From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 42D2D3C0A05 for ; Wed, 15 Jul 2026 19:54:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.179 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784145271; cv=none; b=fmySpJ3/Wc7qOA2aw+C9vGvoG1R2JoFB0n61XcuFhJXllzCaI0r524ii5h3wc1CRryO8JwRP5nRnCnlC8ElCJ/iz2U5Zd2wYdnZ2fBKAUc4JhiP9SjLhl5GlDJuQnD3rJfkxiqCXlmNPS29Mb6hPE88d8MHX4Fwfzv0Ve0VnUcE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784145271; c=relaxed/simple; bh=4qb8T6qmU1ERimycQggw6mEfG7vDR8984uwJV16kjJw=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=ajsMMDuZbjj2lqf3DFX+0/76M/kwxgcKYoFSOnQuMFqYQAa98b6qR7UYCgQIbFQIBPx11xJJYMPAY+cEVVbjU2+497xkBC0g3KtFKdU6tM9KPI1Tw4EFyQ+oHF1mjBHj2ppmmaxPox9bZY7n5s3ax+bzWo0kJAAZdnAFJ/rL+XY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=lR5gV7E0; arc=none smtp.client-ip=209.85.214.179 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="lR5gV7E0" Received: by mail-pl1-f179.google.com with SMTP id d9443c01a7336-2cacef7d299so2045ad.1 for ; Wed, 15 Jul 2026 12:54:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20251104; t=1784145269; x=1784750069; darn=vger.kernel.org; h=in-reply-to:content-disposition:content-type:mime-version :references:message-id:subject:cc:to:from:date:from:to:cc:subject :date:message-id:reply-to:content-type; bh=m53R6Qi+zQcNj87e/Jawa3dfMVvzT1k6XowiuqLX1eY=; b=lR5gV7E0GnIm4AnFBbsi1tzcz6pmx3t82bZNq91Stu0b2IEvM4PfYB2pUH0IfXA59i I5txghGHqMYSS26MeVhAd/KzZAayKOyUD4YxRydE2kWTs6lcksZc8vRHmerPOss40kq8 IawjgWNgVN0MzOEgWmdamUOoN7mFhOQSgwsn1XItU85yCdGAmFMioe1iDYjZs2VW9GWZ Wp9X9Igws72t/0iZOQfT8I/OmS/1S/7Q+cJIA6XgnKK4iRoSBZkjEpAi3b/NMwFvphLO 9arT9bwazaJ/hi+iMPmzfiyU86kLublJY7BdG+hTo+LYzwkEURCZmhANRnbCaLYgijrJ DT1Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1784145269; x=1784750069; h=in-reply-to:content-disposition:content-type:mime-version :references:message-id:subject:cc:to:from:date:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to :content-type; bh=m53R6Qi+zQcNj87e/Jawa3dfMVvzT1k6XowiuqLX1eY=; b=Rl9ccsZXhupEtyJobFVELqH7x5gJ8iWDkpLdmoWL0hfe9Iwdq9t9/XrJ29b7D802P/ llo4NbEIGnJKBCfrCvTUHmSEVeLWfC0KNvY7lcUxtdatZZBMOZyTqLq83at896dckS9y iPrNnBWRdZnER7ywu2KzOMixxGtBQuFOrJsFoV+XkZYLfY8DNxp0l7mb0oY2BzxhUntC LDMgoWuZIM8qtnPXdbdppnIpSd2VL7Jy3cRwv/4azNjY/K8JsM5xoLKjTu+CSgvtEb78 +uBqZ8KmnWv22wWyqiqQRuN/daSiPcW862/t4lUxenjbq7Z7S6VAsXl9dyJGYOIe8qXn 09AA== X-Forwarded-Encrypted: i=1; AHgh+RpvWHYuhDT3LeyywM0u6rthQByQ+7vVaFdWCxyEHDoSteEJz0/h7eIXOF4JDIx7i5zaxYGLKfSJKa8uZZ0=@vger.kernel.org X-Gm-Message-State: AOJu0Yw84lhr+0xeWcB9/rBD7ypyVEVtLcJZhNnCyD9gb++19ns/aNvZ jHTewyyBSOlJ2cnDGlaTv6DBhwSJIa+nBk181CAR6JkPTiD/HU+JC9YNBVTrRXIIGg== X-Gm-Gg: AfdE7clqWw423bjEvLHse3GtDf7TujJg9S6qblgCvMOFFSVSze85dT4rjd69K/L1USd r4iX9poFPP2ydaAoj/PVEw1HbYq1s2vkK9wnZjhpQwWDv5BM4F3LEde1PvtxrOUQs4xqo43rhHU oYRH1dz5WF1i7If3IIqAazIYVJnoTyMerLcXRSVAOlOL43PYIqQee6Q91ysHaA5hMmhFYWp6Tqk j0l7gHFNDvGvDiJXdQLMu73cc51ZlazUz1gqIE4/fMW28mOKAVooF5rkb8PyIJ6JtRUwlrZ6f7Z R4XAH7t5UxWSNN9AJYXo71U+eLRdebdnLds33e1y7jk8B5FV3O6RMWbizv60D+jrE6Gs3cJAy2c y6Yh0GMussLTGZ8D3ubaT+mZgYNb12PNY/5Cr004gnc1un//y/+hIGBCmR1UV9pZgjzv8Gyf/r6 W4y5esB9pN5aq1bjoMHBH1D7y/Vv93+gZHCo4KT+SJfuE28SM= X-Received: by 2002:a17:902:e804:b0:2ca:bf8e:360b with SMTP id d9443c01a7336-2cf1a93edebmr466595ad.9.1784145269137; Wed, 15 Jul 2026 12:54:29 -0700 (PDT) Received: from google.com (10.129.124.34.bc.googleusercontent.com. [34.124.129.10]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-84a4f271ddbsm3883142b3a.18.2026.07.15.12.54.25 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 15 Jul 2026 12:54:27 -0700 (PDT) Date: Wed, 15 Jul 2026 19:54:21 +0000 From: Pranjal Shrivastava To: Nicolin Chen Cc: Will Deacon , Jason Gunthorpe , Kevin Tian , Robin Murphy , joro@8bytes.org, David Woodhouse , Lu Baolu , linux-arm-kernel@lists.infradead.org, iommu@lists.linux.dev, linux-kernel@vger.kernel.org Subject: Re: [PATCH v4 2/6] iommu/arm-smmu-v3-iommufd: Reject unsupported bits in invalidation commands Message-ID: References: <5c70a336821e3cea176356470d94ff18329ff867.1784054606.git.nicolinc@nvidia.