There is nothing preventing a root user from inadvertently unbinding an AP queue device that is in use by a guest from the vfio_ap device driver and binding it to a zcrypt driver. This can result in a queue being accessible from both the host and a guest. This patch introduces safeguards that prevent sharing of an AP queue between the host when a queue device is unbound from the vfio_ap device driver. In addition, this patch restores guest access to AP queue devices bound to the vfio_ap driver if the queue's APQN is assigned to an mdev device in use by a guest. Signed-off-by: Tony Krowiak <akrowiak@xxxxxxxxxxxxx> --- drivers/s390/crypto/vfio_ap_drv.c | 12 +++- drivers/s390/crypto/vfio_ap_ops.c | 100 +++++++++++++++++++++++++++++++++- drivers/s390/crypto/vfio_ap_private.h | 2 + 3 files changed, 111 insertions(+), 3 deletions(-) diff --git a/drivers/s390/crypto/vfio_ap_drv.c b/drivers/s390/crypto/vfio_ap_drv.c index e9824c35c34f..c215978daf39 100644 --- a/drivers/s390/crypto/vfio_ap_drv.c +++ b/drivers/s390/crypto/vfio_ap_drv.c @@ -42,12 +42,22 @@ MODULE_DEVICE_TABLE(vfio_ap, ap_queue_ids); static int vfio_ap_queue_dev_probe(struct ap_device *apdev) { + struct ap_queue *queue = to_ap_queue(&apdev->device); + + mutex_lock(&matrix_dev->lock); + vfio_ap_mdev_probe_queue(queue); + mutex_unlock(&matrix_dev->lock); + return 0; } static void vfio_ap_queue_dev_remove(struct ap_device *apdev) { - /* Nothing to do yet */ + struct ap_queue *queue = to_ap_queue(&apdev->device); + + mutex_lock(&matrix_dev->lock); + vfio_ap_mdev_remove_queue(queue); + mutex_unlock(&matrix_dev->lock); } static void vfio_ap_matrix_dev_release(struct device *dev) diff --git a/drivers/s390/crypto/vfio_ap_ops.c b/drivers/s390/crypto/vfio_ap_ops.c index ede45184eb67..40324951bd37 100644 --- a/drivers/s390/crypto/vfio_ap_ops.c +++ b/drivers/s390/crypto/vfio_ap_ops.c @@ -226,8 +226,6 @@ static struct device *vfio_ap_get_queue_dev(unsigned long apid, &apqn, match_apqn); } - - static int vfio_ap_mdev_validate_masks(unsigned long *apm, unsigned long *aqm) { int ret; @@ -259,6 +257,27 @@ static bool vfio_ap_queues_on_drv(unsigned long *apm, unsigned long *aqm) return true; } +static bool vfio_ap_card_on_drv(struct ap_queue *queue, unsigned long *aqm) +{ + unsigned long apid, apqi; + struct device *dev; + + apid = AP_QID_CARD(queue->qid); + + for_each_set_bit_inv(apqi, aqm, AP_DOMAINS) { + if (queue->qid == AP_MKQID(apid, apqi)) + continue; + + dev = vfio_ap_get_queue_dev(apid, apqi); + if (!dev) + return false; + + put_device(dev); + } + + return true; +} + /** * assign_adapter_store * @@ -1017,3 +1036,80 @@ void vfio_ap_mdev_unregister(void) { mdev_unregister_device(&matrix_dev->device); } + +static struct ap_matrix_mdev *vfio_ap_mdev_find_matrix_mdev(unsigned long apid, + unsigned long apqi) +{ + struct ap_matrix_mdev *matrix_mdev; + + list_for_each_entry(matrix_mdev, &matrix_dev->mdev_list, node) { + if (test_bit_inv(apid, matrix_mdev->matrix.apm) && + test_bit_inv(apqi, matrix_mdev->matrix.aqm)) + return matrix_mdev; + } + + return NULL; +} + +void vfio_ap_mdev_probe_queue(struct ap_queue *queue) +{ + struct ap_matrix_mdev *matrix_mdev; + unsigned long *shadow_apm, *shadow_aqm; + unsigned long apid = AP_QID_CARD(queue->qid); + unsigned long apqi = AP_QID_QUEUE(queue->qid); + + /* + * Find the mdev device to which the APQN of the queue device being + * probed is assigned + */ + matrix_mdev = vfio_ap_mdev_find_matrix_mdev(apid, apqi); + + /* Check whether we found an mdev device and it is in use by a guest */ + if (matrix_mdev && matrix_mdev->kvm) { + shadow_apm = matrix_mdev->shadow_crycb->apm; + shadow_aqm = matrix_mdev->shadow_crycb->aqm; + /* + * If the guest already has access to the adapter card + * referenced by APID or does not have access to the queues + * referenced by APQI, there is nothing to do here. + */ + if (test_bit_inv(apid, shadow_apm) || + !test_bit_inv(apqi, shadow_aqm)) + return; + + /* + * If each APQN with the APID of the queue being probed and an + * APQI in the shadow CRYCB references a queue device that is + * bound to the vfio_ap driver, then plug the adapter into the + * guest. + */ + if (vfio_ap_card_on_drv(queue, shadow_aqm)) { + set_bit_inv(apid, shadow_apm); + vfio_ap_mdev_update_crycb(matrix_mdev); + } + } +} + +void vfio_ap_mdev_remove_queue(struct ap_queue *queue) +{ + struct ap_matrix_mdev *matrix_mdev; + unsigned long apid = AP_QID_CARD(queue->qid); + unsigned long apqi = AP_QID_QUEUE(queue->qid); + + matrix_mdev = vfio_ap_mdev_find_matrix_mdev(apid, apqi); + + /* + * If the queue is assigned to the mdev device and the mdev device + * is in use by a guest, unplug the adapter referred to by the APID + * of the APQN of the queue being removed. + */ + if (matrix_mdev && matrix_mdev->kvm) { + if (!test_bit_inv(apid, matrix_mdev->shadow_crycb->apm)) + return; + + clear_bit_inv(apid, matrix_mdev->shadow_crycb->apm); + vfio_ap_mdev_update_crycb(matrix_mdev); + } + + vfio_ap_mdev_reset_queue(apid, apqi); +} diff --git a/drivers/s390/crypto/vfio_ap_private.h b/drivers/s390/crypto/vfio_ap_private.h index e8457aa61976..6b1f7df5b979 100644 --- a/drivers/s390/crypto/vfio_ap_private.h +++ b/drivers/s390/crypto/vfio_ap_private.h @@ -87,5 +87,7 @@ struct ap_matrix_mdev { extern int vfio_ap_mdev_register(void); extern void vfio_ap_mdev_unregister(void); +void vfio_ap_mdev_remove_queue(struct ap_queue *queue); +void vfio_ap_mdev_probe_queue(struct ap_queue *queue); #endif /* _VFIO_AP_PRIVATE_H_ */ -- 2.7.4