Re: [PATCH v5 4/5] iommu/uapi: Handle data and argsz filled by users

2020-07-21 Thread Jacob Pan
On Fri, 17 Jul 2020 13:59:54 -0600
Alex Williamson  wrote:

> On Thu, 16 Jul 2020 11:45:16 -0700
> Jacob Pan  wrote:
> 
> > IOMMU UAPI data has a user filled argsz field which indicates the
> > data length comes with the API call. User data is not trusted,
> > argsz must be validated based on the current kernel data size,
> > mandatory data size, and feature flags.
> > 
> > User data may also be extended, results in possible argsz increase.
> > Backward compatibility is ensured based on size and flags checking.
> > 
> > This patch adds sanity checks in the IOMMU layer. In addition to
> > argsz, reserved/unused fields in padding, flags, and version are
> > also checked. Details are documented in
> > Documentation/userspace-api/iommu.rst
> > 
> > Signed-off-by: Liu Yi L 
> > Signed-off-by: Jacob Pan 
> > ---
> >  drivers/iommu/iommu.c | 192
> > --
> > include/linux/iommu.h |  20 -- 2 files changed, 200
> > insertions(+), 12 deletions(-)
> > 
> > diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
> > index d43120eb1dc5..fe30a940d19e 100644
> > --- a/drivers/iommu/iommu.c
> > +++ b/drivers/iommu/iommu.c
> > @@ -1950,36 +1950,214 @@ int iommu_attach_device(struct
> > iommu_domain *domain, struct device *dev) }
> >  EXPORT_SYMBOL_GPL(iommu_attach_device);
> >  
> > +/*
> > + * Check flags and other user privided data for valid
> > combinations. We also
> > + * make sure no reserved fields or unused flags are not set. This
> > is to ensure
> > + * not breaking userspace in the future when these fields or flags
> > are used.
> > + */
> > +static int iommu_check_cache_invl_data(struct
> > iommu_cache_invalidate_info *info) +{
> > +   u32 mask;
> > +
> > +   if (info->version != IOMMU_CACHE_INVALIDATE_INFO_VERSION_1)
> > +   return -EINVAL;
> > +
> > +   mask = (1 << IOMMU_CACHE_INV_TYPE_NR) - 1;
> > +   if (info->cache & ~mask)
> > +   return -EINVAL;
> > +
> > +   if (info->granularity >= IOMMU_INV_GRANU_NR)
> > +   return -EINVAL;
> > +
> > +   switch (info->granularity) {
> > +   case IOMMU_INV_GRANU_ADDR:
> > +   mask = IOMMU_INV_ADDR_FLAGS_PASID |
> > +   IOMMU_INV_ADDR_FLAGS_ARCHID |
> > +   IOMMU_INV_ADDR_FLAGS_LEAF;
> > +
> > +   if (info->granu.addr_info.flags & ~mask)
> > +   return -EINVAL;
> > +   break;
> > +   case IOMMU_INV_GRANU_PASID:
> > +   mask = IOMMU_INV_PASID_FLAGS_PASID |
> > +   IOMMU_INV_PASID_FLAGS_ARCHID;
> > +   if (info->granu.pasid_info.flags & ~mask)
> > +   return -EINVAL;
> > +
> > +   break;
> > +   case IOMMU_INV_GRANU_DOMAIN:
> > +   /* No flags to check */
> > +   break;
> > +   default:
> > +   return -EINVAL;
> > +   }
> > +
> > +   if (info->padding[0] || info->padding[1])
> > +   return -EINVAL;
> > +
> > +   return 0;
> > +}
> > +
> >  int iommu_cache_invalidate(struct iommu_domain *domain, struct
> > device *dev,
> > -  struct iommu_cache_invalidate_info
> > *inv_info)
> > +  void __user *uinfo)
> >  {
> > +   struct iommu_cache_invalidate_info inv_info = { 0 };
> > +   u32 minsz, maxsz;
> > +   int ret = 0;
> > +
> > if (unlikely(!domain->ops->cache_invalidate))
> > return -ENODEV;
> >  
> > -   return domain->ops->cache_invalidate(domain, dev,
> > inv_info);
> > +   /* Current kernel data size is the max to be copied from
> > user */
> > +   maxsz = sizeof(struct iommu_cache_invalidate_info);
> > +
> > +   /*
> > +* No new spaces can be added before the variable sized
> > union, the
> > +* minimum size is the offset to the union.
> > +*/
> > +   minsz = offsetof(struct iommu_cache_invalidate_info,
> > granu); +
> > +   /* Copy minsz from user to get flags and argsz */
> > +   if (copy_from_user(_info, uinfo, minsz))
> > +   return -EFAULT;
> > +
> > +   /* Fields before variable size union is mandatory */
> > +   if (inv_info.argsz < minsz)
> > +   return -EINVAL;
> > +
> > +   /* PASID and address granu requires additional info beyond
> > minsz */
> > +   if (inv_info.argsz == minsz &&
> > +   ((inv_info.granularity == IOMMU_INV_GRANU_PASID) ||
> > +   (inv_info.granularity ==
> > IOMMU_INV_GRANU_ADDR)))
> > +   return -EINVAL;
> > +   /*
> > +* User might be using a newer UAPI header which has a
> > larger data
> > +* size, we shall support the existing flags within the
> > current
> > +* size. Copy the remaining user data _after_ minsz but
> > not more
> > +* than the current kernel supported size.
> > +*/
> > +   if (copy_from_user((void *)_info + minsz, uinfo +
> > minsz,
> > +   min(inv_info.argsz, maxsz) -
> > minsz))
> > +   return -EFAULT;  
> 
> To further clarify previous comments about maxsz usage:
> 
> s/maxsz/sizeof(inv_info)/
> 
Yes, will remove 

Re: [PATCH v5 4/5] iommu/uapi: Handle data and argsz filled by users

2020-07-21 Thread Jacob Pan
On Fri, 17 Jul 2020 17:58:04 +0200
Auger Eric  wrote:

> Hi Jacob,
> On 7/16/20 8:45 PM, Jacob Pan wrote:
> 
> Could you share a branch? I was not able to apply this on either
> iommu/next or master?
> 
Will push it to github for the next version. This set is based on
v5.8-rc1 and my fixes for devTLB.

> > IOMMU UAPI data has a user filled argsz field which indicates the
> > data length comes with the API call.  
> s/ comes with the API call/ of the structure
>  User data is not trusted, argsz must be
Sounds good.

> > validated based on the current kernel data size, mandatory data
> > size, and feature flags.
> > 
> > User data may also be extended, results in possible argsz
> > increase.  
> s/results/resulting
got it.

> > Backward compatibility is ensured based on size and flags
> > checking.  
> flags is missing in iommu_cache_invalidate_info.
Right, I will rephrase as "flags or the functional equivalent fields"

> > 
> > This patch adds sanity checks in the IOMMU layer. In addition to
> > argsz, reserved/unused fields in padding, flags, and version are
> > also checked. Details are documented in
> > Documentation/userspace-api/iommu.rst
> > 
> > Signed-off-by: Liu Yi L 
> > Signed-off-by: Jacob Pan 
> > ---
> >  drivers/iommu/iommu.c | 192
> > --
> > include/linux/iommu.h |  20 -- 2 files changed, 200
> > insertions(+), 12 deletions(-)
> > 
> > diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
> > index d43120eb1dc5..fe30a940d19e 100644
> > --- a/drivers/iommu/iommu.c
> > +++ b/drivers/iommu/iommu.c
> > @@ -1950,36 +1950,214 @@ int iommu_attach_device(struct
> > iommu_domain *domain, struct device *dev) }
> >  EXPORT_SYMBOL_GPL(iommu_attach_device);
> >  
> > +/*
> > + * Check flags and other user privided data for valid
> > combinations. We also  
> s/privided/provided
will fix

> > + * make sure no reserved fields or unused flags are not set. This
> > is to ensure  
> s/not// ?
right,

> > + * not breaking userspace in the future when these fields or flags
> > are used.
> > + */
> > +static int iommu_check_cache_invl_data(struct
> > iommu_cache_invalidate_info *info) +{
> > +   u32 mask;
> > +
> > +   if (info->version !=
> > IOMMU_CACHE_INVALIDATE_INFO_VERSION_1)  
> increased version number?
Right now we just support version 1. if we increase the version number
in the future, we need to check the current kernel version is newer
than the user provided version.
Does it sounds right to you?

> > +   return -EINVAL;
> > +
> > +   mask = (1 << IOMMU_CACHE_INV_TYPE_NR) - 1;
> > +   if (info->cache & ~mask)
> > +   return -EINVAL;
> > +
> > +   if (info->granularity >= IOMMU_INV_GRANU_NR)
> > +   return -EINVAL;
> > +
> > +   switch (info->granularity) {
> > +   case IOMMU_INV_GRANU_ADDR:
> > +   mask = IOMMU_INV_ADDR_FLAGS_PASID |
> > +   IOMMU_INV_ADDR_FLAGS_ARCHID |
> > +   IOMMU_INV_ADDR_FLAGS_LEAF;
> > +
> > +   if (info->granu.addr_info.flags & ~mask)
> > +   return -EINVAL;
> > +   break;
> > +   case IOMMU_INV_GRANU_PASID:
> > +   mask = IOMMU_INV_PASID_FLAGS_PASID |
> > +   IOMMU_INV_PASID_FLAGS_ARCHID;
> > +   if (info->granu.pasid_info.flags & ~mask)
> > +   return -EINVAL;
> > +
> > +   break;
> > +   case IOMMU_INV_GRANU_DOMAIN:
> > +   /* No flags to check */
> > +   break;
> > +   default:
> > +   return -EINVAL;
> > +   }
> > +
> > +   if (info->padding[0] || info->padding[1])  
> padding has become "__u8  padding[6];" in 2/5
Good point, will fix

> 
> > +   return -EINVAL;
> > +
> > +   return 0;
> > +}
> > +
> >  int iommu_cache_invalidate(struct iommu_domain *domain, struct
> > device *dev,
> > -  struct iommu_cache_invalidate_info
> > *inv_info)
> > +  void __user *uinfo)
> >  {
> > +   struct iommu_cache_invalidate_info inv_info = { 0 };
> > +   u32 minsz, maxsz;
> > +   int ret = 0;
> > +
> > if (unlikely(!domain->ops->cache_invalidate))
> > return -ENODEV;
> >  
> > -   return domain->ops->cache_invalidate(domain, dev,
> > inv_info);
> > +   /* Current kernel data size is the max to be copied from
> > user */
> > +   maxsz = sizeof(struct iommu_cache_invalidate_info);
> > +
> > +   /*
> > +* No new spaces can be added before the variable sized
> > union, the
> > +* minimum size is the offset to the union.
> > +*/
> > +   minsz = offsetof(struct iommu_cache_invalidate_info,
> > granu); +
> > +   /* Copy minsz from user to get flags and argsz */
> > +   if (copy_from_user(_info, uinfo, minsz))
> > +   return -EFAULT;
> > +
> > +   /* Fields before variable size union is mandatory */
> > +   if (inv_info.argsz < minsz)
> > +   return -EINVAL;
> > +
> > +   /* PASID and address granu requires additional info beyond
> > minsz */  
> s/requires/require
got 

Re: [PATCH v5 4/5] iommu/uapi: Handle data and argsz filled by users

2020-07-17 Thread Alex Williamson
On Thu, 16 Jul 2020 11:45:16 -0700
Jacob Pan  wrote:

> IOMMU UAPI data has a user filled argsz field which indicates the data
> length comes with the API call. User data is not trusted, argsz must be
> validated based on the current kernel data size, mandatory data size,
> and feature flags.
> 
> User data may also be extended, results in possible argsz increase.
> Backward compatibility is ensured based on size and flags checking.
> 
> This patch adds sanity checks in the IOMMU layer. In addition to argsz,
> reserved/unused fields in padding, flags, and version are also checked.
> Details are documented in Documentation/userspace-api/iommu.rst
> 
> Signed-off-by: Liu Yi L 
> Signed-off-by: Jacob Pan 
> ---
>  drivers/iommu/iommu.c | 192 
> --
>  include/linux/iommu.h |  20 --
>  2 files changed, 200 insertions(+), 12 deletions(-)
> 
> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
> index d43120eb1dc5..fe30a940d19e 100644
> --- a/drivers/iommu/iommu.c
> +++ b/drivers/iommu/iommu.c
> @@ -1950,36 +1950,214 @@ int iommu_attach_device(struct iommu_domain *domain, 
> struct device *dev)
>  }
>  EXPORT_SYMBOL_GPL(iommu_attach_device);
>  
> +/*
> + * Check flags and other user privided data for valid combinations. We also
> + * make sure no reserved fields or unused flags are not set. This is to 
> ensure
> + * not breaking userspace in the future when these fields or flags are used.
> + */
> +static int iommu_check_cache_invl_data(struct iommu_cache_invalidate_info 
> *info)
> +{
> + u32 mask;
> +
> + if (info->version != IOMMU_CACHE_INVALIDATE_INFO_VERSION_1)
> + return -EINVAL;
> +
> + mask = (1 << IOMMU_CACHE_INV_TYPE_NR) - 1;
> + if (info->cache & ~mask)
> + return -EINVAL;
> +
> + if (info->granularity >= IOMMU_INV_GRANU_NR)
> + return -EINVAL;
> +
> + switch (info->granularity) {
> + case IOMMU_INV_GRANU_ADDR:
> + mask = IOMMU_INV_ADDR_FLAGS_PASID |
> + IOMMU_INV_ADDR_FLAGS_ARCHID |
> + IOMMU_INV_ADDR_FLAGS_LEAF;
> +
> + if (info->granu.addr_info.flags & ~mask)
> + return -EINVAL;
> + break;
> + case IOMMU_INV_GRANU_PASID:
> + mask = IOMMU_INV_PASID_FLAGS_PASID |
> + IOMMU_INV_PASID_FLAGS_ARCHID;
> + if (info->granu.pasid_info.flags & ~mask)
> + return -EINVAL;
> +
> + break;
> + case IOMMU_INV_GRANU_DOMAIN:
> + /* No flags to check */
> + break;
> + default:
> + return -EINVAL;
> + }
> +
> + if (info->padding[0] || info->padding[1])
> + return -EINVAL;
> +
> + return 0;
> +}
> +
>  int iommu_cache_invalidate(struct iommu_domain *domain, struct device *dev,
> -struct iommu_cache_invalidate_info *inv_info)
> +void __user *uinfo)
>  {
> + struct iommu_cache_invalidate_info inv_info = { 0 };
> + u32 minsz, maxsz;
> + int ret = 0;
> +
>   if (unlikely(!domain->ops->cache_invalidate))
>   return -ENODEV;
>  
> - return domain->ops->cache_invalidate(domain, dev, inv_info);
> + /* Current kernel data size is the max to be copied from user */
> + maxsz = sizeof(struct iommu_cache_invalidate_info);
> +
> + /*
> +  * No new spaces can be added before the variable sized union, the
> +  * minimum size is the offset to the union.
> +  */
> + minsz = offsetof(struct iommu_cache_invalidate_info, granu);
> +
> + /* Copy minsz from user to get flags and argsz */
> + if (copy_from_user(_info, uinfo, minsz))
> + return -EFAULT;
> +
> + /* Fields before variable size union is mandatory */
> + if (inv_info.argsz < minsz)
> + return -EINVAL;
> +
> + /* PASID and address granu requires additional info beyond minsz */
> + if (inv_info.argsz == minsz &&
> + ((inv_info.granularity == IOMMU_INV_GRANU_PASID) ||
> + (inv_info.granularity == IOMMU_INV_GRANU_ADDR)))
> + return -EINVAL;
> + /*
> +  * User might be using a newer UAPI header which has a larger data
> +  * size, we shall support the existing flags within the current
> +  * size. Copy the remaining user data _after_ minsz but not more
> +  * than the current kernel supported size.
> +  */
> + if (copy_from_user((void *)_info + minsz, uinfo + minsz,
> + min(inv_info.argsz, maxsz) - minsz))
> + return -EFAULT;

