From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1CE08C433FE for ; Wed, 23 Mar 2022 20:54:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344827AbiCWUzs (ORCPT ); Wed, 23 Mar 2022 16:55:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59714 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244002AbiCWUzq (ORCPT ); Wed, 23 Mar 2022 16:55:46 -0400 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 2318B8AE78; Wed, 23 Mar 2022 13:54:16 -0700 (PDT) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 5E8E4D6E; Wed, 23 Mar 2022 13:54:15 -0700 (PDT) Received: from [10.57.43.230] (unknown [10.57.43.230]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 9CBF03F73B; Wed, 23 Mar 2022 13:54:12 -0700 (PDT) Message-ID: Date: Wed, 23 Mar 2022 20:54:08 +0000 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Thunderbird/91.7.0 Subject: Re: [REGRESSION] Recent swiotlb DMA_FROM_DEVICE fixes break ath9k-based AP Content-Language: en-GB To: Linus Torvalds Cc: Oleksandr Natalenko , Halil Pasic , Christoph Hellwig , Marek Szyprowski , =?UTF-8?Q?Toke_H=c3=b8iland-J=c3=b8rgensen?= , Kalle Valo , "David S. Miller" , Jakub Kicinski , Paolo Abeni , Olha Cherevyk , iommu , linux-wireless , Netdev , Linux Kernel Mailing List , Greg Kroah-Hartman , stable References: <1812355.tdWV9SEqCh@natalenko.name> <27b5a287-7a33-9a8b-ad6d-04746735fb0c@arm.com> From: Robin Murphy In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org On 2022-03-23 19:16, Linus Torvalds wrote: > On Wed, Mar 23, 2022 at 12:06 PM Robin Murphy wrote: >> >> On 2022-03-23 17:27, Linus Torvalds wrote: >>> >>> I'm assuming that the ath9k issue is that it gives DMA mapping a big >>> enough area to handle any possible packet size, and just expects - >>> quite reasonably - smaller packets to only fill the part they need. >>> >>> Which that "info leak" patch obviously breaks entirely. >> >> Except that's the exact case which the new patch is addressing > > Not "addressing". Breaking. > > Which is why it will almost certainly get reverted. > > Not doing DMA to the whole area seems to be quite the sane thing to do > for things like network packets, and overwriting the part that didn't > get DMA'd with zeroes seems to be exactly the wrong thing here. > > So the SG_IO - and other random untrusted block command sources - data > leak will almost certainly have to be addressed differently. Possibly > by simply allocating the area with GFP_ZERO to begin with. Er, the point of the block layer case is that whole area *is* zeroed to begin with, and a latent memory corruption problem in SWIOTLB itself replaces those zeros with random other kernel data unexpectedly. Let me try illustrating some sequences for clarity... Expected behaviour/without SWIOTLB: Memory --------------------------------------------------- start 12345678 dma_map(DMA_FROM_DEVICE) no-op device writes partial data 12ABC678 <- ABC dma_unmap(DMA_FROM_DEVICE) 12ABC678 SWIOTLB previously: Memory Bounce buffer --------------------------------------------------- start 12345678 xxxxxxxx dma_map(DMA_FROM_DEVICE) no-op device writes partial data 12345678 xxABCxxx <- ABC dma_unmap(DMA_FROM_DEVICE) xxABCxxx <- xxABCxxx SWIOTLB Now: Memory Bounce buffer --------------------------------------------------- start 12345678 xxxxxxxx dma_map(DMA_FROM_DEVICE) 12345678 -> 12345678 device writes partial data 12345678 12ABC678 <- ABC dma_unmap(DMA_FROM_DEVICE) 12ABC678 <- 12ABC678 Now, sure we can prevent any actual information leakage by initialising the bounce buffer slot with zeros, but then we're just corrupting the not-written-to parts of the mapping with zeros instead of anyone else's old data. That's still fundamentally not OK. The only thing SWIOTLB can do to be correct is treat DMA_FROM_DEVICE as a read-modify-write of the entire mapping, because it has no way to know how much of it is actually going to be modified. I'll admit I still never quite grasped the reason for also adding the override to swiotlb_sync_single_for_device() in aa6f8dcbab47, but I think by that point we were increasingly tired and confused and starting to second-guess ourselves (well, I was, at least). I don't think it's wrong per se, but as I said I do think it can bite anyone who's been doing dma_sync_*() wrong but getting away with it until now. If ddbd89deb7d3 alone turns out to work OK then I'd be inclined to try a partial revert of just that one hunk. Thanks, Robin.