| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260121143150.GD13201@unreal> Date: Wed, 21 Jan 2026 16:31:50 +0200 From: Leon Romanovsky <leon@...nel.org> To: Christian König <christian.koenig@....com> Cc: Jason Gunthorpe <jgg@...pe.ca>, Sumit Semwal <sumit.semwal@...aro.org>, Alex Deucher <alexander.deucher@....com>, David Airlie <airlied@...il.com>, Simona Vetter <simona@...ll.ch>, Gerd Hoffmann <kraxel@...hat.com>, Dmitry Osipenko <dmitry.osipenko@...labora.com>, Gurchetan Singh <gurchetansingh@...omium.org>, Chia-I Wu <olvaffe@...il.com>, Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>, Maxime Ripard <mripard@...nel.org>, Thomas Zimmermann <tzimmermann@...e.de>, Lucas De Marchi <lucas.demarchi@...el.com>, Thomas Hellström <thomas.hellstrom@...ux.intel.com>, Rodrigo Vivi <rodrigo.vivi@...el.com>, Kevin Tian <kevin.tian@...el.com>, Joerg Roedel <joro@...tes.org>, Will Deacon <will@...nel.org>, Robin Murphy <robin.murphy@....com>, Felix Kuehling <Felix.Kuehling@....com>, Alex Williamson <alex@...zbot.org>, Ankit Agrawal <ankita@...dia.com>, Vivek Kasireddy <vivek.kasireddy@...el.com>, linux-media@...r.kernel.org, dri-devel@...ts.freedesktop.org, linaro-mm-sig@...ts.linaro.org, linux-kernel@...r.kernel.org, amd-gfx@...ts.freedesktop.org, virtualization@...ts.linux.dev, intel-xe@...ts.freedesktop.org, linux-rdma@...r.kernel.org, iommu@...ts.linux.dev, kvm@...r.kernel.org Subject: Re: [PATCH v3 3/7] dma-buf: Document RDMA non-ODP invalidate_mapping() special case On Wed, Jan 21, 2026 at 03:15:46PM +0100, Christian König wrote: > On 1/21/26 14:59, Jason Gunthorpe wrote: > > On Wed, Jan 21, 2026 at 02:52:53PM +0100, Christian König wrote: > >> On 1/21/26 14:18, Jason Gunthorpe wrote: > >>> On Wed, Jan 21, 2026 at 10:17:16AM +0100, Christian König wrote: > >>>> The whole idea is to make invalidate_mappings truly optional. > >>> > >>> But it's not really optional! It's absence means we are ignoring UAF > >>> security issues when the exporters do their move_notify() and nothing > >>> happens. > >> > >> No that is unproblematic. > >> > >> See the invalidate_mappings callback just tells the importer that > >> the mapping in question can't be relied on any more. > >> > >> But the mapping is truly freed only by the importer calling > >> dma_buf_unmap_attachment(). > >> > >> In other words the invalidate_mappings give the signal to the > >> importer to disable all operations and the > >> dma_buf_unmap_attachment() is the signal from the importer that the > >> housekeeping structures can be freed and the underlying address > >> space or backing object re-used. > > > > I see > > > > Can we document this please, I haven't seen this scheme described > > anyhwere. > > > > And let's clarify what I said in my other email that this new revoke > > semantic is not just a signal to maybe someday unmap but a hard > > barrier that it must be done once the fences complete, similar to > > non-pinned importers. > > Well, I would avoid that semantics. > > Even when the exporter requests the mapping to be invalidated it does not mean that the mapping can go away immediately. > > It's fine when accesses initiated after an invalidation and then waiting for fences go into nirvana and have undefined results, but they should not trigger PCI AER, warnings from the IOMMU or even worse end up in some MMIO BAR of a newly attached devices. > > So if the exporter wants to be 100% sure that nobody is using the mapping any more then it needs to wait for the importer to call dma_buf_unmap_attachment(). > > > The cover letter should be clarified with this understanding too. > > Yeah, completely agree. We really need to flash out that semantics in the documentation. Someone knowledgeable needs to document this properly, either in the code or in the official documentation. A cover letter is not the right place for subtle design decisions. Thanks > > Regards, > Christian. > > > > > Jason >
Powered by blists - more mailing lists