Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2200612imu;
        Sat, 12 Jan 2019 18:40:16 -0800 (PST)
X-Google-Smtp-Source: ALg8bN7BpC+UQAI1q4+OB3tk2XpAY9f8hLmWJM0VV5d/pti17hQv19MR5Qa5YTMXBfuXT0dodvAz
X-Received: by 2002:a63:68c4:: with SMTP id d187mr16117004pgc.11.1547347215975;
        Sat, 12 Jan 2019 18:40:15 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1547347215; cv=none;
        d=google.com; s=arc-20160816;
        b=uHBsqYUIsbAZJHPWayTRtR7+cSD/1kxMtKJvmgVqcYGt3qC4F7Ze3O0iqWk2L1c1Ij
         r6O8GPcyFO/OVhSktlHqoUBSQVWdME+2rUycPKgm3fgA1XEq/L3gFek8Z1cd8nVoXFj4
         W2/uKTOxm4DZZp5CDp05YIiAcCJpX4uw1yGwp5eVJ1nOOlJ7DWaNo60jTYhjxw5unizq
         GXUzuXGXaONFjhUzM9VDtZI0SQ3pBrG8gOY39zf8AFperRkhCKMokqsTXRLdY07mNU6l
         VCH6X3ZBAjqT4NJ7R4kC3IYR57MOCQDlBM/r4a2K04DrYX957VwiEjfQYPZ9g6OuUMLU
         P9cw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:thread-index:thread-topic
         :content-transfer-encoding:mime-version:subject:references
         :in-reply-to:message-id:cc:to:from:date;
        bh=Q4VQfElhFet0ix7or0OiYg4wDZrEBaeKHxa0zszOtWk=;
        b=L0pZBCthc3KlE3uHim/q21ARDnjqhPw1V2NbjPWvw22aN95fwmT4j9JWLeLuqllsJ3
         PNEJT5I+ngYDZ+cdN6IiBoJqYf9nmNdZ9ozJvgIVGUny9TOFVz3lEQjRnPfADBG3iReH
         vrz6M5uJ3I3KM1P19fjqz+CAP7VCh28TRG15cDbYaYk3pFUNhp+38zVOQu+WsgN1qOT3
         KVyQMoaKp+d1cPs6vEumGfzvGUzL+NtekkgDlzN93mGjNIwdlEEqckjUANeL9Aj6OisD
         rVt/IzR1VQOct0oDddAoDGNhqjvARMSWKTSaSOwEe0xLYcuYwW+yeHDrel34bOE3DzmL
         SLTw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 33si47143713plu.169.2019.01.12.18.40.00;
        Sat, 12 Jan 2019 18:40:15 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726628AbfAMBio (ORCPT <rfc822;cesare.gargano@gmail.com>
        + 99 others); Sat, 12 Jan 2019 20:38:44 -0500
Received: from mx1.redhat.com ([209.132.183.28]:34792 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726474AbfAMBin (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 12 Jan 2019 20:38:43 -0500
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id 3A74FC04BE18;
        Sun, 13 Jan 2019 01:38:42 +0000 (UTC)
Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21])
        by smtp.corp.redhat.com (Postfix) with ESMTPS id B548917AA8;
        Sun, 13 Jan 2019 01:38:41 +0000 (UTC)
Received: from zmail21.collab.prod.int.phx2.redhat.com (zmail21.collab.prod.int.phx2.redhat.com [10.5.83.24])
        by colo-mx.corp.redhat.com (Postfix) with ESMTP id CA09F4A460;
        Sun, 13 Jan 2019 01:38:40 +0000 (UTC)
Date:   Sat, 12 Jan 2019 20:38:39 -0500 (EST)
From:   Pankaj Gupta <pagupta@redhat.com>
To:     Jan Kara <jack@suse.cz>
Cc:     Dave Chinner <david@fromorbit.com>, linux-kernel@vger.kernel.org,
        kvm@vger.kernel.org, qemu-devel@nongnu.org,
        linux-nvdimm@ml01.01.org, linux-fsdevel@vger.kernel.org,
        virtualization@lists.linux-foundation.org,
        linux-acpi@vger.kernel.org, linux-ext4@vger.kernel.org,
        linux-xfs@vger.kernel.org, stefanha@redhat.com,
        dan j williams <dan.j.williams@intel.com>, riel@surriel.com,
        nilal@redhat.com, kwolf@redhat.com, pbonzini@redhat.com,
        zwisler@kernel.org, vishal l verma <vishal.l.verma@intel.com>,
        dave jiang <dave.jiang@intel.com>, david@redhat.com,
        jmoyer@redhat.com,
        xiaoguangrong eric <xiaoguangrong.eric@gmail.com>,
        hch@infradead.org, mst@redhat.com, jasowang@redhat.com,
        lcapitulino@redhat.com, imammedo@redhat.com, eblake@redhat.com,
        willy@infradead.org, tytso@mit.edu,
        adilger kernel <adilger.kernel@dilger.ca>,
        darrick wong <darrick.wong@oracle.com>, rjw@rjwysocki.net
Message-ID: <1354249849.63357171.1547343519970.JavaMail.zimbra@redhat.com>
In-Reply-To: <20190110101757.GC15790@quack2.suse.cz>
References: <20190109144736.17452-1-pagupta@redhat.com> <20190110012617.GA4205@dastard> <20190110101757.GC15790@quack2.suse.cz>
Subject: Re: [PATCH v3 0/5] kvm "virtio pmem" device
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.67.116.34, 10.4.195.30]
Thread-Topic: kvm "virtio pmem" device
Thread-Index: PtlhdNMlT300YqsPBVbwN8Z2TALW0A==
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Sun, 13 Jan 2019 01:38:42 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org



> 
> On Thu 10-01-19 12:26:17, Dave Chinner wrote:
> > On Wed, Jan 09, 2019 at 08:17:31PM +0530, Pankaj Gupta wrote:
> > >  This patch series has implementation for "virtio pmem".
> > >  "virtio pmem" is fake persistent memory(nvdimm) in guest
> > >  which allows to bypass the guest page cache. This also
> > >  implements a VIRTIO based asynchronous flush mechanism.
> > 
> > Hmmmm. Sharing the host page cache direct into the guest VM. Sounds
> > like a good idea, but.....
> > 
> > This means the guest VM can now run timing attacks to observe host
> > side page cache residency, and depending on the implementation I'm
> > guessing that the guest will be able to control host side page
> > cache eviction, too (e.g. via discard or hole punch operations).
> > 
> > Which means this functionality looks to me like a new vector for
> > information leakage into and out of the guest VM via guest
> > controlled host page cache manipulation.
> > 
> > https://arxiv.org/pdf/1901.01161
> > 
> > I might be wrong, but if I'm not we're going to have to be very
> > careful about how guest VMs can access and manipulate host side
> > resources like the page cache.....
> 
> Right. Thinking about this I would be more concerned about the fact that
> guest can effectively pin amount of host's page cache upto size of the
> device/file passed to guest as PMEM, can't it Pankaj? Or is there some QEMU
> magic that avoids this?

Yes, guest will pin these host page cache pages using 'get_user_pages' by
elevating the page reference count. But these pages can be reclaimed by host
at any time when there is memory pressure.

KVM does not permanently pin pages. vfio does that but we are not using
it here.

Could you please elaborate what you are thinking?

Thanks,
Pankaj