From: Aneesh Kumar K.V <aneesh.kumar@kernel.org>
To: Robin Murphy <robin.murphy@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
linux-kernel@vger.kernel.org, iommu@lists.linux.dev,
linux-coco@lists.linux.dev
Cc: Catalin Marinas <catalin.marinas@arm.com>,
will@kernel.org, jgg@ziepe.ca, steven.price@arm.com,
Marek Szyprowski <m.szyprowski@samsung.com>
Subject: Re: [PATCH 1/2] dma-direct: Validate DMA mask against canonical DMA addresses
Date: Tue, 20 Jan 2026 19:55:01 +0530 [thread overview]
Message-ID: <yq5aqzrkjr9e.fsf@kernel.org> (raw)
In-Reply-To: <893a6503-d33f-41d8-8966-19b9f251d9da@arm.com>
Robin Murphy <robin.murphy@arm.com> writes:
> On 2026-01-20 9:59 am, Suzuki K Poulose wrote:
>> On 20/01/2026 06:42, Aneesh Kumar K.V (Arm) wrote:
>>> On systems that apply an address encryption tag or mask to DMA addresses,
>>> DMA mask validation must be performed against the canonical DMA address.
>>> Using a non-canonical (e.g. encrypted or unencrypted) DMA address
>>> can incorrectly fail capability checks, since architecture-specific
>>> encryption bits are not part of the device’s actual DMA addressing
>>> capability. For example, arm64 adds PROT_NS_SHARED to unencrypted DMA
>>> addresses.
>>>
>>> Fix this by validating device DMA masks against __phys_to_dma(), ensuring
>>> that the architecture encryption mask does not influence the check.
>>>
>>> Fixes: b66e2ee7b6c8 ("dma: Introduce generic dma_addr_*crypted helpers")
>>
>>
>>> Signed-off-by: Aneesh Kumar K.V (Arm) <aneesh.kumar@kernel.org>
>>> ---
>>> kernel/dma/direct.c | 4 ++--
>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/kernel/dma/direct.c b/kernel/dma/direct.c
>>> index 8e04f72baaa3..a5639e9415f5 100644
>>> --- a/kernel/dma/direct.c
>>> +++ b/kernel/dma/direct.c
>>> @@ -580,12 +580,12 @@ int dma_direct_supported(struct device *dev, u64
>>> mask)
>>> /*
>>> * This check needs to be against the actual bit mask value, so use
>>> - * phys_to_dma_unencrypted() here so that the SME encryption mask
>>> isn't
>>> + * __phys_to_dma() here so that the arch specific encryption mask
>>> isn't
>>> * part of the check.
>>> */
>>> if (IS_ENABLED(CONFIG_ZONE_DMA))
>>> min_mask = min_t(u64, min_mask, zone_dma_limit);
>>> - return mask >= phys_to_dma_unencrypted(dev, min_mask);
>>> + return mask >= __phys_to_dma(dev, min_mask);
>>
>> This is wrong, isn't it ? For e.g., for CCA, even though the "Flag" is
>> added to the PA, it is really part of the actual "PA" and thus must be
>> checked against the full PA ?
>
> Yes, it's much the same as for AMD SEV (albeit the other way round) -
> the encryption/decryption bit is part of the DMA address because it
> needs to be driven by the device, so it is crucial that the device's DMA
> mask is capable of expressing that.
>
Commit c92a54cfa0257e8ffd66b2a17d49e9c0bd4b769f explains these details.
I was wondering whether the DMA-enable operation should live outside the
set_mask operation. Conceptually, set_mask should be derived purely from
max_pfn, while the DMA enablement path could additionally verify whether
the device requires access to an alias address, depending on whether it
is operating in trusted or untrusted mode?
>
> Hence, as I think we've discussed before, for CCA we can't really
> support 32-bit devices doing DMA to shared pages at all, unless the
> whole VM is limited to a 31-bit IPA space.
>
-aneesh
next prev parent reply other threads:[~2026-01-20 14:27 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-20 6:42 [PATCH 1/2] dma-direct: Validate DMA mask against canonical DMA addresses Aneesh Kumar K.V (Arm)
2026-01-20 6:42 ` [PATCH 2/2] dma-direct: Make phys_to_dma() pick encrypted vs unencrypted per device Aneesh Kumar K.V (Arm)
2026-01-20 9:33 ` kernel test robot
2026-01-20 10:49 ` kernel test robot
2026-01-20 9:59 ` [PATCH 1/2] dma-direct: Validate DMA mask against canonical DMA addresses Suzuki K Poulose
2026-01-20 11:59 ` Robin Murphy
2026-01-20 14:25 ` Aneesh Kumar K.V [this message]
2026-01-20 19:22 ` Robin Murphy
2026-01-21 4:50 ` Aneesh Kumar K.V
2026-01-20 14:18 ` Aneesh Kumar K.V
2026-01-20 14:39 ` Suzuki K Poulose
2026-01-20 15:11 ` Jason Gunthorpe
2026-01-20 17:11 ` Robin Murphy
2026-01-20 17:54 ` Jason Gunthorpe
2026-01-20 18:47 ` Robin Murphy
2026-01-20 19:54 ` Jason Gunthorpe
2026-01-20 10:59 ` kernel test robot
2026-01-20 13:26 ` Jason Gunthorpe
2026-01-20 15:25 ` Aneesh Kumar K.V
2026-01-20 15:43 ` Jason Gunthorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=yq5aqzrkjr9e.fsf@kernel.org \
--to=aneesh.kumar@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=iommu@lists.linux.dev \
--cc=jgg@ziepe.ca \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=m.szyprowski@samsung.com \
--cc=robin.murphy@arm.com \
--cc=steven.price@arm.com \
--cc=suzuki.poulose@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.