From: Laura Abbott <labbott@redhat.com>
To: Liam Mark <lmark@codeaurora.org>, Sumit Semwal <sumit.semwal@linaro.org>
Cc: devel@driverdev.osuosl.org, "Todd Kjos" <tkjos@android.com>,
linux-kernel@vger.kernel.org, linaro-mm-sig@lists.linaro.org,
"Arve Hjønnevåg" <arve@android.com>,
"Martijn Coenen" <maco@android.com>,
linux-arm-kernel@lists.infradead.org
Subject: Re: [RFC] android: ion: How to properly clean caches for uncached allocations
Date: Wed, 7 Mar 2018 15:15:01 -0800 [thread overview]
Message-ID: <b1479541-13bd-85ea-f9c7-25264c91f9b9@redhat.com> (raw)
In-Reply-To: <alpine.DEB.2.02.1802282111320.22860@lmark-linux.qualcomm.com>
On 02/28/2018 09:18 PM, Liam Mark wrote:
> The issue:
>
> Currently in ION if you allocate uncached memory it is possible that there
> are still dirty lines in the cache. And often these dirty lines in the
> cache are the zeros which were meant to clear out any sensitive kernel
> data.
>
> What this means is that if you allocate uncached memory from ION, and then
> subsequently write to that buffer (using the uncached mapping you are
> provided by ION) then the data you have written could be corrupted at some
> point in the future if a dirty line is evicted from the cache.
>
> Also this means there is a potential security issue. If an un-privileged
> userspace user allocated uncached memory (for example from the system heap)
> and then if they were to read from that buffer (through the un-cached
> mapping they are provided by ION), and if some of the zeros which were
> written to that memory are still in the cache then this un-privileged
> userspace user could read potentially sensitive kernel data.
For the use case you are describing we don't actually need the
memory to be non-cached until it comes time to do the dma mapping.
Here's a proposal to shoot holes in:
- Before any dma_buf attach happens, all mmap mappings are cached
- At the time attach happens, we shoot down any existing userspace
mappings, do the dma_map with appropriate flags to clean the pages
and then allow remapping to userspace as uncached. Really this
looks like a variation on the old Ion faulting code which I removed
except it's for uncached buffers instead of cached buffers.
Potential problems:
- I'm not 100% about the behavior here if the attaching device
is already dma_coherent. I also consider uncached mappings
enough of a device specific optimization that you shouldn't
do them unless you know it's needed.
- The locking/sequencing with userspace could be tricky
since userspace may not like us ripping mappings out from
underneath if it's trying to access.
Thoughts?
Thanks,
Laura
_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
WARNING: multiple messages have this Message-ID (diff)
From: labbott@redhat.com (Laura Abbott)
To: linux-arm-kernel@lists.infradead.org
Subject: [RFC] android: ion: How to properly clean caches for uncached allocations
Date: Wed, 7 Mar 2018 15:15:01 -0800 [thread overview]
Message-ID: <b1479541-13bd-85ea-f9c7-25264c91f9b9@redhat.com> (raw)
In-Reply-To: <alpine.DEB.2.02.1802282111320.22860@lmark-linux.qualcomm.com>
On 02/28/2018 09:18 PM, Liam Mark wrote:
> The issue:
>
> Currently in ION if you allocate uncached memory it is possible that there
> are still dirty lines in the cache. And often these dirty lines in the
> cache are the zeros which were meant to clear out any sensitive kernel
> data.
>
> What this means is that if you allocate uncached memory from ION, and then
> subsequently write to that buffer (using the uncached mapping you are
> provided by ION) then the data you have written could be corrupted at some
> point in the future if a dirty line is evicted from the cache.
>
> Also this means there is a potential security issue. If an un-privileged
> userspace user allocated uncached memory (for example from the system heap)
> and then if they were to read from that buffer (through the un-cached
> mapping they are provided by ION), and if some of the zeros which were
> written to that memory are still in the cache then this un-privileged
> userspace user could read potentially sensitive kernel data.
For the use case you are describing we don't actually need the
memory to be non-cached until it comes time to do the dma mapping.
Here's a proposal to shoot holes in:
- Before any dma_buf attach happens, all mmap mappings are cached
- At the time attach happens, we shoot down any existing userspace
mappings, do the dma_map with appropriate flags to clean the pages
and then allow remapping to userspace as uncached. Really this
looks like a variation on the old Ion faulting code which I removed
except it's for uncached buffers instead of cached buffers.
Potential problems:
- I'm not 100% about the behavior here if the attaching device
is already dma_coherent. I also consider uncached mappings
enough of a device specific optimization that you shouldn't
do them unless you know it's needed.
- The locking/sequencing with userspace could be tricky
since userspace may not like us ripping mappings out from
underneath if it's trying to access.
Thoughts?
Thanks,
Laura
next prev parent reply other threads:[~2018-03-07 23:15 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-01 5:18 [RFC] android: ion: How to properly clean caches for uncached allocations Liam Mark
2018-03-01 5:18 ` Liam Mark
2018-03-07 23:15 ` Laura Abbott [this message]
2018-03-07 23:15 ` Laura Abbott
2018-03-09 0:45 ` Liam Mark
2018-03-09 0:45 ` Liam Mark
2018-03-09 2:01 ` Laura Abbott
2018-03-09 2:01 ` Laura Abbott
2018-11-01 22:15 ` [RFC PATCH v2] " Liam Mark
2018-11-01 22:15 ` Liam Mark
2018-11-01 22:15 ` Liam Mark
2018-11-02 19:01 ` John Stultz
2018-11-02 19:01 ` John Stultz
2018-11-02 19:01 ` John Stultz
2018-11-06 21:20 ` Liam Mark
2018-11-06 21:20 ` Liam Mark
2018-11-20 16:46 ` Brian Starkey
2018-11-20 16:46 ` Brian Starkey
2018-11-20 16:46 ` Brian Starkey
2018-11-27 4:59 ` Liam Mark
2018-11-27 4:59 ` Liam Mark
2018-11-27 4:59 ` Liam Mark
2018-11-27 10:35 ` Brian Starkey
2018-11-27 10:35 ` Brian Starkey
2018-11-27 10:35 ` Brian Starkey
2018-11-28 6:46 ` Liam Mark
2018-11-28 6:46 ` Liam Mark
2018-11-28 6:46 ` Liam Mark
2018-11-28 11:10 ` Brian Starkey
2018-11-28 11:10 ` Brian Starkey
2018-11-28 11:10 ` Brian Starkey
2018-11-29 7:03 ` Liam Mark
2018-11-29 7:03 ` Liam Mark
2018-11-29 7:03 ` Liam Mark
2018-11-29 14:14 ` Brian Starkey
2018-11-29 14:14 ` Brian Starkey
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b1479541-13bd-85ea-f9c7-25264c91f9b9@redhat.com \
--to=labbott@redhat.com \
--cc=arve@android.com \
--cc=devel@driverdev.osuosl.org \
--cc=linaro-mm-sig@lists.linaro.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lmark@codeaurora.org \
--cc=maco@android.com \
--cc=sumit.semwal@linaro.org \
--cc=tkjos@android.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.