Date: Wed, 18 Oct 2023 18:42:12 +0100
Subject: Re: [PATCH 06/10] dma: Use free_decrypted_pages()
To: Rick Edgecombe, x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, elena.reshetova@intel.com, isaku.yamahata@intel.com, seanjc@google.com, Michael Kelley, thomas.lendacky@amd.com, decui@microsoft.com, sathyanarayanan.kuppuswamy@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org
Cc: Christoph Hellwig, Marek Szyprowski, iommu@lists.linux.dev
References: <20231017202505.340906-1-rick.p.edgecombe@intel.com> <20231017202505.340906-7-rick.p.edgecombe@intel.com>
From: Robin Murphy
In-Reply-To: <20231017202505.340906-7-rick.p.edgecombe@intel.com>

On 2023-10-17 21:25, Rick Edgecombe wrote:
> On TDX it is possible for the untrusted host to cause
> set_memory_encrypted() or set_memory_decrypted() to fail such that an
> error is returned and the resulting memory is shared. Callers need to take
> care to handle these errors to avoid returning decrypted (shared) memory to
> the page allocator, which could lead to functional or security issues.
>
> DMA could free decrypted/shared pages if set_memory_decrypted() fails.
> Use the recently added free_decrypted_pages() to avoid this.
>
> Several paths also result in proper encrypted pages being freed through
> the same freeing function. Rely on free_decrypted_pages() to not leak the
> memory in these cases.

If something's needed in the fallback path here, what about the
cma_release() paths?

Thanks,
Robin.

> Cc: Christoph Hellwig
> Cc: Marek Szyprowski
> Cc: Robin Murphy
> Cc: iommu@lists.linux.dev
> Signed-off-by: Rick Edgecombe
> --- > include/linux/dma-map-ops.h | 3 ++- > kernel/dma/contiguous.c | 2 +- > 2 files changed, 3 insertions(+), 2 deletions(-) > > diff --git a/include/linux/dma-map-ops.h b/include/linux/dma-map-ops.h > index f2fc203fb8a1..b0800cbbc357 100644 > --- a/include/linux/dma-map-ops.h > +++ b/include/linux/dma-map-ops.h > @@ -9,6 +9,7 @@ > #include > #include > #include > +#include > > struct cma;
> > @@ -165,7 +166,7 @@ static inline struct page *dma_alloc_contiguous(struct device *dev, size_t size, > static inline void dma_free_contiguous(struct device *dev, struct page *page, > size_t size) > { > - __free_pages(page, get_order(size)); > + free_decrypted_pages((unsigned long)page_address(page), get_order(size)); > } > #endif /* CONFIG_DMA_CMA*/ > > diff --git a/kernel/dma/contiguous.c b/kernel/dma/contiguous.c > index f005c66f378c..e962f1f6434e 100644 > --- a/kernel/dma/contiguous.c > +++ b/kernel/dma/contiguous.c > @@ -429,7 +429,7 @@ void dma_free_contiguous(struct device *dev, struct page *page, size_t size) > } > > /* not in any cma, free from buddy */ > - __free_pages(page, get_order(size)); > + free_decrypted_pages((unsigned long)page_address(page), get_order(size)); > } > > /*
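
Review bot: In the static inline dma_free_contiguous() ahead of `#endif /* CONFIG_DMA_CMA*/` in include/linux/dma-map-ops.h, the new call derives its address with page_address(page), which returns NULL for a highmem page that has no kernel mapping, whereas the removed `__free_pages(page, get_order(size));` worked on the struct page directly. Either state in a comment or in the commit message why every page reaching this function has a linear-map address, or give the helper a struct page based entry point so the conversion is not needed. The same conversion appears in the kernel/dma/contiguous.c hunk.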
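
Review bot: In kernel/dma/contiguous.c only the fallback after `/* not in any cma, free from buddy */` is switched to free_decrypted_pages(); the earlier exits of dma_free_contiguous(), which handle pages that do belong to a CMA area, are not touched by this hunk. If those exits can see memory left shared after a failed conversion they need the same handling, otherwise the commit message should say why they cannot. The context comment also no longer matches the call, since the commit message describes free_decrypted_pages() as the way to avoid returning shared pages to the page allocator; reword it so it does not promise a plain buddy free.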