All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
Cc: "Alexander Gordeev" <agordeev@linux.ibm.com>,
	"Heiko Carstens" <hca@linux.ibm.com>,
	linux-s390@vger.kernel.org, "Vasily Gorbik" <gor@linux.ibm.com>
Subject: Re: [PATCH v7 15/22] dma-direct: pass attrs to dma_capable() for DMA_ATTR_CC_SHARED checks
Date: Wed, 01 Jul 2026 06:14:31 +0000	[thread overview]
Message-ID: <20260701061432.16E3C1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260701054926.825925-16-aneesh.kumar@kernel.org>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

New issues:
- [High] xen_swiotlb_map_phys() unconditionally rejects valid MMIO DMA mappings for devices requiring unencrypted DMA, breaking peer-to-peer DMA.
- [High] xen_swiotlb_map_phys() fails to strip the encryption bit from bounce buffer DMA addresses.

Pre-existing issues:
- [Critical] gart_alloc_coherent() and gart_free_coherent() pass an invalid dma_addr to dma_direct_free(), causing severe page allocator corruption and physical memory leaks.
--

commit d278e823d2c8033c6a6105a3f51b2763931c565f
Author: Aneesh Kumar K.V (Arm) <aneesh.kumar@kernel.org>

dma-direct: pass attrs to dma_capable() for DMA_ATTR_CC_SHARED checks
    
Teach dma_capable() about DMA_ATTR_CC_SHARED so the capability
check can reject encrypted DMA addresses for devices that require
unencrypted/shared DMA.

Also propagate DMA_ATTR_CC_SHARED in swiotlb_map() when the selected
SWIOTLB pool is decrypted so the capability check sees the correct DMA
address attribute.

Tested-by: Jiri Pirko <jiri@nvidia.com>
Tested-by: Michael Kelley <mhklinux@outlook.com>
Tested-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Petr Tesarik <ptesarik@suse.com>
Signed-off-by: Aneesh Kumar K.V (Arm) <aneesh.kumar@kernel.org>

> diff --git a/arch/x86/kernel/amd_gart_64.c b/arch/x86/kernel/amd_gart_64.c
> index e8000a56732e4..b5f1f031d45b8 100644
> --- a/arch/x86/kernel/amd_gart_64.c
> +++ b/arch/x86/kernel/amd_gart_64.c
[ ... ]
> @@ -473,7 +474,8 @@ gart_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_addr,
>  		return vaddr;
>  
>  	*dma_addr = dma_map_area(dev, virt_to_phys(vaddr), size,
> -			DMA_BIDIRECTIONAL, (1UL << get_order(size)) - 1);
> +				 DMA_BIDIRECTIONAL,
> +				 (1UL << get_order(size)) - 1, attrs);
>  	flush_gart();
>  	if (unlikely(*dma_addr == DMA_MAPPING_ERROR))
>  		goto out_free;

[Severity: Critical]
This is a pre-existing issue, but does the error path in gart_alloc_coherent()
and gart_free_coherent() pass an invalid dma_addr to dma_direct_free()?

If dma_map_area() fails, *dma_addr becomes DMA_MAPPING_ERROR, and the error
path at out_free passes it to dma_direct_free(). On success,
gart_free_coherent() later passes the GART-mapped dma_addr to
dma_direct_free().

Because dma_direct_free() uses the provided dma_addr to locate the backing
struct page (when dma_free_from_pool() is false), passing a GART aperture
address or DMA_MAPPING_ERROR instead of the physical DMA address causes it
to operate on bogus page structures, leading to severe memory corruption and
physical page leaks.

> diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
> index 8c4abe65cd49f..e2538824ef52e 100644
> --- a/drivers/xen/swiotlb-xen.c
> +++ b/drivers/xen/swiotlb-xen.c
> @@ -212,7 +212,7 @@ static dma_addr_t xen_swiotlb_map_phys(struct device *dev, phys_addr_t phys,
>  	BUG_ON(dir == DMA_NONE);
>  
>  	if (attrs & DMA_ATTR_MMIO) {
> -		if (unlikely(!dma_capable(dev, phys, size, false))) {
> +		if (unlikely(!dma_capable(dev, phys, size, false, attrs))) {

[Severity: High]
Does this unconditionally reject valid MMIO DMA mappings for devices requiring
unencrypted DMA, breaking peer-to-peer DMA?

When mapping MMIO memory, attrs typically lacks DMA_ATTR_CC_SHARED. For CoCo
guests under Xen, force_dma_unencrypted(dev) is true, so dma_capable() will
evaluate !(attrs & DMA_ATTR_CC_SHARED) && force_dma_unencrypted(dev) as true,
thus rejecting the mapping.

While dma_direct_map_phys() was fixed elsewhere in this series to append
DMA_ATTR_CC_SHARED for MMIO, it appears xen_swiotlb_map_phys() was missed.

>  			dev_err_once(
>  				dev,
>  				"DMA addr %pa+%zu overflow (mask %llx, bus limit %llx).\n",
[ ... ]
> @@ -253,7 +253,7 @@ static dma_addr_t xen_swiotlb_map_phys(struct device *dev, phys_addr_t phys,
>  	/*
>  	 * Ensure that the address returned is DMA'ble
>  	 */
> -	if (unlikely(!dma_capable(dev, dev_addr, size, true))) {
> +	if (unlikely(!dma_capable(dev, dev_addr, size, true, attrs))) {

[Severity: High]
Does this fail to strip the encryption bit from bounce buffer DMA addresses?

When a DMA mapping requires a bounce buffer, swiotlb_tbl_map_single() allocates
an unencrypted buffer and injects DMA_ATTR_CC_SHARED into attrs. However,
dev_addr was set via xen_phys_to_dma(dev, map) right above this check, which
relies on phys_to_dma() and unconditionally applies the physical encryption bit
to the DMA address.

Because attrs now contains DMA_ATTR_CC_SHARED, dma_capable() will approve the
address. As a result, the device erroneously receives an encrypted DMA address
for decrypted memory.

>  		__swiotlb_tbl_unmap_single(dev, map, size, dir,
>  				attrs | DMA_ATTR_SKIP_CPU_SYNC,
>  				swiotlb_find_pool(dev, map));

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260701054926.825925-1-aneesh.kumar@kernel.org?part=15

  reply	other threads:[~2026-07-01  6:14 UTC|newest]

Thread overview: 74+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-01  5:49 [PATCH v7 00/22] dma-mapping: Track shared DMA state through direct, pool and swiotlb paths Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 01/22] dma-direct: return struct page from dma_direct_alloc_from_pool() Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 02/22] dma-pool: fix page leak in atomic_pool_expand() cleanup Aneesh Kumar K.V (Arm)
2026-07-01  6:08   ` sashiko-bot
2026-07-13 17:54   ` Jason Gunthorpe
2026-07-14  3:35     ` Aneesh Kumar K.V
2026-07-14 12:22       ` Jason Gunthorpe
2026-07-01  5:49 ` [PATCH v7 03/22] iommu/dma: Check atomic pool allocation result directly Aneesh Kumar K.V (Arm)
2026-07-13 17:57   ` Jason Gunthorpe
2026-07-01  5:49 ` [PATCH v7 04/22] dma: free atomic pool pages by physical address Aneesh Kumar K.V (Arm)
2026-07-13 18:10   ` Jason Gunthorpe
2026-07-14  3:57     ` Aneesh Kumar K.V
2026-07-14 12:23       ` Jason Gunthorpe
2026-07-01  5:49 ` [PATCH v7 05/22] swiotlb: Preserve allocation virtual address for dynamic pools Aneesh Kumar K.V (Arm)
2026-07-13 19:08   ` Jason Gunthorpe
2026-07-01  5:49 ` [PATCH v7 06/22] s390: Expose protected virtualization through cc_platform_has() Aneesh Kumar K.V (Arm)
2026-07-01  5:49 ` [PATCH v7 07/22] dma-direct: swiotlb: handle swiotlb alloc/free outside __dma_direct_alloc_pages Aneesh Kumar K.V (Arm)
2026-07-13 19:12   ` Jason Gunthorpe
2026-07-01  5:49 ` [PATCH v7 08/22] coco: arm64: s390: powerpc: Mark secure guests with CC_ATTR_GUEST_MEM_ENCRYPT Aneesh Kumar K.V (Arm)
2026-07-07 15:41   ` Suzuki K Poulose
2026-07-07 16:58   ` Catalin Marinas
2026-07-01  5:49 ` [PATCH v7 09/22] dma-mapping: Add internal shared allocation attribute Aneesh Kumar K.V (Arm)
2026-07-13 19:13   ` Jason Gunthorpe
2026-07-01  5:49 ` [PATCH v7 10/22] dma-direct: use __DMA_ATTR_ALLOC_CC_SHARED in alloc/free paths Aneesh Kumar K.V (Arm)
2026-07-13 19:21   ` Jason Gunthorpe
2026-07-01  5:49 ` [PATCH v7 11/22] dma-pool: track decrypted atomic pools and select them via attrs Aneesh Kumar K.V (Arm)
2026-07-13 17:56   ` Jason Gunthorpe
2026-07-14  4:02     ` Aneesh Kumar K.V
2026-07-14 12:25       ` Jason Gunthorpe
2026-07-13 18:48   ` Jason Gunthorpe
2026-07-14  4:27     ` Aneesh Kumar K.V
2026-07-14 12:26       ` Jason Gunthorpe
2026-07-01  5:49 ` [PATCH v7 12/22] dma: swiotlb: pass mapping attributes by reference Aneesh Kumar K.V (Arm)
2026-07-13 19:22   ` Jason Gunthorpe
2026-07-01  5:49 ` [PATCH v7 13/22] dma: swiotlb: track pool encryption state and honor DMA_ATTR_CC_SHARED Aneesh Kumar K.V (Arm)
2026-07-13 19:25   ` Jason Gunthorpe
2026-07-01  5:49 ` [PATCH v7 14/22] dma-mapping: make dma_pgprot() honor __DMA_ATTR_ALLOC_CC_SHARED Aneesh Kumar K.V (Arm)
2026-07-13 19:26   ` Jason Gunthorpe
2026-07-01  5:49 ` [PATCH v7 15/22] dma-direct: pass attrs to dma_capable() for DMA_ATTR_CC_SHARED checks Aneesh Kumar K.V (Arm)
2026-07-01  6:14   ` sashiko-bot [this message]
2026-07-13 19:28   ` Jason Gunthorpe
2026-07-01  5:49 ` [PATCH v7 16/22] dma-direct: make dma_direct_map_phys() honor DMA_ATTR_CC_SHARED Aneesh Kumar K.V (Arm)
2026-07-01  6:14   ` sashiko-bot
2026-07-08 11:35   ` Catalin Marinas
2026-07-08 15:09     ` Aneesh Kumar K.V
2026-07-08 17:58     ` Aneesh Kumar K.V
2026-07-09 11:13       ` Catalin Marinas
2026-07-09 18:13         ` Jason Gunthorpe
2026-07-10  5:22           ` Aneesh Kumar K.V
2026-07-10 16:19             ` Jason Gunthorpe
2026-07-10 19:09               ` Aneesh Kumar K.V
2026-07-13 13:56                 ` Jason Gunthorpe
2026-07-08 12:11   ` Suzuki K Poulose
2026-07-13 19:32   ` Jason Gunthorpe
2026-07-01  5:49 ` [PATCH v7 17/22] dma-direct: set decrypted flag for remapped DMA allocations Aneesh Kumar K.V (Arm)
2026-07-13 19:37   ` Jason Gunthorpe
2026-07-01  5:49 ` [PATCH v7 18/22] dma-direct: select DMA address encoding from __DMA_ATTR_ALLOC_CC_SHARED Aneesh Kumar K.V (Arm)
2026-07-13 19:39   ` Jason Gunthorpe
2026-07-01  5:49 ` [PATCH v7 19/22] dma-direct: rename ret to cpu_addr in alloc helpers Aneesh Kumar K.V (Arm)
2026-07-13 19:40   ` Jason Gunthorpe
2026-07-01  5:49 ` [PATCH v7 20/22] dma: swiotlb: free dynamic pools from process context Aneesh Kumar K.V (Arm)
2026-07-13 19:41   ` Jason Gunthorpe
2026-07-14  5:03     ` Aneesh Kumar K.V
2026-07-01  5:49 ` [PATCH v7 21/22] dma: swiotlb: handle set_memory_decrypted() failures Aneesh Kumar K.V (Arm)
2026-07-13 19:42   ` Jason Gunthorpe
2026-07-01  5:49 ` [PATCH v7 22/22] swiotlb: remove unused SWIOTLB_FORCE flag Aneesh Kumar K.V (Arm)
2026-07-13 19:42   ` Jason Gunthorpe
2026-07-07  8:06 ` [PATCH v7 00/22] dma-mapping: Track shared DMA state through direct, pool and swiotlb paths Aneesh Kumar K.V
2026-07-07 13:03   ` Marek Szyprowski
2026-07-10 10:50     ` Will Deacon
2026-07-13 19:43     ` Jason Gunthorpe
2026-07-14  6:06       ` Marek Szyprowski
2026-07-14  9:52         ` Aneesh Kumar K.V
2026-07-14 10:00           ` Marek Szyprowski

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260701061432.16E3C1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=agordeev@linux.ibm.com \
    --cc=gor@linux.ibm.com \
    --cc=hca@linux.ibm.com \
    --cc=linux-s390@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.