From: Jason Gunthorpe <jgg@nvidia.com>
To: Nicolin Chen <nicolinc@nvidia.com>
Cc: kevin.tian@intel.com, will@kernel.org, joro@8bytes.org,
suravee.suthikulpanit@amd.com, robin.murphy@arm.com,
dwmw2@infradead.org, baolu.lu@linux.intel.com, shuah@kernel.org,
linux-kernel@vger.kernel.org, iommu@lists.linux.dev,
linux-arm-kernel@lists.infradead.org,
linux-kselftest@vger.kernel.org
Subject: Re: [PATCH v1 01/16] iommufd/viommu: Add IOMMUFD_OBJ_VIOMMU and IOMMU_VIOMMU_ALLOC ioctl
Date: Thu, 15 Aug 2024 15:11:17 -0300
Message-ID: <20240815181117.GN2032816@nvidia.com>
In-Reply-To: <536c5e908af3847649d1f4b7050af17d77d8b524.1723061378.git.nicolinc@nvidia.com>
On Wed, Aug 07, 2024 at 01:10:42PM -0700, Nicolin Chen wrote:
> +int iommufd_viommu_alloc_ioctl(struct iommufd_ucmd *ucmd)
> +{
> + struct iommu_viommu_alloc *cmd = ucmd->cmd;
> + struct iommufd_hwpt_paging *hwpt_paging;
> + struct iommufd_viommu *viommu;
> + struct iommufd_device *idev;
> + int rc;
> +
> + if (cmd->flags)
> + return -EOPNOTSUPP;
> +
> + idev = iommufd_get_device(ucmd, cmd->dev_id);
> + if (IS_ERR(idev))
> + return PTR_ERR(idev);
> +
> + hwpt_paging = iommufd_get_hwpt_paging(ucmd, cmd->hwpt_id);
> + if (IS_ERR(hwpt_paging)) {
> + rc = PTR_ERR(hwpt_paging);
> + goto out_put_idev;
> + }
> +
> + if (!hwpt_paging->nest_parent) {
> + rc = -EINVAL;
> + goto out_put_hwpt;
> + }
> +
> + if (cmd->type != IOMMU_VIOMMU_TYPE_DEFAULT) {
> + rc = -EOPNOTSUPP;
> + goto out_put_hwpt;
> + }
> +
> + viommu = iommufd_object_alloc(ucmd->ictx, viommu, IOMMUFD_OBJ_VIOMMU);
> + if (IS_ERR(viommu)) {
> + rc = PTR_ERR(viommu);
> + goto out_put_hwpt;
> + }
> +
> + viommu->type = cmd->type;
> + viommu->ictx = ucmd->ictx;
> + viommu->hwpt = hwpt_paging;
> + viommu->iommu_dev = idev->dev->iommu->iommu_dev;
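
Review bot: the last quoted line, `viommu->iommu_dev = idev->dev->iommu->iommu_dev;`, stores a pointer borrowed from idev->dev->iommu in the new viommu object, and nothing in the quoted lines takes a reference on it or otherwise ties its lifetime to the viommu. If the field has no user yet, drop the assignment; otherwise add a comment stating what keeps the pointer valid for as long as the viommu exists. Separately, the `cmd->type != IOMMU_VIOMMU_TYPE_DEFAULT` check depends only on cmd, so it could sit next to the `cmd->flags` check and return -EOPNOTSUPP directly, before the device and hwpt lookups, instead of unwinding through out_put_hwpt.
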
Pedantically this is troublesome because we don't have any lifetime
control on this pointer.

iommu unplug is fairly troubled on real HW, but the selftest does do
it.

At least for this series the value isn't used so let's remove it.

I don't have an easy solution in mind though later as surely we will
need this when we start to create more iommu bound objects. I'm pretty
sure syzkaller would eventually find such a UAF using the iommufd
selftest framework.

Jason