +
> + /* PASID and address granu require additional info beyond minsz */
> + if (inv_info.argsz == minsz &&
> + ((inv_info.granularity == IOMMU_INV_GRANU_PASID) ||
> + (inv_info.granularity == IOMMU_INV_GRANU_ADDR)))
> + return -EINVAL;
> +
> + if (inv_info.granularity == IOMMU_INV_GRANU_PASID &&
> + inv_info.argsz < offsetofend(struct iommu_cache_invalidate_info, granu.pasid_info))
> + return -EINVAL;
> +
> + if (inv_info.granularity == IOMMU_INV_GRANU_ADDR &&
> + inv_info.argsz < offsetofend(struct iommu_cache_invalidate_info, granu.addr_info))
> + return -EINVAL;
> +
> + /*
> + * User might be using a newer UAPI header which has a larger data
> + * size, we shall support the existing flags within the current
> + * size. Copy the remaining user data _after_ minsz but not more
> + * than the current kernel supported size.
> + */
> + if (copy_from_user((void *)&inv_info + minsz, uinfo + minsz,
> + min_t(u32, inv_info.argsz, sizeof(inv_info)) - minsz))
> + return -EFAULT;
> +
> + /* Now the argsz is validated, check the content */
> + ret = iommu_check_cache_invl_data(&inv_info);
> + if (ret)
> + return ret;
> +
> + return domain->ops->cache_invalidate(domain, dev, &inv_info);
> }
> EXPORT_SYMBOL_GPL(iommu_uapi_cache_invalidate);
>
> -int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain,
> - struct device *dev, struct iommu_gpasid_bind_data *data)
> +static int iommu_check_bind_data(struct iommu_gpasid_bind_data *data)
> +{
> + u32 mask;
> + int i;
> +
> + if (data->version != IOMMU_GPASID_BIND_VERSION_1)
> + return -EINVAL;
> +
> + /* Check the range of supported formats */
> + if (data->format >= IOMMU_PASID_FORMAT_LAST)
> + return -EINVAL;
> +
> + /* Check all flags */
> + mask = IOMMU_SVA_GPASID_VAL;
> + if (data->flags & ~mask)
> + return -EINVAL;
> +
> + /* Check reserved padding fields */
> + for (i = 0; i < sizeof(data->padding); i++) {
> + if (data->padding[i])
> + return -EINVAL;
> + }
> +
> + return 0;
> +}
> +
> +static int iommu_sva_prepare_bind_data(void __user *udata,
> + struct iommu_gpasid_bind_data *data)
> {
> + u32 minsz;
> +
> + /*
> + * No new spaces can be added before the variable sized union, the
> + * minimum size is the offset to the union.
> + */
> + minsz = offsetof(struct iommu_gpasid_bind_data, vendor);
> +
> + /* Copy minsz from user to get flags and argsz */
> + if (copy_from_user(data, udata, minsz))
> + return -EFAULT;
> +
> + /* Fields before variable size union is mandatory */
> + if (data->argsz < minsz)
> + return -EINVAL;
> + /*
> + * User might be using a newer UAPI header, we shall let IOMMU vendor
> + * driver decide on what size it needs. Since the guest PASID bind data
> + * can be vendor specific, larger argsz could be the result of extension
> + * for one vendor but it should not affect another vendor.
> + * Copy the remaining user data _after_ minsz
> + */
> + if (copy_from_user((void *)data + minsz, udata + minsz,
> + min_t(u32, data->argsz, sizeof(*data)) - minsz))
> + return -EFAULT;
> +
> + return iommu_check_bind_data(data);
> +}
> +
> +int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, struct device *dev,
> + void __user *udata)
> +{
> + struct iommu_gpasid_bind_data data = { 0 };
> + int ret;
> +
> if (unlikely(!domain->ops->sva_bind_gpasid))
> return -ENODEV;
>
> - return domain->ops->sva_bind_gpasid(domain, dev, data);
> + ret = iommu_sva_prepare_bind_data(udata, &data);
> + if (ret)
> + return ret;
> +
> + return domain->ops->sva_bind_gpasid(domain, dev, &data);
> }
> EXPORT_SYMBOL_GPL(iommu_uapi_sva_bind_gpasid);
>
> -int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, struct device *dev,
> - ioasid_t pasid)
> +int iommu_sva_unbind_gpasid(struct iommu_domain *domain, struct device *dev,
> + struct iommu_gpasid_bind_data *data)
> {
> if (unlikely(!domain->ops->sva_unbind_gpasid))
> return -ENODEV;
>
> - return domain->ops->sva_unbind_gpasid(dev, pasid);
> + return domain->ops->sva_unbind_gpasid(dev, data->hpasid);
> +}
> +EXPORT_SYMBOL_GPL(iommu_sva_unbind_gpasid);
> +
> +int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain, struct device *dev,
