Message-ID: <ZHKaBQt8623s9+VK@nvidia.com>
Date:   Sat, 27 May 2023 21:02:13 -0300
From:   Jason Gunthorpe <jgg@...dia.com>
To:     Alistair Popple <apopple@...dia.com>
Cc:     Andrew Morton <akpm@...ux-foundation.org>, will@...nel.org,
        catalin.marinas@....com, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org, robin.murphy@....com,
        nicolinc@...dia.com, linux-arm-kernel@...ts.infradead.org,
        kvm@...r.kernel.org, John Hubbard <jhubbard@...dia.com>,
        zhi.wang.linux@...il.com, Sean Christopherson <seanjc@...gle.com>
Subject: Re: [PATCH 2/2] arm64: Notify on pte permission upgrades

On Wed, May 24, 2023 at 11:47:29AM +1000, Alistair Popple wrote:
> ARM64 requires TLB invalidates when upgrading pte permission from
> read-only to read-write. However mmu_notifiers assume upgrades do not
> need notifications and none are sent. This causes problems when a
> secondary TLB such as implemented by an ARM SMMU doesn't support
> broadcast TLB maintenance (BTM) and caches a read-only PTE.

I don't really like this design, but I see how you get here..

mmu notifiers behavior should not be tied to the architecture, they
are supposed to be generic reflections of what the MM is doing so that
they can be hooked into by general purpose drivers.

If you want to hardwire invalidate_range to be only for SVA cases that
actually share the page table itself and rely on some arch-defined
invalidation, then we should give the op a much better name and
discourage anyone else from abusing the new ops variable behavior.

> As no notification is sent and the SMMU does not snoop TLB invalidates
> it will continue to return read-only entries to a device even though
> the CPU page table contains a writable entry. This leads to a
> continually faulting device and no way of handling the fault.

Doesn't the fault generate a PRI/etc? If we get a PRI maybe we should
just have the iommu driver push an iotlb invalidation command before
it acks it? PRI is already really slow so I'm not sure a pipelined
invalidation is going to be a problem? Does the SMMU architecture
permit negative caching which would suggest we need it anyhow?

Jason
