Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp3969871rdg; Wed, 18 Oct 2023 10:53:16 -0700 (PDT) X-Google-Smtp-Source: AGHT+IEV+84AseCwWQskPXubpk+e43I9hxxNBFi47Xa4zeSebXAp5vZ/6EkTlXWtZ1bRhaxy6ibF X-Received: by 2002:a05:6a21:3291:b0:173:f8c9:94ef with SMTP id yt17-20020a056a21329100b00173f8c994efmr7108575pzb.41.1697651596617; Wed, 18 Oct 2023 10:53:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1697651596; cv=none; d=google.com; s=arc-20160816; b=k9QnW+3/M6cg6luIOKe9+j+WQBBQP4ielELh4CWuybMnahwOTK7ncEObyRLmWlyhWL u3DHZnS0HLJDGxy+LSlI/+cUBjZ2EIGfa++WeHj1TIgazg5ezhoZQpQA3rmCyLNUzoFZ OZoOln7tEcqCY1tQF2CYSFVrrMkQymoJQbZXlpOtGyn3gcI/HysD/qvbnec7+AiCQvWp EUbnADMYRguGhYbFYRFKrNiEuVrl6Na0YMi9HOu1nhHTaIqPuaFXg1UjiSWzKnvdn9Ng qdUjUPQ+UskYsIzO/b9Cdc+YL6j23m1xKe5U7vEEVMA6WiyCZtCafAgiH17pEeXiFGtO uHng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=B7GTV9O8w5nAZ0b02U6Ag0DDKMxVVBcmGHkRbTba3fo=; fh=sjOTqH1TqHml+/JKgIzmKtQj7FigiERRiWaQ+Yhae7Y=; b=Y3Tqu+2KkoEB3ul1BYjBO5Bkj+WPANLn1IJESO0hdoA3SlEmNx1HdgxBxtrV4Uz1VD 32pX+TWYJKqZD4rY1gUuXelhy8ccfKdIbAfA3/7qxtFKq+sHcKPIRzCwv6KL3LKjoWZR wdH5mS54Pj627igYB1E120uV/hWi9kRcS6IxctvI4RLrDAsjiXc7Z0Mm7uznpj8cR8fO jDvCXIlTRqnXwL4MW1xuPshlZ5gDjzTLsVagi7vWR4PJeJxJMCLL56gNfvhtqm8ExVIm gNJ6HbPwmWMH+8gYG6xzszwcCzXz4vk1TnCE15fyR5Pv48jNf4mSFTaFJlvI9GzJkSBn NItw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from howler.vger.email (howler.vger.email. [23.128.96.34]) by mx.google.com with ESMTPS id x190-20020a6386c7000000b005702257f332si2627597pgd.21.2023.10.18.10.53.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 18 Oct 2023 10:53:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) client-ip=23.128.96.34; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by howler.vger.email (Postfix) with ESMTP id 8435D8084581; Wed, 18 Oct 2023 10:53:13 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231544AbjJRRxF (ORCPT + 99 others); Wed, 18 Oct 2023 13:53:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37482 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229744AbjJRRxE (ORCPT ); Wed, 18 Oct 2023 13:53:04 -0400 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 292C6B8 for ; Wed, 18 Oct 2023 10:53:02 -0700 (PDT) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id DA4F62F4; Wed, 18 Oct 2023 10:53:42 -0700 (PDT) Received: from [10.57.67.203] (unknown [10.57.67.203]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 97F743F5A1; Wed, 18 Oct 2023 10:53:00 -0700 (PDT) Message-ID: <85e332bf-decf-427c-a2e5-95ab872d4ea6@arm.com> Date: Wed, 18 Oct 2023 18:52:59 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH] swiotlb: Rewrite comment explaining why the source is preserved on DMA_FROM_DEVICE Content-Language: en-GB To: Sean Christopherson , Christoph Hellwig , Marek Szyprowski Cc: iommu@lists.linux.dev, linux-kernel@vger.kernel.org, Yan Zhao , Linus Torvalds References: <20231018173409.1871540-1-seanjc@google.com> From: Robin Murphy In-Reply-To: <20231018173409.1871540-1-seanjc@google.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on howler.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Wed, 18 Oct 2023 10:53:13 -0700 (PDT) On 2023-10-18 18:34, Sean Christopherson wrote: > Rewrite the comment explaining why swiotlb copies the original buffer to > the TLB buffer before initiating DMA *from* the device, i.e. before the > device DMAs into the TLB buffer. The existing comment's argument that > preserving the original data can prevent a kernel memory leak is bogus. > > If the driver that triggered the mapping _knows_ that the device will > overwrite the entire mapping, or the driver will consume only the written > parts, then copying from the original memory is completely pointless. > > If neither of the above holds true, then copying from the original adds > value only if preserving the data is necessary for functional correctness, > or the driver explicitly initialized the original memory. If the driver > didn't initialize the memory, then copying the original buffer to the TLB > buffer simply changes what kernel data is leaked to userspace. > > Writing the entire TLB buffer _does_ prevent leaking stale TLB buffer data > from a previous bounce, but that can be achieved by simply zeroing the TLB > buffer when grabbing a slot. > > The real reason swiotlb ended up initializing the TLB buffer with the > original buffer is that it's necessary to make swiotlb operate as > transparently as possible, i.e. to behave as closely as possible to > hardware, and to avoid corrupting the original buffer, e.g. if the driver > knows the device will do partial writes and is relying on the unwritten > data to be preserved. Thanks Sean, I like this :) Reviewed-by: Robin Murphy > Cc: Yan Zhao > Cc: Robin Murphy > Cc: Linus Torvalds > Link: https://lore.kernel.org/all/ZN5elYQ5szQndN8n@google.com > Signed-off-by: Sean Christopherson > --- > kernel/dma/swiotlb.c | 12 +++++++----- > 1 file changed, 7 insertions(+), 5 deletions(-) > > diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c > index 01637677736f..e071415a75dc 100644 > --- a/kernel/dma/swiotlb.c > +++ b/kernel/dma/swiotlb.c > @@ -1296,11 +1296,13 @@ phys_addr_t swiotlb_tbl_map_single(struct device *dev, phys_addr_t orig_addr, > pool->slots[index + i].orig_addr = slot_addr(orig_addr, i); > tlb_addr = slot_addr(pool->start, index) + offset; > /* > - * When dir == DMA_FROM_DEVICE we could omit the copy from the orig > - * to the tlb buffer, if we knew for sure the device will > - * overwrite the entire current content. But we don't. Thus > - * unconditional bounce may prevent leaking swiotlb content (i.e. > - * kernel memory) to user-space. > + * When the device is writing memory, i.e. dir == DMA_FROM_DEVICE, copy > + * the original buffer to the TLB buffer before initiating DMA in order > + * to preserve the original's data if the device does a partial write, > + * i.e. if the device doesn't overwrite the entire buffer. Preserving > + * the original data, even if it's garbage, is necessary to match > + * hardware behavior (use of swiotlb is supposed to be transparent) and Super-nit: I think that last "and" is superfluous (i.e. unwritten memory not magically corrupting itself *is* the aforementioned hardware behaviour). > + * so that swiotlb doesn't corrupt bytes that the device does NOT write. > */ > swiotlb_bounce(dev, tlb_addr, mapping_size, DMA_TO_DEVICE); > return tlb_addr; > > base-commit: 213f891525c222e8ed145ce1ce7ae1f47921cb9c