Received: by 10.223.185.116 with SMTP id b49csp249071wrg; Thu, 8 Mar 2018 16:47:43 -0800 (PST) X-Google-Smtp-Source: AG47ELsuOpjLnlEUYv5wKvDRp0eq+qKWb/3UJTnING1LyYwqyWQrpwMkSUZPwJm2FKDA40bb6LwI X-Received: by 2002:a17:902:d90f:: with SMTP id c15-v6mr22304379plz.223.1520556463498; Thu, 08 Mar 2018 16:47:43 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520556463; cv=none; d=google.com; s=arc-20160816; b=vVT5G/VJDlITbqqpGcxhMA6CTdFZW1lts3+03v7QPsBG2d+O4iQWNs7LtEgkBRiQT3 F5Bs/5XtkfqBPYqWjqj3+bF4bJlpyztKVAsB93V7449XPtm7F5YZUXvwQgntI3gHpG2k atBequmdv4J2Zj1S/jgGo727XWXIeWIQGRy0AJs9aPzIeU6vie98IF1YCi+U2NM+0zHD oGjyYbX+TUu70fcrsTMgnSQ3mvfKxAv7AdKTKQ4SSx1GLz/ZnWwAqpZX6CwVi4Rk+A5r axcshTO1NubUlIlr6dg7x1IckQgtDXOJ9g1dMWC283jL3NHa/v7XmPfUQogYoqYn2y2g L9Cg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date:dmarc-filter :dkim-signature:dkim-signature:arc-authentication-results; bh=FsiIwNVEieQo+HQYZ0KhVt27F+b5o0aYjLhQQBicE0E=; b=QQbCw5dBr6665ONr7Zx8woRdDY8sQe/ftEWYJyoKiLwnJUka829CgfdZklTZEonZ6H vdtTbhRcXECk3ddrXskmi8mM2C3YYAxGWnpUjlPfoJp5wEFkNrJpSwm9EOsz4YpP1B+i wHY066BY3nVkr9Dr49AmSLbkA4/H3waLuB6oEcEQK5g5/826MFrLPzaN/FoeZLBLPv6f QpLIIE2sGrVjxDA6oLYNwTeaH+OlC5Biz63jSNe4RkiURNOQSftJsbkuqPpgcyHdxrrB H74WVcWtPb5a7gGF7oJ9dplJiv/XJtfHxnDljl5l7rZt4+5mEZQXWxdeH+OG93G9N2lf onXg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@codeaurora.org header.s=default header.b=VLMOweVb; dkim=pass header.i=@codeaurora.org header.s=default header.b=G0shxkgx; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l9si13873132pgs.226.2018.03.08.16.47.29; Thu, 08 Mar 2018 16:47:43 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@codeaurora.org header.s=default header.b=VLMOweVb; dkim=pass header.i=@codeaurora.org header.s=default header.b=G0shxkgx; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751673AbeCIApT (ORCPT + 99 others); Thu, 8 Mar 2018 19:45:19 -0500 Received: from smtp.codeaurora.org ([198.145.29.96]:36724 "EHLO smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751588AbeCIApR (ORCPT ); Thu, 8 Mar 2018 19:45:17 -0500 Received: by smtp.codeaurora.org (Postfix, from userid 1000) id 2A01060851; Fri, 9 Mar 2018 00:45:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1520556317; bh=Dew0Y7bRngkegthwXLi4+piKs/asJmvtqvv9FsIc20o=; h=Date:From:To:cc:Subject:In-Reply-To:References:From; b=VLMOweVbN+ES10SKZcyNCLcU2/NwODDG6/DOlvipvRZXimiRQiPBzSItXRX8KpOzN Tz3ezuPLd4zdsNQkzTgW6QRZrQclQPmPcnp3Tke1+XZSu56L5Fk65NPIcavHr1a2ki iX1vh7PB178/8eK2VhjoZJQYYMlgppfm4/oXeisk= X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on pdx-caf-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.8 required=2.0 tests=ALL_TRUSTED,BAYES_00, DKIM_SIGNED,T_DKIM_INVALID autolearn=no autolearn_force=no version=3.4.0 Received: from lmark-linux.qualcomm.com (i-global254.qualcomm.com [199.106.103.254]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: lmark@smtp.codeaurora.org) by smtp.codeaurora.org (Postfix) with ESMTPSA id A2A036071A; Fri, 9 Mar 2018 00:45:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1520556315; bh=Dew0Y7bRngkegthwXLi4+piKs/asJmvtqvv9FsIc20o=; h=Date:From:To:cc:Subject:In-Reply-To:References:From; b=G0shxkgxRmBmQFCy+jb0TtlytDaKKC+rKEGqjJ6XzW9xNdgR4CXnKBndy+Hnf2Cne +TTE6xyTtszwb46OX9aCdT4ssWHQ3Ah27z9wS2tZ7965731nrqd/gPko7gjxgt2BXo 53l+ff8I5K0s52IK+LAxx8npV1Aq701893FFLHfQ= DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org A2A036071A Authentication-Results: pdx-caf-mail.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org Authentication-Results: pdx-caf-mail.web.codeaurora.org; spf=none smtp.mailfrom=lmark@codeaurora.org Date: Thu, 8 Mar 2018 16:45:14 -0800 (PST) From: Liam Mark X-X-Sender: lmark@lmark-linux.qualcomm.com To: Laura Abbott cc: Sumit Semwal , linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, devel@driverdev.osuosl.org, Martijn Coenen , Todd Kjos , =?ISO-8859-15?Q?Arve_Hj=F8nnev=E5g?