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5c70a336821e3cea176356470d94ff18329ff867.1784054606.git.nicolinc@nvidia.com> On Tue, Jul 14, 2026 at 11:48:48AM -0700, Nicolin Chen wrote: > The arm_vsmmu_cache_invalidate() op hands a guest's invalidation commands > to the trusted main command queue after enforcing only the VMID or the SID, > and passes the rest of the command through to the queue unchanged. > [...] > + > +static int arm_vsmmu_validate_user_cmd(struct arm_vsmmu *vsmmu, u64 data[2]) > +{ > + struct arm_smmu_device *smmu = vsmmu->smmu; > + u64 allowed[2] = { CMDQ_0_OP }; > + > + /* Collect the fields userspace is allowed to set for each opcode */ > + switch (data[0] & CMDQ_0_OP) { > + case CMDQ_OP_TLBI_NH_VA: > + /* An SMMU with 8-bit ASIDs treats the upper 8 bits as RES0 */ > + allowed[0] |= FIELD_PREP(CMDQ_TLBI_0_ASID, > + GENMASK(smmu->asid_bits - 1, 0)); > + fallthrough; > + case CMDQ_OP_TLBI_NH_VAA: > + /* NUM/SCALE/TG/TTL are range fields gated on FEAT_RANGE_INV */ > + if (smmu->features & ARM_SMMU_FEAT_RANGE_INV) { > + if (arm_vsmmu_validate_range(smmu, data)) > + return -EIO; > + allowed[0] |= CMDQ_TLBI_0_NUM | CMDQ_TLBI_0_SCALE; > + allowed[1] |= CMDQ_TLBI_1_TG | CMDQ_TLBI_1_TTL; > + /* SCALE bit 25 (values above 31) is RES0 without DS */ > + if (!(smmu->features & ARM_SMMU_FEAT_DS)) > + allowed[0] &= ~FIELD_PREP(CMDQ_TLBI_0_SCALE, > + BIT(5)); > + } > + allowed[0] |= CMDQ_TLBI_0_VMID; > + allowed[1] |= CMDQ_TLBI_1_LEAF | CMDQ_TLBI_1_VA_MASK; > + break; > + case CMDQ_OP_TLBI_NH_ASID: > + /* An SMMU with 8-bit ASIDs treats the upper 8 bits as RES0 */ > + allowed[0] |= FIELD_PREP(CMDQ_TLBI_0_ASID, > + GENMASK(smmu->asid_bits - 1, 0)); > + fallthrough; > + case CMDQ_OP_TLBI_NH_ALL: > + allowed[0] |= CMDQ_TLBI_0_VMID; > + break; > + case CMDQ_OP_ATC_INV: > + /* ATC_INV is illegal unless the SMMU implements ATS */ > + if (!(smmu->features & ARM_SMMU_FEAT_ATS)) > + return -EIO; > + /* A Size above 52 (invalidate-all) may raise a CERROR_ILL */ > + if (FIELD_GET(CMDQ_ATC_1_SIZE, data[1]) > ATC_INV_SIZE_ALL) > + return -EIO; > + /* > + * SSV/SSID/Global need substream support. SSID and Global are > + * IGNORED (not RES0) when SSV == 0, so they need no SSV check. > + */ > + if (smmu->ssid_bits) > + allowed[0] |= CMDQ_0_SSV | CMDQ_ATC_0_SSID | > + CMDQ_ATC_0_GLOBAL; > + allowed[0] |= CMDQ_ATC_0_SID; > + allowed[1] |= CMDQ_ATC_1_SIZE | CMDQ_ATC_1_ADDR_MASK; > + break; > + case CMDQ_OP_CFGI_CD: > + /* No SSV for CFGI_CD; SSID requires substream support */ > + if (smmu->ssid_bits) > + allowed[0] |= CMDQ_CFGI_0_SSID; > + allowed[1] |= CMDQ_CFGI_1_LEAF; > + fallthrough; > + case CMDQ_OP_CFGI_CD_ALL: > + allowed[0] |= CMDQ_CFGI_0_SID; > + break; Nit: Although, the convert_user_cmd would check the CMDQ_OP again, it seems like validate_user_cmd would return 0 for an unsupported cmd that doesn't match any of the above cases, should we add a default case and return -EIO there? > + } > + > + /* > + * Reject any other bit, e.g. a RES0 bit or a Secure bit, before the > + * command reaches the trusted main cmdq, so a guest cannot wedge the > + * shared queue for every device with a CERROR_ILL. > + * > + * By contrast, an out-of-range address or ID value does not need a > + * check: the spec defines it as CONSTRAINED UNPREDICTABLE, which is > + * scoped to the guest itself and does not raise a CERROR_ILL. > + */ > + if ((data[0] & ~allowed[0]) || (data[1] & ~allowed[1])) > + return -EIO; > + return 0; > +} > + Apart from that, Reviewed-by: Pranjal Shrivastava Thanks, Praan