From: Nicolin Chen <nicolinc@nvidia.com>
To: Jason Gunthorpe <jgg@nvidia.com>
Cc: <kevin.tian@intel.com>, <will@kernel.org>, <joro@8bytes.org>,
<suravee.suthikulpanit@amd.com>, <robin.murphy@arm.com>,
<dwmw2@infradead.org>, <baolu.lu@linux.intel.com>,
<shuah@kernel.org>, <linux-kernel@vger.kernel.org>,
<iommu@lists.linux.dev>, <linux-arm-kernel@lists.infradead.org>,
<linux-kselftest@vger.kernel.org>
Subject: Re: [PATCH v1 01/16] iommufd/viommu: Add IOMMUFD_OBJ_VIOMMU and IOMMU_VIOMMU_ALLOC ioctl
Date: Thu, 15 Aug 2024 11:20:35 -0700 [thread overview]
Message-ID: <Zr5G86A2OwjAl/JI@Asurada-Nvidia> (raw)
In-Reply-To: <20240815181117.GN2032816@nvidia.com>
On Thu, Aug 15, 2024 at 03:11:17PM -0300, Jason Gunthorpe wrote:
> On Wed, Aug 07, 2024 at 01:10:42PM -0700, Nicolin Chen wrote:
>
> > +int iommufd_viommu_alloc_ioctl(struct iommufd_ucmd *ucmd)
> > +{
> > + struct iommu_viommu_alloc *cmd = ucmd->cmd;
> > + struct iommufd_hwpt_paging *hwpt_paging;
> > + struct iommufd_viommu *viommu;
> > + struct iommufd_device *idev;
> > + int rc;
> > +
> > + if (cmd->flags)
> > + return -EOPNOTSUPP;
> > +
> > + idev = iommufd_get_device(ucmd, cmd->dev_id);
> > + if (IS_ERR(idev))
> > + return PTR_ERR(idev);
> > +
> > + hwpt_paging = iommufd_get_hwpt_paging(ucmd, cmd->hwpt_id);
> > + if (IS_ERR(hwpt_paging)) {
> > + rc = PTR_ERR(hwpt_paging);
> > + goto out_put_idev;
> > + }
> > +
> > + if (!hwpt_paging->nest_parent) {
> > + rc = -EINVAL;
> > + goto out_put_hwpt;
> > + }
> > +
> > + if (cmd->type != IOMMU_VIOMMU_TYPE_DEFAULT) {
> > + rc = -EOPNOTSUPP;
> > + goto out_put_hwpt;
> > + }
> > +
> > + viommu = iommufd_object_alloc(ucmd->ictx, viommu, IOMMUFD_OBJ_VIOMMU);
> > + if (IS_ERR(viommu)) {
> > + rc = PTR_ERR(viommu);
> > + goto out_put_hwpt;
> > + }
> > +
> > + viommu->type = cmd->type;
> > + viommu->ictx = ucmd->ictx;
> > + viommu->hwpt = hwpt_paging;
> > + viommu->iommu_dev = idev->dev->iommu->iommu_dev;
>
> Pedantically this is troublesome because we don't have any lifetime
> control on this pointer.
>
> iommu unplug is fairly troubled on real HW, but the selftest does do
> it.
>
> At least for this series the value isn't used so lets remove it.
I recall one of my local versions had a validation using that, but
not that crucial either. Will drop it.
> I don't have an easy solution in mind though later as surely we will
> need this when we start to create more iommu bound objects. I'm pretty
> sure syzkaller would eventually find such a UAF using the iommufd
> selftest framework.
Would adding a user count in struct iommu_device help?
