From: Jason Gunthorpe <jgg@nvidia.com>
To: Michael Shavit <mshavit@google.com>
Cc: Will Deacon <will@kernel.org>,
	iommu@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org, robin.murphy@arm.com,
	nicolinc@nvidia.com, jean-philippe@linaro.org
Subject: Re: [PATCH v5 5/9] iommu/arm-smmu-v3: Refactor write_ctx_desc
Date: Tue, 15 Aug 2023 08:22:55 -0300
Message-ID: <ZNtgD3LKwS4eatoe@nvidia.com>
In-Reply-To: <CAKHBV24SLBNw-yWn3m6BtvvHUgD0h1e1QkEb1LrUcWSwpR85Yg@mail.gmail.com>

On Tue, Aug 15, 2023 at 01:20:04PM +0800, Michael Shavit wrote:
> On Thu, Aug 10, 2023 at 11:39 PM Jason Gunthorpe <jgg@nvidia.com> wrote:
> >
> > Actually, I don't think this even works as nothing on the PASID path
> > adds to the list that arm_smmu_write_ctx_desc_devices() iterates over ??
> >
> > Then the remaining two calls:
> >
> > arm_smmu_share_asid(struct mm_struct *mm, u16 asid)
> >         arm_smmu_write_ctx_desc_devices(smmu_domain, 0, cd);
> >
> >         This is OK only if the sketchy assumption that the CD
> >         we extracted for a conflicting ASID is not assigned to a PASID.
> >
> > static void arm_smmu_mm_release(struct mmu_notifier *mn, struct mm_struct *mm)
> >         arm_smmu_write_ctx_desc_devices(smmu_domain, mm->pasid, &quiet_cd);
> >
> >         This doesn't work because we didn't add the master to the list
> >         during __arm_smmu_sva_bind and this path is expressly working
> >         on the PASID binds, not the RID binds.
> 
> Actually it is working on the RID attached domain (as returned by
> iommu_get_domain_for_dev() at sva_bind time) not the SVA domain
> here...

That can't be right, the purpose of that call and arm_smmu_mm_release is to
disable the PASID that is about to UAF the mm's page table.

Jason
