Received: by 10.223.185.116 with SMTP id b49csp4618097wrg; Mon, 26 Feb 2018 22:53:56 -0800 (PST) X-Google-Smtp-Source: AG47ELsMpQ6srzt+Yq3vZChUk7ydqIbkj/Zalz5h75Ikbz0jiQU/Vvla5KGWyMZQS2M6TDZMOtPU X-Received: by 2002:a17:902:28c3:: with SMTP id f61-v6mr2375033plb.346.1519714436037; Mon, 26 Feb 2018 22:53:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519714436; cv=none; d=google.com; s=arc-20160816; b=LXDypAZYnLM0zdwjgad0Yv/ip7SHaoHMYUIpa3T5cS9JQer23fll193PA8ZCRVHkbd WcC/kMRwFEhn5AXJztwGwMhInUBO66F6LcnKbByBEYQgqgVOVIk+G+UBjVhIrQr1VlED dNfSPCcNB36lECL4uyVm8iZZZLyaDvm6ZUGk45lCPshX4kEeGzYZq7fu8YFUItfZiUJ2 BJQwrjaJEp6ShUbv32vIZolT1KW7qQUNBTd2CSiJ9Beh/8dCZo1gPNSJRmyVvKtq6pmJ 6QRvlqy2hQSyZY6Fa/lZU7ivjaFl5OOvpbRjSzQS2XTjBgAhyJ7xx1mcO2BOb8DkfUlq Q/BA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:from:references:to:subject:dkim-signature :arc-authentication-results; bh=RQxiPWfPIY3tT40qYcqRhJobEV4en1Rharp/ZvdJwZs=; b=kAwm7onVIi2fTPeo6wzL44DBeF2uUQUqu8Ea/CQBoNoYlxNeFxSaoT79xZizcqjYmz mXpDtZOc0baiSNa33969FUQEZZenvmM4hwSRIyazh4Jvubo1RKQr71VwA/7YxaBHk9I1 T9Px1Ya800HYeoL6rEvHHVKwelphKzQ3nahvVqvfZZOgjJXDFtHFeowVQ5N0xBCHA99c UW+ZKsTmjfbeDJjZhMqBRjznxQz3jadoGgvg5cSw3TbT/g2/NMaiNNcfAoNDcAT8qWNn q0OF3IfbbQb96yjfEUWKu5G7UV2cINGT6tDGgubpTL7ExJs/T90VTUiNs+ffbQewm2lg AUWA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=uWas84uM; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t12si6647387pgf.575.2018.02.26.22.53.40; Mon, 26 Feb 2018 22:53:56 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=uWas84uM; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752028AbeB0Gwh (ORCPT + 99 others); Tue, 27 Feb 2018 01:52:37 -0500 Received: from mail-lf0-f65.google.com ([209.85.215.65]:40460 "EHLO mail-lf0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751128AbeB0Gwg (ORCPT ); Tue, 27 Feb 2018 01:52:36 -0500 Received: by mail-lf0-f65.google.com with SMTP id 37so25880661lfs.7 for ; Mon, 26 Feb 2018 22:52:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding:content-language; bh=RQxiPWfPIY3tT40qYcqRhJobEV4en1Rharp/ZvdJwZs=; b=uWas84uMyzdTv+9Mgxp/9Q0btmFuV0U5DiSWC7ru8PrLr9DiJXSVNtlcRA4uoN5Zj8 XIRT25vhZQ7WAMB7++0oqcyA2O1usabCPHodQg+bbXyF4SZ7cmcwHrplCvgoqYDOTAJT 0AzdJD0jfnA+ItcOuY63zBgc7kNSIAbunFlUyEJT89ddw2Sa/s48dzwwK3ZUXaQbjw+M vknIY7WAVU21rU41NA18vKAVr53EqOZhyTqXqgtKWy1+DxAz3jlxeDLBsYx7Ot0Zk/b6 z1pGeEwADDNMKFyrcGLVobvZrW4q5g0/XvsF+S0BiLTRLNR4+hFNRYy/jn05Ez490YCm 1+Vw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=RQxiPWfPIY3tT40qYcqRhJobEV4en1Rharp/ZvdJwZs=; b=BeDYovr/UfmQXRGMJJMWnq4ERAbBDneLx50kfR/kPEfbZO7Sk+LMFdR+XAxjMms9pJ 7dl2eXJeCAstN8lAyCL8vd4YLESMj+IuHUbZY/Dt0i6hanZucrlIZbMnBdZr0sJfQ6Wh 52DO3AJb+w5jBaSSybQbsoo6GPKRHGR9CR4LwbuXS9Lttd7mpmERoZBRHzuLECEm2ZSt xDefytvhjcX1850yuGxOSwNFsQ5yQ4XMBjeZnVKJUka842umUj1NnA8ZsCNOgueTBk3S t01/fgiXAmbOsyb56LwV7Bxv5xOozmwGakgTkFhu8AmVcxZBWJkRIzznwConsPz3vAmS FqJA== X-Gm-Message-State: APf1xPDlD2t221ylEf+ofWVAQ8gL/hCAQ5EknGZIjO5qd4p+fQf/Uxp9 ZCNvMEShoEBKdqUClpDdpXQ= X-Received: by 10.25.115.136 with SMTP id h8mr9384185lfk.117.1519714354287; Mon, 26 Feb 2018 22:52:34 -0800 (PST) Received: from [10.17.182.9] (ll-59.209.223.85.sovam.net.ua. [85.223.209.59]) by smtp.gmail.com with ESMTPSA id o134sm2386610lfo.86.2018.02.26.22.52.32 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 26 Feb 2018 22:52:33 -0800 (PST) Subject: Re: [PATCH 8/9] drm/xen-front: Implement GEM operations To: Boris Ostrovsky , Oleksandr Andrushchenko , xen-devel@lists.xenproject.org, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, airlied@linux.ie, daniel.vetter@intel.com, seanpaul@chromium.org, gustavo@padovan.org, jgross@suse.com, konrad.wilk@oracle.com References: <1519200222-20623-1-git-send-email-andr2000@gmail.com> <1519200222-20623-9-git-send-email-andr2000@gmail.com> <2f2c6fea-c0cb-e244-41f3-269db07986fc@oracle.com> <56c4a78b-356a-fb35-a97e-187581ae45ad@epam.com> <71ab9d03-dc07-f7f2-c9f8-463cc926e573@oracle.com> From: Oleksandr Andrushchenko Message-ID: Date: Tue, 27 Feb 2018 08:52:32 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: <71ab9d03-dc07-f7f2-c9f8-463cc926e573@oracle.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 02/27/2018 01:47 AM, Boris Ostrovsky wrote: > On 02/23/2018 10:35 AM, Oleksandr Andrushchenko wrote: >> On 02/23/2018 05:26 PM, Boris Ostrovsky wrote: >>> On 02/21/2018 03:03 AM, Oleksandr Andrushchenko wrote: >>>> +static struct xen_gem_object *gem_create(struct drm_device *dev, >>>> size_t size) >>>> +{ >>>> + struct xen_drm_front_drm_info *drm_info = dev->dev_private; >>>> + struct xen_gem_object *xen_obj; >>>> + int ret; >>>> + >>>> + size = round_up(size, PAGE_SIZE); >>>> + xen_obj = gem_create_obj(dev, size); >>>> + if (IS_ERR_OR_NULL(xen_obj)) >>>> + return xen_obj; >>>> + >>>> + if (drm_info->cfg->be_alloc) { >>>> + /* >>>> + * backend will allocate space for this buffer, so >>>> + * only allocate array of pointers to pages >>>> + */ >>>> + xen_obj->be_alloc = true; >>> If be_alloc is a flag (which I am not sure about) --- should it be set >>> to true *after* you've successfully allocated your things? >> this is a configuration option telling about the way >> the buffer gets allocated: either by the frontend or >> backend (be_alloc -> buffer allocated by the backend) > > I can see how drm_info->cfg->be_alloc might be a configuration option > but xen_obj->be_alloc is set here and that's not how configuration > options typically behave. you are right, I will put be_alloc down the code and will slightly rework error handling for this function > >>>> + ret = gem_alloc_pages_array(xen_obj, size); >>>> + if (ret < 0) { >>>> + gem_free_pages_array(xen_obj); >>>> + goto fail; >>>> + } >>>> + >>>> + ret = alloc_xenballooned_pages(xen_obj->num_pages, >>>> + xen_obj->pages); >>> Why are you allocating balloon pages? >> in this use-case we map pages provided by the backend >> (yes, I know this can be a problem from both security >> POV and that DomU can die holding pages of Dom0 forever: >> but still it is a configuration option, so user decides >> if her use-case needs this and takes responsibility for >> such a decision). > > Perhaps I am missing something here but when you say "I know this can be > a problem from both security POV ..." then there is something wrong with > your solution. well, in this scenario there are actually 2 concerns: 1. If DomU dies the pages/grants from Dom0/DomD cannot be reclaimed back 2. Misbehaving guest may send too many requests to the backend exhausting grant references and memory of Dom0/DomD (this is the only concern from security POV). Please see [1] But, we are focusing on embedded use-cases, so those systems we use are not that "dynamic" with respect to 2). Namely: we have fixed number of domains and their functionality is well known, so we can do rather precise assumption on resource usage. This is why I try to warn on such a use-case and rely on the end user who understands the caveats I'll probably add more precise description of this use-case clarifying what is that security POV, so there is no confusion Hope this explanation answers your questions > -boris > >> Please see description of the buffering modes in xen_drm_front.h >> specifically for backend allocated buffers: >> ******************************************************************************* >> >> * 2. Buffers allocated by the backend >> ******************************************************************************* >> >> * >> * This mode of operation is run-time configured via guest domain >> configuration >> * through XenStore entries. >> * >> * For systems which do not provide IOMMU support, but having specific >> * requirements for display buffers it is possible to allocate such >> buffers >> * at backend side and share those with the frontend. >> * For example, if host domain is 1:1 mapped and has DRM/GPU hardware >> expecting >> * physically contiguous memory, this allows implementing zero-copying >> * use-cases. >> >>> -boris >>> >>>> + if (ret < 0) { >>>> + DRM_ERROR("Cannot allocate %zu ballooned pages: %d\n", >>>> + xen_obj->num_pages, ret); >>>> + goto fail; >>>> + } >>>> + >>>> + return xen_obj; >>>> + } >>>> + /* >>>> + * need to allocate backing pages now, so we can share those >>>> + * with the backend >>>> + */ >>>> + xen_obj->num_pages = DIV_ROUND_UP(size, PAGE_SIZE); >>>> + xen_obj->pages = drm_gem_get_pages(&xen_obj->base); >>>> + if (IS_ERR_OR_NULL(xen_obj->pages)) { >>>> + ret = PTR_ERR(xen_obj->pages); >>>> + xen_obj->pages = NULL; >>>> + goto fail; >>>> + } >>>> + >>>> + return xen_obj; >>>> + >>>> +fail: >>>> + DRM_ERROR("Failed to allocate buffer with size %zu\n", size); >>>> + return ERR_PTR(ret); >>>> +} >>>> + >>>> Thank you, Oleksandr [1] https://lists.xenproject.org/archives/html/xen-devel/2017-07/msg03100.html