| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 10 Oct 2016 05:01:25 -0400 (EDT)
From: David Miller <davem@...emloft.net>
To: nikita.yoush@...entembedded.com
Cc: jeffrey.t.kirsher@...el.com, intel-wired-lan@...ts.osuosl.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
cphealy@...il.com
Subject: Re: igb driver can cause cache invalidation of non-owned memory?
From: Nikita Yushchenko <nikita.yoush@...entembedded.com>
Date: Mon, 10 Oct 2016 11:52:06 +0300
> With this scheme, page used for Rx is completely dma_map()ed at
> allocation time, split into two buffers, and individual buffer is
> sync_to_cpu()ed AND PASSED TO NETWORK STACK via skb_add_rx_frag() -
> while driver driver still uses other buffer. Later, when driver decides
> to no longer use this page, it will dma_unmap() it completely - which on
> archs with non-coherent caches means cache invalidation. This cache
> invalidation will include area that is already passed elsewhere.
This should happen only if the device wrote into that piece of the
memory which it absolutely should not.
When the dma sync occurs, no dirty data should be in the caches for
the portion of the page any more, and therefore nothing should be
written back unless the device illegally wrote to that part of the
page again.
If something is causing data to be written back even if the device
doesn't write into that area again, it's a bug.
And FWIW the swiommu code has this bug. It should never (re-)copy
back into the mapped area after a sync unless the device wrote into
that area in the time between the sync and the unmap.
Powered by blists - more mailing lists