To further clarify previous comments about maxsz usage:

s/maxsz/sizeof(inv_info)/

> +
> + /* Now the argsz is validated, check the content */
> + ret = iommu_check_cache_invl_data(_info);
> + if (ret)
> + return ret;
> +
> + return domain->ops->cache_invalidate(domain, dev, _info);
>  }
>  

Re: [PATCH v5 4/5] iommu/uapi: Handle data and argsz filled by users

2020-07-17 Thread Auger Eric
Hi Jacob,
On 7/16/20 8:45 PM, Jacob Pan wrote:

Could you share a branch? I was not able to apply this on either
iommu/next or master?

> IOMMU UAPI data has a user filled argsz field which indicates the data
> length comes with the API call.
s/ comes with the API call/ of the structure
 User data is not trusted, argsz must be
> validated based on the current kernel data size, mandatory data size,
> and feature flags.
> 
> User data may also be extended, results in possible argsz increase.
s/results/resulting
> Backward compatibility is ensured based on size and flags checking.
flags is missing in iommu_cache_invalidate_info.
> 
> This patch adds sanity checks in the IOMMU layer. In addition to argsz,
> reserved/unused fields in padding, flags, and version are also checked.
> Details are documented in Documentation/userspace-api/iommu.rst
> 
> Signed-off-by: Liu Yi L 
> Signed-off-by: Jacob Pan 
> ---
>  drivers/iommu/iommu.c | 192 
> --
>  include/linux/iommu.h |  20 --
>  2 files changed, 200 insertions(+), 12 deletions(-)
> 
> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
> index d43120eb1dc5..fe30a940d19e 100644
> --- a/drivers/iommu/iommu.c
> +++ b/drivers/iommu/iommu.c
> @@ -1950,36 +1950,214 @@ int iommu_attach_device(struct iommu_domain *domain, 
> struct device *dev)
>  }
>  EXPORT_SYMBOL_GPL(iommu_attach_device);
>  
> +/*
> + * Check flags and other user privided data for valid combinations. We also
s/privided/provided
> + * make sure no reserved fields or unused flags are not set. This is to 
> ensure
s/not// ?
> + * not breaking userspace in the future when these fields or flags are used.
> + */
> +static int iommu_check_cache_invl_data(struct iommu_cache_invalidate_info 
> *info)
> +{
> + u32 mask;
> +
> + if (info->version != IOMMU_CACHE_INVALIDATE_INFO_VERSION_1)
increased version number?
> + return -EINVAL;
> +
> + mask = (1 << IOMMU_CACHE_INV_TYPE_NR) - 1;
> + if (info->cache & ~mask)
> + return -EINVAL;
> +
> + if (info->granularity >= IOMMU_INV_GRANU_NR)
> + return -EINVAL;
> +
> + switch (info->granularity) {
> + case IOMMU_INV_GRANU_ADDR:
> + mask = IOMMU_INV_ADDR_FLAGS_PASID |
> + IOMMU_INV_ADDR_FLAGS_ARCHID |
> + IOMMU_INV_ADDR_FLAGS_LEAF;
> +
> + if (info->granu.addr_info.flags & ~mask)
> + return -EINVAL;
> + break;
> + case IOMMU_INV_GRANU_PASID:
> + mask = IOMMU_INV_PASID_FLAGS_PASID |
> + IOMMU_INV_PASID_FLAGS_ARCHID;
> + if (info->granu.pasid_info.flags & ~mask)
> + return -EINVAL;
> +
> + break;
> + case IOMMU_INV_GRANU_DOMAIN:
> + /* No flags to check */
> + break;
> + default:
> + return -EINVAL;
> + }
> +
> + if (info->padding[0] || info->padding[1])
padding has become "__u8padding[6];" in 2/5

> + return -EINVAL;
> +
> + return 0;
> +}
> +
>  int iommu_cache_invalidate(struct iommu_domain *domain, struct device *dev,
> -struct iommu_cache_invalidate_info *inv_info)
> +void __user *uinfo)
>  {
> + struct iommu_cache_invalidate_info inv_info = { 0 };
> + u32 minsz, maxsz;
> + int ret = 0;
> +
>   if (unlikely(!domain->ops->cache_invalidate))
>   return -ENODEV;
>  
> - return domain->ops->cache_invalidate(domain, dev, inv_info);
> + /* Current kernel data size is the max to be copied from user */
> + maxsz = sizeof(struct iommu_cache_invalidate_info);
> +
> + /*
> +  * No new spaces can be added before the variable sized union, the
> +  * minimum size is the offset to the union.
> +  */
> + minsz = offsetof(struct iommu_cache_invalidate_info, granu);
> +
> + /* Copy minsz from user to get flags and argsz */
> + if (copy_from_user(_info, uinfo, minsz))
> + return -EFAULT;
> +
> + /* Fields before variable size union is mandatory */
> + if (inv_info.argsz < minsz)
> + return -EINVAL;
> +
> + /* PASID and address granu requires additional info beyond minsz */
s/requires/require
> + if (inv_info.argsz == minsz &&
> + ((inv_info.granularity == IOMMU_INV_GRANU_PASID) ||
> + (inv_info.granularity == IOMMU_INV_GRANU_ADDR)))
> + return -EINVAL;
> + /*
> +  * User might be using a newer UAPI header which has a larger data
> +  * size, we shall support the existing flags within the current
> +  * size. Copy the remaining user data _after_ minsz but not more
> +  * than the current kernel supported size.
> +  */
> + if (copy_from_user((void *)_info + minsz, uinfo + minsz,
> + min(inv_info.argsz, maxsz) - minsz))
> + return -EFAULT;
> +
> + /* 

[PATCH v5 4/5] iommu/uapi: Handle data and argsz filled by users

2020-07-16 Thread Jacob Pan
IOMMU UAPI data has a user filled argsz field which indicates the data
length comes with the API call. User data is not trusted, argsz must be
validated based on the current kernel data size, mandatory data size,
and feature flags.

User data may also be extended, results in possible argsz increase.
Backward compatibility is ensured based on size and flags checking.

This patch adds sanity checks in the IOMMU layer. In addition to argsz,
reserved/unused fields in padding, flags, and version are also checked.
Details are documented in Documentation/userspace-api/iommu.rst

Signed-off-by: Liu Yi L 
Signed-off-by: Jacob Pan 
---
 drivers/iommu/iommu.c | 192 --
 include/linux/iommu.h |  20 --
 2 files changed, 200 insertions(+), 12 deletions(-)

diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index d43120eb1dc5..fe30a940d19e 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -1950,36 +1950,214 @@ int iommu_attach_device(struct iommu_domain *domain, 
struct device *dev)
 }
 EXPORT_SYMBOL_GPL(iommu_attach_device);
 
