From: Jason Gunthorpe <jgg@nvidia.com>
To: Robin Murphy <robin.murphy@arm.com>
Cc: joro@8bytes.org, will@kernel.org, iommu@lists.linux.dev,
baolu.lu@linux.intel.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v5 3/7] iommu: Validate that devices match domains
Date: Wed, 25 Oct 2023 13:15:05 -0300 [thread overview]
Message-ID: <20231025161505.GJ3952@nvidia.com> (raw)
In-Reply-To: <6da52dd4-b3fe-46f8-9a38-c4315b989139@arm.com>
On Wed, Oct 25, 2023 at 05:05:08PM +0100, Robin Murphy wrote:
> On 25/10/2023 1:55 pm, Jason Gunthorpe wrote:
> > On Wed, Oct 25, 2023 at 01:39:56PM +0100, Robin Murphy wrote:
> > > On 24/10/2023 7:52 pm, Jason Gunthorpe wrote:
> > > > On Wed, Oct 11, 2023 at 07:14:50PM +0100, Robin Murphy wrote:
> > > >
> > > > > @@ -2279,10 +2280,16 @@ struct iommu_domain *iommu_get_dma_domain(struct device *dev)
> > > > > static int __iommu_attach_group(struct iommu_domain *domain,
> > > > > struct iommu_group *group)
> > > > > {
> > > > > + struct device *dev;
> > > > > +
> > > > > if (group->domain && group->domain != group->default_domain &&
> > > > > group->domain != group->blocking_domain)
> > > > > return -EBUSY;
> > > > > + dev = iommu_group_first_dev(group);
> > > > > + if (!dev_has_iommu(dev) || dev_iommu_ops(dev) != domain->owner)
> > > > > + return -EINVAL;
> > > >
> > > > I was thinking about this later, how does this work for the global
> > > > static domains? domain->owner will not be set?
> > > >
> > > > if (alloc_type == IOMMU_DOMAIN_IDENTITY && ops->identity_domain)
> > > > return ops->identity_domain;
> > > > else if (alloc_type == IOMMU_DOMAIN_BLOCKED && ops->blocked_domain)
> > > > return ops->blocked_domain;
> > > >
> > > > Seems like it will break everything?
> > >
> > > I don't believe it makes any significant difference - as the commit message
> > > points out, this validation is only applied at the public interface
> > > boundaries of iommu_attach_group(), iommu_attach_device(),
> >
> > Oh, making it only work for on domain type seems kind of hacky..
> >
> > If that is the intention maybe the owner set should be moved into
> > iommu_domain_alloc() with a little comment noting that it is limited
> > to work in only a few cases?
> >
> > I certainly didn't understand from the commit message to mean it was
> > only actually working for one domain type and this also blocks using
> > other types with the public interface.
>
> It's not about one particular domain type, it's about the scope of what we
> consider valid usage. External API users should almost always be attaching
> to their own domain which they have allocated, however we also tolerate
> co-attaching additional groups to the same DMA domain in rare cases where
> it's reasonable. The fact is that those users cannot allocate blocking or
> identity domains, and I can't see that they would ever have any legitimate
> business trying to do anything with them anyway. So although yes, we
> technically lose some functionality once this intersects with the static
> domain optimisation, it's only questionable functionality which was never
> explicitly intended anyway.
I have no problem with that argument, I'm saying this is a subtle
emergent property. Lets document it, lets be more explicit. The owner
checks would do well to go along with specific domain type checks as
well to robustly enforce what you just explained.
Thanks,
Jason
next prev parent reply other threads:[~2023-10-25 16:15 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-11 18:14 [PATCH v5 0/7] iommu: Retire bus ops Robin Murphy
2023-10-11 18:14 ` [PATCH v5 1/7] iommu: Factor out some helpers Robin Murphy
2023-10-11 23:34 ` Jason Gunthorpe
2023-10-18 23:04 ` Jerry Snitselaar
2023-10-11 18:14 ` [PATCH v5 2/7] iommu: Decouple iommu_present() from bus ops Robin Murphy
2023-10-12 6:05 ` Baolu Lu
2023-10-12 11:40 ` Robin Murphy
2023-10-12 12:37 ` Jason Gunthorpe
2023-10-12 12:57 ` Baolu Lu
2023-10-12 12:58 ` Baolu Lu
2023-10-18 23:05 ` Jerry Snitselaar
2023-10-11 18:14 ` [PATCH v5 3/7] iommu: Validate that devices match domains Robin Murphy
2023-10-18 23:14 ` Jerry Snitselaar
2023-10-24 18:52 ` Jason Gunthorpe
2023-10-25 12:39 ` Robin Murphy
2023-10-25 12:55 ` Jason Gunthorpe
2023-10-25 16:05 ` Robin Murphy
2023-10-25 16:15 ` Jason Gunthorpe [this message]
2023-10-11 18:14 ` [PATCH v5 4/7] iommu: Decouple iommu_domain_alloc() from bus ops Robin Murphy
2023-10-11 23:38 ` Jason Gunthorpe
2023-10-18 23:15 ` Jerry Snitselaar
2023-10-11 18:14 ` [PATCH v5 5/7] iommu/arm-smmu: Don't register fwnode for legacy binding Robin Murphy
2023-10-12 12:56 ` Will Deacon
2023-10-18 23:29 ` Jerry Snitselaar
2023-10-11 18:14 ` [PATCH v5 6/7] iommu: Retire bus ops Robin Murphy
2023-10-18 23:36 ` Jerry Snitselaar
2023-10-11 18:14 ` [PATCH v5 7/7] iommu: Clean up open-coded ownership checks Robin Murphy
2023-10-12 12:57 ` Will Deacon
2023-10-18 23:40 ` Jerry Snitselaar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231025161505.GJ3952@nvidia.com \
--to=jgg@nvidia.com \
--cc=baolu.lu@linux.intel.com \
--cc=iommu@lists.linux.dev \
--cc=joro@8bytes.org \
--cc=linux-kernel@vger.kernel.org \
--cc=robin.murphy@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).