Received: by 2002:a05:7412:251c:b0:e2:908c:2ebd with SMTP id w28csp1370304rda; Mon, 23 Oct 2023 10:23:20 -0700 (PDT) X-Google-Smtp-Source: AGHT+IF2IgotfKc78J5y+vRLK73mXdjsspjInWZ+5qIcwh0eZXRvw1b6ti/iQzuTmohwC8EOCJ2N X-Received: by 2002:aa7:88d0:0:b0:68e:41e9:10be with SMTP id k16-20020aa788d0000000b0068e41e910bemr7735074pff.20.1698081800071; Mon, 23 Oct 2023 10:23:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698081800; cv=none; d=google.com; s=arc-20160816; b=cK3l5cCYNb8WtyYsw1oLOI9836mGEgIt4MAAyoUQA3KhEpCAvWL/qMPHeTnS8aXMjZ n6kJCnvT2yQi+CUPcbiUkPswmuV6EZJ+KkEABX/vnrRIFgAvCPP4SllwHmZxucz5a57E 7+f2JNATpOK5KViqIGJYREIHeozyxdur4xJ3MZ5c9oFGBixwvRdNChw5AMB/zUkdrKQS nNZIcBVD7OKMI0T7NSWfYLeta6rWWkHNHxC9bOs/xyFUVHclQp/aWzJCueI02fS6B5Va iDeDDKv2WpMaLNyWvy1yPq0Dd64006DJEU2JJMs5Z6JwCpEiB7b9CrmMebhGdcofPJl2 CrgQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=q1fx88UrJ9qFpWOHD8E4De/iE1OKd8PuPMO6qmw+fgc=; fh=Mn7atjr4KeXJ1efKzJ4CwZ+o/+nmzWeuRrbUBaiMi7M=; b=UDiLQUyA8OBbBVTRycWvLVItEkJ59fDeua4kkFxqryf7i5/Cr/JsM8N6ZF5I7HtaQ3 gFnY3OBPK6y85QzJ0KR2/UrBsXXXGdlQs+OXYo9iMTHksuKRU18HqYbFj6EJE54jTi0S HwMgAO2aJhLbURRO2A8yaNB8rVxAwX5OV7N/1FrQddE4lFVEZ1XOID4Cza0ebZ6XvbRW DPKd3CExqbosZFij2wIVR9Z86MPlq2idZsh5QvqIvMxvnOd2h+LfGMFb1aSXAfPd+Lor uo/O4ezc1+JbqF6GS5Ja6lRRwadaqlqTtqke3klRJnl3hztyOR9W80042ogV/FUv+bV+ xdsg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from lipwig.vger.email (lipwig.vger.email. [23.128.96.33]) by mx.google.com with ESMTPS id z126-20020a633384000000b0057c2f61474asi6781154pgz.290.2023.10.23.10.23.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 Oct 2023 10:23:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) client-ip=23.128.96.33; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id 9D4BE8037517; Mon, 23 Oct 2023 10:23:16 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229810AbjJWRXG (ORCPT + 99 others); Mon, 23 Oct 2023 13:23:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58398 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229453AbjJWRXF (ORCPT ); Mon, 23 Oct 2023 13:23:05 -0400 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id F2EF3A2; Mon, 23 Oct 2023 10:23:02 -0700 (PDT) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 6DEDE2F4; Mon, 23 Oct 2023 10:23:43 -0700 (PDT) Received: from [10.57.5.125] (unknown [10.57.5.125]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 19BFE3F762; Mon, 23 Oct 2023 10:22:58 -0700 (PDT) Message-ID: <289f5f83-adc7-4077-b4c0-c951484dd092@arm.com> Date: Mon, 23 Oct 2023 18:22:57 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH 06/10] dma: Use free_decrypted_pages() Content-Language: en-GB To: "Edgecombe, Rick P" , "Lutomirski, Andy" , "linux-mm@kvack.org" , "dave.hansen@linux.intel.com" , "thomas.lendacky@amd.com" , "Reshetova, Elena" , "kirill.shutemov@linux.intel.com" , "mingo@redhat.com" , "Christopherson,, Sean" , "linux-kernel@vger.kernel.org" , "tglx@linutronix.de" , "Yamahata, Isaku" , "Cui, Dexuan" , "mikelley@microsoft.com" , "hpa@zytor.com" , "peterz@infradead.org" , "bp@alien8.de" , "linux-s390@vger.kernel.org" , "sathyanarayanan.kuppuswamy@linux.intel.com" , "x86@kernel.org" Cc: "hch@lst.de" , "m.szyprowski@samsung.com" , "iommu@lists.linux.dev" References: <20231017202505.340906-1-rick.p.edgecombe@intel.com> <20231017202505.340906-7-rick.p.edgecombe@intel.com> From: Robin Murphy In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Mon, 23 Oct 2023 10:23:16 -0700 (PDT) On 2023-10-23 17:46, Edgecombe, Rick P wrote: > On Wed, 2023-10-18 at 18:42 +0100, Robin Murphy wrote: >> On 2023-10-17 21:25, Rick Edgecombe wrote: >>> On TDX it is possible for the untrusted host to cause >>> set_memory_encrypted() or set_memory_decrypted() to fail such that >>> an >>> error is returned and the resulting memory is shared. Callers need >>> to take >>> care to handle these errors to avoid returning decrypted (shared) >>> memory to >>> the page allocator, which could lead to functional or security >>> issues. >>> >>> DMA could free decrypted/shared pages if set_memory_decrypted() >>> fails. >>> Use the recently added free_decrypted_pages() to avoid this. >>> >>> Several paths also result in proper encrypted pages being freed >>> through >>> the same freeing function. Rely on free_decrypted_pages() to not >>> leak the >>> memory in these cases. >> >> If something's needed in the fallback path here, what about the >> cma_release() paths? > > You mean inside cma_release(). If so, unfortunately I think it won't > fit great because there are callers that are never dealing with shared > memory (huge tlb). The reset-to-private operation does extra work that > would be nice to avoid when possible. > > The cases I thought exhibited the issue were the two calls sites of > dma_set_decrypted(). Playing around with it, I was thinking it might be > easier to just fix those to open code leaking the pages on > dma_set_decrypted() error. In which case it won't have the re-encrypt > problem. > > It make's it less fool proof, but more efficient. And > free_decrypted_pages() doesn't fit great anyway, as pointed out by > Christoph. My point is that in dma_direct_alloc(), we get some memory either straight from the page allocator *or* from a CMA area, then call set_memory_decrypted() on it. If the problem is that set_memory_decrypted() can fail and require cleanup, then logically if that cleanup is necessary for the dma_free_contiguous()->__free_pages() call, then surely it must also be necessary for the dma_free_contiguous()->cma_release()->free_contig_range()->__free_page() calls. Thanks, Robin.