Thanks
Nicolin
next prev parent reply other threads:[~2024-08-15 18:22 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-07 20:10 [PATCH v1 00/16] iommufd: Add VIOMMU infrastructure (Part-1) Nicolin Chen
2024-08-07 20:10 ` [PATCH v1 01/16] iommufd/viommu: Add IOMMUFD_OBJ_VIOMMU and IOMMU_VIOMMU_ALLOC ioctl Nicolin Chen
2024-08-14 16:50 ` Nicolin Chen
2024-08-15 18:11 ` Jason Gunthorpe
2024-08-15 18:20 ` Nicolin Chen [this message]
2024-08-15 23:37 ` Jason Gunthorpe
2024-08-15 18:31 ` Jason Gunthorpe
2024-08-07 20:10 ` [PATCH v1 02/16] iommu: Pass in a viommu pointer to domain_alloc_user op Nicolin Chen
2024-08-07 20:10 ` [PATCH v1 03/16] iommufd: Allow pt_id to carry viommu_id for IOMMU_HWPT_ALLOC Nicolin Chen
2024-08-07 20:10 ` [PATCH v1 04/16] iommufd/selftest: Add IOMMU_VIOMMU_ALLOC test coverage Nicolin Chen
2024-08-07 20:10 ` [PATCH v1 05/16] iommufd/viommu: Add IOMMU_VIOMMU_SET/UNSET_VDEV_ID ioctl Nicolin Chen
2024-08-14 17:09 ` Nicolin Chen
2024-08-14 22:02 ` Jason Gunthorpe
2024-08-15 19:08 ` Jason Gunthorpe
2024-08-15 19:46 ` Nicolin Chen
2024-08-15 19:53 ` Nicolin Chen
2024-08-15 23:42 ` Jason Gunthorpe
2024-08-15 23:41 ` Jason Gunthorpe
2024-08-16 0:21 ` Nicolin Chen
2024-08-19 17:33 ` Jason Gunthorpe
2024-08-19 18:10 ` Nicolin Chen
2024-08-19 18:26 ` Jason Gunthorpe
2024-08-07 20:10 ` [PATCH v1 06/16] iommufd/selftest: Add IOMMU_VIOMMU_SET/UNSET_VDEV_ID test coverage Nicolin Chen
2024-08-07 20:10 ` [PATCH v1 07/16] iommufd/viommu: Add cache_invalidate for IOMMU_VIOMMU_TYPE_DEFAULT Nicolin Chen
2024-08-07 20:10 ` [PATCH v1 08/16] iommufd/viommu: Add IOMMU_VIOMMU_INVALIDATE ioctl Nicolin Chen
2024-08-15 23:24 ` Jason Gunthorpe
2024-08-15 23:51 ` Nicolin Chen
2024-08-19 17:30 ` Jason Gunthorpe
2024-08-19 17:49 ` Nicolin Chen
2024-08-19 18:20 ` Jason Gunthorpe
2024-08-19 18:22 ` Nicolin Chen
2024-08-07 20:10 ` [PATCH v1 09/16] iommufd/viommu: Make iommufd_viommu_find_device a public API Nicolin Chen
2024-08-07 20:10 ` [PATCH v1 10/16] iommufd/selftest: Add mock_viommu_invalidate_user op Nicolin Chen
2024-08-07 20:10 ` [PATCH v1 11/16] iommufd/selftest: Add IOMMU_TEST_OP_DEV_CHECK_CACHE test command Nicolin Chen
2024-08-07 20:10 ` [PATCH v1 12/16] iommufd/selftest: Add coverage for IOMMU_VIOMMU_INVALIDATE ioctl Nicolin Chen
2024-08-07 20:10 ` [PATCH v1 13/16] iommufd/viommu: Add iommufd_viommu_to_parent_domain helper Nicolin Chen
2024-08-07 20:10 ` [PATCH v1 14/16] iommu/arm-smmu-v3: Extract an __arm_smmu_cache_invalidate_user helper Nicolin Chen
2024-08-07 20:10 ` [PATCH v1 15/16] iommu/arm-smmu-v3: Add viommu cache invalidation support Nicolin Chen
2024-08-15 23:36 ` Jason Gunthorpe
2024-08-16 0:50 ` Nicolin Chen
2024-08-19 17:36 ` Jason Gunthorpe
2024-08-19 18:19 ` Nicolin Chen
2024-08-19 18:28 ` Jason Gunthorpe
2024-08-19 18:38 ` Nicolin Chen
2024-08-19 18:47 ` Jason Gunthorpe
2024-08-19 18:54 ` Nicolin Chen
2024-08-07 20:10 ` [PATCH v1 16/16] iommu/arm-smmu-v3: Allow ATS for IOMMU_DOMAIN_NESTED Nicolin Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zr5G86A2OwjAl/JI@Asurada-Nvidia \
--to=nicolinc@nvidia.com \
--cc=baolu.lu@linux.intel.com \
--cc=dwmw2@infradead.org \
--cc=iommu@lists.linux.dev \
--cc=jgg@nvidia.com \
--cc=joro@8bytes.org \
--cc=kevin.tian@intel.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=robin.murphy@arm.com \
--cc=shuah@kernel.org \
--cc=suravee.suthikulpanit@amd.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox