Re: [BUG] crypto: ccree: driver does not handle case where cryptlen = authsize =0

From: Gilad Ben-Yossef
Date: Mon Mar 07 2022 - 08:22:16 EST

Next message: Krzysztof Kozlowski: "Re: [PATCH 2/2] dt-bindings: pwm: at91: Add SAMA7G5 compatible strings list"
Previous message: Vignesh Raghavendra: "Re: [PATCH V1] extcon/usb: Remove disable irq operation in system sleep."
In reply to: Robin Murphy: "Re: [BUG] crypto: ccree: driver does not handle case where cryptlen = authsize =0"
Next in thread: Gilad Ben-Yossef: "Re: [BUG] crypto: ccree: driver does not handle case where cryptlen = authsize =0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Mar 7, 2022 at 3:12 PM Robin Murphy <robin.murphy@xxxxxxx> wrote:
>
> On 2022-03-07 13:03, Robin Murphy wrote:
> > On 2022-03-07 12:47, Gilad Ben-Yossef wrote:
> >> On Mon, Mar 7, 2022 at 2:36 PM Robin Murphy <robin.murphy@xxxxxxx> wrote:
> >>>
> >>> On 2022-03-07 12:17, Gilad Ben-Yossef wrote:
> >>>> On Mon, Mar 7, 2022 at 1:14 PM Robin Murphy <robin.murphy@xxxxxxx>
> >>>> wrote:
> >>>>
> >>>>> The "overlap" is in the sense of having more than one mapping
> >>>>> within the
> >>>>> same cacheline:
> >>>>>
> >>>>> [ 142.458120] DMA-API: add_dma_entry start P=ba79f200 N=ba79f
> >>>>> D=ba79f200 L=10 DMA_FROM_DEVICE attrs=0
> >>>>> [ 142.458156] DMA-API: add_dma_entry start P=445dc010 N=445dc
> >>>>> D=445dc010 L=10 DMA_TO_DEVICE attrs=0
> >>>>> [ 142.458178] sun8i-ss 1c15000.crypto: SRC 0/1/1 445dc000 len=16 bi=0
> >>>>> [ 142.458215] sun8i-ss 1c15000.crypto: DST 0/1/1 ba79f200 len=16 bi=0
> >>>>> [ 142.458234] DMA-API: add_dma_entry start P=ba79f210 N=ba79f
> >>>>> D=ba79f210 L=10 DMA_FROM_DEVICE attrs=0
> >>>>>
> >>>>> This actually illustrates exactly the reason why this is
> >>>>> unsupportable.
> >>>>> ba79f200 is mapped for DMA_FROM_DEVICE, therefore subsequently mapping
> >>>>> ba79f210 for DMA_TO_DEVICE may cause the cacheline covering the range
> >>>>> ba79f200-ba79f23f to be written back over the top of data that the
> >>>>> device has already started to write to memory. Hello data corruption.
> >>>>>
> >>>>> Separate DMA mappings should be from separate memory allocations,
> >>>>> respecting ARCH_DMA_MINALIGN.
> >>>>
> >>>> hmm... I know I'm missing something here, but how does this align with
> >>>> the following from active_cacheline_insert() in kernel/dma/debug.c ?
> >>>>
> >>>> /* If the device is not writing memory then we don't have any
> >>>> * concerns about the cpu consuming stale data. This
> >>>> mitigates
> >>>> * legitimate usages of overlapping mappings.
> >>>> */
> >>>> if (entry->direction == DMA_TO_DEVICE)
> >>>> return 0;
> >>>
> >>> It's OK to have multiple mappings that are *all* DMA_TO_DEVICE, which
> >>> looks to be the case that this check was intended to allow. However I
> >>> think you're right that it should still actually check for conflicting
> >>> directions between the new entry and any existing ones, otherwise it
> >>> ends up a bit too lenient.
> >>>
> >>> Cheers,
> >>> Robin.
> >>
> >> I understand what you are saying about why checking for conflicting
> >> directions may be a good thing, but given that the code is as it is
> >> right now, how are we seeing the warning for two mapping that one of
> >> them is DMA_TO_DEVICE?
> >
> > Because it's the second one that isn't. The warning is triggered by
> > adding the DMA_FROM_DEVICE entry, which *is* checked, and finds the
> > DMA_TO_DEVICE entry already present. What's not great is that if those
> > two mappings happened to be made in the opposite order then it would be
> > missed entirely.
>
> Urgh, no, sorry, that's some imaginary conflation of the cacheline radix
> tree with the entry hash bucket...
>
> What's actually happened here is that I've failed to read the log
> properly and they're both DMA_FROM_DEVICE. But the potential problem of
> mixed-direction mappings being missed does still stand in general.

Ah, right!

OK, Now I feel a little better.

You know, I think that dma debug logic is oversimplified a bit in
other ways too.

Think for example about the scenario that started this - a (crypto,
but it doesn't matter) gets two sg lists - src and dst.
It will map the src for DMA_TO_DEVICE and the dst as DMA_FROM_DEVICE.

Now the two sg list might actually be one and the same or they might
be two different sg lists but referring to the exact same buffers.

So long as the driver DMA maps, says, the src first and then the dst,
or vice versa, and does not initiate any read/write from either the
CPU or device until the 2nd mapping, I would claim that this is
perfectly safe (same thing for not touching the buffer post the first
unmap and before the 2nd) and it does simplify the driver quite a bit
- but the dma debug logic will consider it an error right now.

Gilad

--
Gilad Ben-Yossef
Chief Coffee Drinker

values of β will give rise to dom!

Next message: Krzysztof Kozlowski: "Re: [PATCH 2/2] dt-bindings: pwm: at91: Add SAMA7G5 compatible strings list"
Previous message: Vignesh Raghavendra: "Re: [PATCH V1] extcon/usb: Remove disable irq operation in system sleep."
In reply to: Robin Murphy: "Re: [BUG] crypto: ccree: driver does not handle case where cryptlen = authsize =0"
Next in thread: Gilad Ben-Yossef: "Re: [BUG] crypto: ccree: driver does not handle case where cryptlen = authsize =0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]