From: Dmytro Maluka <dmaluka@chromium.org>
To: Baolu Lu <baolu.lu@linux.intel.com>
Cc: iommu@lists.linux.dev, David Woodhouse <dwmw2@infradead.org>,
"Vineeth Pillai (Google)" <vineeth@bitbyteword.org>,
Aashish Sharma <aashish@aashishsharma.net>,
Grzegorz Jaszczyk <jaszczyk@chromium.org>,
Chuanxiao Dong <chuanxiao.dong@intel.com>,
Kevin Tian <kevin.tian@intel.com>
Subject: Re: [Intel IOMMU] Question about memory ordering in context/PASID entry updates
Date: Fri, 5 Dec 2025 15:09:57 +0100 [thread overview]
Message-ID: <aTLntWFSADz81_NF@google.com> (raw)
In-Reply-To: <b9c23895-ae8f-4c71-a0b4-5956e2719901@linux.intel.com>
On Fri, Dec 05, 2025 at 01:32:51PM +0800, Baolu Lu wrote:
> We didn't implement that primarily because we hadn't encountered any
> real issues, operating under the assumption that the root/context
> entries population is completed before DMA translation is really
> enabled.
>
> However, that assumption is incorrect, as users can change a device's
> default domain in VT-d legacy mode. This action triggers a context entry
> change while DMA translation is already running. So, yes, this is a bug.
I see, thanks. I might try to prepare a patch, though it seems not
exactly trivial to fix this all over the code. Roughly seems we could
just modify the context_set_*() helpers to use READ_ONCE/WRITE_ONCE
similarly to pasid_set_*(), plus add barrier() before
context_set_present() and pasid_set_present() calls, plus maybe we
should also correspondingly fix updating root table entries in
iommu_context_addr() etc.
BTW why exactly I'm concerned about this: even if no one has encountered
any functional issues caused by this, DMA isolation is also a security
thing, and an attacker might be able to exploit this (albeit only in
case those operations actually happen to be reordered by the compiler in
a dangerous way in the given kernel build).
> as users can change a device's
> default domain in VT-d legacy mode.
Not in scalable mode? I'd assume users can change it in both, and I
don't immediately see anything in the code that would limit it to legacy
mode only.
> Thanks,
> baolu
next prev parent reply other threads:[~2025-12-05 14:10 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-04 16:49 [Intel IOMMU] Question about memory ordering in context/PASID entry updates Dmytro Maluka
2025-12-05 5:32 ` Baolu Lu
2025-12-05 14:09 ` Dmytro Maluka [this message]
2025-12-07 3:35 ` Baolu Lu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aTLntWFSADz81_NF@google.com \
--to=dmaluka@chromium.org \
--cc=aashish@aashishsharma.net \
--cc=baolu.lu@linux.intel.com \
--cc=chuanxiao.dong@intel.com \
--cc=dwmw2@infradead.org \
--cc=iommu@lists.linux.dev \
--cc=jaszczyk@chromium.org \
--cc=kevin.tian@intel.com \
--cc=vineeth@bitbyteword.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.