+/*
+ * Check flags and other user privided data for valid combinations. We also
+ * make sure no reserved fields or unused flags are not set. This is to ensure
+ * not breaking userspace in the future when these fields or flags are used.
+ */
+static int iommu_check_cache_invl_data(struct iommu_cache_invalidate_info 
*info)
+{
+   u32 mask;
+
+   if (info->version != IOMMU_CACHE_INVALIDATE_INFO_VERSION_1)
+   return -EINVAL;
+
+   mask = (1 << IOMMU_CACHE_INV_TYPE_NR) - 1;
+   if (info->cache & ~mask)
+   return -EINVAL;
+
+   if (info->granularity >= IOMMU_INV_GRANU_NR)
+   return -EINVAL;
+
+   switch (info->granularity) {
+   case IOMMU_INV_GRANU_ADDR:
+   mask = IOMMU_INV_ADDR_FLAGS_PASID |
+   IOMMU_INV_ADDR_FLAGS_ARCHID |
+   IOMMU_INV_ADDR_FLAGS_LEAF;
+
+   if (info->granu.addr_info.flags & ~mask)
+   return -EINVAL;
+   break;
+   case IOMMU_INV_GRANU_PASID:
+   mask = IOMMU_INV_PASID_FLAGS_PASID |
+   IOMMU_INV_PASID_FLAGS_ARCHID;
+   if (info->granu.pasid_info.flags & ~mask)
+   return -EINVAL;
+
+   break;
+   case IOMMU_INV_GRANU_DOMAIN:
+   /* No flags to check */
+   break;
+   default:
+   return -EINVAL;
+   }
+
+   if (info->padding[0] || info->padding[1])
+   return -EINVAL;
+
+   return 0;
+}
+
 int iommu_cache_invalidate(struct iommu_domain *domain, struct device *dev,
-  struct iommu_cache_invalidate_info *inv_info)
+  void __user *uinfo)
 {
+   struct iommu_cache_invalidate_info inv_info = { 0 };
+   u32 minsz, maxsz;
+   int ret = 0;
+
if (unlikely(!domain->ops->cache_invalidate))
return -ENODEV;
 
-   return domain->ops->cache_invalidate(domain, dev, inv_info);
+   /* Current kernel data size is the max to be copied from user */
+   maxsz = sizeof(struct iommu_cache_invalidate_info);
+
+   /*
+* No new spaces can be added before the variable sized union, the
+* minimum size is the offset to the union.
+*/
+   minsz = offsetof(struct iommu_cache_invalidate_info, granu);
+
+   /* Copy minsz from user to get flags and argsz */
+   if (copy_from_user(_info, uinfo, minsz))
+   return -EFAULT;
+
+   /* Fields before variable size union is mandatory */
+   if (inv_info.argsz < minsz)
+   return -EINVAL;
+
+   /* PASID and address granu requires additional info beyond minsz */
+   if (inv_info.argsz == minsz &&
+   ((inv_info.granularity == IOMMU_INV_GRANU_PASID) ||
+   (inv_info.granularity == IOMMU_INV_GRANU_ADDR)))
+   return -EINVAL;
+   /*
+* User might be using a newer UAPI header which has a larger data
+* size, we shall support the existing flags within the current
+* size. Copy the remaining user data _after_ minsz but not more
+* than the current kernel supported size.
+*/
+   if (copy_from_user((void *)_info + minsz, uinfo + minsz,
+   min(inv_info.argsz, maxsz) - minsz))
+   return -EFAULT;
+
+   /* Now the argsz is validated, check the content */
+   ret = iommu_check_cache_invl_data(_info);
+   if (ret)
+   return ret;
+
+   return domain->ops->cache_invalidate(domain, dev, _info);
 }
 EXPORT_SYMBOL_GPL(iommu_cache_invalidate);
 
-int iommu_sva_bind_gpasid(struct iommu_domain *domain,
-  struct device *dev, struct iommu_gpasid_bind_data 
*data)
+
+static int iommu_check_bind_data(struct iommu_gpasid_bind_data *data)
 {
+   u32 mask;