From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
To: sashiko-reviews@lists.linux.dev
Cc: vkoul@kernel.org, Frank.Li@kernel.org, dmaengine@vger.kernel.org
Subject: Re: [PATCH 3/4] crypto: iaa - avoid counting fallback decompression bytes
Date: Tue, 14 Jul 2026 18:33:26 -0700 [thread overview]
Message-ID: <874ii1qbo9.fsf@intel.com> (raw)
In-Reply-To: <20260714042149.5F3091F00A3A@smtp.kernel.org>
sashiko-bot@kernel.org writes:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
>
> Pre-existing issues:
> - [High] Pre-existing DMA API violation: software fallback
> (`deflate_generic_decompress`) writes to the destination scatterlist
> while it is still mapped for DMA (`DMA_FROM_DEVICE`), leading to
> silent data corruption when unmapped if SWIOTLB or confidential
> computing is active.
Even if this is pre-existing, will think a bit more about this one, and
see if I can fix this more or less easily.
> --
>
> --- Patch [3]: [PATCH 3/4] crypto: iaa - avoid counting fallback decompression bytes ---
> commit 589e7e250edf8839b3b071db5475eb3581825d01
> Author: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
>
> crypto: iaa - avoid counting fallback decompression bytes
>
> When decompression falls back to deflate-generic after an analytics
> error, the request no longer completes through IAA. Move decompression
> byte accounting into the successful IAA completion path in both the
> synchronous and asynchronous flows so decomp_bytes only reflects bytes
> actually processed by IAA.
>
>> diff --git a/drivers/crypto/intel/iaa/iaa_crypto_main.c b/drivers/crypto/intel/iaa/iaa_crypto_main.c
>> index fb154959c2aa8..8f68b1478476e 100644
>> --- a/drivers/crypto/intel/iaa/iaa_crypto_main.c
>> +++ b/drivers/crypto/intel/iaa/iaa_crypto_main.c
>> @@ -1084,15 +1084,17 @@ static void iaa_desc_complete(struct idxd_desc *idxd_desc,
>> }
>> } else {
>
> [Severity: High]
> This is a pre-existing issue, but does calling deflate_generic_decompress()
> in the error path just above this block violate the DMA API?
>
> In iaa_desc_complete(), if check_completion() fails with IAA_ANALYTICS_ERROR,
> the driver falls back to software decompression:
>
> drivers/crypto/intel/iaa/iaa_crypto_main.c:iaa_desc_complete() {
> ...
> ret = deflate_generic_decompress(ctx->req);
> ...
> err:
> dma_unmap_sg(dev, ctx->req->dst, sg_nents(ctx->req->dst), DMA_FROM_DEVICE);
> ...
> }
>
> Because the scatterlist is still mapped for DMA, won't dma_unmap_sg()
> overwrite the CPU's decompression work with the bounce buffer contents
> if SWIOTLB or confidential computing is active?
>
>> ctx->req->dlen = idxd_desc->iax_completion->output_size;
>> +
>> + if (!ctx->compress) {
>> + update_total_decomp_bytes_in(ctx->req->slen);
>> + update_wq_decomp_bytes(iaa_wq->wq, ctx->req->slen);
>> + }
>> }
>
> [ ... ]
>
>> @@ -1475,16 +1477,16 @@ static int iaa_decompress(struct crypto_tfm *tfm, struct acomp_req *req,
>> }
>> } else {
>
> [Severity: High]
> This is a pre-existing issue, but is there a similar DMA API violation here?
>
> In iaa_decompress(), the synchronous path executes the software fallback
> and returns to the caller:
>
> drivers/crypto/intel/iaa/iaa_crypto_main.c:iaa_decompress() {
> ...
> ret = deflate_generic_decompress(req);
> ...
> out:
> return ret;
> }
>
> Does this mean the caller will subsequently unmap the scatterlist and
> unknowingly overwrite the fallback's data when SWIOTLB is active?
>
>> req->dlen = idxd_desc->iax_completion->output_size;
>> +
>> + /* Update stats */
>> + update_total_decomp_bytes_in(slen);
>> + update_wq_decomp_bytes(wq, slen);
>> }
>
> --
> Sashiko AI review · https://sashiko.dev/#/patchset/20260713-iaa-crypto-fixes-zswap-v1-0-65cac23c684d@intel.com?part=3
--
Vinicius
next prev parent reply other threads:[~2026-07-15 1:33 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-14 4:10 [PATCH 0/4] crypto: iaa - Fixes for multi entry SG lists Vinicius Costa Gomes
2026-07-14 4:10 ` [PATCH 1/4] dmaengine: idxd: assign all engines to group 0 in IAA defaults Vinicius Costa Gomes
2026-07-14 4:21 ` sashiko-bot
2026-07-14 21:53 ` Dave Jiang
2026-07-14 21:55 ` Dave Jiang
2026-07-15 1:38 ` Vinicius Costa Gomes
2026-07-14 4:10 ` [PATCH 2/4] crypto: iaa - fall back to software for multi-entry scatterlists Vinicius Costa Gomes
2026-07-14 4:36 ` sashiko-bot
2026-07-15 1:31 ` Vinicius Costa Gomes
2026-07-14 21:54 ` Dave Jiang
2026-07-14 4:10 ` [PATCH 3/4] crypto: iaa - avoid counting fallback decompression bytes Vinicius Costa Gomes
2026-07-14 4:21 ` sashiko-bot
2026-07-15 1:33 ` Vinicius Costa Gomes [this message]
2026-07-14 21:56 ` Dave Jiang
2026-07-14 4:10 ` [PATCH 4/4] crypto: iaa - use bounce buffer for multi-sg decompress input Vinicius Costa Gomes
2026-07-14 4:21 ` sashiko-bot
2026-07-14 22:01 ` Dave Jiang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874ii1qbo9.fsf@intel.com \
--to=vinicius.gomes@intel.com \
--cc=Frank.Li@kernel.org \
--cc=dmaengine@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox