From patchwork Tue Oct 17 20:24:59 2023
X-Patchwork-Submitter: Rick Edgecombe
X-Patchwork-Id: 13426023
From: Rick Edgecombe
To: x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, elena.reshetova@intel.com, isaku.yamahata@intel.com, seanjc@google.com, Michael Kelley , thomas.lendacky@amd.com, decui@microsoft.com, sathyanarayanan.kuppuswamy@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org
Cc: rick.p.edgecombe@intel.com, Christoph Hellwig , Marek Szyprowski , Robin Murphy , iommu@lists.linux.dev
Subject: [PATCH 04/10] swiotlb: Use free_decrypted_pages()
Date: Tue, 17 Oct 2023 13:24:59 -0700
Message-Id: <20231017202505.340906-5-rick.p.edgecombe@intel.com>
In-Reply-To: <20231017202505.340906-1-rick.p.edgecombe@intel.com>
References: <20231017202505.340906-1-rick.p.edgecombe@intel.com>

On TDX it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.

Swiotlb could free decrypted/shared pages if set_memory_decrypted() fails. Use the recently added free_decrypted_pages() to avoid this.

In swiotlb_exit(), check for set_memory_encrypted() errors manually, because the pages are not necessarily going to the page allocator.

Cc: Christoph Hellwig
Cc: Marek Szyprowski
Cc: Robin Murphy
Cc: iommu@lists.linux.dev
Signed-off-by: Rick Edgecombe
--- kernel/dma/swiotlb.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c index 394494a6b1f3..ad06786c4f98 100644 --- a/kernel/dma/swiotlb.c +++ b/kernel/dma/swiotlb.c @@ -524,6 +524,7 @@ void __init swiotlb_exit(void) unsigned long tbl_vaddr; size_t tbl_size, slots_size; unsigned int area_order; + int ret; if (swiotlb_force_bounce) return; @@ -536,17 +537,19 @@ void __init swiotlb_exit(void) tbl_size = PAGE_ALIGN(mem->end - mem->start); slots_size = PAGE_ALIGN(array_size(sizeof(*mem->slots), mem->nslabs)); - set_memory_encrypted(tbl_vaddr, tbl_size >> PAGE_SHIFT); + ret = set_memory_encrypted(tbl_vaddr, tbl_size >> PAGE_SHIFT); if (mem->late_alloc) { area_order = get_order(array_size(sizeof(*mem->areas), mem->nareas)); free_pages((unsigned long)mem->areas, area_order); - free_pages(tbl_vaddr, get_order(tbl_size)); + if (!ret) + free_pages(tbl_vaddr, get_order(tbl_size)); free_pages((unsigned long)mem->slots, get_order(slots_size)); } else { memblock_free_late(__pa(mem->areas), array_size(sizeof(*mem->areas), mem->nareas)); - memblock_free_late(mem->start, tbl_size); + if (!ret) + memblock_free_late(mem->start, tbl_size); memblock_free_late(__pa(mem->slots), slots_size); } @@ -581,7 +584,7 @@ static struct page *alloc_dma_pages(gfp_t gfp, size_t bytes) return page; error: - __free_pages(page, order); + free_decrypted_pages((unsigned long)vaddr, order); return NULL; }
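Review bot: In the swiotlb_exit() hunk (@@ -536,17 +537,19 @@), a non-zero ret from set_memory_encrypted() causes both free_pages(tbl_vaddr, get_order(tbl_size)) and memblock_free_late(mem->start, tbl_size) to be skipped without any message, so the bounce buffer is leaked silently. Leaking is the right choice for memory that may still be shared with the host, but the failure should be visible: a pr_warn() or WARN_ONCE() where ret is checked would record that tbl_size bytes were intentionally not returned. A short comment above the "if (!ret)" lines saying that the pages are deliberately leaked because they may still be decrypted would also keep a later cleanup from "fixing" the apparent leak. Since ret is tested in both branches of the if (mem->late_alloc) block, the error handling and warning could be done once right after the set_memory_encrypted() call.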
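Review bot: In the alloc_dma_pages() hunk (@@ -581,7 +584,7 @@), the error path now frees by vaddr instead of by page, and the visible lines do not show where vaddr is assigned, so it is not possible to confirm from the hunk that vaddr is set and refers to the same allocation on every path that can reach the error: label. Please confirm that no goto error can run before vaddr is initialised, or pass page_address(page) at the call site so the free is visibly tied to the page being released. It would also help to add a one-line comment at error: stating that free_decrypted_pages() is used because set_memory_decrypted() may have failed with the memory left shared, which is the reason given in the commit message but not in the code.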