From: Aneesh Kumar K.V <aneesh.kumar@kernel.org>
To: Jason Gunthorpe <jgg@ziepe.ca>
Cc: linux-kernel@vger.kernel.org, iommu@lists.linux.dev,
linux-coco@lists.linux.dev,
Catalin Marinas <catalin.marinas@arm.com>,
will@kernel.org, robin.murphy@arm.com, suzuki.poulose@arm.com,
steven.price@arm.com, Marek Szyprowski <m.szyprowski@samsung.com>
Subject: Re: [PATCH 1/2] dma-direct: Validate DMA mask against canonical DMA addresses
Date: Tue, 20 Jan 2026 20:55:43 +0530 [thread overview]
Message-ID: <yq5ams28jog8.fsf@kernel.org> (raw)
In-Reply-To: <20260120132657.GO961572@ziepe.ca>
Jason Gunthorpe <jgg@ziepe.ca> writes:
> On Tue, Jan 20, 2026 at 12:12:54PM +0530, Aneesh Kumar K.V (Arm) wrote:
>> On systems that apply an address encryption tag or mask to DMA addresses,
>> DMA mask validation must be performed against the canonical DMA address.
>> Using a non-canonical (e.g. encrypted or unencrypted) DMA address
>> can incorrectly fail capability checks, since architecture-specific
>> encryption bits are not part of the device’s actual DMA addressing
>> capability. For example, arm64 adds PROT_NS_SHARED to unencrypted DMA
>> addresses.
>
> Huh?
>
> static inline dma_addr_t phys_to_dma_direct(struct device *dev,
> phys_addr_t phys)
> {
> if (force_dma_unencrypted(dev))
> return phys_to_dma_unencrypted(dev, phys);
> return phys_to_dma(dev, phys);
> }
>
> dma_addr_t swiotlb_map(struct device *dev, phys_addr_t paddr, size_t size,
> enum dma_data_direction dir, unsigned long attrs)
> {
> [..]
>
> /* Ensure that the address returned is DMA'ble */
> dma_addr = phys_to_dma_unencrypted(dev, swiotlb_addr);
> [..]
> return dma_addr;
> }
>
> The check in dma_direct_supported() is checking if the device's HW
> capability can contain the range of dma_addr_t's the DMA API will
> generate. Since it above is generating dma_addr_t's with the
> PROT_NS_SHARED set, it is correct to check it against the mask.
>
> If the IOVA does not contain PROT_NS_SHARED then I would expect all of
> the above to be removed too?
>
> Can you please explain what the probem is better?
>
There is no specific problem identified. The motivation for this change
is to ensure that the trusted device mask check is accurate.
>
> I just had a long talk with our internal people about this very
> subject and they were adament that the ARM design had the T=0 SMMU S2
> configured so that the IOVA starts at PROT_NS_SHARED, not 0. I am
> against this, I think it is a bad choice, and this patch is showing
> exactly why :)
>
> IMHO you should map the T=0 S2 so that the IOVA starts at 0 and we
> don't add PROT_NS_SHARED to the IOVA anyhwere.
>
But how will we support a trusted device access to both shared and
private memory? Commit 7d953a06241624ee2efb172d037a4168978f4147 goes
into some details w.r.t why PROT_NS_SHARED was added to dma_addr_t.
>
> This logic is going to be wrong for T=1 DMA to private memory though.
>
> Jason
-aneesh
next prev parent reply other threads:[~2026-01-20 15:25 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-20 6:42 [PATCH 1/2] dma-direct: Validate DMA mask against canonical DMA addresses Aneesh Kumar K.V (Arm)
2026-01-20 6:42 ` [PATCH 2/2] dma-direct: Make phys_to_dma() pick encrypted vs unencrypted per device Aneesh Kumar K.V (Arm)
2026-01-20 9:33 ` kernel test robot
2026-01-20 10:49 ` kernel test robot
2026-01-20 9:59 ` [PATCH 1/2] dma-direct: Validate DMA mask against canonical DMA addresses Suzuki K Poulose
2026-01-20 11:59 ` Robin Murphy
2026-01-20 14:25 ` Aneesh Kumar K.V
2026-01-20 19:22 ` Robin Murphy
2026-01-21 4:50 ` Aneesh Kumar K.V
2026-01-20 14:18 ` Aneesh Kumar K.V
2026-01-20 14:39 ` Suzuki K Poulose
2026-01-20 15:11 ` Jason Gunthorpe
2026-01-20 17:11 ` Robin Murphy
2026-01-20 17:54 ` Jason Gunthorpe
2026-01-20 18:47 ` Robin Murphy
2026-01-20 19:54 ` Jason Gunthorpe
2026-01-20 10:59 ` kernel test robot
2026-01-20 13:26 ` Jason Gunthorpe
2026-01-20 15:25 ` Aneesh Kumar K.V [this message]
2026-01-20 15:43 ` Jason Gunthorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=yq5ams28jog8.fsf@kernel.org \
--to=aneesh.kumar@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=iommu@lists.linux.dev \
--cc=jgg@ziepe.ca \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=m.szyprowski@samsung.com \
--cc=robin.murphy@arm.com \
--cc=steven.price@arm.com \
--cc=suzuki.poulose@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.