From: Marc Zyngier <maz@kernel.org>
To: Lu Baolu <baolu.lu@linux.intel.com>
Cc: Arnd Bergmann <arnd@kernel.org>, Will Deacon <will@kernel.org>,
Hector Martin <marcan@marcan.st>,
linux-kernel@vger.kernel.org, iommu@lists.linux-foundation.org,
Alexander Graf <graf@amazon.com>,
Mohamed Mediouni <mohamed.mediouni@caramail.com>,
Robin Murphy <robin.murphy@arm.com>,
Alyssa Rosenzweig <alyssa@rosenzweig.io>
Subject: Re: [PATCH v3 4/6] iommu: Move IOMMU pagesize check to attach_device
Date: Thu, 21 Oct 2021 09:10:49 +0100 [thread overview]
Message-ID: <87wnm6bxx2.wl-maz@kernel.org> (raw)
In-Reply-To: <6a886030-cbc6-9e92-bf79-77b659da2915@linux.intel.com>
On Thu, 21 Oct 2021 03:22:30 +0100,
Lu Baolu <baolu.lu@linux.intel.com> wrote:
>
> On 10/20/21 10:22 PM, Marc Zyngier wrote:
> > On Wed, 20 Oct 2021 06:21:44 +0100,
> > Lu Baolu <baolu.lu@linux.intel.com> wrote:
> >>
> >> On 2021/10/20 0:37, Sven Peter via iommu wrote:
> >>> + /*
> >>> + * Check that CPU pages can be represented by the IOVA granularity.
> >>> + * This has to be done after ops->attach_dev since many IOMMU drivers
> >>> + * only limit domain->pgsize_bitmap after having attached the first
> >>> + * device.
> >>> + */
> >>> + ret = iommu_check_page_size(domain);
> >>> + if (ret) {
> >>> + __iommu_detach_device(domain, dev);
> >>> + return ret;
> >>> + }
> >>
> >> It looks odd. __iommu_attach_device() attaches an I/O page table for a
> >> device. How does it relate to CPU pages? Why is it a failure case if CPU
> >> page size is not covered?
> >
> > If you allocate a CPU PAGE_SIZE'd region, and point it at a device
> > that now can DMA to more than what you have allocated because the
> > IOMMU's own page size is larger, the device has now access to data it
> > shouldn't see. In my book, that's a pretty bad thing.
>
> But even you enforce the CPU page size check here, this problem still
> exists unless all DMA buffers are PAGE_SIZE aligned and sized, right?
Let me take a CPU analogy: you have a page that contains some user
data *and* a kernel secret. How do you map this page into userspace
without leaking the kernel secret?
PAGE_SIZE allocations are the unit of isolation, and this applies to
both CPU and IOMMU. If you have allocated a DMA buffer that is less
than a page, you then have to resort to bounce buffering, or accept
that your data isn't safe.
M.
--
Without deviation from the norm, progress is not possible.
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
WARNING: multiple messages have this Message-ID (diff)
From: Marc Zyngier <maz@kernel.org>
To: Lu Baolu <baolu.lu@linux.intel.com>
Cc: Sven Peter <sven@svenpeter.dev>,
iommu@lists.linux-foundation.org,
Robin Murphy <robin.murphy@arm.com>,
Arnd Bergmann <arnd@kernel.org>, Hector Martin <marcan@marcan.st>,
linux-kernel@vger.kernel.org, Alexander Graf <graf@amazon.com>,
Mohamed Mediouni <mohamed.mediouni@caramail.com>,
Will Deacon <will@kernel.org>,
Alyssa Rosenzweig <alyssa@rosenzweig.io>
Subject: Re: [PATCH v3 4/6] iommu: Move IOMMU pagesize check to attach_device
Date: Thu, 21 Oct 2021 09:10:49 +0100 [thread overview]
Message-ID: <87wnm6bxx2.wl-maz@kernel.org> (raw)
In-Reply-To: <6a886030-cbc6-9e92-bf79-77b659da2915@linux.intel.com>
On Thu, 21 Oct 2021 03:22:30 +0100,
Lu Baolu <baolu.lu@linux.intel.com> wrote:
>
> On 10/20/21 10:22 PM, Marc Zyngier wrote:
> > On Wed, 20 Oct 2021 06:21:44 +0100,
> > Lu Baolu <baolu.lu@linux.intel.com> wrote:
> >>
> >> On 2021/10/20 0:37, Sven Peter via iommu wrote:
> >>> + /*
> >>> + * Check that CPU pages can be represented by the IOVA granularity.
> >>> + * This has to be done after ops->attach_dev since many IOMMU drivers
> >>> + * only limit domain->pgsize_bitmap after having attached the first
> >>> + * device.
> >>> + */
> >>> + ret = iommu_check_page_size(domain);
> >>> + if (ret) {
> >>> + __iommu_detach_device(domain, dev);
> >>> + return ret;
> >>> + }
> >>
> >> It looks odd. __iommu_attach_device() attaches an I/O page table for a
> >> device. How does it relate to CPU pages? Why is it a failure case if CPU
> >> page size is not covered?
> >
> > If you allocate a CPU PAGE_SIZE'd region, and point it at a device
> > that now can DMA to more than what you have allocated because the
> > IOMMU's own page size is larger, the device has now access to data it
> > shouldn't see. In my book, that's a pretty bad thing.
>
> But even you enforce the CPU page size check here, this problem still
> exists unless all DMA buffers are PAGE_SIZE aligned and sized, right?
Let me take a CPU analogy: you have a page that contains some user
data *and* a kernel secret. How do you map this page into userspace
without leaking the kernel secret?
PAGE_SIZE allocations are the unit of isolation, and this applies to
both CPU and IOMMU. If you have allocated a DMA buffer that is less
than a page, you then have to resort to bounce buffering, or accept
that your data isn't safe.
M.
--
Without deviation from the norm, progress is not possible.
next prev parent reply other threads:[~2021-10-21 8:10 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-19 16:37 [PATCH v3 0/6] Support IOMMU page sizes larger than the CPU page size Sven Peter via iommu
2021-10-19 16:37 ` Sven Peter
2021-10-19 16:37 ` [PATCH v3 1/6] iommu/dma: Disable get_sgtable for granule > PAGE_SIZE Sven Peter via iommu
2021-10-19 16:37 ` Sven Peter
2021-10-19 16:37 ` [PATCH v3 2/6] iommu/dma: Support granule > PAGE_SIZE in dma_map_sg Sven Peter via iommu
2021-10-19 16:37 ` Sven Peter
2021-10-19 16:37 ` [PATCH v3 3/6] iommu/dma: Support granule > PAGE_SIZE allocations Sven Peter via iommu
2021-10-19 16:37 ` Sven Peter
2021-10-19 16:37 ` [PATCH v3 4/6] iommu: Move IOMMU pagesize check to attach_device Sven Peter via iommu
2021-10-19 16:37 ` Sven Peter
2021-10-20 5:21 ` Lu Baolu
2021-10-20 5:21 ` Lu Baolu
2021-10-20 14:22 ` Marc Zyngier
2021-10-20 14:22 ` Marc Zyngier
2021-10-21 2:22 ` Lu Baolu
2021-10-21 2:22 ` Lu Baolu
2021-10-21 8:10 ` Marc Zyngier [this message]
2021-10-21 8:10 ` Marc Zyngier
2021-10-22 2:52 ` Lu Baolu
2021-10-22 2:52 ` Lu Baolu
2021-10-22 8:06 ` Marc Zyngier
2021-10-22 8:06 ` Marc Zyngier
2021-10-22 13:39 ` Robin Murphy
2021-10-22 13:39 ` Robin Murphy
2021-10-23 8:40 ` Sven Peter via iommu
2021-10-21 8:31 ` Sven Peter via iommu
2021-10-21 8:31 ` Sven Peter
2021-10-19 16:37 ` [PATCH v3 5/6] iommu: Introduce __IOMMU_DOMAIN_LP Sven Peter via iommu
2021-10-19 16:37 ` Sven Peter
2021-10-19 16:37 ` [PATCH v3 6/6] iommu/dart: Remove force_bypass logic Sven Peter via iommu
2021-10-19 16:37 ` Sven Peter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87wnm6bxx2.wl-maz@kernel.org \
--to=maz@kernel.org \
--cc=alyssa@rosenzweig.io \
--cc=arnd@kernel.org \
--cc=baolu.lu@linux.intel.com \
--cc=graf@amazon.com \
--cc=iommu@lists.linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marcan@marcan.st \
--cc=mohamed.mediouni@caramail.com \
--cc=robin.murphy@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.