From: Jason Gunthorpe <jgg@nvidia.com>
To: "Tian, Kevin" <kevin.tian@intel.com>
Cc: Nicolin Chen <nicolinc@nvidia.com>,
"corbet@lwn.net" <corbet@lwn.net>,
"will@kernel.org" <will@kernel.org>,
"robin.murphy@arm.com" <robin.murphy@arm.com>,
"joro@8bytes.org" <joro@8bytes.org>,
"thierry.reding@gmail.com" <thierry.reding@gmail.com>,
"vdumpa@nvidia.com" <vdumpa@nvidia.com>,
"jonathanh@nvidia.com" <jonathanh@nvidia.com>,
"shuah@kernel.org" <shuah@kernel.org>,
"praan@google.com" <praan@google.com>,
"nathan@kernel.org" <nathan@kernel.org>,
"peterz@infradead.org" <peterz@infradead.org>,
"Liu, Yi L" <yi.l.liu@intel.com>,
"jsnitsel@redhat.com" <jsnitsel@redhat.com>,
"mshavit@google.com" <mshavit@google.com>,
"zhangzekun11@huawei.com" <zhangzekun11@huawei.com>,
"iommu@lists.linux.dev" <iommu@lists.linux.dev>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
"linux-tegra@vger.kernel.org" <linux-tegra@vger.kernel.org>,
"linux-kselftest@vger.kernel.org"
<linux-kselftest@vger.kernel.org>,
"patches@lists.linux.dev" <patches@lists.linux.dev>
Subject: Re: [PATCH v1 15/16] iommu/tegra241-cmdqv: Add user-space use support
Date: Wed, 23 Apr 2025 08:55:51 -0300 [thread overview]
Message-ID: <20250423115551.GC1648741@nvidia.com> (raw)
In-Reply-To: <BN9PR11MB5276220C7B2C5743DC8364CB8CBA2@BN9PR11MB5276.namprd11.prod.outlook.com>
On Wed, Apr 23, 2025 at 08:05:49AM +0000, Tian, Kevin wrote:
> It's not a good idea having the kernel trust the VMM.
It certainly shouldn't trust it, but it can validate the VMM's choice
and generate a failure if it isn't good.
> Also I'm not
> sure the contiguity is guaranteed all the time with huge page
> (e.g. if just using THP).
If things are aligned then the contiguity will work out. Ie a 64K
aligned allocation on a 2M GPA is fine. I don't think there are
edge cases where a GPA will be fragmented. It does rely on the VMM
always getting some kind of huge page and then pinning it in iommufd.
IMHO this is bad HW design, but it is what it is..
> btw does smmu only read the cmdq or also update some fields
> in the queue? If the latter, then it also brings a security hole
> as a malicious VMM could violate the contiguity requirement
> to instruct the smmu to touch pages which don't belong to
> it...
This really must be prevented. I haven't looked closely here, but the
GPA -> PA mapping should go through the IOAS and that should generate
a page list and that should be validated for contiguity.
It also needs to act like a mdev and lock down the part of the IOAS
that provides that memory so the pin can't be released and UAF things.
Jason
next prev parent reply other threads:[~2025-04-23 13:06 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-11 6:37 [PATCH v1 00/16] iommufd: Add vIOMMU infrastructure (Part-4 vCMDQ) Nicolin Chen
2025-04-11 6:37 ` [PATCH v1 01/16] iommu: Pass in a driver-level user data structure to viommu_alloc op Nicolin Chen
2025-04-23 13:16 ` Jason Gunthorpe
2025-04-11 6:37 ` [PATCH v1 02/16] iommufd/viommu: Allow driver-specific user data for a vIOMMU object Nicolin Chen
2025-04-23 13:16 ` Jason Gunthorpe
2025-04-11 6:37 ` [PATCH v1 03/16] iommu: Add iommu_copy_struct_to_user helper Nicolin Chen
2025-04-11 12:35 ` ALOK TIWARI
2025-04-14 18:03 ` Nicolin Chen
2025-04-14 15:25 ` Matt Ochs
2025-04-14 18:01 ` Nicolin Chen
2025-04-23 13:17 ` Jason Gunthorpe
2025-04-11 6:37 ` [PATCH v1 04/16] iommufd: Add iommufd_struct_destroy to revert iommufd_viommu_alloc Nicolin Chen
2025-04-23 13:18 ` Jason Gunthorpe
2025-04-11 6:37 ` [PATCH v1 05/16] iommufd/selftest: Support user_data in mock_viommu_alloc Nicolin Chen
2025-04-11 6:37 ` [PATCH v1 06/16] iommufd/selftest: Add covearge for viommu data Nicolin Chen
2025-04-11 6:37 ` [PATCH v1 07/16] iommufd/viommu: Add driver-allocated vDEVICE support Nicolin Chen
2025-04-21 8:00 ` Tian, Kevin
2025-04-21 15:35 ` Nicolin Chen
2025-04-23 13:36 ` Jason Gunthorpe
2025-04-11 6:37 ` [PATCH v1 08/16] iommufd/viommu: Introduce IOMMUFD_OBJ_VCMDQ and its related struct Nicolin Chen
2025-04-21 8:03 ` Tian, Kevin
2025-04-21 15:38 ` Nicolin Chen
2025-04-11 6:37 ` [PATCH v1 09/16] iommufd/viommmu: Add IOMMUFD_CMD_VCMDQ_ALLOC ioctl Nicolin Chen
2025-04-21 8:05 ` Tian, Kevin
2025-04-21 15:42 ` Nicolin Chen
2025-04-11 6:37 ` [PATCH v1 10/16] iommufd: Add mmap interface Nicolin Chen
2025-04-21 8:16 ` Tian, Kevin
2025-04-21 17:23 ` Nicolin Chen
2025-04-21 17:45 ` Nicolin Chen
2025-04-11 6:37 ` [PATCH v1 11/16] iommufd/selftest: Add coverage for the new " Nicolin Chen
2025-04-11 6:37 ` [PATCH v1 12/16] Documentation: userspace-api: iommufd: Update vCMDQ Nicolin Chen
2025-04-11 6:37 ` [PATCH v1 13/16] iommu/tegra241-cmdqv: Use request_threaded_irq Nicolin Chen
2025-04-11 6:37 ` [PATCH v1 14/16] iommu/arm-smmu-v3: Add vsmmu_alloc impl op Nicolin Chen
2025-04-21 8:23 ` Tian, Kevin
2025-04-21 17:47 ` Nicolin Chen
2025-04-11 6:37 ` [PATCH v1 15/16] iommu/tegra241-cmdqv: Add user-space use support Nicolin Chen
2025-04-21 8:37 ` Tian, Kevin
2025-04-21 19:14 ` Nicolin Chen
2025-04-23 8:05 ` Tian, Kevin
2025-04-23 11:55 ` Jason Gunthorpe [this message]
2025-04-23 18:31 ` Nicolin Chen
2025-04-23 23:13 ` Jason Gunthorpe
2025-04-24 6:51 ` Nicolin Chen
2025-04-24 8:04 ` Tian, Kevin
2025-04-24 13:40 ` Jason Gunthorpe
2025-04-24 15:46 ` Nicolin Chen
2025-04-11 6:37 ` [PATCH v1 16/16] iommu/tegra241-cmdqv: Add IOMMU_VEVENTQ_TYPE_TEGRA241_CMDQV support Nicolin Chen
2025-04-23 7:28 ` [PATCH v1 00/16] iommufd: Add vIOMMU infrastructure (Part-4 vCMDQ) Vasant Hegde
2025-04-23 7:45 ` Nicolin Chen
2025-04-24 11:21 ` Vasant Hegde
2025-04-24 8:21 ` Tian, Kevin
2025-04-24 15:54 ` Nicolin Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250423115551.GC1648741@nvidia.com \
--to=jgg@nvidia.com \
--cc=corbet@lwn.net \
--cc=iommu@lists.linux.dev \
--cc=jonathanh@nvidia.com \
--cc=joro@8bytes.org \
--cc=jsnitsel@redhat.com \
--cc=kevin.tian@intel.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-tegra@vger.kernel.org \
--cc=mshavit@google.com \
--cc=nathan@kernel.org \
--cc=nicolinc@nvidia.com \
--cc=patches@lists.linux.dev \
--cc=peterz@infradead.org \
--cc=praan@google.com \
--cc=robin.murphy@arm.com \
--cc=shuah@kernel.org \
--cc=thierry.reding@gmail.com \
--cc=vdumpa@nvidia.com \
--cc=will@kernel.org \
--cc=yi.l.liu@intel.com \
--cc=zhangzekun11@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).