1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright (c) 2021-2022, NVIDIA CORPORATION & AFFILIATES.
3 *
4 * Kernel side components to support tools/testing/selftests/iommu
5 */
6 #include <linux/slab.h>
7 #include <linux/iommu.h>
8 #include <linux/xarray.h>
9 #include <linux/file.h>
10 #include <linux/anon_inodes.h>
11 #include <linux/fault-inject.h>
12 #include <linux/platform_device.h>
13 #include <uapi/linux/iommufd.h>
14
15 #include "../iommu-priv.h"
16 #include "io_pagetable.h"
17 #include "iommufd_private.h"
18 #include "iommufd_test.h"
19
20 static DECLARE_FAULT_ATTR(fail_iommufd);
21 static struct dentry *dbgfs_root;
22 static struct platform_device *selftest_iommu_dev;
23
24 size_t iommufd_test_memory_limit = 65536;
25
26 enum {
27 MOCK_IO_PAGE_SIZE = PAGE_SIZE / 2,
28
29 /*
30 * Like a real page table alignment requires the low bits of the address
31 * to be zero. xarray also requires the high bit to be zero, so we store
32 * the pfns shifted. The upper bits are used for metadata.
33 */
34 MOCK_PFN_MASK = ULONG_MAX / MOCK_IO_PAGE_SIZE,
35
36 _MOCK_PFN_START = MOCK_PFN_MASK + 1,
37 MOCK_PFN_START_IOVA = _MOCK_PFN_START,
38 MOCK_PFN_LAST_IOVA = _MOCK_PFN_START,
39 };
40
41 /*
42 * Syzkaller has trouble randomizing the correct iova to use since it is linked
43 * to the map ioctl's output, and it has no ide about that. So, simplify things.
44 * In syzkaller mode the 64 bit IOVA is converted into an nth area and offset
45 * value. This has a much smaller randomization space and syzkaller can hit it.
46 */
iommufd_test_syz_conv_iova(struct io_pagetable * iopt,u64 * iova)47 static unsigned long iommufd_test_syz_conv_iova(struct io_pagetable *iopt,
48 u64 *iova)
49 {
50 struct syz_layout {
51 __u32 nth_area;
52 __u32 offset;
53 };
54 struct syz_layout *syz = (void *)iova;
55 unsigned int nth = syz->nth_area;
56 struct iopt_area *area;
57
58 down_read(&iopt->iova_rwsem);
59 for (area = iopt_area_iter_first(iopt, 0, ULONG_MAX); area;
60 area = iopt_area_iter_next(area, 0, ULONG_MAX)) {
61 if (nth == 0) {
62 up_read(&iopt->iova_rwsem);
63 return iopt_area_iova(area) + syz->offset;
64 }
65 nth--;
66 }
67 up_read(&iopt->iova_rwsem);
68
69 return 0;
70 }
71
iommufd_test_syz_conv_iova_id(struct iommufd_ucmd * ucmd,unsigned int ioas_id,u64 * iova,u32 * flags)72 void iommufd_test_syz_conv_iova_id(struct iommufd_ucmd *ucmd,
73 unsigned int ioas_id, u64 *iova, u32 *flags)
74 {
75 struct iommufd_ioas *ioas;
76
77 if (!(*flags & MOCK_FLAGS_ACCESS_SYZ))
78 return;
79 *flags &= ~(u32)MOCK_FLAGS_ACCESS_SYZ;
80
81 ioas = iommufd_get_ioas(ucmd->ictx, ioas_id);
82 if (IS_ERR(ioas))
83 return;
84 *iova = iommufd_test_syz_conv_iova(&ioas->iopt, iova);
85 iommufd_put_object(&ioas->obj);
86 }
87
88 struct mock_iommu_domain {
89 struct iommu_domain domain;
90 struct xarray pfns;
91 };
92
93 enum selftest_obj_type {
94 TYPE_IDEV,
95 };
96
97 struct mock_dev {
98 struct device dev;
99 };
100
101 struct selftest_obj {
102 struct iommufd_object obj;
103 enum selftest_obj_type type;
104
105 union {
106 struct {
107 struct iommufd_device *idev;
108 struct iommufd_ctx *ictx;
109 struct mock_dev *mock_dev;
110 } idev;
111 };
112 };
113
mock_domain_blocking_free(struct iommu_domain * domain)114 static void mock_domain_blocking_free(struct iommu_domain *domain)
115 {
116 }
117
mock_domain_nop_attach(struct iommu_domain * domain,struct device * dev)118 static int mock_domain_nop_attach(struct iommu_domain *domain,
119 struct device *dev)
120 {
121 return 0;
122 }
123
124 static const struct iommu_domain_ops mock_blocking_ops = {
125 .free = mock_domain_blocking_free,
126 .attach_dev = mock_domain_nop_attach,
127 };
128
129 static struct iommu_domain mock_blocking_domain = {
130 .type = IOMMU_DOMAIN_BLOCKED,
131 .ops = &mock_blocking_ops,
132 };
133
mock_domain_hw_info(struct device * dev,u32 * length,u32 * type)134 static void *mock_domain_hw_info(struct device *dev, u32 *length, u32 *type)
135 {
136 struct iommu_test_hw_info *info;
137
138 info = kzalloc(sizeof(*info), GFP_KERNEL);
139 if (!info)
140 return ERR_PTR(-ENOMEM);
141
142 info->test_reg = IOMMU_HW_INFO_SELFTEST_REGVAL;
143 *length = sizeof(*info);
144 *type = IOMMU_HW_INFO_TYPE_SELFTEST;
145
146 return info;
147 }
148
mock_domain_alloc(unsigned int iommu_domain_type)149 static struct iommu_domain *mock_domain_alloc(unsigned int iommu_domain_type)
