From: Jason Gunthorpe <jgg@nvidia.com>
To: Eric Auger <eric.auger@redhat.com>
Cc: Nicolin Chen <nicolinc@nvidia.com>,
will@kernel.org, robin.murphy@arm.com, kevin.tian@intel.com,
tglx@linutronix.de, maz@kernel.org, alex.williamson@redhat.com,
joro@8bytes.org, shuah@kernel.org, reinette.chatre@intel.com,
yebin10@huawei.com, apatel@ventanamicro.com,
shivamurthy.shastri@linutronix.de, bhelgaas@google.com,
anna-maria@linutronix.de, yury.norov@gmail.com,
nipun.gupta@amd.com, iommu@lists.linux.dev,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, kvm@vger.kernel.org,
linux-kselftest@vger.kernel.org, patches@lists.linux.dev,
jean-philippe@linaro.org, mdf@kernel.org, mshavit@google.com,
shameerali.kolothum.thodi@huawei.com, smostafa@google.com,
ddutile@redhat.com
Subject: Re: [PATCH RFCv2 01/13] genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie
Date: Thu, 23 Jan 2025 14:48:55 -0400
Message-ID: <20250123184855.GU5556@nvidia.com>
In-Reply-To: <1b48e138-3134-442a-9796-e3a33b106221@redhat.com>
On Thu, Jan 23, 2025 at 06:10:48PM +0100, Eric Auger wrote:
> > However iommufd now permits the domain to change while the driver is
> > probed and VFIO userspace can create races with IRQ changes calling
> > iommu_dma_prepare/compose_msi_msg() and changing/freeing the iommu_domain.
> and is it safe in iommu_dma_prepare_msi()?

iommu_dma_prepare_msi() takes the group mutex:

int iommu_dma_prepare_msi(struct msi_desc *desc, phys_addr_t msi_addr)
{
	struct device *dev = msi_desc_to_dev(desc);
	struct iommu_group *group = dev->iommu_group;

	mutex_lock(&group->mutex);
	if (group->domain && group->domain->sw_msi)
		ret = group->domain->sw_msi(group->domain, desc, msi_addr);

Which prevents changing domain attachments during execution.

For iommufd, if the domain attachment changes immediately after
iommu_dma_prepare_msi() unlocks, then the information given to
msi_desc_set_iommu_msi_iova() is still valid on the new domain.

This is because the iommufd implementation of sw_msi keeps the same
IOVA for the same ITS page globally across all domains. Any racing
change of domain will attach a new domain with the right ITS IOVA
already mapped and populated.

It is why this series stops using the domain pointer as a cookie
inside the msi_desc: immediately after the group->mutex is unlocked
a new domain can be attached and the old domain can be freed, which
would UAF the domain pointer in the cookie.

> > diff --git a/include/linux/msi.h b/include/linux/msi.h
> > index b10093c4d00e..d442b4a69d56 100644
> > --- a/include/linux/msi.h
> > +++ b/include/linux/msi.h
> > @@ -184,7 +184,8 @@ struct msi_desc {
> > struct msi_msg msg;
> > struct irq_affinity_desc *affinity;
> > #ifdef CONFIG_IRQ_MSI_IOMMU
> > - const void *iommu_cookie;
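
Review bot: The removed `const void *iommu_cookie;` sits inside `#ifdef CONFIG_IRQ_MSI_IOMMU`, and the header (`-184,7 +184,8`) shows two lines taking its place, so every reader and writer of the replacement members has to stay behind the same guard or go through an accessor that has a stub for the disabled configuration. It would help to say in the struct's comment block that the new members hold plain values rather than a reference into the iommu_domain, so a later change does not reintroduce a pointer whose lifetime ends when group->mutex is dropped.
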
> you may add kernel doc comments above

I wondered if internal stuff was not being documented as the old
iommu_cookie didn't have a comment..

But sure:

 * @iommu_msi_iova: Optional IOVA from the IOMMU to override the msi_addr.
 *                  Only used if iommu_msi_page_shift != 0
 * @iommu_msi_page_shift: Indicates how many bits of the original address
 *                        should be preserved when using iommu_msi_iova.

Jason
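
The locking argument above as an added userspace sketch in C (not from the message or the kernel tree; the struct and function names, the 12-bit shift and the ITS_IOVA value are constructed for illustration). The descriptor keeps a copy of the IOVA taken under the group mutex, so replacing and freeing the domain right after unlock leaves nothing dangling, and the value stays correct because every domain maps the ITS page at the same IOVA.

```c
/* Added userspace model, not kernel code; all names here are hypothetical. */
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#define ITS_IOVA 0x8000000ULL /* constructed: same ITS IOVA in every domain */
struct domain { uint64_t its_iova; };
struct group { pthread_mutex_t mutex; struct domain *domain; };
struct desc { uint64_t msi_iova; unsigned int page_shift; }; /* values only */
static struct domain *domain_alloc(void)
{
	struct domain *d = malloc(sizeof(*d));
	if (d) d->its_iova = ITS_IOVA; /* the invariant the reply relies on */
	return d;
}
/* Models prepare: the domain is dereferenced only while the mutex is held. */
static int prepare_msi(struct group *g, struct desc *desc)
{
	pthread_mutex_lock(&g->mutex);
	int ok = g->domain != NULL;
	if (ok) *desc = (struct desc){ g->domain->its_iova, 12 }; /* copy, keep no pointer */
	pthread_mutex_unlock(&g->mutex);
	return ok ? 0 : -1;
}
/* Models a re-attach right after unlock: swap domains, free the old one. */
static int replace_domain(struct group *g)
{
	struct domain *next = domain_alloc(), *old;
	if (!next) return -1;
	pthread_mutex_lock(&g->mutex);
	old = g->domain;
	g->domain = next;
	pthread_mutex_unlock(&g->mutex);
	free(old); /* a cached pointer to 'old' would now dangle */
	return 0;
}
/* Models compose: lock-free, reads only the descriptor. */
static uint64_t compose_msi_addr(const struct desc *desc, uint64_t phys)
{
	if (!desc->page_shift) return phys; /* shift 0: no IOVA override */
	return desc->msi_iova | (phys & ((1ULL << desc->page_shift) - 1));
}
/* prepare, then the domain is replaced and freed, then compose. */
static uint64_t run_race_model(void)
{
	struct group g = { .mutex = PTHREAD_MUTEX_INITIALIZER, .domain = domain_alloc() };
	struct desc desc = { 0, 0 };
	int ok = g.domain && !prepare_msi(&g, &desc) && !replace_domain(&g);
	free(g.domain);
	return ok ? compose_msi_addr(&desc, 0x12340040ULL) : 0;
}
```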