From: Jacob Pan <jacob.jun.pan-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>
To: Jean-Philippe Brucker
	<jean-philippe.brucker-5wv7dgnIgG8@public.gmane.org>
Cc: "linux-pci-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
	<linux-pci-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	Will Deacon <Will.Deacon-5wv7dgnIgG8@public.gmane.org>,
	"okaya-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org"
	<okaya-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org>,
	"ashok.raj-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org"
	<ashok.raj-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>,
	"kevin.tian-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org"
	<kevin.tian-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>,
	"alex.williamson-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org"
	<alex.williamson-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
	Robin Murphy <Robin.Murphy-5wv7dgnIgG8@public.gmane.org>,
	"ilias.apalodimas-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org"
	<ilias.apalodimas-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>,
	"iommu-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org"
	<iommu-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
	"liguozhu-C8/M+/jPZTeaMJb+Lgu22Q@public.gmane.org"
	<liguozhu-C8/M+/jPZTeaMJb+Lgu22Q@public.gmane.org>,
	"christian.koenig-5C7GfCeVMHo@public.gmane.org"
	<christian.koenig-5C7GfCeVMHo@public.gmane.org>
Subject: Re: [PATCH v3 02/10] iommu/sva: Bind process address spaces to devices
Date: Wed, 26 Sep 2018 11:01:03 -0700	[thread overview]
Message-ID: <20180926110103.45b57f75@jacob-builder> (raw)
In-Reply-To: <7cbd503a-c79e-3c40-7388-ce6c23f7f536-5wv7dgnIgG8@public.gmane.org>

On Mon, 24 Sep 2018 13:07:47 +0100
Jean-Philippe Brucker <jean-philippe.brucker@arm.com> wrote:

> On 23/09/2018 04:05, Lu Baolu wrote:
> > Hi,
> > 
> > On 09/21/2018 01:00 AM, Jean-Philippe Brucker wrote:  
> >> Add bind() and unbind() operations to the IOMMU API. Bind()
> >> returns a PASID that drivers can program in hardware, to let their
> >> devices access an mm. This patch only adds skeletons for the
> >> device driver API, most of the implementation is still missing.  
> > 
> > Is it possible that a malicious process can unbind a pasid which is
> > used by another normal process?  
> 
> Yes, it's up to the device driver that calls unbind() to check that
> the caller is allowed to unbind this PASID. We can't do it ourselves
> since unbind() could also be called from a kernel thread for example
> from a cleanup function in some workqueue, outside the context of the
> process to unbind.
> 
I am wondering if we can avoid the complexity around permission
checking by simply _only_ allowing bind/unbind() on current mm? What would
be the missing use cases if we bind current only?
It can also avoid other races such as unbind and mmu_notifier release
call.

> Jean
> 
> > 
> > It might happen in below sequence:
> > 
> > 
> > Process A                       Process B
> > =========                       =========
> > iommu_sva_init_device(dev)
> > iommu_sva_bind_device(dev)
> > ....
> > device access mm of A with
> > #PASID returned above
> > ....
> >                                 iommu_sva_unbind_device(dev, #PASID)
> > ....
> > [unrecoverable errors]
> > 
> > I didn't have a thorough consideration of this. Sorry if this has
> > been prevented.
> > 
> > Best regards,
> > Lu Baolu  

[Jacob Pan]
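
The driver-side check described in the quoted reply, as an added example that is not part of the original message or of the patch series: a userspace C model in which a driver records which mm bound each PASID and refuses an unbind coming from a different mm, while still allowing kernel-context cleanup. All names (drv_ctx, drv_bind, drv_unbind, replay) are hypothetical, and a NULL caller standing for kernel context is an assumption of the model.

```c
#include <errno.h>
#include <stddef.h>

#define MAX_BONDS 8

struct mm { int id; };              /* stand-in for struct mm_struct */
struct bond { int pasid; const struct mm *owner; int in_use; };
struct drv_ctx { struct bond bonds[MAX_BONDS]; int next_pasid; };

/* Model of bind: remember which mm owns the PASID that is handed back. */
int drv_bind(struct drv_ctx *c, const struct mm *caller)
{
    for (int i = 0; i < MAX_BONDS; i++) {
        if (!c->bonds[i].in_use) {
            c->bonds[i] = (struct bond){ ++c->next_pasid, caller, 1 };
            return c->bonds[i].pasid;
        }
    }
    return -ENOSPC;
}

/* Model of the check a driver makes before unbinding. caller == NULL is
 * kernel context (e.g. workqueue cleanup): assumed trusted, no current mm. */
int drv_unbind(struct drv_ctx *c, const struct mm *caller, int pasid)
{
    for (int i = 0; i < MAX_BONDS; i++) {
        struct bond *b = &c->bonds[i];
        if (!b->in_use || b->pasid != pasid)
            continue;
        if (caller && caller != b->owner)
            return -EPERM;          /* process B asking to unbind A's PASID */
        b->in_use = 0;
        return 0;
    }
    return -ESRCH;                  /* PASID not bound on this device */
}

/* Replays the sequence from the thread: A binds, B tries to unbind. */
int replay(void)
{
    struct drv_ctx c = {0};
    struct mm a = {1}, b = {2};
    int pasid = drv_bind(&c, &a);
    if (drv_unbind(&c, &b, pasid) != -EPERM) return 1; /* B is refused */
    if (drv_unbind(&c, NULL, pasid) != 0) return 2;    /* cleanup path works */
    if (drv_unbind(&c, &a, pasid) != -ESRCH) return 3; /* already unbound */
    return 0;
}

int main(void) { return replay(); }
```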