Re: [PATCH v6 00/11] Fix BUG_ON in vfio_iommu_group_notifier()

From: Lu Baolu
Date: Sun Feb 20 2022 - 22:39:53 EST


On 2/18/22 11:51 PM, Jason Gunthorpe wrote:
> On Fri, Feb 18, 2022 at 08:55:10AM +0800, Lu Baolu wrote:
>> Hi folks,
>>
>> The iommu group is the minimal isolation boundary for DMA. Devices in
>> a group can access each other's MMIO registers via peer to peer DMA
>> and also need to share the same I/O address space.
>>
>> Once the I/O address space is assigned to user control it is no longer
>> available to the dma_map* API, which effectively makes the DMA API
>> non-working.
>>
>> Second, userspace can use DMA initiated by a device that it controls
>> to access the MMIO spaces of other devices in the group. This allows
>> userspace to indirectly attack any kernel owned device and its driver.
>
> This series has changed quite a lot since v1 - but I couldn't spot
> anything wrong with this. It is a small incremental step and I think
> it is fine now, so
>
> Reviewed-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
>
> I hope you continue to work on the "Scrap iommu_attach/detach_group()
> interfaces" series and try to minimize all the special places testing
> against the default domain

Sure.

Best regards,
baolu
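
The group-level isolation concern quoted above can be audited from userspace. The following is an added example, not code from the patch series or from either author: it walks the sysfs IOMMU group tree and reports groups in which a device bound to a userspace-facing driver shares the group with a device bound to a kernel driver. Treating any driver whose name starts with `vfio` as user-controlled is an assumption of this sketch, and the sample tree is constructed.

```python
import os
import tempfile

# Assumption of this example: vfio-* drivers hand the device to userspace.
USER_DRIVER_PREFIX = "vfio"

def bound_driver(dev_path):
    """Return the name of the driver bound to a sysfs device, or None."""
    link = os.path.join(dev_path, "driver")
    if not os.path.islink(link):
        return None  # no driver bound
    return os.path.basename(os.readlink(link))

def mixed_groups(groups_root="/sys/kernel/iommu_groups"):
    """Map group id -> {device: driver} for groups mixing user and kernel drivers."""
    mixed = {}
    if not os.path.isdir(groups_root):
        return mixed  # no IOMMU groups exposed on this system
    for group in sorted(os.listdir(groups_root)):
        dev_dir = os.path.join(groups_root, group, "devices")
        if not os.path.isdir(dev_dir):
            continue
        drivers = {d: bound_driver(os.path.join(dev_dir, d))
                   for d in sorted(os.listdir(dev_dir))}
        bound = [name for name in drivers.values() if name]
        user = [name for name in bound if name.startswith(USER_DRIVER_PREFIX)]
        # Coarse check: at least one user-controlled device and at least one
        # device still bound to a kernel driver in the same group.
        if user and len(user) != len(bound):
            mixed[group] = drivers
    return mixed

def build_sample_tree(root):
    """Constructed sysfs-like tree: group 1 is mixed, group 2 is vfio-only."""
    layout = {"1": {"0000:01:00.0": "vfio-pci", "0000:01:00.1": "e1000e"},
              "2": {"0000:02:00.0": "vfio-pci", "0000:02:00.1": None}}
    for group, devs in layout.items():
        for dev, drv in devs.items():
            path = os.path.join(root, group, "devices", dev)
            os.makedirs(path)
            if drv:
                os.symlink(os.path.join("/sys/bus/pci/drivers", drv),
                           os.path.join(path, "driver"))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for group, devs in mixed_groups(build_sample_tree(tmp)).items():
            print(f"group {group}: mixed ownership {devs}")
```

Calling `mixed_groups()` with no argument inspects the live `/sys/kernel/iommu_groups` tree instead of the constructed one.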