| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 25 Mar 2022 11:25:25 +0100
From: Maxime Bizon <mbizon@...ebox.fr>
To: Linus Torvalds <torvalds@...ux-foundation.org>,
Toke Høiland-Jørgensen <toke@...e.dk>
Cc: Robin Murphy <robin.murphy@....com>,
Christoph Hellwig <hch@....de>,
Oleksandr Natalenko <oleksandr@...alenko.name>,
Halil Pasic <pasic@...ux.ibm.com>,
Marek Szyprowski <m.szyprowski@...sung.com>,
Kalle Valo <kvalo@...nel.org>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
Olha Cherevyk <olha.cherevyk@...il.com>,
iommu <iommu@...ts.linux-foundation.org>,
linux-wireless <linux-wireless@...r.kernel.org>,
Netdev <netdev@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable <stable@...r.kernel.org>
Subject: Re: [REGRESSION] Recent swiotlb DMA_FROM_DEVICE fixes break
ath9k-based AP
On Thu, 2022-03-24 at 12:26 -0700, Linus Torvalds wrote:
>
> It's actually very natural in that situation to flush the caches from
> the CPU side again. And so dma_sync_single_for_device() is a fairly
> reasonable thing to do in that situation.
>
In the non-cache-coherent scenario, and assuming dma_map() did an
initial cache invalidation, you can write this:
rx_buffer_complete_1(buf)
{
invalidate_cache(buf, size)
if (!is_ready(buf))
return;
<proceed with receive>
}
or
rx_buffer_complete_2(buf)
{
if (!is_ready(buf)) {
invalidate_cache(buf, size)
return;
}
<proceed with receive>
}
The latter is preferred for performance because dma_map() did the
initial invalidate.
Of course you could write:
rx_buffer_complete_3(buf)
{
invalidate_cache(buf, size)
if
(!is_ready(buf)) {
invalidate_cache(buf, size)
return;
}
<proceed with receive>
}
but it's a waste of CPU cycles
So I'd be very cautious assuming sync_for_cpu() and sync_for_device()
are both doing invalidation in existing implementation of arch DMA ops,
implementers may have taken some liberty around DMA-API to avoid
unnecessary cache operation (not to blame them).
For example looking at arch/arm/mm/dma-mapping.c, for DMA_FROM_DEVICE
sync_single_for_device()
=> __dma_page_cpu_to_dev()
=> dma_cache_maint_page(op=dmac_map_area)
=> cpu_cache.dma_map_area()
sync_single_for_cpu()
=> __dma_page_dev_to_cpu()
=>
__dma_page_cpu_to_dev(op=dmac_unmap_area)
=>
cpu_cache.dma_unmap_area()
dma_map_area() always does cache invalidate.
But for a couple of CPU variant, dma_unmap_area() is a noop, so
sync_for_cpu() does nothing.
Toke's patch will break ath9k on those platforms (mostly silent
breakage, rx corruption leading to bad performance)
> There's a fair number of those dma_sync_single_for_device() things
> all over. Could we find mis-uses and warn about them some way? It
> seems to be a very natural thing to do in this context, but bounce
> buffering does make them very fragile.
At least in network drivers, there are at least two patterns:
1) The issue at hand, hardware mixing rx_status and data inside the
same area. Usually very old hardware, very quick grep in network
drivers only revealed slicoss.c. Probably would have gone unnoticed if
ath9k hardware wasn't so common.
2) The very common "copy break" pattern. If a received packet is
smaller than a certain threshold, the driver rx path is changed to do:
sync_for_cpu()
alloc_small_skb()
memcpy(small_skb, rx_buffer_data)
sync_for_device()
Original skb is left in the hardware, this reduces memory wasted.
This pattern is completely valid wrt DMA-API, the buffer is always
either owned by CPU or device.
--
Maxime
Powered by blists - more mailing lists