> + void __user *udata)
> +{
> + struct iommu_gpasid_bind_data data = { 0 };
> + int ret;
> +
> + if (unlikely(!domain->ops->sva_bind_gpasid))
> + return -ENODEV;
> +
> + ret = iommu_sva_prepare_bind_data(udata, &data);
> + if (ret)
> + return ret;
> +
> + return iommu_sva_unbind_gpasid(domain, dev, &data);
> }
> EXPORT_SYMBOL_GPL(iommu_uapi_sva_unbind_gpasid);
>
> diff --git a/include/linux/iommu.h b/include/linux/iommu.h
> index 710d5d2691eb..c364b1c038da 100644
> --- a/include/linux/iommu.h
> +++ b/include/linux/iommu.h
> @@ -426,11 +426,14 @@ extern void iommu_detach_device(struct iommu_domain *domain,
> struct device *dev);
> extern int iommu_uapi_cache_invalidate(struct iommu_domain *domain,
> struct device *dev,
> - struct iommu_cache_invalidate_info *inv_info);
> + void __user *uinfo);
> +
> extern int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain,
> - struct device *dev, struct iommu_gpasid_bind_data *data);
> + struct device *dev, void __user *udata);
> extern int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain,
> - struct device *dev, ioasid_t pasid);
> + struct device *dev, void __user *udata);
> +extern int iommu_sva_unbind_gpasid(struct iommu_domain *domain,
> + struct device *dev, struct iommu_gpasid_bind_data *data);
> extern struct iommu_domain *iommu_get_domain_for_dev(struct device *dev);
> extern struct iommu_domain *iommu_get_dma_domain(struct device *dev);
> extern int iommu_map(struct iommu_domain *domain, unsigned long iova,
> @@ -1032,22 +1035,29 @@ static inline int iommu_sva_get_pasid(struct iommu_sva *handle)
> return IOMMU_PASID_INVALID;
> }
>
> -static inline int iommu_uapi_cache_invalidate(struct iommu_domain *domain,
> - struct device *dev,
> - struct iommu_cache_invalidate_info *inv_info)
> +static inline int
> +iommu_uapi_cache_invalidate(struct iommu_domain *domain,
> + struct device *dev,
> + struct iommu_cache_invalidate_info *inv_info)
> {
> return -ENODEV;
> }
>
> static inline int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain,
> - struct device *dev,
> - struct iommu_gpasid_bind_data *data)
> + struct device *dev, void __user *udata)
> {
> return -ENODEV;
> }
>
> static inline int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain,
> - struct device *dev, int pasid)
> + struct device *dev, void __user *udata)
> +{
> + return -ENODEV;
> +}
> +
> +static inline int iommu_sva_unbind_gpasid(struct iommu_domain *domain,
> + struct device *dev,
> + struct iommu_gpasid_bind_data *data)
> {
> return -ENODEV;
> }
>
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
next prev parent reply other threads:[~2020-09-03 9:07 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-31 18:24 [PATCH v8 0/7] IOMMU user API enhancement Jacob Pan
2020-08-31 18:24 ` [PATCH v8 1/7] docs: IOMMU user API Jacob Pan
2020-08-31 18:24 ` [PATCH v8 2/7] iommu/uapi: Add argsz for user filled data Jacob Pan
2020-08-31 18:24 ` [PATCH v8 3/7] iommu/uapi: Introduce enum type for PASID data format Jacob Pan
2020-08-31 18:24 ` [PATCH v8 4/7] iommu/uapi: Use named union for user data Jacob Pan
2020-08-31 18:24 ` [PATCH v8 5/7] iommu/uapi: Rename uapi functions Jacob Pan
2020-08-31 18:24 ` [PATCH v8 6/7] iommu/uapi: Handle data and argsz filled by users Jacob Pan
2020-09-03 9:06 ` Auger Eric [this message]
2020-09-08 22:59 ` Alex Williamson
2020-08-31 18:25 ` [PATCH v8 7/7] iommu/vt-d: Check UAPI data processed by IOMMU core Jacob Pan
2020-09-01 3:08 ` Lu Baolu
2020-09-03 8:56 ` Auger Eric
2020-09-08 17:33 ` [PATCH v8 0/7] IOMMU user API enhancement Jacob Pan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=25ddf853-680a-2931-1f04-73474fd54f9d@redhat.com \
--to=eric.auger@redhat.com \
--cc=alex.williamson@redhat.com \
--cc=ashok.raj@intel.com \
--cc=corbet@lwn.net \
--cc=dwmw2@infradead.org \
--cc=hch@infradead.org \
--cc=iommu@lists.linux-foundation.org \
--cc=jacob.pan.linux@gmail.com \
--cc=jean-philippe@linaro.com \
--cc=joro@8bytes.org \
--cc=kevin.tian@intel.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).