All of lore.kernel.org
 help / color / mirror / Atom feed
From: Thomas Gleixner <tglx@linutronix.de>
To: Fenghua Yu <fenghua.yu@intel.com>
Cc: Ravi V Shankar <ravi.v.shankar@intel.com>,
	Tony Luck <tony.luck@intel.com>, Ashok Raj <ashok.raj@intel.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Dave Hansen <dave.hansen@linux.intel.com>, x86 <x86@kernel.org>,
	linux-kernel <linux-kernel@vger.kernel.org>,
	iommu@lists.linux-foundation.org, Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>, Andy Lutomirski <luto@kernel.org>,
	Josh Poimboeuf <jpoimboe@redhat.com>
Subject: Re: [PATCH v2 05/11] iommu/sva: Assign a PASID to mm on PASID allocation and free it on mm exit
Date: Wed, 26 Jan 2022 15:23:42 +0100	[thread overview]
Message-ID: <87k0em4lu9.ffs@tglx> (raw)
In-Reply-To: <YfAUutQhqS6ejUFU@otcwcpicx3.sc.intel.com>

On Tue, Jan 25 2022 at 07:18, Fenghua Yu wrote:
> On Mon, Jan 24, 2022 at 09:55:56PM +0100, Thomas Gleixner wrote:
>  /**
>   * ioasid_put - Release a reference to an ioasid
>   * @ioasid: the ID to remove

which in turn makes ioasid_put() a misnomer and the whole refcounting of
the ioasid a pointless exercise.

While looking at ioasid_put() usage I tripped over the following UAF
issue:

--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -4817,8 +4817,10 @@ static int aux_domain_add_dev(struct dma
 	auxiliary_unlink_device(domain, dev);
 link_failed:
 	spin_unlock_irqrestore(&device_domain_lock, flags);
-	if (list_empty(&domain->subdevices) && domain->default_pasid > 0)
+	if (list_empty(&domain->subdevices) && domain->default_pasid > 0) {
 		ioasid_put(domain->default_pasid);
+		domain->default_pasid = INVALID_IOASID;
+	}
 
 	return ret;
 }
@@ -4847,8 +4849,10 @@ static void aux_domain_remove_dev(struct
 
 	spin_unlock_irqrestore(&device_domain_lock, flags);
 
-	if (list_empty(&domain->subdevices) && domain->default_pasid > 0)
+	if (list_empty(&domain->subdevices) && domain->default_pasid > 0) {
 		ioasid_put(domain->default_pasid);
+		domain->default_pasid = INVALID_IOASID;
+	}
 }
 
 static int prepare_domain_attach_device(struct iommu_domain *domain,

Vs. ioasid_put() I think we should fold the following:

--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -4818,7 +4818,7 @@ static int aux_domain_add_dev(struct dma
 link_failed:
 	spin_unlock_irqrestore(&device_domain_lock, flags);
 	if (list_empty(&domain->subdevices) && domain->default_pasid > 0) {
-		ioasid_put(domain->default_pasid);
+		ioasid_free(domain->default_pasid);
 		domain->default_pasid = INVALID_IOASID;
 	}
 
@@ -4850,7 +4850,7 @@ static void aux_domain_remove_dev(struct
 	spin_unlock_irqrestore(&device_domain_lock, flags);
 
 	if (list_empty(&domain->subdevices) && domain->default_pasid > 0) {
-		ioasid_put(domain->default_pasid);
+		ioasid_free(domain->default_pasid);
 		domain->default_pasid = INVALID_IOASID;
 	}
 }
--- a/drivers/iommu/ioasid.c
+++ b/drivers/iommu/ioasid.c
@@ -2,7 +2,7 @@
 /*
  * I/O Address Space ID allocator. There is one global IOASID space, split into
  * subsets. Users create a subset with DECLARE_IOASID_SET, then allocate and
- * free IOASIDs with ioasid_alloc and ioasid_put.
+ * free IOASIDs with ioasid_alloc() and ioasid_free().
  */
 #include <linux/ioasid.h>
 #include <linux/module.h>
@@ -15,7 +15,6 @@ struct ioasid_data {
 	struct ioasid_set *set;
 	void *private;
 	struct rcu_head rcu;
-	refcount_t refs;
 };
 
 /*
@@ -315,7 +314,6 @@ ioasid_t ioasid_alloc(struct ioasid_set
 
 	data->set = set;
 	data->private = private;
-	refcount_set(&data->refs, 1);
 
 	/*
 	 * Custom allocator needs allocator data to perform platform specific
@@ -348,17 +346,11 @@ ioasid_t ioasid_alloc(struct ioasid_set
 EXPORT_SYMBOL_GPL(ioasid_alloc);
 
 /**
- * ioasid_put - Release a reference to an ioasid
+ * ioasid_free - Free an ioasid
  * @ioasid: the ID to remove
- *
- * Put a reference to the IOASID, free it when the number of references drops to
- * zero.
- *
- * Return: %true if the IOASID was freed, %false otherwise.
  */
-bool ioasid_put(ioasid_t ioasid)
+void ioasid_free(ioasid_t ioasid)
 {
-	bool free = false;
 	struct ioasid_data *ioasid_data;
 
 	spin_lock(&ioasid_allocator_lock);
@@ -368,10 +360,6 @@ bool ioasid_put(ioasid_t ioasid)
 		goto exit_unlock;
 	}
 
