Received: by 10.223.185.116 with SMTP id b49csp249071wrg;
        Thu, 8 Mar 2018 16:47:43 -0800 (PST)
X-Google-Smtp-Source: AG47ELsuOpjLnlEUYv5wKvDRp0eq+qKWb/3UJTnING1LyYwqyWQrpwMkSUZPwJm2FKDA40bb6LwI
X-Received: by 2002:a17:902:d90f:: with SMTP id c15-v6mr22304379plz.223.1520556463498;
        Thu, 08 Mar 2018 16:47:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1520556463; cv=none;
        d=google.com; s=arc-20160816;
        b=vVT5G/VJDlITbqqpGcxhMA6CTdFZW1lts3+03v7QPsBG2d+O4iQWNs7LtEgkBRiQT3
         F5Bs/5XtkfqBPYqWjqj3+bF4bJlpyztKVAsB93V7449XPtm7F5YZUXvwQgntI3gHpG2k
         atBequmdv4J2Zj1S/jgGo727XWXIeWIQGRy0AJs9aPzIeU6vie98IF1YCi+U2NM+0zHD
         oGjyYbX+TUu70fcrsTMgnSQ3mvfKxAv7AdKTKQ4SSx1GLz/ZnWwAqpZX6CwVi4Rk+A5r
         axcshTO1NubUlIlr6dg7x1IckQgtDXOJ9g1dMWC283jL3NHa/v7XmPfUQogYoqYn2y2g
         L9Cg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date:dmarc-filter
         :dkim-signature:dkim-signature:arc-authentication-results;
        bh=FsiIwNVEieQo+HQYZ0KhVt27F+b5o0aYjLhQQBicE0E=;
        b=QQbCw5dBr6665ONr7Zx8woRdDY8sQe/ftEWYJyoKiLwnJUka829CgfdZklTZEonZ6H
         vdtTbhRcXECk3ddrXskmi8mM2C3YYAxGWnpUjlPfoJp5wEFkNrJpSwm9EOsz4YpP1B+i
         wHY066BY3nVkr9Dr49AmSLbkA4/H3waLuB6oEcEQK5g5/826MFrLPzaN/FoeZLBLPv6f
         QpLIIE2sGrVjxDA6oLYNwTeaH+OlC5Biz63jSNe4RkiURNOQSftJsbkuqPpgcyHdxrrB
         H74WVcWtPb5a7gGF7oJ9dplJiv/XJtfHxnDljl5l7rZt4+5mEZQXWxdeH+OG93G9N2lf
         onXg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@codeaurora.org header.s=default header.b=VLMOweVb;
       dkim=pass header.i=@codeaurora.org header.s=default header.b=G0shxkgx;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l9si13873132pgs.226.2018.03.08.16.47.29;
        Thu, 08 Mar 2018 16:47:43 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@codeaurora.org header.s=default header.b=VLMOweVb;
       dkim=pass header.i=@codeaurora.org header.s=default header.b=G0shxkgx;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751673AbeCIApT (ORCPT <rfc822;arandomawesomegeek@gmail.com>
        + 99 others); Thu, 8 Mar 2018 19:45:19 -0500
Received: from smtp.codeaurora.org ([198.145.29.96]:36724 "EHLO
        smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751588AbeCIApR (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 8 Mar 2018 19:45:17 -0500
Received: by smtp.codeaurora.org (Postfix, from userid 1000)
        id 2A01060851; Fri,  9 Mar 2018 00:45:16 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
        s=default; t=1520556317;
        bh=Dew0Y7bRngkegthwXLi4+piKs/asJmvtqvv9FsIc20o=;
        h=Date:From:To:cc:Subject:In-Reply-To:References:From;
        b=VLMOweVbN+ES10SKZcyNCLcU2/NwODDG6/DOlvipvRZXimiRQiPBzSItXRX8KpOzN
         Tz3ezuPLd4zdsNQkzTgW6QRZrQclQPmPcnp3Tke1+XZSu56L5Fk65NPIcavHr1a2ki
         iX1vh7PB178/8eK2VhjoZJQYYMlgppfm4/oXeisk=
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
        pdx-caf-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.8 required=2.0 tests=ALL_TRUSTED,BAYES_00,
        DKIM_SIGNED,T_DKIM_INVALID autolearn=no autolearn_force=no version=3.4.0
Received: from lmark-linux.qualcomm.com (i-global254.qualcomm.com [199.106.103.254])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        (Authenticated sender: lmark@smtp.codeaurora.org)
        by smtp.codeaurora.org (Postfix) with ESMTPSA id A2A036071A;
        Fri,  9 Mar 2018 00:45:14 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
        s=default; t=1520556315;
        bh=Dew0Y7bRngkegthwXLi4+piKs/asJmvtqvv9FsIc20o=;
        h=Date:From:To:cc:Subject:In-Reply-To:References:From;
        b=G0shxkgxRmBmQFCy+jb0TtlytDaKKC+rKEGqjJ6XzW9xNdgR4CXnKBndy+Hnf2Cne
         +TTE6xyTtszwb46OX9aCdT4ssWHQ3Ah27z9wS2tZ7965731nrqd/gPko7gjxgt2BXo
         53l+ff8I5K0s52IK+LAxx8npV1Aq701893FFLHfQ=
DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org A2A036071A
Authentication-Results: pdx-caf-mail.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org
Authentication-Results: pdx-caf-mail.web.codeaurora.org; spf=none smtp.mailfrom=lmark@codeaurora.org
Date:   Thu, 8 Mar 2018 16:45:14 -0800 (PST)
From:   Liam Mark <lmark@codeaurora.org>
X-X-Sender: lmark@lmark-linux.qualcomm.com
To:     Laura Abbott <labbott@redhat.com>
cc:     Sumit Semwal <sumit.semwal@linaro.org>,
        linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org,
        devel@driverdev.osuosl.org, Martijn Coenen <maco@android.com>,
        Todd Kjos <tkjos@android.com>,
        =?ISO-8859-15?Q?Arve_Hj=F8nnev=E5g?= <arve@android.com>,
        linaro-mm-sig@lists.linaro.org
Subject: Re: [RFC] android: ion: How to properly clean caches for uncached
 allocations
In-Reply-To: <b1479541-13bd-85ea-f9c7-25264c91f9b9@redhat.com>
Message-ID: <alpine.DEB.2.02.1803081635170.20592@lmark-linux.qualcomm.com>
References: <alpine.DEB.2.02.1802282111320.22860@lmark-linux.qualcomm.com> <b1479541-13bd-85ea-f9c7-25264c91f9b9@redhat.com>
User-Agent: Alpine 2.02 (DEB 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 7 Mar 2018, Laura Abbott wrote:

> On 02/28/2018 09:18 PM, Liam Mark wrote:
> > The issue:
> > 
> > Currently in ION if you allocate uncached memory it is possible that there
> > are still dirty lines in the cache.  And often these dirty lines in the
> > cache are the zeros which were meant to clear out any sensitive kernel
> > data.
> > 
> > What this means is that if you allocate uncached memory from ION, and then
> > subsequently write to that buffer (using the uncached mapping you are
> > provided by ION) then the data you have written could be corrupted at some
> > point in the future if a dirty line is evicted from the cache.
> > 
> > Also this means there is a potential security issue.  If an un-privileged
> > userspace user allocated uncached memory (for example from the system heap)
> > and then if they were to read from that buffer (through the un-cached
> > mapping they are provided by ION), and if some of the zeros which were
> > written to that memory are still in the cache then this un-privileged
> > userspace user could read potentially sensitive kernel data.
> 
> For the use case you are describing we don't actually need the
> memory to be non-cached until it comes time to do the dma mapping.
> Here's a proposal to shoot holes in:
> 
> - Before any dma_buf attach happens, all mmap mappings are cached
> - At the time attach happens, we shoot down any existing userspace
> mappings, do the dma_map with appropriate flags to clean the pages
> and then allow remapping to userspace as uncached. Really this
> looks like a variation on the old Ion faulting code which I removed
> except it's for uncached buffers instead of cached buffers.
> 

Thanks Laura, I will take a look to see if I can think of any concerns.

Initial thoughts.
- What about any kernel mappings (kmap/vmap) the client has made?

- I guess it would be tempting to only do this behavior for memory that 
came from buddy (as opposed to the pool since it should be clean), but we 
would need to be careful that no pages sneak into the pool without being 
cleaned (example: client allocs then frees without ever call 
dma_buf_attach).

> Potential problems:
> - I'm not 100% about the behavior here if the attaching device
> is already dma_coherent. I also consider uncached mappings
> enough of a device specific optimization that you shouldn't
> do them unless you know it's needed.

I don't believe we want to allow uncached memory to be dma mapped by an 
io-coherent device and this is something I would like to eventually block.

Since there is always a kernel cached mapping for ION uncached memory then 
speculative access could still be putting lines in the cache, so when an 
io-coherent device tries to read this uncached memory its snoop into the 
cache could find one of these 'stale' clean cache lines and end up using 
stale data. 
Agree?

> - The locking/sequencing with userspace could be tricky
> since userspace may not like us ripping mappings out from
> underneath if it's trying to access.

Perhaps delay this work to the dma_map_attachment call since when the data 
is dma mapped the CPU shouldn't be accessing it? 

Or worst case perhaps fail all map attempts to uncached memory until the 
memory has been dma mapped (and cleaned) at least once?

Thanks,
Liam

Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project