= , linaro-mm-sig@lists.linaro.org Subject: Re: [RFC] android: ion: How to properly clean caches for uncached allocations In-Reply-To: Message-ID: References: User-Agent: Alpine 2.02 (DEB 1266 2009-07-14) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 7 Mar 2018, Laura Abbott wrote: > On 02/28/2018 09:18 PM, Liam Mark wrote: > > The issue: > > > > Currently in ION if you allocate uncached memory it is possible that there > > are still dirty lines in the cache. And often these dirty lines in the > > cache are the zeros which were meant to clear out any sensitive kernel > > data. > > > > What this means is that if you allocate uncached memory from ION, and then > > subsequently write to that buffer (using the uncached mapping you are > > provided by ION) then the data you have written could be corrupted at some > > point in the future if a dirty line is evicted from the cache. > > > > Also this means there is a potential security issue. If an un-privileged > > userspace user allocated uncached memory (for example from the system heap) > > and then if they were to read from that buffer (through the un-cached > > mapping they are provided by ION), and if some of the zeros which were > > written to that memory are still in the cache then this un-privileged > > userspace user could read potentially sensitive kernel data. > > For the use case you are describing we don't actually need the > memory to be non-cached until it comes time to do the dma mapping. > Here's a proposal to shoot holes in: > > - Before any dma_buf attach happens, all mmap mappings are cached > - At the time attach happens, we shoot down any existing userspace > mappings, do the dma_map with appropriate flags to clean the pages > and then allow remapping to userspace as uncached. Really this > looks like a variation on the old Ion faulting code which I removed > except it's for uncached buffers instead of cached buffers. > Thanks Laura, I will take a look to see if I can think of any concerns. Initial thoughts. - What about any kernel mappings (kmap/vmap) the client has made? - I guess it would be tempting to only do this behavior for memory that came from buddy (as opposed to the pool since it should be clean), but we would need to be careful that no pages sneak into the pool without being cleaned (example: client allocs then frees without ever call dma_buf_attach). > Potential problems: > - I'm not 100% about the behavior here if the attaching device > is already dma_coherent. I also consider uncached mappings > enough of a device specific optimization that you shouldn't > do them unless you know it's needed. I don't believe we want to allow uncached memory to be dma mapped by an io-coherent device and this is something I would like to eventually block. Since there is always a kernel cached mapping for ION uncached memory then speculative access could still be putting lines in the cache, so when an io-coherent device tries to read this uncached memory its snoop into the cache could find one of these 'stale' clean cache lines and end up using stale data. Agree? > - The locking/sequencing with userspace could be tricky > since userspace may not like us ripping mappings out from > underneath if it's trying to access. Perhaps delay this work to the dma_map_attachment call since when the data is dma mapped the CPU shouldn't be accessing it? Or worst case perhaps fail all map attempts to uncached memory until the memory has been dma mapped (and cleaned) at least once? Thanks, Liam Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project