Re: [PATCH 2/5] iommu: Ensure device has the same iommu_ops as the domain

From: Robin Murphy <robin.murphy@arm.com>
To: Nicolin Chen <nicolinc@nvidia.com>,
	jgg@nvidia.com, joro@8bytes.org, will@kernel.org,
	marcan@marcan.st, sven@svenpeter.dev, robdclark@gmail.com,
	m.szyprowski@samsung.com, krzysztof.kozlowski@linaro.org,
	baolu.lu@linux.intel.com, agross@kernel.org,
	bjorn.andersson@linaro.org, matthias.bgg@gmail.com,
	heiko@sntech.de, orsonzhai@gmail.com, baolin.wang7@gmail.com,
	zhang.lyra@gmail.com, wens@csie.org, jernej.skrabec@gmail.com,
	samuel@sholland.org, jean-philippe@linaro.org,
	alex.williamson@redhat.com
Cc: mjrosato@linux.ibm.com,
	virtualization@lists.linux-foundation.org,
	thierry.reding@gmail.com, alim.akhtar@samsung.com,
	alyssa@rosenzweig.io, linux-s390@vger.kernel.org,
	linux-samsung-soc@vger.kernel.org, kvm@vger.kernel.org,
	jonathanh@nvidia.com, linux-rockchip@lists.infradead.org,
	yong.wu@mediatek.com, gerald.schaefer@linux.ibm.com,
	linux-sunxi@lists.linux.dev, linux-arm-msm@vger.kernel.org,
	linux-mediatek@lists.infradead.org, linux-tegra@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org, cohuck@redhat.com,
	linux-kernel@vger.kernel.org, iommu@lists.linux-foundation.org,
	suravee.suthikulpanit@amd.com, dwmw2@infradead.org
Subject: Re: [PATCH 2/5] iommu: Ensure device has the same iommu_ops as the domain
Date: Mon, 6 Jun 2022 15:33:42 +0100	[thread overview]
Message-ID: <1e0e5403-1e65-db9a-c8e7-34e316bfda8e@arm.com> (raw)
In-Reply-To: <20220606061927.26049-3-nicolinc@nvidia.com>

On 2022-06-06 07:19, Nicolin Chen wrote:
> The core code should not call an iommu driver op with a struct device
> parameter unless it knows that the dev_iommu_priv_get() for that struct
> device was setup by the same driver. Otherwise in a mixed driver system
> the iommu_priv could be casted to the wrong type.

We don't have mixed-driver systems, and there are plenty more 
significant problems than this one to solve before we can (but thanks 
for pointing it out - I hadn't got as far as auditing the public 
interfaces yet). Once domains are allocated via a particular device's 
IOMMU instance in the first place, there will be ample opportunity for 
the core to stash suitable identifying information in the domain for 
itself. TBH even the current code could do it without needing the 
weirdly invasive changes here.

> Store the iommu_ops pointer in the iommu_domain and use it as a check to
> validate that the struct device is correct before invoking any domain op
> that accepts a struct device.

In fact this even describes exactly that - "Store the iommu_ops pointer 
in the iommu_domain", vs. the "Store the iommu_ops pointer in the 
iommu_domain_ops" which the patch is actually doing :/

[...]
> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
> index 19cf28d40ebe..8a1f437a51f2 100644
> --- a/drivers/iommu/iommu.c
> +++ b/drivers/iommu/iommu.c
> @@ -1963,6 +1963,10 @@ static int __iommu_attach_device(struct iommu_domain *domain,
>   {
>   	int ret;
>   
> +	/* Ensure the device was probe'd onto the same driver as the domain */
> +	if (dev->bus->iommu_ops != domain->ops->iommu_ops)

Nope, dev_iommu_ops(dev) please. Furthermore I think the logical place 
to put this is in iommu_group_do_attach_device(), since that's the 
gateway for the public interfaces - we shouldn't need to second-guess 
ourselves for internal default-domain-related calls.

Thanks,
Robin.

> +		return -EMEDIUMTYPE;
> +
>   	if (unlikely(domain->ops->attach_dev == NULL))
>   		return -ENODEV;

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel