| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aKc5niDWTwaCInH2@Asurada-Nvidia>
Date: Thu, 21 Aug 2025 08:22:06 -0700
From: Nicolin Chen <nicolinc@...dia.com>
To: Jason Gunthorpe <jgg@...dia.com>
CC: <robin.murphy@....com>, <joro@...tes.org>, <bhelgaas@...gle.com>,
<will@...nel.org>, <robin.clark@....qualcomm.com>, <yong.wu@...iatek.com>,
<matthias.bgg@...il.com>, <angelogioacchino.delregno@...labora.com>,
<thierry.reding@...il.com>, <vdumpa@...dia.com>, <jonathanh@...dia.com>,
<rafael@...nel.org>, <lenb@...nel.org>, <kevin.tian@...el.com>,
<yi.l.liu@...el.com>, <baolu.lu@...ux.intel.com>,
<linux-arm-kernel@...ts.infradead.org>, <iommu@...ts.linux.dev>,
<linux-kernel@...r.kernel.org>, <linux-arm-msm@...r.kernel.org>,
<linux-mediatek@...ts.infradead.org>, <linux-tegra@...r.kernel.org>,
<linux-acpi@...r.kernel.org>, <linux-pci@...r.kernel.org>,
<patches@...ts.linux.dev>, <pjaroszynski@...dia.com>, <vsethi@...dia.com>,
<helgaas@...nel.org>, <etzhao1900@...il.com>
Subject: Re: [PATCH v3 3/5] iommu: Add iommu_get_domain_for_dev_locked()
helper
On Thu, Aug 21, 2025 at 10:13:04AM -0300, Jason Gunthorpe wrote:
> On Tue, Aug 19, 2025 at 10:22:20AM -0700, Nicolin Chen wrote:
>
> > Yet, I also see some other cases that cannot be helped with the
> > type function. Just listing a few:
>
> Probably several query functions are needed that can be lock safe
>
> > 1) domain matching (and type)
> > drivers/gpu/drm/tegra/drm.c:965: if (domain && domain->type != IOMMU_DOMAIN_IDENTITY &&
> > drivers/gpu/drm/tegra/drm.c:966: domain != tegra->domain)
> > drivers/gpu/drm/tegra/drm.c-967- return 0;
>
> is attached
I should have pasted the full piece:
drivers/gpu/drm/tegra/drm.c-960- /*
drivers/gpu/drm/tegra/drm.c:961: * If the host1x client is already attached to an IOMMU domain that is
drivers/gpu/drm/tegra/drm.c-962- * not the shared IOMMU domain, don't try to attach it to a different
drivers/gpu/drm/tegra/drm.c-963- * domain. This allows using the IOMMU-backed DMA API.
drivers/gpu/drm/tegra/drm.c-964- */
drivers/gpu/drm/tegra/drm.c-965- if (domain && domain->type != IOMMU_DOMAIN_IDENTITY &&
drivers/gpu/drm/tegra/drm.c-966- domain != tegra->domain)
So, the check is two-fold:
1) is attached
2) is the shared IOMMU domain (tegra->domain?)
> > 4) map/unmap
> > drivers/net/ipa/ipa_mem.c:465: domain = iommu_get_domain_for_dev(dev);
> > drivers/net/ipa/ipa_mem.c-466- if (!domain) {
> > drivers/net/ipa/ipa_mem.c-467- dev_err(dev, "no IOMMU domain found for IMEM\n");
> > drivers/net/ipa/ipa_mem.c-468- return -EINVAL;
> > drivers/net/ipa/ipa_mem.c-469- }
> > drivers/net/ipa/ipa_mem.c-470-
> > drivers/net/ipa/ipa_mem.c-471- /* Align the address down and the size up to page boundaries */
> > drivers/net/ipa/ipa_mem.c-472- phys = addr & PAGE_MASK;
> > drivers/net/ipa/ipa_mem.c-473- size = PAGE_ALIGN(size + addr - phys);
> > drivers/net/ipa/ipa_mem.c-474- iova = phys; /* We just want a direct mapping */
> > drivers/net/ipa/ipa_mem.c-475-
> > drivers/net/ipa/ipa_mem.c-476- ret = iommu_map(domain, iova, phys, size, IOMMU_READ | IOMMU_WRITE,
> > ...
> > drivers/net/ipa/ipa_mem.c:495: domain = iommu_get_domain_for_dev(dev);
> > drivers/net/ipa/ipa_mem.c-496- if (domain) {
> > drivers/net/ipa/ipa_mem.c-497- size_t size;
> > drivers/net/ipa/ipa_mem.c-498-
> > drivers/net/ipa/ipa_mem.c-499- size = iommu_unmap(domain, ipa->imem_iova, ipa->imem_size);
>
> Broken! Illegal to call iommu_map on a DMA API domain.
>
> This is exactly the sort of abuse I would like to see made imposible :(
>
> If it really needs something like this then it needs a proper dma api
> interface to do it and properly reserve the iova from the allocator.
Yea. This particular case is forcing a direct mapping for a small
piece of memory. So it should probably be described in the Device
Tree v.s. the of_match_table data in the driver, so that _of core
would allocate an IOMMU_RESV_DIRECT.
Overall, I feel this would be a big project yet arguably for a low
reward..
Nicolin
Powered by blists - more mailing lists