From: Robin Murphy <robin.murphy@arm.com>
To: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>,
"Lutomirski, Andy" <luto@kernel.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>,
"thomas.lendacky@amd.com" <thomas.lendacky@amd.com>,
"Reshetova, Elena" <elena.reshetova@intel.com>,
"kirill.shutemov@linux.intel.com"
<kirill.shutemov@linux.intel.com>,
"mingo@redhat.com" <mingo@redhat.com>, "Christopherson,,
Sean" <seanjc@google.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"tglx@linutronix.de" <tglx@linutronix.de>,
"Yamahata, Isaku" <isaku.yamahata@intel.com>,
"Cui, Dexuan" <decui@microsoft.com>,
"mikelley@microsoft.com" <mikelley@microsoft.com>,
"hpa@zytor.com" <hpa@zytor.com>,
"peterz@infradead.org" <peterz@infradead.org>,
"bp@alien8.de" <bp@alien8.de>,
"linux-s390@vger.kernel.org" <linux-s390@vger.kernel.org>,
"sathyanarayanan.kuppuswamy@linux.intel.com"
<sathyanarayanan.kuppuswamy@linux.intel.com>,
"x86@kernel.org" <x86@kernel.org>
Cc: "hch@lst.de" <hch@lst.de>,
"m.szyprowski@samsung.com" <m.szyprowski@samsung.com>,
"iommu@lists.linux.dev" <iommu@lists.linux.dev>
Subject: Re: [PATCH 06/10] dma: Use free_decrypted_pages()
Date: Mon, 23 Oct 2023 18:22:57 +0100 [thread overview]
Message-ID: <289f5f83-adc7-4077-b4c0-c951484dd092@arm.com> (raw)
In-Reply-To: <ea8ad4e75303178ee907682797dea7de36441c95.camel@intel.com>
On 2023-10-23 17:46, Edgecombe, Rick P wrote:
> On Wed, 2023-10-18 at 18:42 +0100, Robin Murphy wrote:
>> On 2023-10-17 21:25, Rick Edgecombe wrote:
>>> On TDX it is possible for the untrusted host to cause
>>> set_memory_encrypted() or set_memory_decrypted() to fail such that
>>> an
>>> error is returned and the resulting memory is shared. Callers need
>>> to take
>>> care to handle these errors to avoid returning decrypted (shared)
>>> memory to
>>> the page allocator, which could lead to functional or security
>>> issues.
>>>
>>> DMA could free decrypted/shared pages if set_memory_decrypted()
>>> fails.
>>> Use the recently added free_decrypted_pages() to avoid this.
>>>
>>> Several paths also result in proper encrypted pages being freed
>>> through
>>> the same freeing function. Rely on free_decrypted_pages() to not
>>> leak the
>>> memory in these cases.
>>
>> If something's needed in the fallback path here, what about the
>> cma_release() paths?
>
> You mean inside cma_release(). If so, unfortunately I think it won't
> fit great because there are callers that are never dealing with shared
> memory (huge tlb). The reset-to-private operation does extra work that
> would be nice to avoid when possible.
>
> The cases I thought exhibited the issue were the two calls sites of
> dma_set_decrypted(). Playing around with it, I was thinking it might be
> easier to just fix those to open code leaking the pages on
> dma_set_decrypted() error. In which case it won't have the re-encrypt
> problem.
>
> It make's it less fool proof, but more efficient. And
> free_decrypted_pages() doesn't fit great anyway, as pointed out by
> Christoph.
My point is that in dma_direct_alloc(), we get some memory either
straight from the page allocator *or* from a CMA area, then call
set_memory_decrypted() on it. If the problem is that
set_memory_decrypted() can fail and require cleanup, then logically if
that cleanup is necessary for the dma_free_contiguous()->__free_pages()
call, then surely it must also be necessary for the
dma_free_contiguous()->cma_release()->free_contig_range()->__free_page()
calls.
Thanks,
Robin.
next prev parent reply other threads:[~2023-10-23 17:23 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20231017202505.340906-1-rick.p.edgecombe@intel.com>
2023-10-17 20:24 ` [PATCH 04/10] swiotlb: Use free_decrypted_pages() Rick Edgecombe
2023-10-18 4:43 ` Christoph Hellwig
2023-10-18 15:55 ` Edgecombe, Rick P
2023-10-31 10:43 ` Petr Tesařík
2023-10-31 15:54 ` Edgecombe, Rick P
2023-10-31 17:13 ` Petr Tesařík
2023-10-31 17:29 ` Edgecombe, Rick P
2023-11-01 6:27 ` Petr Tesařík
2023-11-01 14:40 ` Edgecombe, Rick P
2023-10-17 20:25 ` [PATCH 06/10] dma: " Rick Edgecombe
2023-10-18 6:24 ` Christoph Hellwig
2023-10-18 17:09 ` Edgecombe, Rick P
2023-10-18 17:42 ` Robin Murphy
2023-10-23 16:46 ` Edgecombe, Rick P
2023-10-23 17:22 ` Robin Murphy [this message]
2023-10-23 17:27 ` Edgecombe, Rick P
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=289f5f83-adc7-4077-b4c0-c951484dd092@arm.com \
--to=robin.murphy@arm.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=decui@microsoft.com \
--cc=elena.reshetova@intel.com \
--cc=hch@lst.de \
--cc=hpa@zytor.com \
--cc=iommu@lists.linux.dev \
--cc=isaku.yamahata@intel.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-s390@vger.kernel.org \
--cc=luto@kernel.org \
--cc=m.szyprowski@samsung.com \
--cc=mikelley@microsoft.com \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=rick.p.edgecombe@intel.com \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
--cc=seanjc@google.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox