Linux IOMMU Development
From: Lu Baolu <baolu.lu@linux.intel.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Joerg Roedel <joro@8bytes.org>,
	Alex Williamson <alex.williamson@redhat.com>,
	Bjorn Helgaas <bhelgaas@google.com>,
	Jason Gunthorpe <jgg@nvidia.com>,
	Christoph Hellwig <hch@infradead.org>,
	Kevin Tian <kevin.tian@intel.com>,
	Ashok Raj <ashok.raj@intel.com>
Cc: kvm@vger.kernel.org, rafael@kernel.org,
	David Airlie <airlied@linux.ie>,
	linux-pci@vger.kernel.org,
	Thierry Reding <thierry.reding@gmail.com>,
	Diana Craciun <diana.craciun@oss.nxp.com>,
	Will Deacon <will@kernel.org>, Stuart Yoder <stuyoder@gmail.com>,
	Jonathan Hunter <jonathanh@nvidia.com>,
	Chaitanya Kulkarni <kch@nvidia.com>,
	Dan Williams <dan.j.williams@intel.com>,
	Cornelia Huck <cohuck@redhat.com>,
	linux-kernel@vger.kernel.org, Li Yang <leoyang.li@nxp.com>,
	iommu@lists.linux-foundation.org,
	Jacob jun Pan <jacob.jun.pan@intel.com>,
	Daniel Vetter <daniel@ffwll.ch>,
	Robin Murphy <robin.murphy@arm.com>
Subject: [PATCH v2 08/17] PCI: portdrv: Suppress kernel DMA ownership auto-claiming
Date: Sun, 28 Nov 2021 10:50:42 +0800
Message-ID: <20211128025051.355578-9-baolu.lu@linux.intel.com>
In-Reply-To: <20211128025051.355578-1-baolu.lu@linux.intel.com>

IOMMU grouping on PCI necessitates that if we lack isolation on a bridge
then all of the downstream devices will be part of the same IOMMU group
as the bridge. The existing vfio framework allows the portdrv driver to
be bound to the bridge while its downstream devices are assigned to user
space. The pci_dma_configure() marks the iommu_group as containing only
devices with kernel drivers that manage DMA. Avoid this default behavior
for the portdrv driver in order to stay compatible with the current vfio
policy.

The commit 5f096b14d421b ("vfio: Whitelist PCI bridges") extended the above
policy to all kernel drivers of bridge class. This is not always safe.
For example, the shpchp_core driver relies on the PCI MMIO access for the
controller functionality. With its downstream devices assigned to the
userspace, the MMIO might be changed through user initiated P2P accesses
without any notification. This might break the kernel driver integrity
and lead to some unpredictable consequences.

For any bridge driver, in order to avoid default kernel DMA ownership
claiming, we should consider:

 1) Does the bridge driver use DMA? Calling pci_set_master() or
    a dma_map_* API is a sure indication that the driver is doing DMA

 2) If the bridge driver uses MMIO, is it tolerant to hostile
    userspace also touching the same MMIO registers via P2P DMA
    attacks?

Conservatively if the driver maps an MMIO region at all, we can say that
it fails the test.

Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
Suggested-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
---
 drivers/pci/pcie/portdrv_pci.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/pci/pcie/portdrv_pci.c b/drivers/pci/pcie/portdrv_pci.c
index 35eca6277a96..c66a83f2c987 100644
--- a/drivers/pci/pcie/portdrv_pci.c
+++ b/drivers/pci/pcie/portdrv_pci.c
@@ -202,6 +202,8 @@ static struct pci_driver pcie_portdriver = {
 
 	.err_handler	= &pcie_portdrv_err_handler,
 
+	.suppress_auto_claim_dma_owner = true,
+
 	.driver.pm	= PCIE_PORTDRV_PM_OPS,
 };
 
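Review bot: The new `.suppress_auto_claim_dma_owner = true` initializer has no comment, and the changelog lists two criteria (does the driver do DMA, does it map MMIO) without recording how portdrv itself fares against them. Please add a short comment above the field, or a sentence in the changelog, stating that portdrv was checked against both criteria and why it passes, so that anyone later changing what this driver does knows the exemption has to be re-evaluated. As the changelog itself notes for shpchp_core, an exemption that stays in place after the driver starts depending on MMIO leaves the kernel driver exposed to P2P accesses from devices assigned to userspace in the same IOMMU group.
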
-- 
2.25.1

_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu


Thread overview: 27+ messages
2021-11-28  2:50 [PATCH v2 00/17] Fix BUG_ON in vfio_iommu_group_notifier() Lu Baolu
2021-11-28  2:50 ` [PATCH v2 01/17] iommu: Add device dma ownership set/release interfaces Lu Baolu
2021-11-28  2:50 ` [PATCH v2 02/17] driver core: Add dma_unconfigure callback in bus_type Lu Baolu
2021-11-28  8:02   ` Greg Kroah-Hartman
2021-11-29  4:03     ` Lu Baolu
2021-11-28  2:50 ` [PATCH v2 03/17] PCI: Add driver dma ownership management Lu Baolu
2021-11-28  2:50 ` [PATCH v2 04/17] driver core: platform: " Lu Baolu
2021-11-28  8:10   ` Greg Kroah-Hartman
2021-11-28 23:15     ` Jason Gunthorpe via iommu
2021-11-29 10:34       ` Greg Kroah-Hartman
2021-11-29 12:59         ` Jason Gunthorpe via iommu
2021-11-28  2:50 ` [PATCH v2 05/17] amba: " Lu Baolu
2021-11-28  2:50 ` [PATCH v2 06/17] bus: fsl-mc: " Lu Baolu
2021-11-28  2:50 ` [PATCH v2 07/17] PCI: pci_stub: Suppress kernel DMA ownership auto-claiming Lu Baolu
2021-11-28  2:50 ` Lu Baolu [this message]
2021-11-28  2:50 ` [PATCH v2 09/17] iommu: Add security context management for assigned devices Lu Baolu
2021-11-28  2:50 ` [PATCH v2 10/17] iommu: Expose group variants of dma ownership interfaces Lu Baolu
2021-11-28  2:50 ` [PATCH v2 11/17] iommu: Add iommu_at[de]tach_device_shared() for multi-device groups Lu Baolu
2021-11-28  2:50 ` [PATCH v2 12/17] vfio: Set DMA USER ownership for VFIO devices Lu Baolu
2021-11-28  2:50 ` [PATCH v2 13/17] vfio: Remove use of vfio_group_viable() Lu Baolu
2021-11-28  2:50 ` [PATCH v2 14/17] vfio: Delete the unbound_list Lu Baolu
2021-11-28  2:50 ` [PATCH v2 15/17] vfio: Remove iommu group notifier Lu Baolu
2021-11-28  2:50 ` [PATCH v2 16/17] iommu: Remove iommu group changes notifier Lu Baolu
2021-11-28  2:50 ` [PATCH v2 17/17] drm/tegra: Use the iommu dma_owner mechanism Lu Baolu
2021-11-28  8:10 ` [PATCH v2 00/17] Fix BUG_ON in vfio_iommu_group_notifier() Greg Kroah-Hartman
2021-11-29  3:59   ` Lu Baolu
2021-12-06  2:07 ` Lu Baolu