150 {
151 struct mock_iommu_domain *mock;
152
153 if (iommu_domain_type == IOMMU_DOMAIN_BLOCKED)
154 return &mock_blocking_domain;
155
156 if (iommu_domain_type != IOMMU_DOMAIN_UNMANAGED)
157 return NULL;
158
159 mock = kzalloc(sizeof(*mock), GFP_KERNEL);
160 if (!mock)
161 return NULL;
162 mock->domain.geometry.aperture_start = MOCK_APERTURE_START;
163 mock->domain.geometry.aperture_end = MOCK_APERTURE_LAST;
164 mock->domain.pgsize_bitmap = MOCK_IO_PAGE_SIZE;
165 xa_init(&mock->pfns);
166 return &mock->domain;
167 }
168
mock_domain_free(struct iommu_domain * domain)169 static void mock_domain_free(struct iommu_domain *domain)
170 {
171 struct mock_iommu_domain *mock =
172 container_of(domain, struct mock_iommu_domain, domain);
173
174 WARN_ON(!xa_empty(&mock->pfns));
175 kfree(mock);
176 }
177
mock_domain_map_pages(struct iommu_domain * domain,unsigned long iova,phys_addr_t paddr,size_t pgsize,size_t pgcount,int prot,gfp_t gfp,size_t * mapped)178 static int mock_domain_map_pages(struct iommu_domain *domain,
179 unsigned long iova, phys_addr_t paddr,
180 size_t pgsize, size_t pgcount, int prot,
181 gfp_t gfp, size_t *mapped)
182 {
183 struct mock_iommu_domain *mock =
184 container_of(domain, struct mock_iommu_domain, domain);
185 unsigned long flags = MOCK_PFN_START_IOVA;
186 unsigned long start_iova = iova;
187
188 /*
189 * xarray does not reliably work with fault injection because it does a
190 * retry allocation, so put our own failure point.
191 */
192 if (iommufd_should_fail())
193 return -ENOENT;
194
195 WARN_ON(iova % MOCK_IO_PAGE_SIZE);
196 WARN_ON(pgsize % MOCK_IO_PAGE_SIZE);
197 for (; pgcount; pgcount--) {
198 size_t cur;
199
200 for (cur = 0; cur != pgsize; cur += MOCK_IO_PAGE_SIZE) {
201 void *old;
202
203 if (pgcount == 1 && cur + MOCK_IO_PAGE_SIZE == pgsize)
204 flags = MOCK_PFN_LAST_IOVA;
205 old = xa_store(&mock->pfns, iova / MOCK_IO_PAGE_SIZE,
206 xa_mk_value((paddr / MOCK_IO_PAGE_SIZE) |
207 flags),
208 gfp);
209 if (xa_is_err(old)) {
210 for (; start_iova != iova;
211 start_iova += MOCK_IO_PAGE_SIZE)
212 xa_erase(&mock->pfns,
213 start_iova /
214 MOCK_IO_PAGE_SIZE);
215 return xa_err(old);
216 }
217 WARN_ON(old);
218 iova += MOCK_IO_PAGE_SIZE;
219 paddr += MOCK_IO_PAGE_SIZE;
220 *mapped += MOCK_IO_PAGE_SIZE;
221 flags = 0;
222 }
223 }
224 return 0;
225 }
226
mock_domain_unmap_pages(struct iommu_domain * domain,unsigned long iova,size_t pgsize,size_t pgcount,struct iommu_iotlb_gather * iotlb_gather)227 static size_t mock_domain_unmap_pages(struct iommu_domain *domain,
228 unsigned long iova, size_t pgsize,
229 size_t pgcount,
230 struct iommu_iotlb_gather *iotlb_gather)
231 {
232 struct mock_iommu_domain *mock =
233 container_of(domain, struct mock_iommu_domain, domain);
234 bool first = true;
235 size_t ret = 0;
236 void *ent;
237
238 WARN_ON(iova % MOCK_IO_PAGE_SIZE);
239 WARN_ON(pgsize % MOCK_IO_PAGE_SIZE);
240
241 for (; pgcount; pgcount--) {
242 size_t cur;
243
244 for (cur = 0; cur != pgsize; cur += MOCK_IO_PAGE_SIZE) {
245 ent = xa_erase(&mock->pfns, iova / MOCK_IO_PAGE_SIZE);
246 WARN_ON(!ent);
247 /*
248 * iommufd generates unmaps that must be a strict
249 * superset of the map's performend So every starting
250 * IOVA should have been an iova passed to map, and the
251 *
252 * First IOVA must be present and have been a first IOVA
253 * passed to map_pages
254 */
255 if (first) {
256 WARN_ON(!(xa_to_value(ent) &
257 MOCK_PFN_START_IOVA));
258 first = false;
259 }
260 if (pgcount == 1 && cur + MOCK_IO_PAGE_SIZE == pgsize)
261 WARN_ON(!(xa_to_value(ent) &
262 MOCK_PFN_LAST_IOVA));
263
264 iova += MOCK_IO_PAGE_SIZE;
265 ret += MOCK_IO_PAGE_SIZE;
266 }
267 }
268 return ret;
269 }
270
mock_domain_iova_to_phys(struct iommu_domain * domain,dma_addr_t iova)271 static phys_addr_t mock_domain_iova_to_phys(struct iommu_domain *domain,
272 dma_addr_t iova)
273 {
274 struct mock_iommu_domain *mock =
275 container_of(domain, struct mock_iommu_domain, domain);
276 void *ent;
277
278 WARN_ON(iova % MOCK_IO_PAGE_SIZE);
279 ent = xa_load(&mock->pfns, iova / MOCK_IO_PAGE_SIZE);
280 WARN_ON(!ent);
281 return (xa_to_value(ent) & MOCK_PFN_MASK) * MOCK_IO_PAGE_SIZE;
282 }
283
mock_domain_capable(struct device * dev,enum iommu_cap cap)284 static bool mock_domain_capable(struct device *dev, enum iommu_cap cap)
285 {
286 return cap == IOMMU_CAP_CACHE_COHERENCY;
287 }
288
mock_domain_set_plaform_dma_ops(struct device * dev)289 static void mock_domain_set_plaform_dma_ops(struct device *dev)
290 {
291 /*
292 * mock doesn't setup default domains because we can't hook into the
293 * normal probe path
294 */
295 }
296
297 static struct iommu_device mock_iommu_device = {
298 };
299
mock_probe_device(struct device * dev)300 static struct iommu_device *mock_probe_device(struct device *dev)
301 {
302 return &mock_iommu_device;
303 }
304
305 static const struct iommu_ops mock_ops = {
306 .owner = THIS_MODULE,
307 .pgsize_bitmap = MOCK_IO_PAGE_SIZE,
308 .hw_info = mock_domain_hw_info,
309 .domain_alloc = mock_domain_alloc,
310 .capable = mock_domain_capable,
311 .set_platform_dma_ops = mock_domain_set_plaform_dma_ops,
312 .device_group = generic_device_group,
313 .probe_device = mock_probe_device,
314 .default_domain_ops =
315 &(struct iommu_domain_ops){
316 .free = mock_domain_free,
317 .attach_dev = mock_domain_nop_attach,
318 .map_pages = mock_domain_map_pages,
319 .unmap_pages = mock_domain_unmap_pages,
320 .iova_to_phys = mock_domain_iova_to_phys,
321 },
322 };
323
324 static inline struct iommufd_hw_pagetable *
get_md_pagetable(struct iommufd_ucmd * ucmd,u32 mockpt_id,struct mock_iommu_domain ** mock)325 get_md_pagetable(struct iommufd_ucmd *ucmd, u32 mockpt_id,
326 struct mock_iommu_domain **mock)
327 {
328 struct iommufd_hw_pagetable *hwpt;
329 struct iommufd_object *obj;
330
331 obj = iommufd_get_object(ucmd->ictx, mockpt_id,
332 IOMMUFD_OBJ_HW_PAGETABLE);
333 if (IS_ERR(obj))
334 return ERR_CAST(obj);
335 hwpt = container_of(obj, struct iommufd_hw_pagetable, obj);
336 if (hwpt->domain->ops != mock_ops.default_domain_ops) {
337 iommufd_put_object(&hwpt->obj);
338 return ERR_PTR(-EINVAL);
339 }
340 *mock = container_of(hwpt->domain, struct mock_iommu_domain, domain);
341 return hwpt;
342 }
343
344 struct mock_bus_type {
345 struct bus_type bus;
346 struct notifier_block nb;
347 };
348
349 static struct mock_bus_type iommufd_mock_bus_type = {
350 .bus = {
351 .name = "iommufd_mock",
352 },
353 };
354
355 static atomic_t mock_dev_num;
356
mock_dev_release(struct device * dev)357 static void mock_dev_release(struct device *dev)
358 {
359 struct mock_dev *mdev = container_of(dev, struct mock_dev, dev);
360
361 atomic_dec(&mock_dev_num);
362 kfree(mdev);
363 }
364
mock_dev_create(void)365 static struct mock_dev *mock_dev_create(void)
366 {
367 struct mock_dev *mdev;
368 int rc;
369
370 mdev = kzalloc(sizeof(*mdev), GFP_KERNEL);
371 if (!mdev)
372 return ERR_PTR(-ENOMEM);
373
374 device_initialize(&mdev->dev);
375 mdev->dev.release = mock_dev_release;
376 mdev->dev.bus = &iommufd_mock_bus_type.bus;
377
378 rc = dev_set_name(&mdev->dev, "iommufd_mock%u",
379 atomic_inc_return(&mock_dev_num));
380 if (rc)
381 goto err_put;
382
383 rc = device_add(&mdev->dev);
384 if (rc)
385 goto err_put;
386 return mdev;
387
388 err_put:
389 put_device(&mdev->dev);
390 return ERR_PTR(rc);
391 }
392
mock_dev_destroy(struct mock_dev * mdev)393 static void mock_dev_destroy(struct mock_dev *mdev)
394 {
395 device_unregister(&mdev->dev);
396 }
397
iommufd_selftest_is_mock_dev(struct device * dev)398 bool iommufd_selftest_is_mock_dev(struct device *dev)
399 {
400 return dev->release == mock_dev_release;
401 }
402
403 /* Create an hw_pagetable with the mock domain so we can test the domain ops */
iommufd_test_mock_domain(struct iommufd_ucmd * ucmd,struct iommu_test_cmd * cmd)404 static int iommufd_test_mock_domain(struct iommufd_ucmd *ucmd,
405 struct iommu_test_cmd *cmd)
406 {
407 struct iommufd_device *idev;
408 struct selftest_obj *sobj;
409 u32 pt_id = cmd->id;
410 u32 idev_id;
411 int rc;
412
413 sobj = iommufd_object_alloc(ucmd->ictx, sobj, IOMMUFD_OBJ_SELFTEST);
414 if (IS_ERR(sobj))
415 return PTR_ERR(sobj);
416
417 sobj->idev.ictx = ucmd->ictx;
418 sobj->type = TYPE_IDEV;
419
420 sobj->idev.mock_dev = mock_dev_create();
421 if (IS_ERR(sobj->idev.mock_dev)) {
422 rc = PTR_ERR(sobj->idev.mock_dev);
423 goto out_sobj;
424 }
425
426 idev = iommufd_device_bind(ucmd->ictx, &sobj->idev.mock_dev->dev,
427 &idev_id);
428 if (IS_ERR(idev)) {
429 rc = PTR_ERR(idev);
430 goto out_mdev;
431 }
432 sobj->idev.idev = idev;
433
434 rc = iommufd_device_attach(idev, &pt_id);
435 if (rc)
436 goto out_unbind;
437
438 /* Userspace must destroy the device_id to destroy the object */
