| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b8055e0f0f1b4473db2583586350b4f7aa8f3b4c.1768248467.git.nicolinc@nvidia.com>
Date: Mon, 12 Jan 2026 12:20:16 -0800
From: Nicolin Chen <nicolinc@...dia.com>
To: <will@...nel.org>
CC: <jgg@...dia.com>, <robin.murphy@....com>, <joro@...tes.org>,
<linux-arm-kernel@...ts.infradead.org>, <iommu@...ts.linux.dev>,
<linux-kernel@...r.kernel.org>, <skolothumtho@...dia.com>,
<praan@...gle.com>, <xueshuai@...ux.alibaba.com>, <smostafa@...gle.com>
Subject: [PATCH rc v6 3/4] iommu/arm-smmu-v3: Mark STE EATS safe when computing the update sequence
From: Jason Gunthorpe <jgg@...dia.com>
If a VM wants to toggle EATS off at the same time as changing the CFG, the
hypervisor will see EATS change to 0 and insert a V=0 breaking update into
the STE even though the VM did not ask for that.
In bare metal, EATS is ignored by CFG=ABORT/BYPASS, which is why this does
not cause a problem until we have nested where CFG is always a variation of
S2 trans that does use EATS.
Relax the rules for EATS sequencing, we don't need it to be exact because
the enclosing code will always disable ATS at the PCI device if we are
changing EATS. This ensures there are no ATS transactions that can race
with an EATS change so we don't need to carefully sequence these bits.
Fixes: 1e8be08d1c91 ("iommu/arm-smmu-v3: Support IOMMU_DOMAIN_NESTED")
Cc: stable@...r.kernel.org
Signed-off-by: Jason Gunthorpe <jgg@...dia.com>
Reviewed-by: Shuai Xue <xueshuai@...ux.alibaba.com>
Signed-off-by: Nicolin Chen <nicolinc@...dia.com>
---
drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
index ccd6357fa5a8..58008fe94ab3 100644
--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
+++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
@@ -1096,6 +1096,24 @@ void arm_smmu_get_ste_update_safe(const __le64 *cur, const __le64 *target,
* fault records even when MEV == 0.
*/
safe_bits[1] |= cpu_to_le64(STRTAB_STE_1_MEV);
+
+ /*
+ * When a STE comes to change EATS the sequencing code in the attach
+ * logic already will have the PCI cap for ATS disabled. Thus at this
+ * moment we can expect that the device will not generate ATS queries
+ * and so we don't care about the sequencing of EATS. The purpose of
+ * EATS is to protect the system from hostile untrusted devices that
+ * issue ATS when the PCI config space is disabled. However, if EATS
+ * is being changed then we already must be trusting the device since
+ * the EATS security block is being disabled.
+ *
+ * Note: Since we moved the EATS update to the first phase, changing
+ * S2S and EATS might transiently set S2S=1 and EATS=1, resulting in
+ * a bad STE. See "5.2 Stream Table Entry". In such a case, we can't
+ * do a hitless update.
+ */
+ if (!((cur[2] | target[2]) & cpu_to_le64(STRTAB_STE_2_S2S)))
+ safe_bits[1] |= cpu_to_le64(STRTAB_STE_1_EATS);
}
EXPORT_SYMBOL_IF_KUNIT(arm_smmu_get_ste_update_safe);
--
2.43.0
Powered by blists - more mailing lists