Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp211333pxb; Wed, 23 Mar 2022 16:32:51 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzvGVTMsQ9INKstV9+63B0/76HFiX6qajgRFf0FtUCdDLPibOE5T0xLQDAm+2A6SLZWwtP+ X-Received: by 2002:a05:6402:5243:b0:419:4ce2:cb5c with SMTP id t3-20020a056402524300b004194ce2cb5cmr3285053edd.151.1648078371033; Wed, 23 Mar 2022 16:32:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1648078371; cv=none; d=google.com; s=arc-20160816; b=W+rfswhRu41WITbMBEkjpaBPVP16kSpXHNdDnUvmJl4Ma/k/wBF8CE1pnZDslnfiuy IKuE13HOB3h3kYrfqfHXZd7wbnF2iRW2VnIX6G6GVXuSgNBRccL0sq0QWQrrC5IXpduc nGA3Lr3xB0nR2xYypRulY0nD917oqM71K03TjOCRMosnMzm9snPohaS5Kytxts7HVXT6 qOrsh/VUNYNQVptb/heA5BBp2vgEh4lkwiv8nsupcFud+9ImTKuUJm2d2aHo8nLJ5R+8 7LIeriZG1Xe2sholNW+8rTLvGET8XsnhKnqhhb8LB7nP+J7tAQU0UV1b/bqGjnDwyKJx JLWg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=l31r+W7LBgruLkZdrQOyrr0ZyUI7gPwysXW3Jyl3DS8=; b=tsdf6yLk8PaAJGc0H17Zld8RHnniwrfE6+geSOkaCBLKQxVzDyBS3qjy+ltoctobqQ YXs6b/FzCZtDDKGlxwD8pq/L3ZGril+xoUD9dfgTwO6hb7ELA1pbIFM7SKYcMcL+etcK nYSKmVNxhzpPXf2zHFqoa4lvr1chbBRSP1a/Az57YhDzbu/LFTFfDgm325p1Ffg+UIdf 5b3iNtEZDLfEl3qqtr58jHEHcpn7KTW3/hb/Sn5QJ72c8WvYUKwiBWTM1tJe0SU+MkiS HeTy4vEJo28lxkTNpUPCvEucNPNj70ACVDmymsgSvc1scy4quakeP8RGsMZ2aorxfU07 AUBQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id f9-20020a170906738900b006df76385c29si11860569ejl.201.2022.03.23.16.32.25; Wed, 23 Mar 2022 16:32:51 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344827AbiCWUzs (ORCPT + 70 others); Wed, 23 Mar 2022 16:55:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59714 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244002AbiCWUzq (ORCPT ); Wed, 23 Mar 2022 16:55:46 -0400 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 2318B8AE78; Wed, 23 Mar 2022 13:54:16 -0700 (PDT) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 5E8E4D6E; Wed, 23 Mar 2022 13:54:15 -0700 (PDT) Received: from [10.57.43.230] (unknown [10.57.43.230]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 9CBF03F73B; Wed, 23 Mar 2022 13:54:12 -0700 (PDT) Message-ID: Date: Wed, 23 Mar 2022 20:54:08 +0000 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Thunderbird/91.7.0 Subject: Re: [REGRESSION] Recent swiotlb DMA_FROM_DEVICE fixes break ath9k-based AP Content-Language: en-GB To: Linus Torvalds Cc: Oleksandr Natalenko , Halil Pasic , Christoph Hellwig , Marek Szyprowski , =?UTF-8?Q?Toke_H=c3=b8iland-J=c3=b8rgensen?= , Kalle Valo , "David S. Miller" , Jakub Kicinski , Paolo Abeni , Olha Cherevyk , iommu , linux-wireless , Netdev , Linux Kernel Mailing List , Greg Kroah-Hartman , stable References: <1812355.tdWV9SEqCh@natalenko.name> <27b5a287-7a33-9a8b-ad6d-04746735fb0c@arm.com> From: Robin Murphy In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org On 2022-03-23 19:16, Linus Torvalds wrote: > On Wed, Mar 23, 2022 at 12:06 PM Robin Murphy wrote: >> >> On 2022-03-23 17:27, Linus Torvalds wrote: >>> >>> I'm assuming that the ath9k issue is that it gives DMA mapping a big >>> enough area to handle any possible packet size, and just expects - >>> quite reasonably - smaller packets to only fill the part they need. >>> >>> Which that "info leak" patch obviously breaks entirely. >> >> Except that's the exact case which the new patch is addressing > > Not "addressing". Breaking. > > Which is why it will almost certainly get reverted. > > Not doing DMA to the whole area seems to be quite the sane thing to do > for things like network packets, and overwriting the part that didn't > get DMA'd with zeroes seems to be exactly the wrong thing here. > > So the SG_IO - and other random untrusted block command sources - data > leak will almost certainly have to be addressed differently. Possibly > by simply allocating the area with GFP_ZERO to begin with. Er, the point of the block layer case is that whole area *is* zeroed to begin with, and a latent memory corruption problem in SWIOTLB itself replaces those zeros with random other kernel data unexpectedly. Let me try illustrating some sequences for clarity... Expected behaviour/without SWIOTLB: Memory --------------------------------------------------- start 12345678 dma_map(DMA_FROM_DEVICE) no-op device writes partial data 12ABC678 <- ABC dma_unmap(DMA_FROM_DEVICE) 12ABC678 SWIOTLB previously: Memory Bounce buffer --------------------------------------------------- start 12345678 xxxxxxxx dma_map(DMA_FROM_DEVICE) no-op device writes partial data 12345678 xxABCxxx <- ABC dma_unmap(DMA_FROM_DEVICE) xxABCxxx <- xxABCxxx SWIOTLB Now: Memory Bounce buffer --------------------------------------------------- start 12345678 xxxxxxxx dma_map(DMA_FROM_DEVICE) 12345678 -> 12345678 device writes partial data 12345678 12ABC678 <- ABC dma_unmap(DMA_FROM_DEVICE) 12ABC678 <- 12ABC678 Now, sure we can prevent any actual information leakage by initialising the bounce buffer slot with zeros, but then we're just corrupting the not-written-to parts of the mapping with zeros instead of anyone else's old data. That's still fundamentally not OK. The only thing SWIOTLB can do to be correct is treat DMA_FROM_DEVICE as a read-modify-write of the entire mapping, because it has no way to know how much of it is actually going to be modified. I'll admit I still never quite grasped the reason for also adding the override to swiotlb_sync_single_for_device() in aa6f8dcbab47, but I think by that point we were increasingly tired and confused and starting to second-guess ourselves (well, I was, at least). I don't think it's wrong per se, but as I said I do think it can bite anyone who's been doing dma_sync_*() wrong but getting away with it until now. If ddbd89deb7d3 alone turns out to work OK then I'd be inclined to try a partial revert of just that one hunk. Thanks, Robin.