-	free = refcount_dec_and_test(&ioasid_data->refs);
-	if (!free)
-		goto exit_unlock;
-
 	active_allocator->ops->free(ioasid, active_allocator->ops->pdata);
 	/* Custom allocator needs additional steps to free the xa element */
 	if (active_allocator->flags & IOASID_ALLOCATOR_CUSTOM) {
@@ -381,9 +369,8 @@ bool ioasid_put(ioasid_t ioasid)
 
 exit_unlock:
 	spin_unlock(&ioasid_allocator_lock);
-	return free;
 }
-EXPORT_SYMBOL_GPL(ioasid_put);
+EXPORT_SYMBOL_GPL(ioasid_free);
 
 /**
  * ioasid_find - Find IOASID data
--- a/include/linux/ioasid.h
+++ b/include/linux/ioasid.h
@@ -34,7 +34,7 @@ struct ioasid_allocator_ops {
 #if IS_ENABLED(CONFIG_IOASID)
 ioasid_t ioasid_alloc(struct ioasid_set *set, ioasid_t min, ioasid_t max,
 		      void *private);
-bool ioasid_put(ioasid_t ioasid);
+void ioasid_free(ioasid_t ioasid);
 void *ioasid_find(struct ioasid_set *set, ioasid_t ioasid,
 		  bool (*getter)(void *));
 int ioasid_register_allocator(struct ioasid_allocator_ops *allocator);
@@ -52,10 +52,7 @@ static inline ioasid_t ioasid_alloc(stru
 	return INVALID_IOASID;
 }
 
-static inline bool ioasid_put(ioasid_t ioasid)
-{
-	return false;
-}
+static inline void ioasid_free(ioasid_t ioasid) { }
 
 static inline void *ioasid_find(struct ioasid_set *set, ioasid_t ioasid,
 				bool (*getter)(void *))
--- a/include/linux/sched/mm.h
+++ b/include/linux/sched/mm.h
@@ -423,7 +423,7 @@ static inline void mm_pasid_set(struct m
 static inline void mm_pasid_drop(struct mm_struct *mm)
 {
 	if (pasid_valid(mm->pasid)) {
-		ioasid_put(mm->pasid);
+		ioasid_free(mm->pasid);
 		mm->pasid = INVALID_IOASID;
 	}
 }
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu

  reply	other threads:[~2022-01-26 14:23 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-12-17 22:01 [PATCH v2 00/11] Re-enable ENQCMD and PASID MSR Fenghua Yu
2021-12-17 22:01 ` [PATCH v2 01/11] iommu/sva: Rename CONFIG_IOMMU_SVA_LIB to CONFIG_IOMMU_SVA Fenghua Yu
2021-12-17 22:01 ` [PATCH v2 02/11] mm: Change CONFIG option for mm->pasid field Fenghua Yu
2021-12-17 22:01 ` [PATCH v2 03/11] iommu/ioasid: Introduce a helper to check for valid PASIDs Fenghua Yu
2021-12-17 22:01 ` [PATCH v2 04/11] kernel/fork: Initialize mm's PASID Fenghua Yu
2021-12-17 22:01 ` [PATCH v2 05/11] iommu/sva: Assign a PASID to mm on PASID allocation and free it on mm exit Fenghua Yu
2022-01-24 20:21   ` Thomas Gleixner
2022-01-24 20:33     ` Fenghua Yu
2022-01-24 20:36     ` Thomas Gleixner
2022-01-24 20:52       ` Fenghua Yu
2022-01-24 20:55         ` Thomas Gleixner
2022-01-25 15:18           ` Fenghua Yu
2022-01-26 14:23             ` Thomas Gleixner [this message]
2022-01-26 17:36               ` Fenghua Yu
2022-01-26 21:38                 ` Thomas Gleixner
2022-01-28  2:42                   ` Fenghua Yu
2022-01-28 14:53                     ` Thomas Gleixner
2021-12-17 22:01 ` [PATCH v2 06/11] x86/fpu: Clear PASID when copying fpstate Fenghua Yu
2021-12-17 22:01 ` [PATCH v2 07/11] sched: Define and initialize a flag to identify valid PASID in the task Fenghua Yu
2021-12-17 22:01 ` [PATCH v2 08/11] x86/traps: Demand-populate PASID MSR via #GP Fenghua Yu
2021-12-17 22:01 ` [PATCH v2 09/11] x86/cpufeatures: Re-enable ENQCMD Fenghua Yu
2021-12-17 22:01 ` [PATCH v2 10/11] tools/objtool: Check for use of the ENQCMD instruction in the kernel Fenghua Yu
2021-12-17 22:57   ` Josh Poimboeuf
2021-12-27 17:50     ` Fenghua Yu
2021-12-17 22:01 ` [PATCH v2 11/11] docs: x86: Change documentation for SVA (Shared Virtual Addressing) Fenghua Yu
2021-12-27 17:52 ` [PATCH v2 00/11] Re-enable ENQCMD and PASID MSR Fenghua Yu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87k0em4lu9.ffs@tglx \
    --to=tglx@linutronix.de \
    --cc=ashok.raj@intel.com \
    --cc=bp@alien8.de \
    --cc=dave.hansen@linux.intel.com \
    --cc=fenghua.yu@intel.com \
    --cc=iommu@lists.linux-foundation.org \
    --cc=jpoimboe@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=mingo@redhat.com \
    --cc=peterz@infradead.org \
    --cc=ravi.v.shankar@intel.com \
    --cc=tony.luck@intel.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.