Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp255118pxj; Fri, 14 May 2021 02:37:07 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw4opCsvitlBNCHAsZbid5Ge34QHE65hV/OkWRejsqRXpyDfFXGsbrAU0ygbyymUcQlrbAD X-Received: by 2002:a50:fe19:: with SMTP id f25mr55446098edt.341.1620985027254; Fri, 14 May 2021 02:37:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620985027; cv=none; d=google.com; s=arc-20160816; b=NGFLF/waKxBD2dJTMFK4UEPO1DUwbxldbdxurO7+7lIv6siBejpwW8fauInixRziUD RFGoW0ysf+Ge5+0+d/3Fm7jlvFAi83zNFtlsWE2ThQcsYNGBWku4Fe4rkQL3JN2aMf9g lc2E6pSC68M7f8BwXdfrRNSCMk9OMy4hIA33wYpBugFZAWYA/oXCjOxCa8NarLkirjls Qh3rau5QKf7yvdl1j6sPTASCLbB4jHc9ln5rJRHl9MyaKuXOemsQHJcCtMiITGOlI0X4 T5iDO8TZtNi24nUmrdIW/6WdfkQ7jBGrAVzBzlV56qM9WwZcIE2AbPYxYZ0BRCP4M1ly aQGQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=9ardcHHy4HMFsCCm362jCRSfkYTJCg6gBa+dhQsSbY4=; b=AiBhpbiizQChuzQzIo5u8hZWZSxLLmBcWfzpuWHL4v9RWDLCtq20AvkgXuKznOcA4V D4S4kl7BsMI8pklHYQNHbTK8+e2QXMYrycXDXsWI0rMrp099ADMYuxISZ8ebVZ2kzKy9 OFnrifbYrk9NtLO1HwIZCpzjqGKF65hLEktJzLbXAyBDGQgqfIJ8y/TEE4PEAPe2idTA ARPU+UtTcnxnDKiPLiHJ9dGRljZcUDKJVGxcKaoIol6IezVguhdI5/BsWdAgAbmTKqYn I09MdryFjAKX+3eL18pJ8b16VVXq39XeryZjWx3aJC4Y85VKKodoth0+hQN4kigxsMQd 15rQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@bytedance-com.20150623.gappssmtp.com header.s=20150623 header.b=A2CJn1ll; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=bytedance.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t21si5175722edw.597.2021.05.14.02.36.43; Fri, 14 May 2021 02:37:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@bytedance-com.20150623.gappssmtp.com header.s=20150623 header.b=A2CJn1ll; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=bytedance.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231980AbhENGIE (ORCPT + 99 others); Fri, 14 May 2021 02:08:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52468 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230506AbhENGIC (ORCPT ); Fri, 14 May 2021 02:08:02 -0400 Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9CAFAC061574 for ; Thu, 13 May 2021 23:06:50 -0700 (PDT) Received: by mail-ed1-x52e.google.com with SMTP id t15so5762569edr.11 for ; Thu, 13 May 2021 23:06:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bytedance-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9ardcHHy4HMFsCCm362jCRSfkYTJCg6gBa+dhQsSbY4=; b=A2CJn1llgWZrjHBlQvOTdwAXuSCV6nI6+uHLtxIqI1lc6b5Mfjpn1D2FZHksL2XDxh IxK7s3C+aKefX2AbMa3aES0aFy9SLNXWof9I88eLl6JikgIr9j09QeqVEaWrq7vLyA4B OL0NeiNgBg6jUZDnn0KQN4twb4FjRzLzjQCS2b9BzERy+Ha22YPIWqo9yB1LOARy/f72 +Vv0A3HL0z4gEpZZPmBJW8EqFxv0m59H5j0sZIo5/0sijpY4IM7z+ShPqwtNd5jkXnpJ vNbw9626XR5Dk6BjUbcPn+Bt/8C7jmfnqXFczd/4Chs8jcvY4AnWbvcE4+kWG6zMzOGt 2HzQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9ardcHHy4HMFsCCm362jCRSfkYTJCg6gBa+dhQsSbY4=; b=XNXyokuJrnUHzFjfpem4GUAkcmHkb58n84shrIInGd0/4k7BSWwmzVibbCo4BZNxwT Ngff4nfiUlmGBbj9gIOMutc/wHvWq2GUs0o21SEo6HOh7VG/8gMlsjEcxoc/Bw9H61jK lohh9L6Dgf20A5obnEVsMa745hg3CTFhGnK/iBZbgQnPII+tI2WpQ/bC32CIvG9S6k5f OBEiBxllci4g8CL4xJg18ehtlH2azMfr4lGDJC6E8nFIfwTrejLOskEWO0tINXkfx7Zp dZSWx6zRUQfE4Lckh6gKsfKAlYWpvyz6LyJLFNIN1Ok4LL1geLJHZF9E2zEv4M0lgVqP afRw== X-Gm-Message-State: AOAM53173qJohdixas3QzN3hCkjIEFoVOExVi5Mq+ctlGCi3j0izudQa 6Ac7pL/XIiPARZXTxFOS0Hymxg2ssHtzehM5uG4+IX1xTw== X-Received: by 2002:a50:8a99:: with SMTP id j25mr53348075edj.253.1620972409303; Thu, 13 May 2021 23:06:49 -0700 (PDT) MIME-Version: 1.0 References: <20210423080942.2997-1-jasowang@redhat.com> In-Reply-To: From: Yongji Xie Date: Fri, 14 May 2021 14:06:38 +0800 Message-ID: Subject: Re: Re: [RFC PATCH V2 0/7] Do not read from descripto ring To: Stefan Hajnoczi Cc: Jason Wang , "Michael S. Tsirkin" , virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, file@sect.tu-berlin.de, ashish.kalra@amd.com, konrad.wilk@oracle.com, kvm@vger.kernel.org, Christoph Hellwig Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 14, 2021 at 12:27 AM Stefan Hajnoczi wrote: > > On Fri, Apr 23, 2021 at 04:09:35PM +0800, Jason Wang wrote: > > Sometimes, the driver doesn't trust the device. This is usually > > happens for the encrtpyed VM or VDUSE[1]. > > Thanks for doing this. > > Can you describe the overall memory safety model that virtio drivers > must follow? For example: > > - Driver-to-device buffers must be on dedicated pages to avoid > information leaks. > > - Driver-to-device buffers must be on dedicated pages to avoid memory > corruption. > > When I say "pages" I guess it's the IOMMU page size that matters? > > What is the memory access granularity of VDUSE? > Now we use PAGE_SIZE as the access granularity. I think it should be safe to access the Driver-to-device buffers in VDUSE case because we also use bounce-buffering mechanism like swiotlb does. Thanks, Yongji