Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp284762pxj; Fri, 14 May 2021 03:28:08 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxAe/hJiKE32tvqVeTp5adGq+zgcASFO7KMY00/YyPKozDoV9ROywnEl6zUkO6kj5B2L5EW X-Received: by 2002:a5d:8481:: with SMTP id t1mr35256444iom.39.1620988088381; Fri, 14 May 2021 03:28:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620988088; cv=none; d=google.com; s=arc-20160816; b=yS4ga1R0sLlLAiqSU1mAqrpgiVnb8nU115B688BYpKo1JyERyYSPDlTeaV/22c56bi GthBPn4G3HFprILUKQ1XySXCNtYHbmkRBWLo9oPS3TuS/Ak/EPAA1vVS78nVmJcAQwn7 QWsEXmcu0oCtCDDiH8mqL4Fk/34kGl2ojfdKtqYdDIAhXJjoYFHP9bxW0JIVzHMFzSDu F8PYvpZm+a3TSqBmD8Xhy/DZf7bnnu+zs76VoAyKlZNGZBeysiI4vL9YlgxVKBSl2j0X I4MLeixaG8I/ruyHJGpC7N9owexyLK55VmZR7kP+owvcKqWhe+QONO47jjZDAPW4x4OI fv5g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=+wZab5pINZpwdaHt/bHMqJV5s7yiKsmN12nleLzipVI=; b=sKD8UeqgJHHeZEqWwKPctJG7+k6hv50q3afcJw/S79yOyeHz7Jfz/rft3O8wBnB86r qEzo66QKYib/ZrvlrEi4tbqJ4CyYeetfXmpIrK0SiltVwNaZHe6S74WcTDDM252VPUFW KkWP8KDz0SS1cE5lM+UBlKXF+6UFdiDEW0tCTRhzWQqCqwMhbpVmldRiD6zj1PhcjRU2 whB2xmxNnL5m9Ml+fVAb5vjots5gJplBYbfXyS+Xv/Osm1SEfXClo3giLujF+3kbS3Xa 9ne4zv0dGXD5UeIkv0XMsd+Ev/0srCSJi3bWimfRDWLo0H1vCZZTxcOVVzWdAt5y5cra qeaQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@bytedance-com.20150623.gappssmtp.com header.s=20150623 header.b=rUAG4q59; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=bytedance.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z6si2961023ilq.89.2021.05.14.03.27.56; Fri, 14 May 2021 03:28:08 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@bytedance-com.20150623.gappssmtp.com header.s=20150623 header.b=rUAG4q59; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=bytedance.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233668AbhENImE (ORCPT + 99 others); Fri, 14 May 2021 04:42:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58538 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233676AbhENImD (ORCPT ); Fri, 14 May 2021 04:42:03 -0400 Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5D69BC061574 for ; Fri, 14 May 2021 01:40:51 -0700 (PDT) Received: by mail-ej1-x633.google.com with SMTP id l1so7588556ejb.6 for ; Fri, 14 May 2021 01:40:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bytedance-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+wZab5pINZpwdaHt/bHMqJV5s7yiKsmN12nleLzipVI=; b=rUAG4q59lGFY+rT56KuTKMwS7etbeEVaacrURJbzUpHXBSlZZQjXTtA9QlTYv0kyRL GzQyq7nc7hQIJ9q19Zaf1gHWj8BCUMMQqnsp6z1thhfNd4+H6kU7OHdddjaPlLIvEcMj C+ijieV3F5OosGKQaAdRbzUkebJOEwdc2BK/oYqU5Ws/7lEdt2kLShiYj8fnZnx/+B1x CmSGcEUgYHVwvosm7EdxRcGdGonMcafbT9tiCzHD7lq30vgMP9dsgLSCm7fRZ55evYQS WaS0KpWWAkIPoiFXd740zrQ8myLp6wdMiSjju7N6y4JWp5tNJV3lcqWkxcyT62xyyA1O h4rw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+wZab5pINZpwdaHt/bHMqJV5s7yiKsmN12nleLzipVI=; b=I7DQ6WYjG3xMGQfonidT5mUFBd8yR/tL2U2DToYdVCnFjb+TrCth00XQjA0Cmzc5dE