| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 7 Dec 2020 20:15:21 +0800
From: zhukeqian <zhukeqian1@...wei.com>
To: Will Deacon <will@...nel.org>, Robin Murphy <robin.murphy@....com>
CC: <linux-kernel@...r.kernel.org>,
<linux-arm-kernel@...ts.infradead.org>,
<iommu@...ts.linux-foundation.org>, Marc Zyngier <maz@...nel.org>,
"Joerg Roedel" <joro@...tes.org>,
Catalin Marinas <catalin.marinas@....com>,
"James Morse" <james.morse@....com>,
Suzuki K Poulose <suzuki.poulose@....com>,
"Sean Christopherson" <sean.j.christopherson@...el.com>,
Julien Thierry <julien.thierry.kdev@...il.com>,
Mark Brown <broonie@...nel.org>,
"Thomas Gleixner" <tglx@...utronix.de>,
Andrew Morton <akpm@...ux-foundation.org>,
Alexios Zavras <alexios.zavras@...el.com>,
<wanghaibin.wang@...wei.com>, <jiangkunkun@...wei.com>
Subject: Re: [PATCH] iommu: Up front sanity check in the arm_lpae_map
Hi,
On 2020/12/7 20:05, Will Deacon wrote:
> On Mon, Dec 07, 2020 at 12:01:09PM +0000, Robin Murphy wrote:
>> On 2020-12-05 08:29, Keqian Zhu wrote:
>>> ... then we have more chance to detect wrong code logic.
>>
>> I don't follow that justification - it's still the same check with the same
>> outcome, so how does moving it have any effect on the chance to detect
>> errors?
>>
>> AFAICS the only difference it would make is to make some errors *less*
>> obvious - if a sufficiently broken caller passes an empty prot value
>> alongside an invalid size or already-mapped address, this will now quietly
>> hide the warnings from the more serious condition(s).
>>
>> Yes, it will bail out a bit faster in the specific case where the prot value
>> is the only thing wrong, but since when do we optimise for fundamentally
>> incorrect API usage?
>
> I thought it was the other way round -- doesn't this patch move the "empty
> prot" check later, so we have a chance to check the size and addresses
> first?
Yes, this is my original idea.
For that we treat iommu_prot with no permission as success at early start, defer
this early return can expose hidden errors.
Thanks,
Keqian
>
> Will
>
>>> Signed-off-by: Keqian Zhu <zhukeqian1@...wei.com>
>>> ---
>>> drivers/iommu/io-pgtable-arm.c | 8 ++++----
>>> 1 file changed, 4 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
>>> index a7a9bc08dcd1..8ade72adab31 100644
>>> --- a/drivers/iommu/io-pgtable-arm.c
>>> +++ b/drivers/iommu/io-pgtable-arm.c
>>> @@ -444,10 +444,6 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>> arm_lpae_iopte prot;
>>> long iaext = (s64)iova >> cfg->ias;
>>> - /* If no access, then nothing to do */
>>> - if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>>> - return 0;
>>> -
>>> if (WARN_ON(!size || (size & cfg->pgsize_bitmap) != size))
>>> return -EINVAL;
>>> @@ -456,6 +452,10 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
>>> if (WARN_ON(iaext || paddr >> cfg->oas))
>>> return -ERANGE;
>>> + /* If no access, then nothing to do */
>>> + if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
>>> + return 0;
>>> +
>>> prot = arm_lpae_prot_to_pte(data, iommu_prot);
>>> ret = __arm_lpae_map(data, iova, paddr, size, prot, lvl, ptep, gfp);
>>> /*
>>>
> .
>
Powered by blists - more mailing lists