Received: by 10.223.185.116 with SMTP id b49csp5623786wrg;
        Wed, 7 Mar 2018 15:16:39 -0800 (PST)
X-Google-Smtp-Source: AG47ELtdHfOi5DoJvpzcZHz+cZd5+ZlviY9TIkKp4JrxW66wVLJ3QIODWARNzhZ0axI6J6SMRFqj
X-Received: by 2002:a17:902:6a8c:: with SMTP id n12-v6mr17937943plk.230.1520464599007;
        Wed, 07 Mar 2018 15:16:39 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1520464598; cv=none;
        d=google.com; s=arc-20160816;
        b=ZWsnlz8WGMiKkLWYI1yaIECzpnlRAy26yX0k3xGVDi8NPXOBnFJ+7wA2yObziptqTq
         rVQeFwqnEAhLwq7U1SZMfz2UsHA5umqvPjZINi6KIZrJ58/iyakhWRagHQoYCKs1+K5O
         V/yLr/sqGfdiC71k+hGGSKSwOkZzk9hubMXG2mFOK1LGFo4vOfFHemGygcTfwa4qwFZ8
         B8MNJpswwok+f1fPEIrjud+M+Xm9bnlqfzs1q+1+Z2ctruRhadiS+yrVu0aaDFJN4j1d
         36k3dmUUvRzwzBgOCOCJzIYC/JHj1wyIDeEZKur7tRs3lniMCzFPfzuwxD1tSmrw1/Fb
         SNEA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:arc-authentication-results;
        bh=7N+RRZgdJqS3M4kW10FuIj26u2aF0cqNyd0chZbl5ro=;
        b=iL6jP5ue1N3JJeFWMkLoM9ohWVXuOfWP/pmQO/SGxI9Og/tYv8fS7WtPN1OaxEXB8u
         C39GqX4p/ghAMUlbchcTfJqmrG5Agqs447+OKaY8HlVOwhWstDh1oGZCCWFnwIqRWaQb
         ff6XGWEgZHqXmAaX4jhOAy0+sz7bfwaZQ+kTv62gNmOFT/kxjHmLXErVxcf4G2VBPFRx
         B12mU+wl9QUH/POHWT6ltEcT3hEDuwuGjYltpOjK7g73jEpvs50t2Kq7VHI6+ulEI3Mv
         pnTACD8KDYsRsC54FF3pqRp8dHUaFmAj5EER8MMN2hNtTq+o/3jY38GhpFjQ6f5V+y95
         1gWw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l30si8599873pgc.574.2018.03.07.15.16.24;
        Wed, 07 Mar 2018 15:16:38 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755011AbeCGXPG (ORCPT <rfc822;ttoukan.linux@gmail.com>
        + 99 others); Wed, 7 Mar 2018 18:15:06 -0500
Received: from mail-oi0-f45.google.com ([209.85.218.45]:38490 "EHLO
        mail-oi0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1754757AbeCGXPF (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 7 Mar 2018 18:15:05 -0500
Received: by mail-oi0-f45.google.com with SMTP id h23so3011182oib.5
        for <linux-kernel@vger.kernel.org>; Wed, 07 Mar 2018 15:15:05 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=7N+RRZgdJqS3M4kW10FuIj26u2aF0cqNyd0chZbl5ro=;
        b=SkdQU1JwZwWVLiAowKZt+ptGp9fFDPOBbDamDF4gGIPzvHclwR0aStbYDJlY0Q/NGG
         H/fzaDVeXzuGmxoZsdI89bPkSYDmn4DlJwy2vJ2ecG5i/HFxP6gcdwFBOpZ97OdbLGoj
         quSqKpUc4Ekk1T/3DKlV29SUIXJT2rkImw+EONX6o5ghngBYkAavX0E1DjqAUZDkPPRE
         yc6SZ8NyUb7v38FzFh99goZI6l1xDIvvLqTkf26oU/8Nd1ekD/atQqp9GD39L9FSUP38
         zdaaymzmqhbiWNqe4dYbv1Thxz9Ht1VTygHJ7JwCd3Q0N64d5eAbGvaMVcp7nQznG1gu
         32rw==
X-Gm-Message-State: AElRT7FsQ6a+OQOgCSKD+B+hd/5mox+TWTFuN+bK3cbzDjl86tRj5to3
        u/Ar0zlYyT9Tv0U4aC2oYoDerw==
X-Received: by 10.202.195.13 with SMTP id t13mr15865965oif.40.1520464504929;
        Wed, 07 Mar 2018 15:15:04 -0800 (PST)
Received: from ?IPv6:2601:602:9802:a8dc::f21a? ([2601:602:9802:a8dc::f21a])
        by smtp.gmail.com with ESMTPSA id o48sm9959299otb.31.2018.03.07.15.15.02
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 07 Mar 2018 15:15:03 -0800 (PST)
Subject: Re: [RFC] android: ion: How to properly clean caches for uncached
 allocations
To:     Liam Mark <lmark@codeaurora.org>,
        Sumit Semwal <sumit.semwal@linaro.org>
Cc:     linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org,
        devel@driverdev.osuosl.org, Martijn Coenen <maco@android.com>,
        Todd Kjos <tkjos@android.com>,
        =?UTF-8?Q?Arve_Hj=c3=b8nnev=c3=a5g?= <arve@android.com>,
        linaro-mm-sig@lists.linaro.org
References: <alpine.DEB.2.02.1802282111320.22860@lmark-linux.qualcomm.com>
From:   Laura Abbott <labbott@redhat.com>
Message-ID: <b1479541-13bd-85ea-f9c7-25264c91f9b9@redhat.com>
Date:   Wed, 7 Mar 2018 15:15:01 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <alpine.DEB.2.02.1802282111320.22860@lmark-linux.qualcomm.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 02/28/2018 09:18 PM, Liam Mark wrote:
> The issue:
> 
> Currently in ION if you allocate uncached memory it is possible that there
> are still dirty lines in the cache.  And often these dirty lines in the
> cache are the zeros which were meant to clear out any sensitive kernel
> data.
> 
> What this means is that if you allocate uncached memory from ION, and then
> subsequently write to that buffer (using the uncached mapping you are
> provided by ION) then the data you have written could be corrupted at some
> point in the future if a dirty line is evicted from the cache.
> 
> Also this means there is a potential security issue.  If an un-privileged
> userspace user allocated uncached memory (for example from the system heap)
> and then if they were to read from that buffer (through the un-cached
> mapping they are provided by ION), and if some of the zeros which were
> written to that memory are still in the cache then this un-privileged
> userspace user could read potentially sensitive kernel data.

For the use case you are describing we don't actually need the
memory to be non-cached until it comes time to do the dma mapping.
Here's a proposal to shoot holes in:

- Before any dma_buf attach happens, all mmap mappings are cached
- At the time attach happens, we shoot down any existing userspace
mappings, do the dma_map with appropriate flags to clean the pages
and then allow remapping to userspace as uncached. Really this
looks like a variation on the old Ion faulting code which I removed
except it's for uncached buffers instead of cached buffers.

Potential problems:
- I'm not 100% about the behavior here if the attaching device
is already dma_coherent. I also consider uncached mappings
enough of a device specific optimization that you shouldn't
do them unless you know it's needed.
- The locking/sequencing with userspace could be tricky
since userspace may not like us ripping mappings out from
underneath if it's trying to access.

Thoughts?

Thanks,
Laura