| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <d7af5227af69d3e12023e29eb79785e792ce5b5c.1768501336.git.nicolinc@nvidia.com>
Date: Thu, 15 Jan 2026 10:23:30 -0800
From: Nicolin Chen <nicolinc@...dia.com>
To: <will@...nel.org>
CC: <jgg@...dia.com>, <robin.murphy@....com>, <joro@...tes.org>,
<linux-arm-kernel@...ts.infradead.org>, <iommu@...ts.linux.dev>,
<linux-kernel@...r.kernel.org>, <skolothumtho@...dia.com>,
<praan@...gle.com>, <xueshuai@...ux.alibaba.com>, <smostafa@...gle.com>
Subject: [PATCH rc v7 3/4] iommu/arm-smmu-v3: Mark EATS_TRANS safe when computing the update sequence
From: Jason Gunthorpe <jgg@...dia.com>
If VM wants to toggle EATS_TRANS off at the same time as changing the CFG,
hypervisor will see EATS change to 0 and insert a V=0 breaking update into
the STE even though the VM did not ask for that.
In bare metal, EATS_TRANS is ignored by CFG=ABORT/BYPASS, which is why this
does not cause a problem until we have the nested case where CFG is always
a variation of S2 trans that does use EATS_TRANS.
Relax the rules for EATS_TRANS sequencing, we don't need it to be exact as
the enclosing code will always disable ATS at the PCI device when changing
EATS_TRANS. This ensures there are no ATS transactions that can race with
an EATS_TRANS change so we don't need to carefully sequence these bits.
Fixes: 1e8be08d1c91 ("iommu/arm-smmu-v3: Support IOMMU_DOMAIN_NESTED")
Cc: stable@...r.kernel.org
Signed-off-by: Jason Gunthorpe <jgg@...dia.com>
Reviewed-by: Shuai Xue <xueshuai@...ux.alibaba.com>
Signed-off-by: Nicolin Chen <nicolinc@...dia.com>
---
drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 26 +++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
index ccd6357fa5a8..77a87af5c673 100644
--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
+++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
@@ -1086,6 +1086,32 @@ VISIBLE_IF_KUNIT
void arm_smmu_get_ste_update_safe(const __le64 *cur, const __le64 *target,
__le64 *safe_bits)
{
+ const __le64 eats_s1chk =
+ FIELD_PREP(STRTAB_STE_1_EATS, STRTAB_STE_1_EATS_S1CHK);
+ const __le64 eats_trans =
+ FIELD_PREP(STRTAB_STE_1_EATS, STRTAB_STE_1_EATS_TRANS);
+
+ /*
+ * When an STE changes EATS_TRANS, the sequencing code in the attach
+ * logic already will have the PCI cap for ATS disabled. Thus at this
+ * moment we can expect that the device will not generate ATS queries
+ * and so we don't care about the sequencing of EATS. The purpose of
+ * EATS_TRANS is to protect the system from hostile untrusted devices
+ * that issue ATS when the PCI config space is disabled. However, if
+ * EATS_TRANS is being changed, then we must have already trusted the
+ * device as the EATS_TRANS security block is being disabled.
+ *
+ * Note: now the EATS_TRANS update is moved to the first entry_set().
+ * Changing S2S and EATS might transiently result in S2S=1 and EATS=1
+ * which is a bad STE (see "5.2 Stream Table Entry"). In such a case,
+ * we can't do a hitless update. Also, it should not be added to the
+ * safe bits with STRTAB_STE_1_EATS_S1CHK, because EATS=0b11 would be
+ * effectively an errant 0b00 configuration.
+ */
+ if (!((cur[1] | target[1]) & cpu_to_le64(eats_s1chk)) &&
+ !((cur[2] | target[2]) & cpu_to_le64(STRTAB_STE_2_S2S)))
+ safe_bits[1] |= cpu_to_le64(eats_trans);
+
/*
* MEV does not meaningfully impact the operation of the HW, it only
* changes how many fault events are generated, thus we can relax it
--
2.43.0
Powered by blists - more mailing lists