Re: [PATCH 09/21] riscv: dma-mapping: skip invalidation before bidirectional DMA

[PATCH 00/21] dma-mapping: unify support for cache flushes · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
[PATCH 01/21] openrisc: dma-mapping: flush bidirectional mappings · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
[PATCH 02/21] xtensa: dma-mapping: use normal cache invalidation rules · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
Re: [PATCH 02/21] xtensa: dma-mapping: use normal cache invalidation rules · Max Filippov <jcmvbkbc@gmail.com> · 2023-03-27
[PATCH 03/21] sparc32: flush caches in dma_sync_*for_device · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
[PATCH 04/21] microblaze: dma-mapping: skip extra DMA flushes · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
[PATCH 05/21] powerpc: dma-mapping: split out cache operation logic · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
[PATCH 06/21] powerpc: dma-mapping: minimize for_cpu flushing · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
Re: [PATCH 06/21] powerpc: dma-mapping: minimize for_cpu flushing · Christophe Leroy <hidden> · 2023-03-27
Re: [PATCH 06/21] powerpc: dma-mapping: minimize for_cpu flushing · "Arnd Bergmann" <arnd@arndb.de> · 2023-03-27
[PATCH 07/21] powerpc: dma-mapping: always clean cache in _for_device() op · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
[PATCH 08/21] riscv: dma-mapping: only invalidate after DMA, not flush · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
Re: [PATCH 08/21] riscv: dma-mapping: only invalidate after DMA, not flush · Conor Dooley <conor@kernel.org> · 2023-03-29
Re: [PATCH 08/21] riscv: dma-mapping: only invalidate after DMA, not flush · "Arnd Bergmann" <arnd@arndb.de> · 2023-03-30
Re: [PATCH 08/21] riscv: dma-mapping: only invalidate after DMA, not flush · Jessica Clarke <hidden> · 2023-03-29
Re: [PATCH 08/21] riscv: dma-mapping: only invalidate after DMA, not flush · "Lad, Prabhakar" <prabhakar.csengg@gmail.com> · 2023-03-30
Re: [PATCH 08/21] riscv: dma-mapping: only invalidate after DMA, not flush · Palmer Dabbelt <palmer@dabbelt.com> · 2023-04-19
[PATCH 09/21] riscv: dma-mapping: skip invalidation before bidirectional DMA · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
Re: [PATCH 09/21] riscv: dma-mapping: skip invalidation before bidirectional DMA · Conor Dooley <conor@kernel.org> · 2023-03-29
Re: [PATCH 09/21] riscv: dma-mapping: skip invalidation before bidirectional DMA · "Lad, Prabhakar" <prabhakar.csengg@gmail.com> · 2023-03-30
Re: [PATCH 09/21] riscv: dma-mapping: skip invalidation before bidirectional DMA · Palmer Dabbelt <palmer@dabbelt.com> · 2023-04-19
Re: [PATCH 09/21] riscv: dma-mapping: skip invalidation before bidirectional DMA · Guo Ren <guoren@kernel.org> · 2023-05-05
Re: [PATCH 09/21] riscv: dma-mapping: skip invalidation before bidirectional DMA · "Arnd Bergmann" <arnd@arndb.de> · 2023-05-05
Re: [PATCH 09/21] riscv: dma-mapping: skip invalidation before bidirectional DMA · Guo Ren <guoren@kernel.org> · 2023-05-06
Re: [PATCH 09/21] riscv: dma-mapping: skip invalidation before bidirectional DMA · "Arnd Bergmann" <arnd@arndb.de> · 2023-05-06
[PATCH 10/21] csky: dma-mapping: skip invalidating before DMA from device · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
Re: [PATCH 10/21] csky: dma-mapping: skip invalidating before DMA from device · Guo Ren <guoren@kernel.org> · 2023-03-27
[PATCH 11/21] mips: dma-mapping: skip invalidating before bidirectional DMA · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
[PATCH 12/21] mips: dma-mapping: split out cache operation logic · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
[PATCH 13/21] arc: dma-mapping: skip invalidating before bidirectional DMA · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
Re: [PATCH 13/21] arc: dma-mapping: skip invalidating before bidirectional DMA · Vineet Gupta <vgupta@kernel.org> · 2023-04-02
Re: [PATCH 13/21] arc: dma-mapping: skip invalidating before bidirectional DMA · Shahab Vahedi <hidden> · 2023-04-04
Re: [PATCH 13/21] arc: dma-mapping: skip invalidating before bidirectional DMA · Shahab Vahedi <hidden> · 2023-04-06
[PATCH 14/21] parisc: dma-mapping: use regular flush/invalidate ops · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
[PATCH 15/21] ARM: dma-mapping: always invalidate WT caches before DMA · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
Re: [PATCH 15/21] ARM: dma-mapping: always invalidate WT caches before DMA · Linus Walleij <hidden> · 2023-03-31
Re: [PATCH 15/21] ARM: dma-mapping: always invalidate WT caches before DMA · "Russell King (Oracle)" <linux@armlinux.org.uk> · 2023-03-31
Re: [PATCH 15/21] ARM: dma-mapping: always invalidate WT caches before DMA · "Russell King (Oracle)" <linux@armlinux.org.uk> · 2023-03-31
Re: [PATCH 15/21] ARM: dma-mapping: always invalidate WT caches before DMA · "Arnd Bergmann" <arnd@arndb.de> · 2023-03-31
RE: [PATCH 15/21] ARM: dma-mapping: always invalidate WT caches before DMA · David Laight <hidden> · 2023-03-31
Re: [PATCH 15/21] ARM: dma-mapping: always invalidate WT caches before DMA · "Russell King (Oracle)" <linux@armlinux.org.uk> · 2023-03-31
Re: [PATCH 15/21] ARM: dma-mapping: always invalidate WT caches before DMA · "Arnd Bergmann" <arnd@arndb.de> · 2023-03-31
[PATCH 16/21] ARM: dma-mapping: bring back dmac_{clean,inv}_range · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
Re: [PATCH 16/21] ARM: dma-mapping: bring back dmac_{clean,inv}_range · "Russell King (Oracle)" <linux@armlinux.org.uk> · 2023-03-27
[PATCH 17/21] ARM: dma-mapping: use arch_sync_dma_for_{device,cpu}() internally · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
Re: [PATCH 17/21] ARM: dma-mapping: use arch_sync_dma_for_{device,cpu}() internally · Linus Walleij <hidden> · 2023-03-31
Re: [PATCH 17/21] ARM: dma-mapping: use arch_sync_dma_for_{device,cpu}() internally · "Arnd Bergmann" <arnd@arndb.de> · 2023-03-31
[PATCH 18/21] ARM: drop SMP support for ARM11MPCore · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
Re: [PATCH 18/21] ARM: drop SMP support for ARM11MPCore · Neil Armstrong <neil.armstrong@linaro.org> · 2023-03-30
Re: [PATCH 18/21] ARM: drop SMP support for ARM11MPCore · "Arnd Bergmann" <arnd@arndb.de> · 2023-03-30
Re: [PATCH 18/21] ARM: drop SMP support for ARM11MPCore · Neil Armstrong <neil.armstrong@linaro.org> · 2023-03-30
Re: [PATCH 18/21] ARM: drop SMP support for ARM11MPCore · Linus Walleij <hidden> · 2023-03-30
Re: [PATCH 18/21] ARM: drop SMP support for ARM11MPCore · Ard Biesheuvel <ardb@kernel.org> · 2023-03-30
Re: [PATCH 18/21] ARM: drop SMP support for ARM11MPCore · Catalin Marinas <catalin.marinas@arm.com> · 2023-03-31
[PATCH 19/21] ARM: dma-mapping: use generic form of arch_sync_dma_* helpers · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
[PATCH 20/21] ARM: dma-mapping: split out arch_dma_mark_clean() helper · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
Re: [PATCH 20/21] ARM: dma-mapping: split out arch_dma_mark_clean() helper · Robin Murphy <robin.murphy@arm.com> · 2023-03-27
Re: [PATCH 20/21] ARM: dma-mapping: split out arch_dma_mark_clean() helper · "Arnd Bergmann" <arnd@arndb.de> · 2023-03-31
Re: [PATCH 20/21] ARM: dma-mapping: split out arch_dma_mark_clean() helper · Robin Murphy <robin.murphy@arm.com> · 2023-03-31
Re: [PATCH 20/21] ARM: dma-mapping: split out arch_dma_mark_clean() helper · "Arnd Bergmann" <arnd@arndb.de> · 2023-03-31
Re: [PATCH 20/21] ARM: dma-mapping: split out arch_dma_mark_clean() helper · "Russell King (Oracle)" <linux@armlinux.org.uk> · 2023-03-27
Re: [PATCH 20/21] ARM: dma-mapping: split out arch_dma_mark_clean() helper · "Arnd Bergmann" <arnd@arndb.de> · 2023-03-31
Re: [PATCH 20/21] ARM: dma-mapping: split out arch_dma_mark_clean() helper · "Russell King (Oracle)" <linux@armlinux.org.uk> · 2023-03-31
Re: [PATCH 20/21] ARM: dma-mapping: split out arch_dma_mark_clean() helper · Geert Uytterhoeven <geert@linux-m68k.org> · 2023-07-03
Re: [PATCH 20/21] ARM: dma-mapping: split out arch_dma_mark_clean() helper · Christoph Hellwig <hch@lst.de> · 2023-07-06
[PATCH 21/21] dma-mapping: replace custom code with generic implementation · Arnd Bergmann <arnd@kernel.org> · 2023-03-27
Re: [PATCH 21/21] dma-mapping: replace custom code with generic implementation · Christoph Hellwig <hch@lst.de> · 2023-03-27
Re: [PATCH 21/21] dma-mapping: replace custom code with generic implementation · "Arnd Bergmann" <arnd@arndb.de> · 2023-03-31
Re: [PATCH 21/21] dma-mapping: replace custom code with generic implementation · "Lad, Prabhakar" <prabhakar.csengg@gmail.com> · 2023-03-30
RE: [PATCH 21/21] dma-mapping: replace custom code with generic implementation · Biju Das <biju.das.jz@bp.renesas.com> · 2023-04-13
Re: [PATCH 21/21] dma-mapping: replace custom code with generic implementation · "Arnd Bergmann" <arnd@arndb.de> · 2023-04-13
Re: [PATCH 21/21] dma-mapping: replace custom code with generic implementation · Geert Uytterhoeven <geert@linux-m68k.org> · 2023-06-27
Re: [PATCH 00/21] dma-mapping: unify support for cache flushes · Catalin Marinas <catalin.marinas@arm.com> · 2023-03-31
Re: [PATCH 00/21] dma-mapping: unify support for cache flushes · "Arnd Bergmann" <arnd@arndb.de> · 2023-03-31
Re: [PATCH 00/21] dma-mapping: unify support for cache flushes · "Lad, Prabhakar" <prabhakar.csengg@gmail.com> · 2023-05-25

