From: Lu Baolu <baolu.lu@linux.intel.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Joerg Roedel <joro@8bytes.org>,
Alex Williamson <alex.williamson@redhat.com>,
Bjorn Helgaas <bhelgaas@google.com>,
Jason Gunthorpe <jgg@nvidia.com>,
Christoph Hellwig <hch@infradead.org>,
Kevin Tian <kevin.tian@intel.com>,
Ashok Raj <ashok.raj@intel.com>
Cc: Will Deacon <will@kernel.org>,
Robin Murphy <robin.murphy@arm.com>,
Dan Williams <dan.j.williams@intel.com>,
rafael@kernel.org, Diana Craciun <diana.craciun@oss.nxp.com>,
Cornelia Huck <cohuck@redhat.com>,
Eric Auger <eric.auger@redhat.com>, Liu Yi L <yi.l.liu@intel.com>,
Jacob jun Pan <jacob.jun.pan@intel.com>,
Chaitanya Kulkarni <kch@nvidia.com>,
Stuart Yoder <stuyoder@gmail.com>,
Laurentiu Tudor <laurentiu.tudor@nxp.com>,
Thierry Reding <thierry.reding@gmail.com>,
David Airlie <airlied@linux.ie>, Daniel Vetter <daniel@ffwll.ch>,
Jonathan Hunter <jonathanh@nvidia.com>,
Li Yang <leoyang.li@nxp.com>, Dmitry Osipenko <digetx@gmail.com>,
iommu@lists.linux-foundation.org, linux-pci@vger.kernel.org,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
Lu Baolu <baolu.lu@linux.intel.com>
Subject: [PATCH v3 09/18] PCI: portdrv: Suppress kernel DMA ownership auto-claiming
Date: Mon, 6 Dec 2021 09:58:54 +0800 [thread overview]
Message-ID: <20211206015903.88687-10-baolu.lu@linux.intel.com> (raw)
In-Reply-To: <20211206015903.88687-1-baolu.lu@linux.intel.com>
IOMMU grouping on PCI necessitates that if we lack isolation on a bridge
then all of the downstream devices will be part of the same IOMMU group
as the bridge. The existing vfio framework allows the portdrv driver to
be bound to the bridge while its downstream devices are assigned to user
space. The pci_dma_configure() marks the iommu_group as containing only
devices with kernel drivers that manage DMA. Avoid this default behavior
for the portdrv driver in order for compatibility with the current vfio
policy.
The commit 5f096b14d421b ("vfio: Whitelist PCI bridges") extended above
policy to all kernel drivers of bridge class. This is not always safe.
For example, The shpchp_core driver relies on the PCI MMIO access for the
controller functionality. With its downstream devices assigned to the
userspace, the MMIO might be changed through user initiated P2P accesses
without any notification. This might break the kernel driver integrity
and lead to some unpredictable consequences.
For any bridge driver, in order to avoiding default kernel DMA ownership
claiming, we should consider:
1) Does the bridge driver use DMA? Calling pci_set_master() or
a dma_map_* API is a sure indicate the driver is doing DMA
2) If the bridge driver uses MMIO, is it tolerant to hostile
userspace also touching the same MMIO registers via P2P DMA
attacks?
Conservatively if the driver maps an MMIO region at all, we can say that
it fails the test.
Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
Suggested-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
---
drivers/pci/pcie/portdrv_pci.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/pci/pcie/portdrv_pci.c b/drivers/pci/pcie/portdrv_pci.c
index 35eca6277a96..c66a83f2c987 100644
--- a/drivers/pci/pcie/portdrv_pci.c
+++ b/drivers/pci/pcie/portdrv_pci.c
@@ -202,6 +202,8 @@ static struct pci_driver pcie_portdriver = {
.err_handler = &pcie_portdrv_err_handler,
+ .suppress_auto_claim_dma_owner = true,
+
.driver.pm = PCIE_PORTDRV_PM_OPS,
};
--
2.25.1
next prev parent reply other threads:[~2021-12-06 2:00 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-06 1:58 [PATCH v3 00/18] Fix BUG_ON in vfio_iommu_group_notifier() Lu Baolu
2021-12-06 1:58 ` [PATCH v3 01/18] iommu: Add device dma ownership set/release interfaces Lu Baolu
2021-12-06 13:35 ` Joerg Roedel
2021-12-06 14:29 ` Christoph Hellwig
2021-12-06 15:01 ` Jason Gunthorpe
2021-12-07 1:52 ` Lu Baolu
2021-12-06 14:42 ` Christoph Hellwig
2021-12-07 2:07 ` Lu Baolu
2021-12-06 1:58 ` [PATCH v3 02/18] driver core: Add dma_cleanup callback in bus_type Lu Baolu
2021-12-06 1:58 ` [PATCH v3 03/18] driver core: platform: Rename platform_dma_configure() Lu Baolu
2021-12-06 7:53 ` Greg Kroah-Hartman
2021-12-06 14:13 ` Christoph Hellwig
2021-12-06 14:43 ` Greg Kroah-Hartman
2021-12-06 14:45 ` Jason Gunthorpe
2021-12-06 14:47 ` Christoph Hellwig
2021-12-06 15:04 ` Jason Gunthorpe
2021-12-07 1:21 ` Lu Baolu
2021-12-07 23:09 ` Dan Williams
2021-12-06 1:58 ` [PATCH v3 04/18] driver core: platform: Add driver dma ownership management Lu Baolu
2021-12-06 7:54 ` Greg Kroah-Hartman
2021-12-06 14:36 ` Christoph Hellwig
2021-12-06 15:06 ` Jason Gunthorpe
2021-12-07 2:57 ` Lu Baolu
2021-12-07 13:16 ` Jason Gunthorpe
2021-12-07 13:25 ` Christoph Hellwig
2021-12-07 13:30 ` Jason Gunthorpe
2021-12-09 1:20 ` Lu Baolu
2021-12-10 1:23 ` Lu Baolu
2021-12-13 0:50 ` Lu Baolu
2021-12-13 13:24 ` Jason Gunthorpe
2021-12-15 12:24 ` Lu Baolu
2021-12-14 16:35 ` Christoph Hellwig
2021-12-06 1:58 ` [PATCH v3 05/18] amba: " Lu Baolu
2021-12-06 1:58 ` [PATCH v3 06/18] bus: fsl-mc: " Lu Baolu
2021-12-06 1:58 ` [PATCH v3 07/18] PCI: " Lu Baolu
2021-12-06 1:58 ` [PATCH v3 08/18] PCI: pci_stub: Suppress kernel DMA ownership auto-claiming Lu Baolu
2021-12-06 1:58 ` Lu Baolu [this message]
2021-12-06 1:58 ` [PATCH v3 10/18] iommu: Add security context management for assigned devices Lu Baolu
2021-12-06 1:58 ` [PATCH v3 11/18] iommu: Expose group variants of dma ownership interfaces Lu Baolu
2021-12-06 1:58 ` [PATCH v3 12/18] iommu: Add iommu_at[de]tach_device_shared() for multi-device groups Lu Baolu
2021-12-06 14:43 ` Christoph Hellwig
2021-12-07 2:33 ` Lu Baolu
2021-12-06 1:58 ` [PATCH v3 13/18] vfio: Set DMA USER ownership for VFIO devices Lu Baolu
2021-12-06 1:58 ` [PATCH v3 14/18] vfio: Remove use of vfio_group_viable() Lu Baolu
2021-12-06 1:59 ` [PATCH v3 15/18] vfio: Delete the unbound_list Lu Baolu
2021-12-06 1:59 ` [PATCH v3 16/18] vfio: Remove iommu group notifier Lu Baolu
2021-12-06 1:59 ` [PATCH v3 17/18] iommu: Remove iommu group changes notifier Lu Baolu
2021-12-06 1:59 ` [PATCH v3 18/18] drm/tegra: Use the iommu dma_owner mechanism Lu Baolu
2021-12-06 12:40 ` Jason Gunthorpe
2021-12-07 2:34 ` Lu Baolu
2021-12-17 6:41 ` [PATCH v3 00/18] Fix BUG_ON in vfio_iommu_group_notifier() Lu Baolu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211206015903.88687-10-baolu.lu@linux.intel.com \
--to=baolu.lu@linux.intel.com \
--cc=airlied@linux.ie \
--cc=alex.williamson@redhat.com \
--cc=ashok.raj@intel.com \
--cc=bhelgaas@google.com \
--cc=cohuck@redhat.com \
--cc=dan.j.williams@intel.com \
--cc=daniel@ffwll.ch \
--cc=diana.craciun@oss.nxp.com \
--cc=digetx@gmail.com \
--cc=eric.auger@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=hch@infradead.org \
--cc=iommu@lists.linux-foundation.org \
--cc=jacob.jun.pan@intel.com \
--cc=jgg@nvidia.com \
--cc=jonathanh@nvidia.com \
--cc=joro@8bytes.org \
--cc=kch@nvidia.com \
--cc=kevin.tian@intel.com \
--cc=kvm@vger.kernel.org \
--cc=laurentiu.tudor@nxp.com \
--cc=leoyang.li@nxp.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=rafael@kernel.org \
--cc=robin.murphy@arm.com \
--cc=stuyoder@gmail.com \
--cc=thierry.reding@gmail.com \
--cc=will@kernel.org \
--cc=yi.l.liu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox