From: Christoph Hellwig <hch@infradead.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Tom Lendacky <thomas.lendacky@amd.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
"James E.J. Bottomley" <jejb@linux.ibm.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
stable <stable@vger.kernel.org>,
Christoph Hellwig <hch@infradead.org>,
Christian Borntraeger <borntraeger@de.ibm.com>,
iommu <iommu@lists.linux-foundation.org>,
Doug Gilbert <dgilbert@interlog.com>,
Halil Pasic <pasic@linux.ibm.com>,
Robin Murphy <robin.murphy@arm.com>,
Thiago Jung Bauermann <bauerman@linux.ibm.com>,
Anshuman Khandual <khandual@linux.vnet.ibm.com>
Subject: Re: [PATCH v2 1/1] swiotlb: rework "fix info leak with DMA_FROM_DEVICE"
Date: Sun, 6 Mar 2022 23:58:04 -0800 [thread overview]
Message-ID: <YiW7DMRymTV/zvDb@infradead.org> (raw)
In-Reply-To: <CAHk-=wgQGLgqqgsKXUCykiK9B1UwdCj2-NvDkBAuYhSgdtAmkQ@mail.gmail.com>
On Sun, Mar 06, 2022 at 12:30:55PM -0800, Linus Torvalds wrote:
> So I would expect that
>
> (a) READ/WRITE actually fills the whole buffer
>
> (b) READ/WRITE are the only ones where we care about performance at a
> bounce-buffer level
>
> so it boils down to "do we still do this horrible memcpy even for
> regular IO commands"? Because that would, in my opinion, just be
> stupid.
For one thing this is not just for block I/O, but for all DMA.
Second, "normal" I/O might always fail, including after partial
transfers. SCSI even considers that normal. Network devices consider
it normal to not fill the entiret receive buffers, etc.
In short: anything that operates directly on user memory is a trivial
reproducer here. The CVE uses SG_IO, but staying in block land direct
I/O will work just the same because swiotlb will copy back the
uninitialized data to user memory after an I/O failure.
What we've been thinking of is a version of the dma map calls where
the unmap gets passed how much data actually was transferred and only
copies that out. But that seems like the only sane interface.
Now IFF we known that the buffer is never looked at on I/O failure
or short I/O we could do away with all this. But without adding new
interfaces where the caller guarantees that we can't know that. For
userspace memory it is guaranteed to be not true. For kernel memory
is most likely is true, but there's some amazingly awful pieces of
code that probably still get it wrong.
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
prev parent reply other threads:[~2022-03-07 7:58 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-05 17:07 [PATCH v2 1/1] swiotlb: rework "fix info leak with DMA_FROM_DEVICE" Halil Pasic
2022-03-05 19:44 ` Linus Torvalds
2022-03-06 7:58 ` Christoph Hellwig
2022-03-06 20:30 ` Linus Torvalds
2022-03-07 7:58 ` Christoph Hellwig [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YiW7DMRymTV/zvDb@infradead.org \
--to=hch@infradead.org \
--cc=bauerman@linux.ibm.com \
--cc=borntraeger@de.ibm.com \
--cc=dgilbert@interlog.com \
--cc=iommu@lists.linux-foundation.org \
--cc=jejb@linux.ibm.com \
--cc=khandual@linux.vnet.ibm.com \
--cc=linux-doc@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=mst@redhat.com \
--cc=pasic@linux.ibm.com \
--cc=robin.murphy@arm.com \
--cc=stable@vger.kernel.org \
--cc=thomas.lendacky@amd.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox