On Wed, Oct 02, 2019 at 10:15:43PM +0100, Robin Murphy wrote: > Hi Kees, > > On 2019-10-02 9:46 pm, Kees Cook wrote: > > As we've seen from USB and other areas, we need to always do runtime > > checks for DMA operating on memory regions that might be remapped. This > > consolidates the (existing!) checks and makes them on by default. A > > warning will be triggered for any drivers still using DMA on the stack > > (as has been seen in a few recent reports). > > > > Suggested-by: Laura Abbott <labb...@redhat.com> > > Signed-off-by: Kees Cook <keesc...@chromium.org> > > --- > > include/linux/dma-debug.h | 8 -------- > > include/linux/dma-mapping.h | 8 +++++++- > > kernel/dma/debug.c | 16 ---------------- > > 3 files changed, 7 insertions(+), 25 deletions(-) > > > > diff --git a/include/linux/dma-debug.h b/include/linux/dma-debug.h > > index 4208f94d93f7..2af9765d9af7 100644 > > --- a/include/linux/dma-debug.h > > +++ b/include/linux/dma-debug.h > > @@ -18,9 +18,6 @@ struct bus_type; > > extern void dma_debug_add_bus(struct bus_type *bus); > > -extern void debug_dma_map_single(struct device *dev, const void *addr, > > - unsigned long len); > > - > > extern void debug_dma_map_page(struct device *dev, struct page *page, > > size_t offset, size_t size, > > int direction, dma_addr_t dma_addr); > > @@ -75,11 +72,6 @@ static inline void dma_debug_add_bus(struct bus_type > > *bus) > > { > > } > > -static inline void debug_dma_map_single(struct device *dev, const void > > *addr, > > - unsigned long len) > > -{ > > -} > > - > > static inline void debug_dma_map_page(struct device *dev, struct page > > *page, > > size_t offset, size_t size, > > int direction, dma_addr_t dma_addr) > > diff --git a/include/linux/dma-mapping.h b/include/linux/dma-mapping.h > > index 4a1c4fca475a..2d6b8382eab1 100644 > > --- a/include/linux/dma-mapping.h > > +++ b/include/linux/dma-mapping.h > > @@ -583,7 +583,13 @@ static inline unsigned long > > dma_get_merge_boundary(struct device *dev) > > static inline dma_addr_t dma_map_single_attrs(struct device *dev, void > > *ptr, > > size_t size, enum dma_data_direction dir, unsigned long attrs) > > { > > - debug_dma_map_single(dev, ptr, size); > > + /* DMA must never operate on stack or other remappable places. */ > > + WARN_ONCE(is_vmalloc_addr(ptr) || !virt_addr_valid(ptr), > > This stands to absolutely cripple I/O performance on arm64, because every > valid call will end up going off and scanning the memblock list, which is > not something we want on a fastpath in non-debug configurations. We'd need a > much better solution to the "pfn_valid() vs. EFI no-map" problem before this > might be viable.
Ah! Interesting. I didn't realize this was fast-path (I don't know the DMA code at all). I thought it was more of a "one time setup" before actual DMA activity started. Regardless, is_vmalloc_addr() is extremely light (a bounds check), and is the most important part of this as far as catching stack-based DMA attempts. I thought virt_addr_valid() was cheap too, but I see it's much heavier on arm64. I just went to compare what the existing USB check does, and it happens immediately before its call to dma_map_single(). Both checks are simple bounds checks, so it shouldn't be an issue: if (is_vmalloc_addr(urb->setup_packet)) { WARN_ONCE(1, "setup packet is not dma capable\n"); return -EAGAIN; } else if (object_is_on_stack(urb->setup_packet)) { WARN_ONCE(1, "setup packet is on stack\n"); return -EAGAIN; } urb->setup_dma = dma_map_single( hcd->self.sysdev, urb->setup_packet, sizeof(struct usb_ctrlrequest), In the USB case, it'll actually refuse to do the operation. Should dma_map_single() similarly fail? I could push these checks down into dma_map_single(), which would be a no-change on behavior for USB and gain the checks on all other callers... -- Kees Cook