RE: [PATCH v7 6/7] iommu/uapi: Handle data and argsz filled by users
From: Liu, Yi L
Date: Thu Aug 13 2020 - 05:44:06 EST
> From: Auger Eric <eric.auger@xxxxxxxxxx>
> Sent: Thursday, August 13, 2020 5:31 PM
>
> Hi Yi,
>
> On 8/13/20 11:25 AM, Liu, Yi L wrote:
> > Hi Eric,
> >
> >
> >> From: Auger Eric <eric.auger@xxxxxxxxxx>
> >> Sent: Thursday, August 13, 2020 5:12 PM
> >>
> >> Hi Jacob,
> >>
> >> On 7/30/20 2:21 AM, Jacob Pan wrote:
> >>> IOMMU user APIs are responsible for processing user data. This patch
> >>> changes the interface such that user pointers can be passed into
> >>> IOMMU code directly. Separate kernel APIs without user pointers are
> >>> introduced for in-kernel users of the UAPI functionality.
> >> This is just done for a single function, ie. iommu_sva_unbind_gpasid.
> >>
> >> If I am not wrong there is no user of this latter after applying the
> >> whole series? If correct you may remove it at this stage?
> >
> > the user of this function is in vfio. And it is the same with
> > iommu_uapi_sva_bind/unbind_gpasid() and iommu_uapi_cache_invalidate().
> >
> > https://lore.kernel.org/kvm/1595917664-33276-11-git-send-email-yi.l.li
> > u@xxxxxxxxx/
> > https://lore.kernel.org/kvm/1595917664-33276-12-git-send-email-yi.l.li
> > u@xxxxxxxxx/
> Yep I know ;-) But this series mostly deals with iommu uapi rework.
> That's not a big deal though.
I see. btw. it's great if you can take a look on vfio v6 to see if your comments
are well addressed. :-)
Regards,
Yi Liu
> Thanks
>
> Eric
> >
> > Regards,
> > Yi Liu
> >
> >>>
> >>> IOMMU UAPI data has a user filled argsz field which indicates the
> >>> data length of the structure. User data is not trusted, argsz must
> >>> be validated based on the current kernel data size, mandatory data
> >>> size, and feature flags.
> >>>
> >>> User data may also be extended, resulting in possible argsz increase.
> >>> Backward compatibility is ensured based on size and flags (or the
> >>> functional equivalent fields) checking.
> >>>
> >>> This patch adds sanity checks in the IOMMU layer. In addition to
> >>> argsz, reserved/unused fields in padding, flags, and version are also checked.
> >>> Details are documented in Documentation/userspace-api/iommu.rst
> >>>
> >>> Signed-off-by: Liu Yi L <yi.l.liu@xxxxxxxxx>
> >>> Signed-off-by: Jacob Pan <jacob.jun.pan@xxxxxxxxxxxxxxx>
> >>> ---
> >>> drivers/iommu/iommu.c | 201
> >> ++++++++++++++++++++++++++++++++++++++++++++++++--
> >>> include/linux/iommu.h | 28 ++++---
> >>> 2 files changed, 212 insertions(+), 17 deletions(-)
> >>>
> >>> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c index
> >>> 3a913ce94a3d..1ee55c4b3a3a 100644
> >>> --- a/drivers/iommu/iommu.c
> >>> +++ b/drivers/iommu/iommu.c
> >>> @@ -1950,33 +1950,218 @@ int iommu_attach_device(struct iommu_domain
> >> *domain, struct device *dev)
> >>> }
> >>> EXPORT_SYMBOL_GPL(iommu_attach_device);
> >>>
> >>> +/*
> >>> + * Check flags and other user provided data for valid combinations.
> >>> +We also
> >>> + * make sure no reserved fields or unused flags are set. This is to
> >>> +ensure
> >>> + * not breaking userspace in the future when these fields or flags are used.
> >>> + */
> >>> +static int iommu_check_cache_invl_data(struct
> >>> +iommu_cache_invalidate_info
> >> *info)
> >>> +{
> >>> + u32 mask;
> >>> + int i;
> >>> +
> >>> + if (info->version != IOMMU_CACHE_INVALIDATE_INFO_VERSION_1)
> >>> + return -EINVAL;
> >>> +
> >>> + mask = (1 << IOMMU_CACHE_INV_TYPE_NR) - 1;
> >>> + if (info->cache & ~mask)
> >>> + return -EINVAL;
> >>> +
> >>> + if (info->granularity >= IOMMU_INV_GRANU_NR)
> >>> + return -EINVAL;
> >>> +
> >>> + switch (info->granularity) {
> >>> + case IOMMU_INV_GRANU_ADDR:
> >>> + if (info->cache & IOMMU_CACHE_INV_TYPE_PASID)
> >>> + return -EINVAL;
> >>> +
> >>> + mask = IOMMU_INV_ADDR_FLAGS_PASID |
> >>> + IOMMU_INV_ADDR_FLAGS_ARCHID |
> >>> + IOMMU_INV_ADDR_FLAGS_LEAF;
> >>> +
> >>> + if (info->granu.addr_info.flags & ~mask)
> >>> + return -EINVAL;
> >>> + break;
> >>> + case IOMMU_INV_GRANU_PASID:
> >>> + mask = IOMMU_INV_PASID_FLAGS_PASID |
> >>> + IOMMU_INV_PASID_FLAGS_ARCHID;
> >>> + if (info->granu.pasid_info.flags & ~mask)
> >>> + return -EINVAL;
> >>> +
> >>> + break;
> >>> + case IOMMU_INV_GRANU_DOMAIN:
> >>> + if (info->cache & IOMMU_CACHE_INV_TYPE_DEV_IOTLB)
> >>> + return -EINVAL;
> >>> + break;
> >>> + default:
> >>> + return -EINVAL;
> >>> + }
> >>> +
> >>> + /* Check reserved padding fields */
> >>> + for (i = 0; i < sizeof(info->padding); i++) {
> >>> + if (info->padding[i])
> >>> + return -EINVAL;
> >>> + }
> >>> +
> >>> + return 0;
> >>> +}
> >>> +
> >>> int iommu_uapi_cache_invalidate(struct iommu_domain *domain, struct
> >>> device
> >> *dev,
> >>> - struct iommu_cache_invalidate_info *inv_info)
> >>> + void __user *uinfo)
> >>> {
> >>> + struct iommu_cache_invalidate_info inv_info = { 0 };
> >>> + u32 minsz;
> >>> + int ret = 0;
> >>> +
> >>> if (unlikely(!domain->ops->cache_invalidate))
> >>> return -ENODEV;
> >>> > - return domain->ops->cache_invalidate(domain, dev, inv_info);
> >>> + /*
> >>> + * No new spaces can be added before the variable sized union, the
> >>> + * minimum size is the offset to the union.
> >>> + */
> >>> + minsz = offsetof(struct iommu_cache_invalidate_info, granu);
> >>> +
> >>> + /* Copy minsz from user to get flags and argsz */
> >>> + if (copy_from_user(&inv_info, uinfo, minsz))
> >>> + return -EFAULT;
> >>> +
> >>> + /* Fields before variable size union is mandatory */
> >>> + if (inv_info.argsz < minsz)
> >>> + return -EINVAL;
> >>> +
> >>> + /* PASID and address granu require additional info beyond minsz */
> >>> + if (inv_info.argsz == minsz &&
> >>> + ((inv_info.granularity == IOMMU_INV_GRANU_PASID) ||
> >>> + (inv_info.granularity == IOMMU_INV_GRANU_ADDR)))
> >>> + return -EINVAL;
> >>> +
> >>> + if (inv_info.granularity == IOMMU_INV_GRANU_PASID &&
> >>> + inv_info.argsz < offsetofend(struct
> >>> +iommu_cache_invalidate_info,
> >> granu.pasid_info))
> >>> + return -EINVAL;
> >>> +
> >>> + if (inv_info.granularity == IOMMU_INV_GRANU_ADDR &&
> >>> + inv_info.argsz < offsetofend(struct
> >>> +iommu_cache_invalidate_info,
> >> granu.addr_info))
> >>> + return -EINVAL;
> >>> +
> >>> + /*
> >>> + * User might be using a newer UAPI header which has a larger data
> >>> + * size, we shall support the existing flags within the current
> >>> + * size. Copy the remaining user data _after_ minsz but not more
> >>> + * than the current kernel supported size.
> >>> + */
> >>> + if (copy_from_user((void *)&inv_info + minsz, uinfo + minsz,
> >>> + min_t(u32, inv_info.argsz, sizeof(inv_info)) - minsz))
> >>> + return -EFAULT;
> >>> +
> >>> + /* Now the argsz is validated, check the content */
> >>> + ret = iommu_check_cache_invl_data(&inv_info);
> >>> + if (ret)
> >>> + return ret;
> >>> +
> >>> + return domain->ops->cache_invalidate(domain, dev, &inv_info);
> >>> }
> >>> EXPORT_SYMBOL_GPL(iommu_uapi_cache_invalidate);
> >>>
> >>> -int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain,
> >>> - struct device *dev, struct iommu_gpasid_bind_data
> >> *data)
> >>> +static int iommu_check_bind_data(struct iommu_gpasid_bind_data
> >>> +*data) {
> >>> + u32 mask;
> >>> + int i;
> >>> +
> >>> + if (data->version != IOMMU_GPASID_BIND_VERSION_1)
> >>> + return -EINVAL;
> >>> +
> >>> + /* Check the range of supported formats */
> >>> + if (data->format >= IOMMU_PASID_FORMAT_LAST)
> >>> + return -EINVAL;
> >>> +
> >>> + /* Check all flags */
> >>> + mask = IOMMU_SVA_GPASID_VAL;
> >>> + if (data->flags & ~mask)
> >>> + return -EINVAL;
> >>> +
> >>> + /* Check reserved padding fields */
> >>> + for (i = 0; i < sizeof(data->padding); i++) {
> >>> + if (data->padding[i])
> >>> + return -EINVAL;
> >>> + }
> >>> +
> >>> + return 0;
> >>> +}
> >>> +
> >>> +static int iommu_sva_prepare_bind_data(void __user *udata,
> >>> + struct iommu_gpasid_bind_data *data)
> >>> {
> >>> + u32 minsz;
> >>> +
> >>> + /*
> >>> + * No new spaces can be added before the variable sized union, the
> >>> + * minimum size is the offset to the union.
> >>> + */
> >>> + minsz = offsetof(struct iommu_gpasid_bind_data, vendor);
> >>> +
> >>> + /* Copy minsz from user to get flags and argsz */
> >>> + if (copy_from_user(data, udata, minsz))
> >>> + return -EFAULT;
> >>> +
> >>> + /* Fields before variable size union is mandatory */
> >>> + if (data->argsz < minsz)
> >>> + return -EINVAL;
> >>> + /*
> >>> + * User might be using a newer UAPI header, we shall let IOMMU vendor
> >>> + * driver decide on what size it needs. Since the guest PASID bind data
> >>> + * can be vendor specific, larger argsz could be the result of extension
> >>> + * for one vendor but it should not affect another vendor.
> >>> + * Copy the remaining user data _after_ minsz
> >>> + */
> >>> + if (copy_from_user((void *)data + minsz, udata + minsz,
> >>> + min_t(u32, data->argsz, sizeof(*data)) - minsz))
> >>> + return -EFAULT;
> >>> +
> >>> + return iommu_check_bind_data(data); }
> >>> +
> >>> +int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, struct
> >>> +device
> >> *dev,
> >>> + void __user *udata)
> >>> +{
> >>> + struct iommu_gpasid_bind_data data = { 0 };
> >>> + int ret;
> >>> +
> >>> if (unlikely(!domain->ops->sva_bind_gpasid))
> >>> return -ENODEV;
> >>>
> >>> - return domain->ops->sva_bind_gpasid(domain, dev, data);
> >>> + ret = iommu_sva_prepare_bind_data(udata, &data);
> >>> + if (ret)
> >>> + return ret;
> >>> +
> >>> + return domain->ops->sva_bind_gpasid(domain, dev, &data);
> >>> }
> >>> EXPORT_SYMBOL_GPL(iommu_uapi_sva_bind_gpasid);
> >>>
> >>> -int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain,
> >>> struct device
> >> *dev,
> >>> - ioasid_t pasid)
> >>> +int iommu_sva_unbind_gpasid(struct iommu_domain *domain, struct device
> *dev,
> >>> + struct iommu_gpasid_bind_data *data)
> >>> {
> >>> if (unlikely(!domain->ops->sva_unbind_gpasid))
> >>> return -ENODEV;
> >>>
> >>> - return domain->ops->sva_unbind_gpasid(dev, pasid);
> >>> + return domain->ops->sva_unbind_gpasid(dev, data->hpasid); }
> >>> +EXPORT_SYMBOL_GPL(iommu_sva_unbind_gpasid);
> >>> +
> >>> +int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain,
> >>> +struct device
> >> *dev,
> >>> + void __user *udata)
> >>> +{
> >>> + struct iommu_gpasid_bind_data data = { 0 };
> >>> + int ret;
> >>> +
> >>> + if (unlikely(!domain->ops->sva_bind_gpasid))
> >>> + return -ENODEV;
> >>> +
> >>> + ret = iommu_sva_prepare_bind_data(udata, &data);
> >>> + if (ret)
> >>> + return ret;
> >>> +
> >>> + return iommu_sva_unbind_gpasid(domain, dev, &data);
> >>> }
> >>> EXPORT_SYMBOL_GPL(iommu_uapi_sva_unbind_gpasid);
> >>>
> >>> diff --git a/include/linux/iommu.h b/include/linux/iommu.h index
> >>> 2dcc1a33f6dc..4a02c9e09048 100644
> >>> --- a/include/linux/iommu.h
> >>> +++ b/include/linux/iommu.h
> >>> @@ -432,11 +432,14 @@ extern void iommu_detach_device(struct
> >> iommu_domain *domain,
> >>> struct device *dev);
> >>> extern int iommu_uapi_cache_invalidate(struct iommu_domain *domain,
> >>> struct device *dev,
> >>> - struct iommu_cache_invalidate_info *inv_info);
> >>> + void __user *uinfo);
> >>> +
> >>> extern int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain,
> >>> - struct device *dev, struct
> >> iommu_gpasid_bind_data *data);
> >>> + struct device *dev, void __user *udata);
> >>> extern int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain,
> >>> - struct device *dev, ioasid_t pasid);
> >>> + struct device *dev, void __user *udata);
> extern int
> >>> +iommu_sva_unbind_gpasid(struct iommu_domain *domain,
> >>> + struct device *dev, struct
> >> iommu_gpasid_bind_data *data);
> >>> extern struct iommu_domain *iommu_get_domain_for_dev(struct device
> >>> *dev); extern struct iommu_domain *iommu_get_dma_domain(struct
> >>> device *dev); extern int iommu_map(struct iommu_domain *domain,
> >>> unsigned long iova, @@ -1054,22 +1057,29 @@ static inline int
> >>> iommu_sva_get_pasid(struct
> >> iommu_sva *handle)
> >>> return IOMMU_PASID_INVALID;
> >>> }
> >>>
> >>> -static inline int iommu_uapi_cache_invalidate(struct iommu_domain *domain,
> >>> - struct device *dev,
> >>> - struct iommu_cache_invalidate_info
> >> *inv_info)
> >>> +static inline int
> >>> +iommu_uapi_cache_invalidate(struct iommu_domain *domain,
> >>> + struct device *dev,
> >>> + struct iommu_cache_invalidate_info *inv_info)
> >>> {
> >>> return -ENODEV;
> >>> }
> >>>
> >>> static inline int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain,
> >>> - struct device *dev,
> >>> - struct iommu_gpasid_bind_data *data)
> >>> + struct device *dev, void __user *udata)
> >>> {
> >>> return -ENODEV;
> >>> }
> >>>
> >>> static inline int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain,
> >>> - struct device *dev, int pasid)
> >>> + struct device *dev, void __user *udata)
> {
> >>> + return -ENODEV;
> >>> +}
> >>> +
> >>> +static inline int iommu_sva_unbind_gpasid(struct iommu_domain *domain,
> >>> + struct device *dev,
> >>> + struct iommu_gpasid_bind_data *data)
> >>> {
> >>> return -ENODEV;
> >>> }
> >>>
> >> Otherwise looks good to me
> >> Reviewed-by: Eric Auger <eric.auger@xxxxxxxxxx>
> >>
> >> Thanks
> >>
> >> Eric
> >