From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Rick Edgecombe, Christoph Hellwig, Sasha Levin, m.szyprowski@samsung.com, iommu@lists.linux.dev
Subject: [PATCH AUTOSEL 6.8 63/98] dma-direct: Leak pages on dma_set_decrypted() failure
Date: Fri, 29 Mar 2024 08:37:34 -0400
Message-ID: <20240329123919.3087149-63-sashal@kernel.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240329123919.3087149-1-sashal@kernel.org>
References: <20240329123919.3087149-1-sashal@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
X-stable-base: Linux 6.8.2
Content-Transfer-Encoding: 8bit

From: Rick Edgecombe

[ Upstream commit b9fa16949d18e06bdf728a560f5c8af56d2bdcaf ]

On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.

DMA could free decrypted/shared pages if dma_set_decrypted() fails. This should be a rare case. Just leak the pages in this case instead of freeing them.

Signed-off-by: Rick Edgecombe
Signed-off-by: Christoph Hellwig
Signed-off-by: Sasha Levin
---
 kernel/dma/direct.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/kernel/dma/direct.c b/kernel/dma/direct.c index 98b2e192fd696..4d543b1e9d577 100644 --- a/kernel/dma/direct.c +++ b/kernel/dma/direct.c @@ -286,7 +286,7 @@ void *dma_direct_alloc(struct device *dev, size_t size, } else { ret = page_address(page); if (dma_set_decrypted(dev, ret, size)) - goto out_free_pages; + goto out_leak_pages; } memset(ret, 0, size); 
@@ -307,6 +307,8 @@ void *dma_direct_alloc(struct device *dev, size_t size, out_free_pages: __dma_direct_free_pages(dev, page, size); return NULL; +out_leak_pages: + return NULL; } void dma_direct_free(struct device *dev, size_t size, @@ -367,12 +369,11 @@ struct page *dma_direct_alloc_pages(struct device *dev, size_t size, ret = page_address(page); if (dma_set_decrypted(dev, ret, size)) - goto out_free_pages; + goto out_leak_pages; memset(ret, 0, size); *dma_handle = phys_to_dma_direct(dev, page_to_phys(page)); return page; -out_free_pages: - __dma_direct_free_pages(dev, page, size); +out_leak_pages: return NULL; } -- 2.43.0
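
Review bot: In the first hunk (dma_direct_alloc, the dma_set_decrypted() failure branch), the jump to out_leak_pages abandons the pages without leaving any trace in the log. The commit message describes this as a rare case that an untrusted host can cause, so a one-time warning at this branch would let an operator attribute the lost memory to a failed conversion instead of seeing only an ordinary allocation failure.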
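
Review bot: In the second hunk, the new out_leak_pages label at the end of dma_direct_alloc has no comment saying the leak is deliberate, so a later cleanup could easily "fix" it by freeing the pages again. A short comment at the label, stating that the pages may still be shared with the host and must not go back to the page allocator, would protect the intent. The duplicated `return NULL;` can also be avoided by placing `out_leak_pages:` directly above the existing `return NULL;` so that out_free_pages falls through to it.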
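
Review bot: In the third hunk (dma_direct_alloc_pages), out_leak_pages now labels nothing but `return NULL;` and has a single visible user, so the goto adds indirection without doing any cleanup. Returning NULL directly at the dma_set_decrypted() check, with a comment that the pages are intentionally leaked, would read more clearly; if the label is kept for symmetry with dma_direct_alloc, it needs the same comment there.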