439 cmd->mock_domain.out_hwpt_id = pt_id;
440 cmd->mock_domain.out_stdev_id = sobj->obj.id;
441 cmd->mock_domain.out_idev_id = idev_id;
442 rc = iommufd_ucmd_respond(ucmd, sizeof(*cmd));
443 if (rc)
444 goto out_detach;
445 iommufd_object_finalize(ucmd->ictx, &sobj->obj);
446 return 0;
447
448 out_detach:
449 iommufd_device_detach(idev);
450 out_unbind:
451 iommufd_device_unbind(idev);
452 out_mdev:
453 mock_dev_destroy(sobj->idev.mock_dev);
454 out_sobj:
455 iommufd_object_abort(ucmd->ictx, &sobj->obj);
456 return rc;
457 }
458
459 /* Replace the mock domain with a manually allocated hw_pagetable */
iommufd_test_mock_domain_replace(struct iommufd_ucmd * ucmd,unsigned int device_id,u32 pt_id,struct iommu_test_cmd * cmd)460 static int iommufd_test_mock_domain_replace(struct iommufd_ucmd *ucmd,
461 unsigned int device_id, u32 pt_id,
462 struct iommu_test_cmd *cmd)
463 {
464 struct iommufd_object *dev_obj;
465 struct selftest_obj *sobj;
466 int rc;
467
468 /*
469 * Prefer to use the OBJ_SELFTEST because the destroy_rwsem will ensure
470 * it doesn't race with detach, which is not allowed.
471 */
472 dev_obj =
473 iommufd_get_object(ucmd->ictx, device_id, IOMMUFD_OBJ_SELFTEST);
474 if (IS_ERR(dev_obj))
475 return PTR_ERR(dev_obj);
476
477 sobj = container_of(dev_obj, struct selftest_obj, obj);
478 if (sobj->type != TYPE_IDEV) {
479 rc = -EINVAL;
480 goto out_dev_obj;
481 }
482
483 rc = iommufd_device_replace(sobj->idev.idev, &pt_id);
484 if (rc)
485 goto out_dev_obj;
486
487 cmd->mock_domain_replace.pt_id = pt_id;
488 rc = iommufd_ucmd_respond(ucmd, sizeof(*cmd));
489
490 out_dev_obj:
491 iommufd_put_object(dev_obj);
492 return rc;
493 }
494
495 /* Add an additional reserved IOVA to the IOAS */
iommufd_test_add_reserved(struct iommufd_ucmd * ucmd,unsigned int mockpt_id,unsigned long start,size_t length)496 static int iommufd_test_add_reserved(struct iommufd_ucmd *ucmd,
497 unsigned int mockpt_id,
498 unsigned long start, size_t length)
499 {
500 struct iommufd_ioas *ioas;
501 int rc;
502
503 ioas = iommufd_get_ioas(ucmd->ictx, mockpt_id);
504 if (IS_ERR(ioas))
505 return PTR_ERR(ioas);
506 down_write(&ioas->iopt.iova_rwsem);
507 rc = iopt_reserve_iova(&ioas->iopt, start, start + length - 1, NULL);
508 up_write(&ioas->iopt.iova_rwsem);
509 iommufd_put_object(&ioas->obj);
510 return rc;
511 }
512
513 /* Check that every pfn under each iova matches the pfn under a user VA */
iommufd_test_md_check_pa(struct iommufd_ucmd * ucmd,unsigned int mockpt_id,unsigned long iova,size_t length,void __user * uptr)514 static int iommufd_test_md_check_pa(struct iommufd_ucmd *ucmd,
515 unsigned int mockpt_id, unsigned long iova,
516 size_t length, void __user *uptr)
517 {
518 struct iommufd_hw_pagetable *hwpt;
519 struct mock_iommu_domain *mock;
520 uintptr_t end;
521 int rc;
522
523 if (iova % MOCK_IO_PAGE_SIZE || length % MOCK_IO_PAGE_SIZE ||
524 (uintptr_t)uptr % MOCK_IO_PAGE_SIZE ||
525 check_add_overflow((uintptr_t)uptr, (uintptr_t)length, &end))
526 return -EINVAL;
527
528 hwpt = get_md_pagetable(ucmd, mockpt_id, &mock);
529 if (IS_ERR(hwpt))
530 return PTR_ERR(hwpt);
531
532 for (; length; length -= MOCK_IO_PAGE_SIZE) {
533 struct page *pages[1];
534 unsigned long pfn;
535 long npages;
536 void *ent;
537
538 npages = get_user_pages_fast((uintptr_t)uptr & PAGE_MASK, 1, 0,
539 pages);
540 if (npages < 0) {
541 rc = npages;
542 goto out_put;
543 }
544 if (WARN_ON(npages != 1)) {
545 rc = -EFAULT;
546 goto out_put;
547 }
548 pfn = page_to_pfn(pages[0]);
549 put_page(pages[0]);
550
551 ent = xa_load(&mock->pfns, iova / MOCK_IO_PAGE_SIZE);
552 if (!ent ||
553 (xa_to_value(ent) & MOCK_PFN_MASK) * MOCK_IO_PAGE_SIZE !=
554 pfn * PAGE_SIZE + ((uintptr_t)uptr % PAGE_SIZE)) {
555 rc = -EINVAL;
556 goto out_put;
557 }
558 iova += MOCK_IO_PAGE_SIZE;
559 uptr += MOCK_IO_PAGE_SIZE;
560 }
561 rc = 0;
562
563 out_put:
564 iommufd_put_object(&hwpt->obj);
565 return rc;
566 }
567
568 /* Check that the page ref count matches, to look for missing pin/unpins */
iommufd_test_md_check_refs(struct iommufd_ucmd * ucmd,void __user * uptr,size_t length,unsigned int refs)569 static int iommufd_test_md_check_refs(struct iommufd_ucmd *ucmd,
570 void __user *uptr, size_t length,
571 unsigned int refs)
572 {
573 uintptr_t end;
574
575 if (length % PAGE_SIZE || (uintptr_t)uptr % PAGE_SIZE ||
576 check_add_overflow((uintptr_t)uptr, (uintptr_t)length, &end))
577 return -EINVAL;
578
579 for (; length; length -= PAGE_SIZE) {
580 struct page *pages[1];
581 long npages;
582
583 npages = get_user_pages_fast((uintptr_t)uptr, 1, 0, pages);
584 if (npages < 0)
585 return npages;
586 if (WARN_ON(npages != 1))
587 return -EFAULT;
588 if (!PageCompound(pages[0])) {
589 unsigned int count;
590
591 count = page_ref_count(pages[0]);
592 if (count / GUP_PIN_COUNTING_BIAS != refs) {
593 put_page(pages[0]);
594 return -EIO;
595 }
596 }
597 put_page(pages[0]);
598 uptr += PAGE_SIZE;
599 }
600 return 0;
601 }
602
603 struct selftest_access {
604 struct iommufd_access *access;
605 struct file *file;
606 struct mutex lock;
607 struct list_head items;
608 unsigned int next_id;
609 bool destroying;
610 };
611
612 struct selftest_access_item {
613 struct list_head items_elm;
614 unsigned long iova;
615 size_t length;
616 unsigned int id;
617 };
618
619 static const struct file_operations iommfd_test_staccess_fops;
620
iommufd_access_get(int fd)621 static struct selftest_access *iommufd_access_get(int fd)
622 {
623 struct file *file;
624
625 file = fget(fd);
626 if (!file)
627 return ERR_PTR(-EBADFD);
628
629 if (file->f_op != &iommfd_test_staccess_fops) {
630 fput(file);
631 return ERR_PTR(-EBADFD);
632 }
633 return file->private_data;
634 }
635
iommufd_test_access_unmap(void * data,unsigned long iova,unsigned long length)636 static void iommufd_test_access_unmap(void *data, unsigned long iova,
637 unsigned long length)
638 {
639 unsigned long iova_last = iova + length - 1;
640 struct selftest_access *staccess = data;
641 struct selftest_access_item *item;
642 struct selftest_access_item *tmp;
643
644 mutex_lock(&staccess->lock);
645 list_for_each_entry_safe(item, tmp, &staccess->items, items_elm) {
646 if (iova > item->iova + item->length - 1 ||
647 iova_last < item->iova)
648 continue;
649 list_del(&item->items_elm);
650 iommufd_access_unpin_pages(staccess->access, item->iova,
651 item->length);
652 kfree(item);
653 }
654 mutex_unlock(&staccess->lock);
655 }
656
iommufd_test_access_item_destroy(struct iommufd_ucmd * ucmd,unsigned int access_id,unsigned int item_id)657 static int iommufd_test_access_item_destroy(struct iommufd_ucmd *ucmd,
658 unsigned int access_id,
659 unsigned int item_id)
660 {
661 struct selftest_access_item *item;
662 struct selftest_access *staccess;
663
664 staccess = iommufd_access_get(access_id);
665 if (IS_ERR(staccess))
666 return PTR_ERR(staccess);
667
668 mutex_lock(&staccess->lock);
669 list_for_each_entry(item, &staccess->items, items_elm) {
670 if (item->id == item_id) {
671 list_del(&item->items_elm);
672 iommufd_access_unpin_pages(staccess->access, item->iova,
673 item->length);
674 mutex_unlock(&staccess->lock);
675 kfree(item);
676 fput(staccess->file);
677 return 0;
678 }
679 }
680 mutex_unlock(&staccess->lock);
681 fput(staccess->file);
682 return -ENOENT;
683 }
684
iommufd_test_staccess_release(struct inode * inode,struct file * filep)685 static int iommufd_test_staccess_release(struct inode *inode,
686 struct file *filep)
687 {
688 struct selftest_access *staccess = filep->private_data;
689
690 if (staccess->access) {
691 iommufd_test_access_unmap(staccess, 0, ULONG_MAX);
692 iommufd_access_destroy(staccess->access);
693 }
694 mutex_destroy(&staccess->lock);
695 kfree(staccess);
696 return 0;
697 }
698
699 static const struct iommufd_access_ops selftest_access_ops_pin = {
700 .needs_pin_pages = 1,
701 .unmap = iommufd_test_access_unmap,
702 };
703
704 static const struct iommufd_access_ops selftest_access_ops = {
705 .unmap = iommufd_test_access_unmap,
706 };
707
708 static const struct file_operations iommfd_test_staccess_fops = {
709 .release = iommufd_test_staccess_release,
710 };
711
iommufd_test_alloc_access(void)712 static struct selftest_access *iommufd_test_alloc_access(void)
713 {
714 struct selftest_access *staccess;
715 struct file *filep;
716
717 staccess = kzalloc(sizeof(*staccess), GFP_KERNEL_ACCOUNT);
718 if (!staccess)
719 return ERR_PTR(-ENOMEM);
720 INIT_LIST_HEAD(&staccess->items);
721 mutex_init(&staccess->lock);
722
723 filep = anon_inode_getfile("[iommufd_test_staccess]",
724 &iommfd_test_staccess_fops, staccess,
725 O_RDWR);
726 if (IS_ERR(filep)) {
727 kfree(staccess);
728 return ERR_CAST(filep);
729 }
730 staccess->file = filep;
731 return staccess;
732 }
733
iommufd_test_create_access(struct iommufd_ucmd * ucmd,unsigned int ioas_id,unsigned int flags)734 static int iommufd_test_create_access(struct iommufd_ucmd *ucmd,
735 unsigned int ioas_id, unsigned int flags)
736 {
737 struct iommu_test_cmd *cmd = ucmd->cmd;
738 struct selftest_access *staccess;
739 struct iommufd_access *access;
740 u32 id;
741 int fdno;
742 int rc;
743
744 if (flags & ~MOCK_FLAGS_ACCESS_CREATE_NEEDS_PIN_PAGES)
745 return -EOPNOTSUPP;
746
747 staccess = iommufd_test_alloc_access();
748 if (IS_ERR(staccess))
749 return PTR_ERR(staccess);
750
751 fdno = get_unused_fd_flags(O_CLOEXEC);
752 if (fdno < 0) {
753 rc = -ENOMEM;
754 goto out_free_staccess;
755 }
756
757 access = iommufd_access_create(
758 ucmd->ictx,
759 (flags & MOCK_FLAGS_ACCESS_CREATE_NEEDS_PIN_PAGES) ?
760 &selftest_access_ops_pin :
761 &selftest_access_ops,
762 staccess, &id);
763 if (IS_ERR(access)) {
764 rc = PTR_ERR(access);
765 goto out_put_fdno;
766 }
767 rc = iommufd_access_attach(access, ioas_id);
768 if (rc)
769 goto out_destroy;
770 cmd->create_access.out_access_fd = fdno;
771 rc = iommufd_ucmd_respond(ucmd, sizeof(*cmd));
772 if (rc)
773 goto out_destroy;
774
775 staccess->access = access;
776 fd_install(fdno, staccess->file);
777 return 0;
778
779 out_destroy:
780 iommufd_access_destroy(access);
781 out_put_fdno:
782 put_unused_fd(fdno);
783 out_free_staccess:
784 fput(staccess->file);
785 return rc;
786 }
787
iommufd_test_access_replace_ioas(struct iommufd_ucmd * ucmd,unsigned int access_id,unsigned int ioas_id)788 static int iommufd_test_access_replace_ioas(struct iommufd_ucmd *ucmd,
789 unsigned int access_id,
790 unsigned int ioas_id)
791 {
792 struct selftest_access *staccess;
793 int rc;
794
795 staccess = iommufd_access_get(access_id);
796 if (IS_ERR(staccess))
797 return PTR_ERR(staccess);
798
799 rc = iommufd_access_replace(staccess->access, ioas_id);
800 fput(staccess->file);
801 return rc;
802 }
803
804 /* Check that the pages in a page array match the pages in the user VA */
iommufd_test_check_pages(void __user * uptr,struct page ** pages,size_t npages)805 static int iommufd_test_check_pages(void __user *uptr, struct page **pages,
806 size_t npages)
807 {
808 for (; npages; npages--) {
809 struct page *tmp_pages[1];
810 long rc;
811
812 rc = get_user_pages_fast((uintptr_t)uptr, 1, 0, tmp_pages);
813 if (rc < 0)
814 return rc;
815 if (WARN_ON(rc != 1))
816 return -EFAULT;
817 put_page(tmp_pages[0]);
818 if (tmp_pages[0] != *pages)
819 return -EBADE;
820 pages++;
821 uptr += PAGE_SIZE;
822 }
823 return 0;
824 }
825
iommufd_test_access_pages(struct iommufd_ucmd * ucmd,unsigned int access_id,unsigned long iova,size_t length,void __user * uptr,u32 flags)826 static int iommufd_test_access_pages(struct iommufd_ucmd *ucmd,
827 unsigned int access_id, unsigned long iova,
828 size_t length, void __user *uptr,
829 u32 flags)
830 {
831 struct iommu_test_cmd *cmd = ucmd->cmd;
832 struct selftest_access_item *item;
833 struct selftest_access *staccess;
834 struct page **pages;
835 size_t npages;
836 int rc;
837
838 /* Prevent syzkaller from triggering a WARN_ON in kvzalloc() */
839 if (length > 16*1024*1024)
840 return -ENOMEM;
841
842 if (flags & ~(MOCK_FLAGS_ACCESS_WRITE | MOCK_FLAGS_ACCESS_SYZ))
843 return -EOPNOTSUPP;
844
845 staccess = iommufd_access_get(access_id);
846 if (IS_ERR(staccess))
847 return PTR_ERR(staccess);
848
849 if (staccess->access->ops != &selftest_access_ops_pin) {
850 rc = -EOPNOTSUPP;
851 goto out_put;
852 }
853
854 if (flags & MOCK_FLAGS_ACCESS_SYZ)
855 iova = iommufd_test_syz_conv_iova(&staccess->access->ioas->iopt,
856 &cmd->access_pages.iova);
857
858 npages = (ALIGN(iova + length, PAGE_SIZE) -
859 ALIGN_DOWN(iova, PAGE_SIZE)) /
860 PAGE_SIZE;
861 pages = kvcalloc(npages, sizeof(*pages), GFP_KERNEL_ACCOUNT);
862 if (!pages) {
863 rc = -ENOMEM;
864 goto out_put;
865 }
866
867 /*
868 * Drivers will need to think very carefully about this locking. The
869 * core code can do multiple unmaps instantaneously after
870 * iommufd_access_pin_pages() and *all* the unmaps must not return until
871 * the range is unpinned. This simple implementation puts a global lock
872 * around the pin, which may not suit drivers that want this to be a
873 * performance path. drivers that get this wrong will trigger WARN_ON
874 * races and cause EDEADLOCK failures to userspace.
875 */
876 mutex_lock(&staccess->lock);
877 rc = iommufd_access_pin_pages(staccess->access, iova, length, pages,
878 flags & MOCK_FLAGS_ACCESS_WRITE);
879 if (rc)
880 goto out_unlock;
881
882 /* For syzkaller allow uptr to be NULL to skip this check */
883 if (uptr) {
884 rc = iommufd_test_check_pages(
885 uptr - (iova - ALIGN_DOWN(iova, PAGE_SIZE)), pages,
886 npages);
887 if (rc)
888 goto out_unaccess;
889 }
890
891 item = kzalloc(sizeof(*item), GFP_KERNEL_ACCOUNT);
892 if (!item) {
893 rc = -ENOMEM;
894 goto out_unaccess;
895 }
896
897 item->iova = iova;
898 item->length = length;
899 item->id = staccess->next_id++;
900 list_add_tail(&item->items_elm, &staccess->items);
901
902 cmd->access_pages.out_access_pages_id = item->id;
903 rc = iommufd_ucmd_respond(ucmd, sizeof(*cmd));
904 if (rc)
905 goto out_free_item;
906 goto out_unlock;
907
908 out_free_item:
909 list_del(&item->items_elm);
910 kfree(item);
911 out_unaccess:
912 iommufd_access_unpin_pages(staccess->access, iova, length);
913 out_unlock:
914 mutex_unlock(&staccess->lock);
915 kvfree(pages);
916 out_put:
917 fput(staccess->file);
918 return rc;
919 }
920
iommufd_test_access_rw(struct iommufd_ucmd * ucmd,unsigned int access_id,unsigned long iova,size_t length,void __user * ubuf,unsigned int flags)921 static int iommufd_test_access_rw(struct iommufd_ucmd *ucmd,
922 unsigned int access_id, unsigned long iova,
923 size_t length, void __user *ubuf,
924 unsigned int flags)
925 {
926 struct iommu_test_cmd *cmd = ucmd->cmd;
927 struct selftest_access *staccess;
928 void *tmp;
929 int rc;
930
931 /* Prevent syzkaller from triggering a WARN_ON in kvzalloc() */
932 if (length > 16*1024*1024)
933 return -ENOMEM;
934
935 if (flags & ~(MOCK_ACCESS_RW_WRITE | MOCK_ACCESS_RW_SLOW_PATH |
936 MOCK_FLAGS_ACCESS_SYZ))
937 return -EOPNOTSUPP;
938
939 staccess = iommufd_access_get(access_id);
940 if (IS_ERR(staccess))
941 return PTR_ERR(staccess);
942
943 tmp = kvzalloc(length, GFP_KERNEL_ACCOUNT);
944 if (!tmp) {
945 rc = -ENOMEM;
946 goto out_put;
947 }
948
949 if (flags & MOCK_ACCESS_RW_WRITE) {
950 if (copy_from_user(tmp, ubuf, length)) {
951 rc = -EFAULT;
952 goto out_free;
953 }
954 }
955
956 if (flags & MOCK_FLAGS_ACCESS_SYZ)
957 iova = iommufd_test_syz_conv_iova(&staccess->access->ioas->iopt,
958 &cmd->access_rw.iova);
959
960 rc = iommufd_access_rw(staccess->access, iova, tmp, length, flags);
961 if (rc)
962 goto out_free;
963 if (!(flags & MOCK_ACCESS_RW_WRITE)) {
964 if (copy_to_user(ubuf, tmp, length)) {
965 rc = -EFAULT;
966 goto out_free;
967 }
968 }
969
970 out_free:
971 kvfree(tmp);
972 out_put:
973 fput(staccess->file);
974 return rc;
975 }
976 static_assert((unsigned int)MOCK_ACCESS_RW_WRITE == IOMMUFD_ACCESS_RW_WRITE);
977 static_assert((unsigned int)MOCK_ACCESS_RW_SLOW_PATH ==
978 __IOMMUFD_ACCESS_RW_SLOW_PATH);
979
iommufd_selftest_destroy(struct iommufd_object * obj)980 void iommufd_selftest_destroy(struct iommufd_object *obj)
981 {
982 struct selftest_obj *sobj = container_of(obj, struct selftest_obj, obj);
983
984 switch (sobj->type) {
985 case TYPE_IDEV:
986 iommufd_device_detach(sobj->idev.idev);
987 iommufd_device_unbind(sobj->idev.idev);
988 mock_dev_destroy(sobj->idev.mock_dev);
989 break;
990 }
991 }
992
iommufd_test(struct iommufd_ucmd * ucmd)993 int iommufd_test(struct iommufd_ucmd *ucmd)
994 {
995 struct iommu_test_cmd *cmd = ucmd->cmd;
996
997 switch (cmd->op) {
998 case IOMMU_TEST_OP_ADD_RESERVED:
999 return iommufd_test_add_reserved(ucmd, cmd->id,
1000 cmd->add_reserved.start,
1001 cmd->add_reserved.length);
1002 case IOMMU_TEST_OP_MOCK_DOMAIN:
1003 return iommufd_test_mock_domain(ucmd, cmd);
1004 case IOMMU_TEST_OP_MOCK_DOMAIN_REPLACE:
1005 return iommufd_test_mock_domain_replace(
1006 ucmd, cmd->id, cmd->mock_domain_replace.pt_id, cmd);
1007 case IOMMU_TEST_OP_MD_CHECK_MAP:
1008 return iommufd_test_md_check_pa(
1009 ucmd, cmd->id, cmd->check_map.iova,
1010 cmd->check_map.length,
1011 u64_to_user_ptr(cmd->check_map.uptr));
1012 case IOMMU_TEST_OP_MD_CHECK_REFS:
1013 return iommufd_test_md_check_refs(
1014 ucmd, u64_to_user_ptr(cmd->check_refs.uptr),
1015 cmd->check_refs.length, cmd->check_refs.refs);
1016 case IOMMU_TEST_OP_CREATE_ACCESS:
1017 return iommufd_test_create_access(ucmd, cmd->id,
1018 cmd->create_access.flags);
1019 case IOMMU_TEST_OP_ACCESS_REPLACE_IOAS:
1020 return iommufd_test_access_replace_ioas(
1021 ucmd, cmd->id, cmd->access_replace_ioas.ioas_id);
1022 case IOMMU_TEST_OP_ACCESS_PAGES:
1023 return iommufd_test_access_pages(
1024 ucmd, cmd->id, cmd->access_pages.iova,
1025 cmd->access_pages.length,
1026 u64_to_user_ptr(cmd->access_pages.uptr),
1027 cmd->access_pages.flags);
1028 case IOMMU_TEST_OP_ACCESS_RW:
1029 return iommufd_test_access_rw(
1030 ucmd, cmd->id, cmd->access_rw.iova,
1031 cmd->access_rw.length,
1032 u64_to_user_ptr(cmd->access_rw.uptr),
1033 cmd->access_rw.flags);
1034 case IOMMU_TEST_OP_DESTROY_ACCESS_PAGES:
1035 return iommufd_test_access_item_destroy(
1036 ucmd, cmd->id, cmd->destroy_access_pages.access_pages_id);
1037 case IOMMU_TEST_OP_SET_TEMP_MEMORY_LIMIT:
1038 /* Protect _batch_init(), can not be less than elmsz */
1039 if (cmd->memory_limit.limit <
1040 sizeof(unsigned long) + sizeof(u32))
1041 return -EINVAL;
1042 iommufd_test_memory_limit = cmd->memory_limit.limit;
1043 return 0;
1044 default:
1045 return -EOPNOTSUPP;
1046 }
1047 }
1048
iommufd_should_fail(void)1049 bool iommufd_should_fail(void)
1050 {
1051 return should_fail(&fail_iommufd, 1);
1052 }
1053
iommufd_test_init(void)1054 int __init iommufd_test_init(void)
1055 {
1056 struct platform_device_info pdevinfo = {
1057 .name = "iommufd_selftest_iommu",
1058 };
1059 int rc;
1060
1061 dbgfs_root =
1062 fault_create_debugfs_attr("fail_iommufd", NULL, &fail_iommufd);
1063
1064 selftest_iommu_dev = platform_device_register_full(&pdevinfo);
1065 if (IS_ERR(selftest_iommu_dev)) {
1066 rc = PTR_ERR(selftest_iommu_dev);
1067 goto err_dbgfs;
1068 }
1069
1070 rc = bus_register(&iommufd_mock_bus_type.bus);
1071 if (rc)
1072 goto err_platform;
1073
1074 rc = iommu_device_sysfs_add(&mock_iommu_device,
1075 &selftest_iommu_dev->dev, NULL, "%s",
1076 dev_name(&selftest_iommu_dev->dev));
1077 if (rc)
1078 goto err_bus;
1079
1080 rc = iommu_device_register_bus(&mock_iommu_device, &mock_ops,
1081 &iommufd_mock_bus_type.bus,
1082 &iommufd_mock_bus_type.nb);
1083 if (rc)
1084 goto err_sysfs;
1085 return 0;
1086
1087 err_sysfs:
1088 iommu_device_sysfs_remove(&mock_iommu_device);
1089 err_bus:
1090 bus_unregister(&iommufd_mock_bus_type.bus);
1091 err_platform:
1092 platform_device_unregister(selftest_iommu_dev);
1093 err_dbgfs:
1094 debugfs_remove_recursive(dbgfs_root);
1095 return rc;
1096 }
1097
iommufd_test_exit(void)1098 void iommufd_test_exit(void)
1099 {
1100 iommu_device_sysfs_remove(&mock_iommu_device);
1101 iommu_device_unregister_bus(&mock_iommu_device,
1102 &iommufd_mock_bus_type.bus,
1103 &iommufd_mock_bus_type.nb);
1104 bus_unregister(&iommufd_mock_bus_type.bus);
1105 platform_device_unregister(selftest_iommu_dev);
1106 debugfs_remove_recursive(dbgfs_root);
1107 }
1108
