Received: by 10.192.165.156 with SMTP id m28csp951836imm; Wed, 18 Apr 2018 01:02:44 -0700 (PDT) X-Google-Smtp-Source: AIpwx48aN9cbZWQ1h+qGV5934YdniKUd0ebuLjbCkQQexIEj+hRDL8THukr+yS5tL8ckKITgLhrW X-Received: by 10.98.172.15 with SMTP id v15mr1059881pfe.129.1524038564656; Wed, 18 Apr 2018 01:02:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524038564; cv=none; d=google.com; s=arc-20160816; b=w51a0EwpzE4Q1l42di2Y76JyQ4n5TsLgnQcl5OJ0fyQFdEOV2p7QeliQ70LtWz8gWr o0AsowQY+VFmFku0eu+0fQJBwACFPy7NT2Q1GxFZy3EIo1dhGPdSAirUqVKI6FfDS9yC ZqGnApPyMuuim6YuRWls1nXiSfNddMiZDHDTLRgjasm5ddSzdKgrTKD4OyH1FMzd26mu OOuzUl223XMNSPjEz5horDGlb0yyafZuT/gJ1oO/HpEQk7ArtdrQPpW1R5FEZ0jFhp+5 LtTXq3wRgVtI354MOI4DabyEv8GyMsGJ+RNPd1J53JoJ6NRgqjZ99zD1IcU5QN5AkVn2 52Xg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature :arc-authentication-results; bh=UjFlCTnPSzRfyUJDx+M7zfbUPbdbt6dCggQCLGlfslo=; b=nkaFvzNZfoaRGso0w0pikdYoa6SiUGQlYcNmMo3ZJpxl4vr8uNCPjoSyBGx0SHGcb3 vXFevUka9j3Q8mFzC+Nok7TFmssv4l6LDWH3WRhugRYey/6TKY1CjdhOsJ2hu6N1tGen bUVWOwRCy8ilCy0FF3r+T83YmofkfgpKDc6PMCZbJ2OCGm3Kn5mwinLJ+aaCsT0ObzLj IrIyn5IIIBbRw4z4cC0MD81rnvl1V4cWEMerqlQB9/No+7nCtapm/0+P3sITNG6ebtT5 MXt31Alwzm0T8g19y6TmdLh2zOhYpzSn0A59PUrUGhOsncEQC/5kyYX9MloPaI4oo82d OA0w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=QZmDJ99O; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z3si175276pgr.171.2018.04.18.01.02.29; Wed, 18 Apr 2018 01:02:44 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=QZmDJ99O; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752972AbeDRIBR (ORCPT + 99 others); Wed, 18 Apr 2018 04:01:17 -0400 Received: from mail-lf0-f68.google.com ([209.85.215.68]:42682 "EHLO mail-lf0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752707AbeDRIBQ (ORCPT ); Wed, 18 Apr 2018 04:01:16 -0400 Received: by mail-lf0-f68.google.com with SMTP id x130-v6so1241567lff.9 for ; Wed, 18 Apr 2018 01:01:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=UjFlCTnPSzRfyUJDx+M7zfbUPbdbt6dCggQCLGlfslo=; b=QZmDJ99OAtIpANIWpRRPEy1GRjWO/b5drmnRPShRfCg1E2i4PecvFieXPqHqzAVYtC UmlxqC5XAj2iQ0Ha3eCoJa4fPifmjgfHBmA8YTEe6rBGwx1GaILDg0+8U6zLQXXr+C9j mkJCfkh7o4+3W8/GdsKPZQWJyqaLkHtppveWdBvcNFvvrG4Iw9ALdwye+ymru/umK4ox e9VhEBifgaxomwLy2Zidsor5+zsZWvXtGQ17AUijnAjEQ3UoO2+BuTQLP4VA7POkTZOB TbtAzqRd2C8kiimKN9KHnhsdWiZOL99oNAOL1XDUFAOnw9rsiuzs1uenMgWGKwQHT8k6 KnIg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=UjFlCTnPSzRfyUJDx+M7zfbUPbdbt6dCggQCLGlfslo=; b=FVwe+RWEWSPSyM5nM8e+7gOdNryfnzi5WD3lJOXU0BL4j5vGlgE9weFPn/k/S6doLE BbpZtUUz1g+DRWDr9RE3emiJVOD5CtRzQAKcGbOQpN4go2QoZxfP+SSouKCKnqL/6ELz MVTbzeBqZVgKoI+d5akUeUsrqDJ8ktDi1EFCi5BTs4BRfilxa5CPzounux/FY1GcFXmp DUtBXE7frXuyTMUwn9ln21Pt2T6i8Qo7uX7WKEpJCYN4mmVvtQo6W7z738w8vIbDrJRI q9TzHrH2jemKsp0MdbCvrFeSgvyvQCvSpcEWS201QrYBOC/ycuuQkqKGRXNWdxfJhLgm PhgA== X-Gm-Message-State: ALQs6tC5eN3e1+gov0/OAIWVriXB1udlX9iyIZRnm9lTVF+PobwlhGFf 8rT9caoxnANVltM0wP5mN4I= X-Received: by 2002:a19:1f4a:: with SMTP id f71-v6mr770090lff.12.1524038474668; Wed, 18 Apr 2018 01:01:14 -0700 (PDT) Received: from [10.17.182.9] (ll-74.141.223.85.sovam.net.ua. [85.223.141.74]) by smtp.gmail.com with ESMTPSA id t10-v6sm153434lfe.11.2018.04.18.01.01.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 18 Apr 2018 01:01:13 -0700 (PDT) Subject: Re: [Xen-devel] [PATCH 0/1] drm/xen-zcopy: Add Xen zero-copy helper DRM driver To: =?UTF-8?Q?Roger_Pau_Monn=c3=a9?= Cc: Dongwon Kim , "Oleksandr_Andrushchenko@epam.com" , jgross@suse.com, Artem Mygaiev , konrad.wilk@oracle.com, airlied@linux.ie, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, "Potrola, MateuszX" , daniel.vetter@intel.com, xen-devel@lists.xenproject.org, boris.ostrovsky@oracle.com, Matt Roper References: <20180329131931.29957-1-andr2000@gmail.com> <5d8fec7f-956c-378f-be90-f45029385740@gmail.com> <20180416192905.GA18096@downor-Z87X-UD5H> <20180417075928.GT31310@phenom.ffwll.local> <20180417205744.GA15930@downor-Z87X-UD5H> <41487acb-a67a-8933-d0c3-702c19b0938e@gmail.com> <20180418073508.ptvntwedczpvl7bx@MacBook-Pro-de-Roger.local> From: Oleksandr Andrushchenko Message-ID: Date: Wed, 18 Apr 2018 11:01:12 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 MIME-Version: 1.0 In-Reply-To: <20180418073508.ptvntwedczpvl7bx@MacBook-Pro-de-Roger.local> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 04/18/2018 10:35 AM, Roger Pau Monné wrote: > On Wed, Apr 18, 2018 at 09:38:39AM +0300, Oleksandr Andrushchenko wrote: >> On 04/17/2018 11:57 PM, Dongwon Kim wrote: >>> On Tue, Apr 17, 2018 at 09:59:28AM +0200, Daniel Vetter wrote: >>>> On Mon, Apr 16, 2018 at 12:29:05PM -0700, Dongwon Kim wrote: >> 3.2 Backend exports dma-buf to xen-front >> >> In this case Dom0 pages are shared with DomU. As before, DomU can only write >> to these pages, not any other page from Dom0, so it can be still considered >> safe. >> But, the following must be considered (highlighted in xen-front's Kernel >> documentation): >>  - If guest domain dies then pages/grants received from the backend cannot >>    be claimed back - think of it as memory lost to Dom0 (won't be used for >> any >>    other guest) >>  - Misbehaving guest may send too many requests to the backend exhausting >>    its grant references and memory (consider this from security POV). As the >>    backend runs in the trusted domain we also assume that it is trusted as >> well, >>    e.g. must take measures to prevent DDoS attacks. > I cannot parse the above sentence: > > "As the backend runs in the trusted domain we also assume that it is > trusted as well, e.g. must take measures to prevent DDoS attacks." > > What's the relation between being trusted and protecting from DoS > attacks? I mean that we trust the backend that it can prevent Dom0 from crashing in case DomU's frontend misbehaves, e.g. if the frontend sends too many memory requests etc. > In any case, all? PV protocols are implemented with the frontend > sharing pages to the backend, and I think there's a reason why this > model is used, and it should continue to be used. This is the first use-case above. But there are real-world use-cases (embedded in my case) when physically contiguous memory needs to be shared, one of the possible ways to achieve this is to share contiguous memory from Dom0 to DomU (the second use-case above) > Having to add logic in the backend to prevent such attacks means > that: > > - We need more code in the backend, which increases complexity and > chances of bugs. > - Such code/logic could be wrong, thus allowing DoS. You can live without this code at all, but this is then up to backend which may make Dom0 down because of DomU's frontend doing evil things >> 4. xen-front/backend/xen-zcopy synchronization >> >> 4.1. As I already said in 2) all the inter VM communication happens between >> xen-front and the backend, xen-zcopy is NOT involved in that. >> When xen-front wants to destroy a display buffer (dumb/dma-buf) it issues a >> XENDISPL_OP_DBUF_DESTROY command (opposite to XENDISPL_OP_DBUF_CREATE). >> This call is synchronous, so xen-front expects that backend does free the >> buffer pages on return. >> >> 4.2. Backend, on XENDISPL_OP_DBUF_DESTROY: >>   - closes all dumb handles/fd's of the buffer according to [3] >>   - issues DRM_IOCTL_XEN_ZCOPY_DUMB_WAIT_FREE IOCTL to xen-zcopy to make >> sure >>     the buffer is freed (think of it as it waits for dma-buf->release >> callback) > So this zcopy thing keeps some kind of track of the memory usage? Why > can't the user-space backend keep track of the buffer usage? Because there is no dma-buf UAPI which allows to track the buffer life cycle (e.g. wait until dma-buf's .release callback is called) >>   - replies to xen-front that the buffer can be destroyed. >> This way deletion of the buffer happens synchronously on both Dom0 and DomU >> sides. In case if DRM_IOCTL_XEN_ZCOPY_DUMB_WAIT_FREE returns with time-out >> error >> (BTW, wait time is a parameter of this IOCTL), Xen will defer grant >> reference >> removal and will retry later until those are free. >> >> Hope this helps understand how buffers are synchronously deleted in case >> of xen-zcopy with a single protocol command. >> >> I think the above logic can also be re-used by the hyper-dmabuf driver with >> some additional work: >> >> 1. xen-zcopy can be split into 2 parts and extend: >> 1.1. Xen gntdev driver [4], [5] to allow creating dma-buf from grefs and >> vise versa, > I don't know much about the dma-buf implementation in Linux, but > gntdev is a user-space device, and AFAICT user-space applications > don't have any notion of dma buffers. How are such buffers useful for > user-space? Why can't this just be called memory? A dma-buf is seen by user-space as a file descriptor and you can pass it to different drivers then. For example, you can share a buffer used by a display driver for scanout with a GPU, to compose a picture into it: 1. User-space (US) allocates a display buffer from display driver 2. US asks display driver to export the dma-buf which backs up that buffer, US gets buffer's fd: dma_buf_fd 3. US asks GPU driver to import a buffer and provides it with dma_buf_fd 4. GPU renders contents into display buffer (dma_buf_fd) Finally, this is indeed some memory, but a bit more [1] > > Also, (with my FreeBSD maintainer hat) how is this going to translate > to other OSes? So far the operations performed by the gntdev device > are mostly OS-agnostic because this just map/unmap memory, and in fact > they are implemented by Linux and FreeBSD. At the moment I can only see Linux implementation and it seems to be perfectly ok as we do not change Xen's APIs etc. and only use the existing ones (remember, we only extend gntdev/balloon drivers, all the changes in the Linux kernel) As the second note I can also think that we do not extend gntdev/balloon drivers and have re-worked xen-zcopy driver be a separate entity, say drivers/xen/dma-buf >> implement "wait" ioctl (wait for dma-buf->release): currently these are >> DRM_XEN_ZCOPY_DUMB_FROM_REFS, DRM_XEN_ZCOPY_DUMB_TO_REFS and >> DRM_XEN_ZCOPY_DUMB_WAIT_FREE >> 1.2. Xen balloon driver [6] to allow allocating contiguous buffers (not >> needed >> by current hyper-dmabuf, but is a must for xen-zcopy use-cases) > I think this needs clarifying. In which memory space do you need those > regions to be contiguous? Use-case: Dom0 has a HW driver which only works with contig memory and I want DomU to be able to directly write into that memory, thus implementing zero copying > > Do they need to be contiguous in host physical memory, or guest > physical memory? Host > > If it's in guest memory space, isn't there any generic interface that > you can use? > > If it's in host physical memory space, why do you need this buffer to > be contiguous in host physical memory space? The IOMMU should hide all > this. There are drivers/HW which can only work with contig memory and if it is backed by an IOMMU then still it has to be contig in IPA space (real device doesn't know that it is actually IPA contig, not PA) > Thanks, Roger. Thank you, Oleksandr [1] https://01.org/linuxgraphics/gfx-docs/drm/driver-api/dma-buf.html