From: "Arnd Bergmann" <arnd@arndb.de>
Date: 2023-05-06 07:53:34
Also in: linux-arm-kernel, linux-m68k, linux-mips, linux-riscv, linux-sh, lkml, sparclinux

On Sat, May 6, 2023, at 09:25, Guo Ren wrote:

On Fri, May 5, 2023 at 9:19 PM Arnd Bergmann [off-list ref] wrote:

quoted

This is something we can consider. Unfortunately, this is something
that no architecture (except pa-risc, which has other problems)
does at the moment, so we'd probably need to have a proper debate
about this.

We already have two conflicting ways to handle DMA_FROM_DEVICE,
either invalidate/invalidate, or clean/invalidate. I can see

I vote to invalidate/invalidate.

...

quoted

that flush/invalidate may be a sensible option as well, but I'd
want to have that discussion after the series is complete, so
we can come to a generic solution that has the same documented
behavior across all architectures.

Yes, I agree to unify them into a generic solution first. My proposal
could be another topic in the future.

Right, I was explicitly trying to exclude that question from my
series, and left it as an architecture specific Kconfig option
based on the current behavior.

quoted

In particular, if we end up moving arm64 and riscv back to the
traditional invalidate/invalidate for DMA_FROM_DEVICE and
document that driver must not rely on buffers getting cleaned

After invalidation, the cache lines are also cleaned, right? So why do
we need to document it additionally?

I mentioned the debate in the cover letter, the full explanation
is archived at
https://lore.kernel.org/all/20220606152150.GA31568@willie-the-truck/ (local)

In short, the problem that is addressed here is leaking sensitive
kernel data to user space or a device as in this sequence:

1. A DMA buffer is allocated in the kernel and contains stale data
   that is no longer needed but must not be exposed to untrusted
   userspace, i.e. encryption keys or user file pages
2. allocator uses memset() to clear out the buffer
3. buffer gets mapped into a device for DMA_FROM_DEVICE
4. writeback cache gets invalidated, uncovering the sensitive
   data by discarding the zeros
5. device returns less data than expected
6. buffer is unmapped
7. whole buffer is mapped or copied to user space

Will added his patch for arm64 to prevent this scenario by using
'clean' instead of 'invalidate' in step 4, and the same behavior
got copied to riscv but not most of the other architectures.
The dma-mapping documentation does not say anything about this
case, and an alternative approach would be to document that
device drivers must watch out for short reads in step 5, or that
kzalloc() should clean the cache in step 2. Both of these come
at a cost as well.

     Arnd

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help