1 // SPDX-License-Identifier: GPL-2.0 2 /* Copyright (c) 2021-2022, NVIDIA CORPORATION & AFFILIATES. 3 * 4 * Kernel side components to support tools/testing/selftests/iommu 5 */ 6 #include <linux/slab.h> 7 #include <linux/iommu.h> 8 #include <linux/xarray.h> 9 #include <linux/file.h> 10 #include <linux/anon_inodes.h> 11 #include <linux/fault-inject.h> 12 #include <linux/platform_device.h> 13 #include <uapi/linux/iommufd.h> 14 15 #include "../iommu-priv.h" 16 #include "io_pagetable.h" 17 #include "iommufd_private.h" 18 #include "iommufd_test.h" 19 20 static DECLARE_FAULT_ATTR(fail_iommufd); 21 static struct dentry *dbgfs_root; 22 static struct platform_device *selftest_iommu_dev; 23 24 size_t iommufd_test_memory_limit = 65536; 25 26 enum { 27 MOCK_IO_PAGE_SIZE = PAGE_SIZE / 2, 28 29 /* 30 * Like a real page table alignment requires the low bits of the address 31 * to be zero. xarray also requires the high bit to be zero, so we store 32 * the pfns shifted. The upper bits are used for metadata. 33 */ 34 MOCK_PFN_MASK = ULONG_MAX / MOCK_IO_PAGE_SIZE, 35 36 _MOCK_PFN_START = MOCK_PFN_MASK + 1, 37 MOCK_PFN_START_IOVA = _MOCK_PFN_START, 38 MOCK_PFN_LAST_IOVA = _MOCK_PFN_START, 39 }; 40 41 /* 42 * Syzkaller has trouble randomizing the correct iova to use since it is linked 43 * to the map ioctl's output, and it has no ide about that. So, simplify things. 44 * In syzkaller mode the 64 bit IOVA is converted into an nth area and offset 45 * value. This has a much smaller randomization space and syzkaller can hit it. 46 */ 47 static unsigned long __iommufd_test_syz_conv_iova(struct io_pagetable *iopt, 48 u64 *iova) 49 { 50 struct syz_layout { 51 __u32 nth_area; 52 __u32 offset; 53 }; 54 struct syz_layout *syz = (void *)iova; 55 unsigned int nth = syz->nth_area; 56 struct iopt_area *area; 57 58 down_read(&iopt->iova_rwsem); 59 for (area = iopt_area_iter_first(iopt, 0, ULONG_MAX); area; 60 area = iopt_area_iter_next(area, 0, ULONG_MAX)) { 61 if (nth == 0) { 62 up_read(&iopt->iova_rwsem); 63 return iopt_area_iova(area) + syz->offset; 64 } 65 nth--; 66 } 67 up_read(&iopt->iova_rwsem); 68 69 return 0; 70 } 71 72 static unsigned long iommufd_test_syz_conv_iova(struct iommufd_access *access, 73 u64 *iova) 74 { 75 unsigned long ret; 76 77 mutex_lock(&access->ioas_lock); 78 if (!access->ioas) { 79 mutex_unlock(&access->ioas_lock); 80 return 0; 81 } 82 ret = __iommufd_test_syz_conv_iova(&access->ioas->iopt, iova); 83 mutex_unlock(&access->ioas_lock); 84 return ret; 85 } 86 87 void iommufd_test_syz_conv_iova_id(struct iommufd_ucmd *ucmd, 88 unsigned int ioas_id, u64 *iova, u32 *flags) 89 { 90 struct iommufd_ioas *ioas; 91 92 if (!(*flags & MOCK_FLAGS_ACCESS_SYZ)) 93 return; 94 *flags &= ~(u32)MOCK_FLAGS_ACCESS_SYZ; 95 96 ioas = iommufd_get_ioas(ucmd->ictx, ioas_id); 97 if (IS_ERR(ioas)) 98 return; 99 *iova = __iommufd_test_syz_conv_iova(&ioas->iopt, iova); 100 iommufd_put_object(&ioas->obj); 101 } 102 103 struct mock_iommu_domain { 104 struct iommu_domain domain; 105 struct xarray pfns; 106 }; 107 108 enum selftest_obj_type { 109 TYPE_IDEV, 110 }; 111 112 struct mock_dev { 113 struct device dev; 114 }; 115 116 struct selftest_obj { 117 struct iommufd_object obj; 118 enum selftest_obj_type type; 119 120 union { 121 struct { 122 struct iommufd_device *idev; 123 struct iommufd_ctx *ictx; 124 struct mock_dev *mock_dev; 125 } idev; 126 }; 127 }; 128 129 static void mock_domain_blocking_free(struct iommu_domain *domain) 130 { 131 } 132 133 static int mock_domain_nop_attach(struct iommu_domain *domain, 134 struct device *dev) 135 { 136 return 0; 137 } 138 139 static const struct iommu_domain_ops mock_blocking_ops = { 140 .free = mock_domain_blocking_free, 141 .attach_dev = mock_domain_nop_attach, 142 }; 143 144 static struct iommu_domain mock_blocking_domain = { 145 .type = IOMMU_DOMAIN_BLOCKED, 146 .ops = &mock_blocking_ops, 147 }; 148 149 static void *mock_domain_hw_info(struct device *dev, u32 *length, u32 *type) 150 { 151 struct iommu_test_hw_info *info; 152 153 info = kzalloc(sizeof(*info), GFP_KERNEL); 154 if (!info) 155 return ERR_PTR(-ENOMEM); 156 157 info->test_reg = IOMMU_HW_INFO_SELFTEST_REGVAL; 158 *length = sizeof(*info); 159 *type = IOMMU_HW_INFO_TYPE_SELFTEST; 160 161 return info; 162 } 163 164 static struct iommu_domain *mock_domain_alloc(unsigned int iommu_domain_type) 165 { 166 struct mock_iommu_domain *mock; 167 168 if (iommu_domain_type == IOMMU_DOMAIN_BLOCKED) 169 return &mock_blocking_domain; 170 171 if (iommu_domain_type != IOMMU_DOMAIN_UNMANAGED) 172 return NULL; 173 174 mock = kzalloc(sizeof(*mock), GFP_KERNEL); 175 if (!mock) 176 return NULL; 177 mock->domain.geometry.aperture_start = MOCK_APERTURE_START; 178 mock->domain.geometry.aperture_end = MOCK_APERTURE_LAST; 179 mock->domain.pgsize_bitmap = MOCK_IO_PAGE_SIZE; 180 xa_init(&mock->pfns); 181 return &mock->domain; 182 } 183 184 static void mock_domain_free(struct iommu_domain *domain) 185 { 186 struct mock_iommu_domain *mock = 187 container_of(domain, struct mock_iommu_domain, domain); 188 189 WARN_ON(!xa_empty(&mock->pfns)); 190 kfree(mock); 191 } 192 193 static int mock_domain_map_pages(struct iommu_domain *domain, 194 unsigned long iova, phys_addr_t paddr, 195 size_t pgsize, size_t pgcount, int prot, 196 gfp_t gfp, size_t *mapped) 197 { 198 struct mock_iommu_domain *mock = 199 container_of(domain, struct mock_iommu_domain, domain); 200 unsigned long flags = MOCK_PFN_START_IOVA; 201 unsigned long start_iova = iova; 202 203 /* 204 * xarray does not reliably work with fault injection because it does a 205 * retry allocation, so put our own failure point. 206 */ 207 if (iommufd_should_fail()) 208 return -ENOENT; 209 210 WARN_ON(iova % MOCK_IO_PAGE_SIZE); 211 WARN_ON(pgsize % MOCK_IO_PAGE_SIZE); 212 for (; pgcount; pgcount--) { 213 size_t cur; 214 215 for (cur = 0; cur != pgsize; cur += MOCK_IO_PAGE_SIZE) { 216 void *old; 217 218 if (pgcount == 1 && cur + MOCK_IO_PAGE_SIZE == pgsize) 219 flags = MOCK_PFN_LAST_IOVA; 220 old = xa_store(&mock->pfns, iova / MOCK_IO_PAGE_SIZE, 221 xa_mk_value((paddr / MOCK_IO_PAGE_SIZE) | 222 flags), 223 gfp); 224 if (xa_is_err(old)) { 225 for (; start_iova != iova; 226 start_iova += MOCK_IO_PAGE_SIZE) 227 xa_erase(&mock->pfns, 228 start_iova / 229 MOCK_IO_PAGE_SIZE); 230 return xa_err(old); 231 } 232 WARN_ON(old); 233 iova += MOCK_IO_PAGE_SIZE; 234 paddr += MOCK_IO_PAGE_SIZE; 235 *mapped += MOCK_IO_PAGE_SIZE; 236 flags = 0; 237 } 238 } 239 return 0; 240 } 241 242 static size_t mock_domain_unmap_pages(struct iommu_domain *domain, 243 unsigned long iova, size_t pgsize, 244 size_t pgcount, 245 struct iommu_iotlb_gather *iotlb_gather) 246 { 247 struct mock_iommu_domain *mock = 248 container_of(domain, struct mock_iommu_domain, domain); 249 bool first = true; 250 size_t ret = 0; 251 void *ent; 252 253 WARN_ON(iova % MOCK_IO_PAGE_SIZE); 254 WARN_ON(pgsize % MOCK_IO_PAGE_SIZE); 255 256 for (; pgcount; pgcount--) { 257 size_t cur; 258 259 for (cur = 0; cur != pgsize; cur += MOCK_IO_PAGE_SIZE) { 260 ent = xa_erase(&mock->pfns, iova / MOCK_IO_PAGE_SIZE); 261 WARN_ON(!ent); 262 /* 263 * iommufd generates unmaps that must be a strict 264 * superset of the map's performend So every starting 265 * IOVA should have been an iova passed to map, and the 266 * 267 * First IOVA must be present and have been a first IOVA 268 * passed to map_pages 269 */ 270 if (first) { 271 WARN_ON(!(xa_to_value(ent) & 272 MOCK_PFN_START_IOVA)); 273 first = false; 274 } 275 if (pgcount == 1 && cur + MOCK_IO_PAGE_SIZE == pgsize) 276 WARN_ON(!(xa_to_value(ent) & 277 MOCK_PFN_LAST_IOVA)); 278 279 iova += MOCK_IO_PAGE_SIZE; 280 ret += MOCK_IO_PAGE_SIZE; 281 } 282 } 283 return ret; 284 } 285 286 static phys_addr_t mock_domain_iova_to_phys(struct iommu_domain *domain, 287 dma_addr_t iova) 288 { 289 struct mock_iommu_domain *mock = 290 container_of(domain, struct mock_iommu_domain, domain); 291 void *ent; 292 293 WARN_ON(iova % MOCK_IO_PAGE_SIZE); 294 ent = xa_load(&mock->pfns, iova / MOCK_IO_PAGE_SIZE); 295 WARN_ON(!ent); 296 return (xa_to_value(ent) & MOCK_PFN_MASK) * MOCK_IO_PAGE_SIZE; 297 } 298 299 static bool mock_domain_capable(struct device *dev, enum iommu_cap cap) 300 { 301 return cap == IOMMU_CAP_CACHE_COHERENCY; 302 } 303 304 static void mock_domain_set_plaform_dma_ops(struct device *dev) 305 { 306 /* 307 * mock doesn't setup default domains because we can't hook into the 308 * normal probe path 309 */ 310 } 311 312 static struct iommu_device mock_iommu_device = { 313 }; 314 315 static struct iommu_device *mock_probe_device(struct device *dev) 316 { 317 return &mock_iommu_device; 318 } 319 320 static const struct iommu_ops mock_ops = { 321 .owner = THIS_MODULE, 322 .pgsize_bitmap = MOCK_IO_PAGE_SIZE, 323 .hw_info = mock_domain_hw_info, 324 .domain_alloc = mock_domain_alloc, 325 .capable = mock_domain_capable, 326 .set_platform_dma_ops = mock_domain_set_plaform_dma_ops, 327 .device_group = generic_device_group, 328 .probe_device = mock_probe_device, 329 .default_domain_ops = 330 &(struct iommu_domain_ops){ 331 .free = mock_domain_free, 332 .attach_dev = mock_domain_nop_attach, 333 .map_pages = mock_domain_map_pages, 334 .unmap_pages = mock_domain_unmap_pages, 335 .iova_to_phys = mock_domain_iova_to_phys, 336 }, 337 }; 338 339 static inline struct iommufd_hw_pagetable * 340 get_md_pagetable(struct iommufd_ucmd *ucmd, u32 mockpt_id, 341 struct mock_iommu_domain **mock) 342 { 343 struct iommufd_hw_pagetable *hwpt; 344 struct iommufd_object *obj; 345 346 obj = iommufd_get_object(ucmd->ictx, mockpt_id, 347 IOMMUFD_OBJ_HW_PAGETABLE); 348 if (IS_ERR(obj)) 349 return ERR_CAST(obj); 350 hwpt = container_of(obj, struct iommufd_hw_pagetable, obj); 351 if (hwpt->domain->ops != mock_ops.default_domain_ops) { 352 iommufd_put_object(&hwpt->obj); 353 return ERR_PTR(-EINVAL); 354 } 355 *mock = container_of(hwpt->domain, struct mock_iommu_domain, domain); 356 return hwpt; 357 } 358 359 struct mock_bus_type { 360 struct bus_type bus; 361 struct notifier_block nb; 362 }; 363 364 static struct mock_bus_type iommufd_mock_bus_type = { 365 .bus = { 366 .name = "iommufd_mock", 367 }, 368 }; 369 370 static atomic_t mock_dev_num; 371 372 static void mock_dev_release(struct device *dev) 373 { 374 struct mock_dev *mdev = container_of(dev, struct mock_dev, dev); 375 376 atomic_dec(&mock_dev_num); 377 kfree(mdev); 378 } 379 380 static struct mock_dev *mock_dev_create(void) 381 { 382 struct mock_dev *mdev; 383 int rc; 384 385 mdev = kzalloc(sizeof(*mdev), GFP_KERNEL); 386 if (!mdev) 387 return ERR_PTR(-ENOMEM); 388 389 device_initialize(&mdev->dev); 390 mdev->dev.release = mock_dev_release; 391 mdev->dev.bus = &iommufd_mock_bus_type.bus; 392 393 rc = dev_set_name(&mdev->dev, "iommufd_mock%u", 394 atomic_inc_return(&mock_dev_num)); 395 if (rc) 396 goto err_put; 397 398 rc = device_add(&mdev->dev); 399 if (rc) 400 goto err_put; 401 return mdev; 402 403 err_put: 404 put_device(&mdev->dev); 405 return ERR_PTR(rc); 406 } 407 408 static void mock_dev_destroy(struct mock_dev *mdev) 409 { 410 device_unregister(&mdev->dev); 411 } 412 413 bool iommufd_selftest_is_mock_dev(struct device *dev) 414 { 415 return dev->release == mock_dev_release; 416 } 417 418 /* Create an hw_pagetable with the mock domain so we can test the domain ops */ 419 static int iommufd_test_mock_domain(struct iommufd_ucmd *ucmd, 420 struct iommu_test_cmd *cmd) 421 { 422 struct iommufd_device *idev; 423 struct selftest_obj *sobj; 424 u32 pt_id = cmd->id; 425 u32 idev_id; 426 int rc; 427 428 sobj = iommufd_object_alloc(ucmd->ictx, sobj, IOMMUFD_OBJ_SELFTEST); 429 if (IS_ERR(sobj)) 430 return PTR_ERR(sobj); 431 432 sobj->idev.ictx = ucmd->ictx; 433 sobj->type = TYPE_IDEV; 434 435 sobj->idev.mock_dev = mock_dev_create(); 436 if (IS_ERR(sobj->idev.mock_dev)) { 437 rc = PTR_ERR(sobj->idev.mock_dev); 438 goto out_sobj; 439 } 440 441 idev = iommufd_device_bind(ucmd->ictx, &sobj->idev.mock_dev->dev, 442 &idev_id); 443 if (IS_ERR(idev)) { 444 rc = PTR_ERR(idev); 445 goto out_mdev; 446 } 447 sobj->idev.idev = idev; 448 449 rc = iommufd_device_attach(idev, &pt_id); 450 if (rc) 451 goto out_unbind; 452 453 /* Userspace must destroy the device_id to destroy the object */ 454 cmd->mock_domain.out_hwpt_id = pt_id; 455 cmd->mock_domain.out_stdev_id = sobj->obj.id; 456 cmd->mock_domain.out_idev_id = idev_id; 457 rc = iommufd_ucmd_respond(ucmd, sizeof(*cmd)); 458 if (rc) 459 goto out_detach; 460 iommufd_object_finalize(ucmd->ictx, &sobj->obj); 461 return 0; 462 463 out_detach: 464 iommufd_device_detach(idev); 465 out_unbind: 466 iommufd_device_unbind(idev); 467 out_mdev: 468 mock_dev_destroy(sobj->idev.mock_dev); 469 out_sobj: 470 iommufd_object_abort(ucmd->ictx, &sobj->obj); 471 return rc; 472 } 473 474 /* Replace the mock domain with a manually allocated hw_pagetable */ 475 static int iommufd_test_mock_domain_replace(struct iommufd_ucmd *ucmd, 476 unsigned int device_id, u32 pt_id, 477 struct iommu_test_cmd *cmd) 478 { 479 struct iommufd_object *dev_obj; 480 struct selftest_obj *sobj; 481 int rc; 482 483 /* 484 * Prefer to use the OBJ_SELFTEST because the destroy_rwsem will ensure 485 * it doesn't race with detach, which is not allowed. 486 */ 487 dev_obj = 488 iommufd_get_object(ucmd->ictx, device_id, IOMMUFD_OBJ_SELFTEST); 489 if (IS_ERR(dev_obj)) 490 return PTR_ERR(dev_obj); 491 492 sobj = container_of(dev_obj, struct selftest_obj, obj); 493 if (sobj->type != TYPE_IDEV) { 494 rc = -EINVAL; 495 goto out_dev_obj; 496 } 497 498 rc = iommufd_device_replace(sobj->idev.idev, &pt_id); 499 if (rc) 500 goto out_dev_obj; 501 502 cmd->mock_domain_replace.pt_id = pt_id; 503 rc = iommufd_ucmd_respond(ucmd, sizeof(*cmd)); 504 505 out_dev_obj: 506 iommufd_put_object(dev_obj); 507 return rc; 508 } 509 510 /* Add an additional reserved IOVA to the IOAS */ 511 static int iommufd_test_add_reserved(struct iommufd_ucmd *ucmd, 512 unsigned int mockpt_id, 513 unsigned long start, size_t length) 514 { 515 struct iommufd_ioas *ioas; 516 int rc; 517 518 ioas = iommufd_get_ioas(ucmd->ictx, mockpt_id); 519 if (IS_ERR(ioas)) 520 return PTR_ERR(ioas); 521 down_write(&ioas->iopt.iova_rwsem); 522 rc = iopt_reserve_iova(&ioas->iopt, start, start + length - 1, NULL); 523 up_write(&ioas->iopt.iova_rwsem); 524 iommufd_put_object(&ioas->obj); 525 return rc; 526 } 527 528 /* Check that every pfn under each iova matches the pfn under a user VA */ 529 static int iommufd_test_md_check_pa(struct iommufd_ucmd *ucmd, 530 unsigned int mockpt_id, unsigned long iova, 531 size_t length, void __user *uptr) 532 { 533 struct iommufd_hw_pagetable *hwpt; 534 struct mock_iommu_domain *mock; 535 uintptr_t end; 536 int rc; 537 538 if (iova % MOCK_IO_PAGE_SIZE || length % MOCK_IO_PAGE_SIZE || 539 (uintptr_t)uptr % MOCK_IO_PAGE_SIZE || 540 check_add_overflow((uintptr_t)uptr, (uintptr_t)length, &end)) 541 return -EINVAL; 542 543 hwpt = get_md_pagetable(ucmd, mockpt_id, &mock); 544 if (IS_ERR(hwpt)) 545 return PTR_ERR(hwpt); 546 547 for (; length; length -= MOCK_IO_PAGE_SIZE) { 548 struct page *pages[1]; 549 unsigned long pfn; 550 long npages; 551 void *ent; 552 553 npages = get_user_pages_fast((uintptr_t)uptr & PAGE_MASK, 1, 0, 554 pages); 555 if (npages < 0) { 556 rc = npages; 557 goto out_put; 558 } 559 if (WARN_ON(npages != 1)) { 560 rc = -EFAULT; 561 goto out_put; 562 } 563 pfn = page_to_pfn(pages[0]); 564 put_page(pages[0]); 565 566 ent = xa_load(&mock->pfns, iova / MOCK_IO_PAGE_SIZE); 567 if (!ent || 568 (xa_to_value(ent) & MOCK_PFN_MASK) * MOCK_IO_PAGE_SIZE != 569 pfn * PAGE_SIZE + ((uintptr_t)uptr % PAGE_SIZE)) { 570 rc = -EINVAL; 571 goto out_put; 572 } 573 iova += MOCK_IO_PAGE_SIZE; 574 uptr += MOCK_IO_PAGE_SIZE; 575 } 576 rc = 0; 577 578 out_put: 579 iommufd_put_object(&hwpt->obj); 580 return rc; 581 } 582 583 /* Check that the page ref count matches, to look for missing pin/unpins */ 584 static int iommufd_test_md_check_refs(struct iommufd_ucmd *ucmd, 585 void __user *uptr, size_t length, 586 unsigned int refs) 587 { 588 uintptr_t end; 589 590 if (length % PAGE_SIZE || (uintptr_t)uptr % PAGE_SIZE || 591 check_add_overflow((uintptr_t)uptr, (uintptr_t)length, &end)) 592 return -EINVAL; 593 594 for (; length; length -= PAGE_SIZE) { 595 struct page *pages[1]; 596 long npages; 597 598 npages = get_user_pages_fast((uintptr_t)uptr, 1, 0, pages); 599 if (npages < 0) 600 return npages; 601 if (WARN_ON(npages != 1)) 602 return -EFAULT; 603 if (!PageCompound(pages[0])) { 604 unsigned int count; 605 606 count = page_ref_count(pages[0]); 607 if (count / GUP_PIN_COUNTING_BIAS != refs) { 608 put_page(pages[0]); 609 return -EIO; 610 } 611 } 612 put_page(pages[0]); 613 uptr += PAGE_SIZE; 614 } 615 return 0; 616 } 617 618 struct selftest_access { 619 struct iommufd_access *access; 620 struct file *file; 621 struct mutex lock; 622 struct list_head items; 623 unsigned int next_id; 624 bool destroying; 625 }; 626 627 struct selftest_access_item { 628 struct list_head items_elm; 629 unsigned long iova; 630 size_t length; 631 unsigned int id; 632 }; 633 634 static const struct file_operations iommfd_test_staccess_fops; 635 636 static struct selftest_access *iommufd_access_get(int fd) 637 { 638 struct file *file; 639 640 file = fget(fd); 641 if (!file) 642 return ERR_PTR(-EBADFD); 643 644 if (file->f_op != &iommfd_test_staccess_fops) { 645 fput(file); 646 return ERR_PTR(-EBADFD); 647 } 648 return file->private_data; 649 } 650 651 static void iommufd_test_access_unmap(void *data, unsigned long iova, 652 unsigned long length) 653 { 654 unsigned long iova_last = iova + length - 1; 655 struct selftest_access *staccess = data; 656 struct selftest_access_item *item; 657 struct selftest_access_item *tmp; 658 659 mutex_lock(&staccess->lock); 660 list_for_each_entry_safe(item, tmp, &staccess->items, items_elm) { 661 if (iova > item->iova + item->length - 1 || 662 iova_last < item->iova) 663 continue; 664 list_del(&item->items_elm); 665 iommufd_access_unpin_pages(staccess->access, item->iova, 666 item->length); 667 kfree(item); 668 } 669 mutex_unlock(&staccess->lock); 670 } 671 672 static int iommufd_test_access_item_destroy(struct iommufd_ucmd *ucmd, 673 unsigned int access_id, 674 unsigned int item_id) 675 { 676 struct selftest_access_item *item; 677 struct selftest_access *staccess; 678 679 staccess = iommufd_access_get(access_id); 680 if (IS_ERR(staccess)) 681 return PTR_ERR(staccess); 682 683 mutex_lock(&staccess->lock); 684 list_for_each_entry(item, &staccess->items, items_elm) { 685 if (item->id == item_id) { 686 list_del(&item->items_elm); 687 iommufd_access_unpin_pages(staccess->access, item->iova, 688 item->length); 689 mutex_unlock(&staccess->lock); 690 kfree(item); 691 fput(staccess->file); 692 return 0; 693 } 694 } 695 mutex_unlock(&staccess->lock); 696 fput(staccess->file); 697 return -ENOENT; 698 } 699 700 static int iommufd_test_staccess_release(struct inode *inode, 701 struct file *filep) 702 { 703 struct selftest_access *staccess = filep->private_data; 704 705 if (staccess->access) { 706 iommufd_test_access_unmap(staccess, 0, ULONG_MAX); 707 iommufd_access_destroy(staccess->access); 708 } 709 mutex_destroy(&staccess->lock); 710 kfree(staccess); 711 return 0; 712 } 713 714 static const struct iommufd_access_ops selftest_access_ops_pin = { 715 .needs_pin_pages = 1, 716 .unmap = iommufd_test_access_unmap, 717 }; 718 719 static const struct iommufd_access_ops selftest_access_ops = { 720 .unmap = iommufd_test_access_unmap, 721 }; 722 723 static const struct file_operations iommfd_test_staccess_fops = { 724 .release = iommufd_test_staccess_release, 725 }; 726 727 static struct selftest_access *iommufd_test_alloc_access(void) 728 { 729 struct selftest_access *staccess; 730 struct file *filep; 731 732 staccess = kzalloc(sizeof(*staccess), GFP_KERNEL_ACCOUNT); 733 if (!staccess) 734 return ERR_PTR(-ENOMEM); 735 INIT_LIST_HEAD(&staccess->items); 736 mutex_init(&staccess->lock); 737 738 filep = anon_inode_getfile("[iommufd_test_staccess]", 739 &iommfd_test_staccess_fops, staccess, 740 O_RDWR); 741 if (IS_ERR(filep)) { 742 kfree(staccess); 743 return ERR_CAST(filep); 744 } 745 staccess->file = filep; 746 return staccess; 747 } 748 749 static int iommufd_test_create_access(struct iommufd_ucmd *ucmd, 750 unsigned int ioas_id, unsigned int flags) 751 { 752 struct iommu_test_cmd *cmd = ucmd->cmd; 753 struct selftest_access *staccess; 754 struct iommufd_access *access; 755 u32 id; 756 int fdno; 757 int rc; 758 759 if (flags & ~MOCK_FLAGS_ACCESS_CREATE_NEEDS_PIN_PAGES) 760 return -EOPNOTSUPP; 761 762 staccess = iommufd_test_alloc_access(); 763 if (IS_ERR(staccess)) 764 return PTR_ERR(staccess); 765 766 fdno = get_unused_fd_flags(O_CLOEXEC); 767 if (fdno < 0) { 768 rc = -ENOMEM; 769 goto out_free_staccess; 770 } 771 772 access = iommufd_access_create( 773 ucmd->ictx, 774 (flags & MOCK_FLAGS_ACCESS_CREATE_NEEDS_PIN_PAGES) ? 775 &selftest_access_ops_pin : 776 &selftest_access_ops, 777 staccess, &id); 778 if (IS_ERR(access)) { 779 rc = PTR_ERR(access); 780 goto out_put_fdno; 781 } 782 rc = iommufd_access_attach(access, ioas_id); 783 if (rc) 784 goto out_destroy; 785 cmd->create_access.out_access_fd = fdno; 786 rc = iommufd_ucmd_respond(ucmd, sizeof(*cmd)); 787 if (rc) 788 goto out_destroy; 789 790 staccess->access = access; 791 fd_install(fdno, staccess->file); 792 return 0; 793 794 out_destroy: 795 iommufd_access_destroy(access); 796 out_put_fdno: 797 put_unused_fd(fdno); 798 out_free_staccess: 799 fput(staccess->file); 800 return rc; 801 } 802 803 static int iommufd_test_access_replace_ioas(struct iommufd_ucmd *ucmd, 804 unsigned int access_id, 805 unsigned int ioas_id) 806 { 807 struct selftest_access *staccess; 808 int rc; 809 810 staccess = iommufd_access_get(access_id); 811 if (IS_ERR(staccess)) 812 return PTR_ERR(staccess); 813 814 rc = iommufd_access_replace(staccess->access, ioas_id); 815 fput(staccess->file); 816 return rc; 817 } 818 819 /* Check that the pages in a page array match the pages in the user VA */ 820 static int iommufd_test_check_pages(void __user *uptr, struct page **pages, 821 size_t npages) 822 { 823 for (; npages; npages--) { 824 struct page *tmp_pages[1]; 825 long rc; 826 827 rc = get_user_pages_fast((uintptr_t)uptr, 1, 0, tmp_pages); 828 if (rc < 0) 829 return rc; 830 if (WARN_ON(rc != 1)) 831 return -EFAULT; 832 put_page(tmp_pages[0]); 833 if (tmp_pages[0] != *pages) 834 return -EBADE; 835 pages++; 836 uptr += PAGE_SIZE; 837 } 838 return 0; 839 } 840 841 static int iommufd_test_access_pages(struct iommufd_ucmd *ucmd, 842 unsigned int access_id, unsigned long iova, 843 size_t length, void __user *uptr, 844 u32 flags) 845 { 846 struct iommu_test_cmd *cmd = ucmd->cmd; 847 struct selftest_access_item *item; 848 struct selftest_access *staccess; 849 struct page **pages; 850 size_t npages; 851 int rc; 852 853 /* Prevent syzkaller from triggering a WARN_ON in kvzalloc() */ 854 if (length > 16*1024*1024) 855 return -ENOMEM; 856 857 if (flags & ~(MOCK_FLAGS_ACCESS_WRITE | MOCK_FLAGS_ACCESS_SYZ)) 858 return -EOPNOTSUPP; 859 860 staccess = iommufd_access_get(access_id); 861 if (IS_ERR(staccess)) 862 return PTR_ERR(staccess); 863 864 if (staccess->access->ops != &selftest_access_ops_pin) { 865 rc = -EOPNOTSUPP; 866 goto out_put; 867 } 868 869 if (flags & MOCK_FLAGS_ACCESS_SYZ) 870 iova = iommufd_test_syz_conv_iova(staccess->access, 871 &cmd->access_pages.iova); 872 873 npages = (ALIGN(iova + length, PAGE_SIZE) - 874 ALIGN_DOWN(iova, PAGE_SIZE)) / 875 PAGE_SIZE; 876 pages = kvcalloc(npages, sizeof(*pages), GFP_KERNEL_ACCOUNT); 877 if (!pages) { 878 rc = -ENOMEM; 879 goto out_put; 880 } 881 882 /* 883 * Drivers will need to think very carefully about this locking. The 884 * core code can do multiple unmaps instantaneously after 885 * iommufd_access_pin_pages() and *all* the unmaps must not return until 886 * the range is unpinned. This simple implementation puts a global lock 887 * around the pin, which may not suit drivers that want this to be a 888 * performance path. drivers that get this wrong will trigger WARN_ON 889 * races and cause EDEADLOCK failures to userspace. 890 */ 891 mutex_lock(&staccess->lock); 892 rc = iommufd_access_pin_pages(staccess->access, iova, length, pages, 893 flags & MOCK_FLAGS_ACCESS_WRITE); 894 if (rc) 895 goto out_unlock; 896 897 /* For syzkaller allow uptr to be NULL to skip this check */ 898 if (uptr) { 899 rc = iommufd_test_check_pages( 900 uptr - (iova - ALIGN_DOWN(iova, PAGE_SIZE)), pages, 901 npages); 902 if (rc) 903 goto out_unaccess; 904 } 905 906 item = kzalloc(sizeof(*item), GFP_KERNEL_ACCOUNT); 907 if (!item) { 908 rc = -ENOMEM; 909 goto out_unaccess; 910 } 911 912 item->iova = iova; 913 item->length = length; 914 item->id = staccess->next_id++; 915 list_add_tail(&item->items_elm, &staccess->items); 916 917 cmd->access_pages.out_access_pages_id = item->id; 918 rc = iommufd_ucmd_respond(ucmd, sizeof(*cmd)); 919 if (rc) 920 goto out_free_item; 921 goto out_unlock; 922 923 out_free_item: 924 list_del(&item->items_elm); 925 kfree(item); 926 out_unaccess: 927 iommufd_access_unpin_pages(staccess->access, iova, length); 928 out_unlock: 929 mutex_unlock(&staccess->lock); 930 kvfree(pages); 931 out_put: 932 fput(staccess->file); 933 return rc; 934 } 935 936 static int iommufd_test_access_rw(struct iommufd_ucmd *ucmd, 937 unsigned int access_id, unsigned long iova, 938 size_t length, void __user *ubuf, 939 unsigned int flags) 940 { 941 struct iommu_test_cmd *cmd = ucmd->cmd; 942 struct selftest_access *staccess; 943 void *tmp; 944 int rc; 945 946 /* Prevent syzkaller from triggering a WARN_ON in kvzalloc() */ 947 if (length > 16*1024*1024) 948 return -ENOMEM; 949 950 if (flags & ~(MOCK_ACCESS_RW_WRITE | MOCK_ACCESS_RW_SLOW_PATH | 951 MOCK_FLAGS_ACCESS_SYZ)) 952 return -EOPNOTSUPP; 953 954 staccess = iommufd_access_get(access_id); 955 if (IS_ERR(staccess)) 956 return PTR_ERR(staccess); 957 958 tmp = kvzalloc(length, GFP_KERNEL_ACCOUNT); 959 if (!tmp) { 960 rc = -ENOMEM; 961 goto out_put; 962 } 963 964 if (flags & MOCK_ACCESS_RW_WRITE) { 965 if (copy_from_user(tmp, ubuf, length)) { 966 rc = -EFAULT; 967 goto out_free; 968 } 969 } 970 971 if (flags & MOCK_FLAGS_ACCESS_SYZ) 972 iova = iommufd_test_syz_conv_iova(staccess->access, 973 &cmd->access_rw.iova); 974 975 rc = iommufd_access_rw(staccess->access, iova, tmp, length, flags); 976 if (rc) 977 goto out_free; 978 if (!(flags & MOCK_ACCESS_RW_WRITE)) { 979 if (copy_to_user(ubuf, tmp, length)) { 980 rc = -EFAULT; 981 goto out_free; 982 } 983 } 984 985 out_free: 986 kvfree(tmp); 987 out_put: 988 fput(staccess->file); 989 return rc; 990 } 991 static_assert((unsigned int)MOCK_ACCESS_RW_WRITE == IOMMUFD_ACCESS_RW_WRITE); 992 static_assert((unsigned int)MOCK_ACCESS_RW_SLOW_PATH == 993 __IOMMUFD_ACCESS_RW_SLOW_PATH); 994 995 void iommufd_selftest_destroy(struct iommufd_object *obj) 996 { 997 struct selftest_obj *sobj = container_of(obj, struct selftest_obj, obj); 998 999 switch (sobj->type) { 1000 case TYPE_IDEV: 1001 iommufd_device_detach(sobj->idev.idev); 1002 iommufd_device_unbind(sobj->idev.idev); 1003 mock_dev_destroy(sobj->idev.mock_dev); 1004 break; 1005 } 1006 } 1007 1008 int iommufd_test(struct iommufd_ucmd *ucmd) 1009 { 1010 struct iommu_test_cmd *cmd = ucmd->cmd; 1011 1012 switch (cmd->op) { 1013 case IOMMU_TEST_OP_ADD_RESERVED: 1014 return iommufd_test_add_reserved(ucmd, cmd->id, 1015 cmd->add_reserved.start, 1016 cmd->add_reserved.length); 1017 case IOMMU_TEST_OP_MOCK_DOMAIN: 1018 return iommufd_test_mock_domain(ucmd, cmd); 1019 case IOMMU_TEST_OP_MOCK_DOMAIN_REPLACE: 1020 return iommufd_test_mock_domain_replace( 1021 ucmd, cmd->id, cmd->mock_domain_replace.pt_id, cmd); 1022 case IOMMU_TEST_OP_MD_CHECK_MAP: 1023 return iommufd_test_md_check_pa( 1024 ucmd, cmd->id, cmd->check_map.iova, 1025 cmd->check_map.length, 1026 u64_to_user_ptr(cmd->check_map.uptr)); 1027 case IOMMU_TEST_OP_MD_CHECK_REFS: 1028 return iommufd_test_md_check_refs( 1029 ucmd, u64_to_user_ptr(cmd->check_refs.uptr), 1030 cmd->check_refs.length, cmd->check_refs.refs); 1031 case IOMMU_TEST_OP_CREATE_ACCESS: 1032 return iommufd_test_create_access(ucmd, cmd->id, 1033 cmd->create_access.flags); 1034 case IOMMU_TEST_OP_ACCESS_REPLACE_IOAS: 1035 return iommufd_test_access_replace_ioas( 1036 ucmd, cmd->id, cmd->access_replace_ioas.ioas_id); 1037 case IOMMU_TEST_OP_ACCESS_PAGES: 1038 return iommufd_test_access_pages( 1039 ucmd, cmd->id, cmd->access_pages.iova, 1040 cmd->access_pages.length, 1041 u64_to_user_ptr(cmd->access_pages.uptr), 1042 cmd->access_pages.flags); 1043 case IOMMU_TEST_OP_ACCESS_RW: 1044 return iommufd_test_access_rw( 1045 ucmd, cmd->id, cmd->access_rw.iova, 1046 cmd->access_rw.length, 1047 u64_to_user_ptr(cmd->access_rw.uptr), 1048 cmd->access_rw.flags); 1049 case IOMMU_TEST_OP_DESTROY_ACCESS_PAGES: 1050 return iommufd_test_access_item_destroy( 1051 ucmd, cmd->id, cmd->destroy_access_pages.access_pages_id); 1052 case IOMMU_TEST_OP_SET_TEMP_MEMORY_LIMIT: 1053 /* Protect _batch_init(), can not be less than elmsz */ 1054 if (cmd->memory_limit.limit < 1055 sizeof(unsigned long) + sizeof(u32)) 1056 return -EINVAL; 1057 iommufd_test_memory_limit = cmd->memory_limit.limit; 1058 return 0; 1059 default: 1060 return -EOPNOTSUPP; 1061 } 1062 } 1063 1064 bool iommufd_should_fail(void) 1065 { 1066 return should_fail(&fail_iommufd, 1); 1067 } 1068 1069 int __init iommufd_test_init(void) 1070 { 1071 struct platform_device_info pdevinfo = { 1072 .name = "iommufd_selftest_iommu", 1073 }; 1074 int rc; 1075 1076 dbgfs_root = 1077 fault_create_debugfs_attr("fail_iommufd", NULL, &fail_iommufd); 1078 1079 selftest_iommu_dev = platform_device_register_full(&pdevinfo); 1080 if (IS_ERR(selftest_iommu_dev)) { 1081 rc = PTR_ERR(selftest_iommu_dev); 1082 goto err_dbgfs; 1083 } 1084 1085 rc = bus_register(&iommufd_mock_bus_type.bus); 1086 if (rc) 1087 goto err_platform; 1088 1089 rc = iommu_device_sysfs_add(&mock_iommu_device, 1090 &selftest_iommu_dev->dev, NULL, "%s", 1091 dev_name(&selftest_iommu_dev->dev)); 1092 if (rc) 1093 goto err_bus; 1094 1095 rc = iommu_device_register_bus(&mock_iommu_device, &mock_ops, 1096 &iommufd_mock_bus_type.bus, 1097 &iommufd_mock_bus_type.nb); 1098 if (rc) 1099 goto err_sysfs; 1100 return 0; 1101 1102 err_sysfs: 1103 iommu_device_sysfs_remove(&mock_iommu_device); 1104 err_bus: 1105 bus_unregister(&iommufd_mock_bus_type.bus); 1106 err_platform: 1107 platform_device_unregister(selftest_iommu_dev); 1108 err_dbgfs: 1109 debugfs_remove_recursive(dbgfs_root); 1110 return rc; 1111 } 1112 1113 void iommufd_test_exit(void) 1114 { 1115 iommu_device_sysfs_remove(&mock_iommu_device); 1116 iommu_device_unregister_bus(&mock_iommu_device, 1117 &iommufd_mock_bus_type.bus, 1118 &iommufd_mock_bus_type.nb); 1119 bus_unregister(&iommufd_mock_bus_type.bus); 1120 platform_device_unregister(selftest_iommu_dev); 1121 debugfs_remove_recursive(dbgfs_root); 1122 } 1123