m1R+qexRpCiH0LgLC+yO2yeEQIUVu23agft4nuWAYUxvr0Jp0KKyglxcNZvc/LsI2j0P emM6sJuKZySoCxKosJ1rexDf7mgNnVcuuRUuQq4AjZiBIPZrdHs4oPNK2LNiruz6fM6e 3fnpC0FFYzovq5ax1BCx+gFvsFfl+rw9rS8/PSQha5sCoRDWVwjXssKcitGFMf51Jg+d /q+A0WfCGjLg3bNS3x9avjVXi5gE5U3CP5XSH7n7fkMqsGqX83SvOBk0/U8IWiuU+lKR AbEg== X-Gm-Message-State: AOAM533Eymw2b5cqBIox0dyHiSgdgrsq/Kc6VK5+8RBsn+5ToAGgk95y nik5Yqdw1goWqwg9FWWIAZ9BEoKYVZmMjKXc8Sii X-Received: by 2002:a17:906:edaf:: with SMTP id sa15mr10209317ejb.174.1620981650150; Fri, 14 May 2021 01:40:50 -0700 (PDT) MIME-Version: 1.0 References: <20210423080942.2997-1-jasowang@redhat.com> In-Reply-To: From: Yongji Xie Date: Fri, 14 May 2021 16:40:39 +0800 Message-ID: Subject: Re: Re: Re: [RFC PATCH V2 0/7] Do not read from descripto ring To: Jason Wang Cc: Stefan Hajnoczi , "Michael S. Tsirkin" , virtualization , linux-kernel , file@sect.tu-berlin.de, ashish.kalra@amd.com, konrad.wilk@oracle.com, kvm , Christoph Hellwig Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 14, 2021 at 3:31 PM Jason Wang wrote: > > On Fri, May 14, 2021 at 2:07 PM Yongji Xie wrote: > > > > On Fri, May 14, 2021 at 12:27 AM Stefan Hajnoczi wrote: > > > > > > On Fri, Apr 23, 2021 at 04:09:35PM +0800, Jason Wang wrote: > > > > Sometimes, the driver doesn't trust the device. This is usually > > > > happens for the encrtpyed VM or VDUSE[1]. > > > > > > Thanks for doing this. > > > > > > Can you describe the overall memory safety model that virtio drivers > > > must follow? For example: > > > > > > - Driver-to-device buffers must be on dedicated pages to avoid > > > information leaks. > > > > > > - Driver-to-device buffers must be on dedicated pages to avoid memory > > > corruption. > > > > > > When I say "pages" I guess it's the IOMMU page size that matters? > > > > > > What is the memory access granularity of VDUSE? > > > > > > > Now we use PAGE_SIZE as the access granularity. I think it should be > > safe to access the Driver-to-device buffers in VDUSE case because we > > also use bounce-buffering mechanism like swiotlb does. > > > > Thanks, > > Yongji > > > > Yes, while at this, I wonder it's possible the re-use the swiotlb > codes for VDUSE, or having some common library for this. Otherwise > there would be duplicated codes (bugs). > I think there are still some gaps between VDUSE codes and swiotlb codes. For example, swiotlb allocates and uses contiguous memory for bouncing but VDUSE doesn't. The swiotlb works in singleton mode (designed for platform IOMMU) , but VDUSE is based on on-chip IOMMU (supports multiple instances). So we will need some extra work if we want a common library for them both. And since the only duplicated codes now are swiotlb_bounce() (swiotlb) and do_bounce() (VDUSE). So I prefer to do this work in future rather than in the current series. Thanks, Yongji