lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 30 Apr 2019 10:53:48 +0100
From:   Robin Murphy <>
To:     Lu Baolu <>, Christoph Hellwig <>
Cc:     David Woodhouse <>,
        Joerg Roedel <>,,,,,,,
        Konrad Rzeszutek Wilk <>,
        Marek Szyprowski <>,,
Subject: Re: [PATCH v3 02/10] swiotlb: Factor out slot allocation and free

On 30/04/2019 03:02, Lu Baolu wrote:
> Hi Robin,
> On 4/29/19 7:06 PM, Robin Murphy wrote:
>> On 29/04/2019 06:10, Lu Baolu wrote:
>>> Hi Christoph,
>>> On 4/26/19 11:04 PM, Christoph Hellwig wrote:
>>>> On Thu, Apr 25, 2019 at 10:07:19AM +0800, Lu Baolu wrote:
>>>>> This is not VT-d specific. It's just how generic IOMMU works.
>>>>> Normally, IOMMU works in paging mode. So if a driver issues DMA with
>>>>> IOVA  0xAAAA0123, IOMMU can remap it with a physical address 
>>>>> 0xBBBB0123.
>>>>> But we should never expect IOMMU to remap 0xAAAA0123 with physical
>>>>> address of 0xBBBB0000. That's the reason why I said that IOMMU will 
>>>>> not
>>>>> work there.
>>>> Well, with the iommu it doesn't happen.  With swiotlb it obviosuly
>>>> can happen, so drivers are fine with it.  Why would that suddenly
>>>> become an issue when swiotlb is called from the iommu code?
>>> I would say IOMMU is DMA remapping, not DMA engine. :-)
>> I'm not sure I really follow the issue here - if we're copying the 
>> buffer to the bounce page(s) there's no conceptual difference from 
>> copying it to SWIOTLB slot(s), so there should be no need to worry 
>> about the original in-page offset.
>>  From the reply up-thread I guess you're trying to include an 
>> optimisation to only copy the head and tail of the buffer if it spans 
>> multiple pages, and directly map the ones in the middle, but AFAICS 
>> that's going to tie you to also using strict mode for TLB maintenance, 
>> which may not be a win overall depending on the balance between 
>> invalidation bandwidth vs. memcpy bandwidth. At least if we use 
>> standard SWIOTLB logic to always copy the whole thing, we should be 
>> able to release the bounce pages via the flush queue to allow 'safe' 
>> lazy unmaps.
> With respect, even we use the standard SWIOTLB logic, we need to use
> the strict mode for TLB maintenance.
> Say, some swiotbl slots are used by untrusted device for bounce page
> purpose. When the device driver unmaps the IOVA, the slots are freed but
> the mapping is still cached in IOTLB, hence the untrusted device is 
> still able to access the slots. Then the slots are allocated to other
> devices. This makes it possible for the untrusted device to access
> the data buffer of other devices.

Sure, that's indeed how it would work right now - however since the 
bounce pages will be freed and reused by the DMA API layer itself (at 
the same level as the IOVAs) I see no technical reason why we couldn't 
investigate deferred freeing as a future optimisation.


Powered by blists - more mailing lists