Received: by 2002:ab2:1149:0:b0:1f3:1f8c:d0c6 with SMTP id z9csp12783lqz; Fri, 29 Mar 2024 07:10:18 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVYoG9fu6DWSas2Tjmgd3vYuBkNkE6nnf1TXEveH3IAQZFSmBrKxP16jOBdkscJOL4A3dBsu/uiTWgrj/k2CMM0JgjrxReTWQabkovbgw== X-Google-Smtp-Source: AGHT+IHqSyV3ClQJp3HM4AnahYogBLQimCZ2g3Jk9DBBt6WQzIk9Q1ANAxTXdmVkVDTghVDmp5wp X-Received: by 2002:a17:902:a589:b0:1e0:ca47:4d96 with SMTP id az9-20020a170902a58900b001e0ca474d96mr2361357plb.3.1711721418209; Fri, 29 Mar 2024 07:10:18 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1711721418; cv=pass; d=google.com; s=arc-20160816; b=TkhpjmDwb6k10jKlGvUhzMtFcwoPTj4hO3iauUbsHBGmQlTWEg4FvOZtfKBJkAoWir t5ye1HoBqI0Guq9EgqCpSd4oq/Ciaoduk7tnHsaVn9WRdP8fj+6V2MzQmQHN2NOFb7fn j+uat352yvCkqf+SfobFQcGvA0hx6BRl7rFob9AdMrjSLeuxLfqRTQFo1Nz3NOqwI+78 H6XIjPUxDNdXbASNSr3Ft/D8z/jm2BJsymdxHkpKIhkMLfjW0/oSn41OQpWrjN5K44cP 2Yj+sXnYiQLjSaQmEKVdcVg4VZy7skFtXEMamUp7/u46GzrUyD0K54+sXDieptxUpp9h joqw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from:dkim-signature; bh=ZI5umWoKY9/LTkKTrDmbJgoxzZDEpmYcr4uyocbiuX4=; fh=43KPihJnOrhvaJgLfA035CbFOOYGx3Xw97T9BoQlRIA=; b=CTRICyztjfjoZWAAkYr+2SBzeXU6ljA1qMbiPTiV/HJcGCWWjTnJ/JMjefwasB8Lc5 qpmH/ihEBTrY69DKuGNCsxMToFB7V46WlB1RixTAj4k3qA9gogiGYO6MM+bwIjBxO0eI y1jPI1Xo7QS/G24C+nBFluAeN1SkrBW3kzU/pQXmnzayxX3Ve6cfwwsWju/Vdcpz432y vVnfqUJ6SHN9nkJcarrszJtiK5Fc1N7vGfbqBU4hS8A5KYuFZ7GdKJeRBI/EhZGhbGi0 HTmKsqBa7wTCbc+jjJSrWJbhHu16kOGochBlAsXjo9krvnE5Y/W7+P5Brf3w7Un+0Uf/ /i/Q==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=JU90wOeu; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-124854-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-124854-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id im15-20020a170902bb0f00b001e0a8026fd3si3560372plb.241.2024.03.29.07.10.17 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 Mar 2024 07:10:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-124854-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=JU90wOeu; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-124854-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-124854-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 81BFC2823A0 for ; Fri, 29 Mar 2024 14:10:10 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 63BD41C1337; Fri, 29 Mar 2024 12:44:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="JU90wOeu" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7B9671C2308; Fri, 29 Mar 2024 12:44:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711716296; cv=none; b=fNSO5snjldTEIjkFOZKR9YbeOBw5K/6/oOmXUOhNo+b0dVbioPCeOzu56VvdKBtIXyfTrfdrsJE46akmRczBzQE/KbV8AOz17L8+LWegzbLlRu4T1+k5/3zQsS41ncT5pO3wDQbtVciJbd94N1ceGb92l0hb6qw2uZxR8DmMJfw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711716296; c=relaxed/simple; bh=k3zuf16/TCQid4I2XHlZ7Fg+DXFG1/Fja7b3voOoAZM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=dNqrXkk447EYsD5M/mcV26BL+L233UgOzevtHzwPs1NUgYJ8ZhmbRG6skL4F7GVM9GOx//q0Hp7virtllaERW8KLPUun2N2DtKeb8d0EZkd5MOKTczSDTZ9+uTyOYKt1UHu/l99RWUyXPCmXr9maKB0Aggu4hRS2sxTIBLc6hqo= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=JU90wOeu; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 92903C43390; Fri, 29 Mar 2024 12:44:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1711716296; bh=k3zuf16/TCQid4I2XHlZ7Fg+DXFG1/Fja7b3voOoAZM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=JU90wOeukIlADuZoBi8IeFA/LEWtYfeWiaKD9WdQGlbPbqaV4u6Y0rOHUKJNK8kXn JBX4KFUPuj7tCAcQ0Qgf+F674EMdRRpNQMQAkeylKpPltvW3/I5ikOoTW8nygNOVjl sm4+zP35tNiEHzQGPLSnd40jfQdDOF1XbYR2DyVQOY41W/nFD5jGsJfmRqzzk21am8 7+ItJ2cTKTro8rDJ/OIckqC6JS9DQofem/NFHM7ANY43dV8MrMfgwEZIgQZxaaz8MI vjDHUyMts2SbHeC4dNeEII3oEIgwVzA64N6M5k3aLEEhjW4GaQG/T3XzpH5IK1gmZW m/DYKLWTlezeg== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Rick Edgecombe , Christoph Hellwig , Sasha Levin , m.szyprowski@samsung.com, iommu@lists.linux.dev Subject: [PATCH AUTOSEL 6.6 45/75] dma-direct: Leak pages on dma_set_decrypted() failure Date: Fri, 29 Mar 2024 08:42:26 -0400 Message-ID: <20240329124330.3089520-45-sashal@kernel.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240329124330.3089520-1-sashal@kernel.org> References: <20240329124330.3089520-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 6.6.23 Content-Transfer-Encoding: 8bit From: Rick Edgecombe [ Upstream commit b9fa16949d18e06bdf728a560f5c8af56d2bdcaf ] On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. DMA could free decrypted/shared pages if dma_set_decrypted() fails. This should be a rare case. Just leak the pages in this case instead of freeing them. Signed-off-by: Rick Edgecombe Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin --- kernel/dma/direct.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/kernel/dma/direct.c b/kernel/dma/direct.c index 9596ae1aa0dac..fc2d10b2aca6f 100644 --- a/kernel/dma/direct.c +++ b/kernel/dma/direct.c @@ -295,7 +295,7 @@ void *dma_direct_alloc(struct device *dev, size_t size, } else { ret = page_address(page); if (dma_set_decrypted(dev, ret, size)) - goto out_free_pages; + goto out_leak_pages; } memset(ret, 0, size); @@ -316,6 +316,8 @@ void *dma_direct_alloc(struct device *dev, size_t size, out_free_pages: __dma_direct_free_pages(dev, page, size); return NULL; +out_leak_pages: + return NULL; } void dma_direct_free(struct device *dev, size_t size, @@ -378,12 +380,11 @@ struct page *dma_direct_alloc_pages(struct device *dev, size_t size, ret = page_address(page); if (dma_set_decrypted(dev, ret, size)) - goto out_free_pages; + goto out_leak_pages; memset(ret, 0, size); *dma_handle = phys_to_dma_direct(dev, page_to_phys(page)); return page; -out_free_pages: - __dma_direct_free_pages(dev, page, size); +out_leak_pages: return NULL; } -- 2.43.0