Subject: Re: [PATCH v1 5/8] dma: Use size for swiotlb boundary checks
From: Andi Kleen
To: Konrad Rzeszutek Wilk
Cc: mst@redhat.com, jasowang@redhat.com, virtualization@lists.linux-foundation.org, hch@lst.de, m.szyprowski@samsung.com, robin.murphy@arm.com, iommu@lists.linux-foundation.org, x86@kernel.org, sathyanarayanan.kuppuswamy@linux.intel.com, jpoimboe@redhat.com, linux-kernel@vger.kernel.org
Date: Wed, 2 Jun 2021 19:03:47 -0700
Message-ID: <665925d2-d6d5-218f-15f8-c6c5abaaba40@linux.intel.com>
References: <20210603004133.4079390-1-ak@linux.intel.com> <20210603004133.4079390-6-ak@linux.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 6/2/2021 6:48 PM, Konrad Rzeszutek Wilk wrote:
> On Wed, Jun 02, 2021 at 05:41:30PM -0700, Andi Kleen wrote:
>> swiotlb currently only uses the start address of a DMA to check if something
>> is in the swiotlb or not. But with virtio and untrusted hosts the host
>> could give some DMA mapping that crosses the swiotlb boundaries,
>> potentially leaking or corrupting data. Add size checks to all the swiotlb
>> checks and reject any DMAs that cross the swiotlb buffer boundaries.
> I seem to be only CC-ed on this and #7, so please bear with me.

You weren't cc'ed originally so if you get partial emails it must be through some list.

>
> But could you explain to me why please:
>
> commit daf9514fd5eb098d7d6f3a1247cb8cc48fc94155 (swiotlb/stable/for-linus-5.12)
> Author: Martin Radev
> Date: Tue Jan 12 16:07:29 2021 +0100
>
>     swiotlb: Validate bounce size in the sync/unmap path
>
> does not solve the problem as well?

Thanks. I missed that patch, race condition.

One major difference of my patch is that it supports an error return, which allows virtio to error out. This is important in virtio because otherwise you'll end up with uninitialized memory on the target without any indication. This uninitialized memory could be a potential attack vector on the guest memory, e.g. if the attacker finds some way to echo it out again.

But the error return could be added to your infrastructure too and that would make this patch much shorter. I'll take a look at that.

-Andi
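
Added example, not part of the original message and not the kernel's swiotlb code: a user-space C sketch of the two points discussed above, a start-only check versus a size-aware range check, and an error return that lets the caller fail a request instead of using an unfilled buffer. The names (pool, start_in_pool, range_in_pool, bounce_copy_out, read_request), the pool size and the -EINVAL error code are assumptions made for illustration; off and len stand for the host-supplied DMA address and length.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 4096u               /* constructed pool size for this sketch */
static unsigned char pool[POOL_SIZE]; /* stand-in for the swiotlb bounce pool */

/* Start-only check: true whenever the first byte lies inside the pool. */
static int start_in_pool(uint64_t off)
{
    return off < POOL_SIZE;
}

/* Size-aware check: all of [off, off + len) must lie inside the pool.
 * Written as len <= POOL_SIZE - off so that off + len can never wrap. */
static int range_in_pool(uint64_t off, uint64_t len)
{
    return start_in_pool(off) && len <= POOL_SIZE - off;
}

/* Copy device-written data out of the pool. A rejected range returns -EINVAL
 * (the error code is an assumption) and leaves dst untouched. */
static int bounce_copy_out(void *dst, uint64_t off, uint64_t len)
{
    if (!range_in_pool(off, len))
        return -EINVAL;
    memcpy(dst, pool + off, (size_t)len);
    return 0;
}

/* Caller side: fail the request instead of handing back an unfilled buffer. */
static int read_request(unsigned char *dst, uint64_t off, uint64_t len)
{
    int ret = bounce_copy_out(dst, off, len);
    return ret ? ret : (int)len;
}

int main(void)
{
    unsigned char buf[64] = {0};
    memset(pool, 0xAB, sizeof(pool));
    /* Constructed inputs: the last one starts inside the pool but runs past it. */
    printf("in range:      %d\n", read_request(buf, 0, sizeof(buf)));
    printf("start-only ok: %d\n", start_in_pool(POOL_SIZE - 6));
    printf("crossing end:  %d\n", read_request(buf, POOL_SIZE - 6, sizeof(buf)));
    return 0;
}
```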