[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20240103124403.GM50406@nvidia.com>
Date: Wed, 3 Jan 2024 08:44:03 -0400
From: Jason Gunthorpe <jgg@...dia.com>
To: Baolu Lu <baolu.lu@...ux.intel.com>
Cc: Yi Liu <yi.l.liu@...el.com>, joro@...tes.org,
alex.williamson@...hat.com, kevin.tian@...el.com,
robin.murphy@....com, cohuck@...hat.com, eric.auger@...hat.com,
nicolinc@...dia.com, kvm@...r.kernel.org, mjrosato@...ux.ibm.com,
chao.p.peng@...ux.intel.com, yi.y.sun@...ux.intel.com,
peterx@...hat.com, jasowang@...hat.com,
shameerali.kolothum.thodi@...wei.com, lulu@...hat.com,
suravee.suthikulpanit@....com, iommu@...ts.linux.dev,
linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org,
zhenzhong.duan@...el.com, joao.m.martins@...cle.com,
xin.zeng@...el.com, yan.y.zhao@...el.com, j.granados@...sung.com
Subject: Re: [PATCH v10 10/10] iommu/vt-d: Add iotlb flush for nested domain
On Wed, Jan 03, 2024 at 11:06:19AM +0800, Baolu Lu wrote:
> On 2024/1/3 9:33, Yi Liu wrote:
> > On 2024/1/3 02:44, Jason Gunthorpe wrote:
> > > On Tue, Jan 02, 2024 at 06:38:34AM -0800, Yi Liu wrote:
> > >
> > > > +static void intel_nested_flush_cache(struct dmar_domain
> > > > *domain, u64 addr,
> > > > + unsigned long npages, bool ih, u32 *error)
> > > > +{
> > > > + struct iommu_domain_info *info;
> > > > + unsigned long i;
> > > > + unsigned mask;
> > > > + u32 fault;
> > > > +
> > > > + xa_for_each(&domain->iommu_array, i, info)
> > > > + qi_flush_piotlb(info->iommu,
> > > > + domain_id_iommu(domain, info->iommu),
> > > > + IOMMU_NO_PASID, addr, npages, ih, NULL);
> > >
> > > This locking on the xarray is messed up throughout the driver. There
> > > could be a concurrent detach at this point which will free info and
> > > UAF this.
> >
> > hmmm, xa_for_each() takes and releases rcu lock, and according to the
> > domain_detach_iommu(), info is freed after xa_erase(). For an existing
> > info stored in xarray, xa_erase() should return after rcu lock is released.
> > is it? Any idea? @Baolu
>
> I once thought locking for xarray is self-contained. I need more thought
> on this before taking further action.
The locking of xarray itself is self-contained, but once it returns a
value then the user has to provide locking to protect the value.
In this case the xarray storage memory itself will not UAF but the
info pointer to memory returned from the xarray will.
I've been thinking arm/amd/intel all need the same datastructure here,
and it is a bit complicated. We should try to make a library to handle
it..
It is straightforward except for the RCU list walk for invalidation..
Jason
Powered by blists - more mailing lists