Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp109009pxb; Wed, 3 Nov 2021 00:36:36 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwwryZI2/Jy3C3FijID1AxGsBNkIwdR+hDPWiXGW8N1r9vn0TjhKWVcsF7pzPiWP6iCy/S5 X-Received: by 2002:a05:6402:254d:: with SMTP id l13mr1906344edb.165.1635924996462; Wed, 03 Nov 2021 00:36:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1635924996; cv=none; d=google.com; s=arc-20160816; b=q+bpCcqoQLzPSOmevl0jJ3KyiT+Id1f3//Red7cQq/vfLDNoxcTkn0JNQsH3a/gpmx I49RzbkNvYE7BL1ja3Jwd+7DiK+RMi/Syjebbx95vlqaTCqEM3CNl2GuStlDCkfNvYPL 0QEwKWTKoKp79fpdT+9xOepJy6FJ/cA9gdFHnkoep/eJcV7EXRkvoxlYCvReaMBITEPn hOTkKKBw+OFX5P33fEe5CxE3ZjoiZrWF+CO0rXrm06H9t9b/lUyj/xyPN5U8fIJf4eGp S/lbO/KziN9ENZXWldq9NQnDQZ6PcYfYODq3GPWbUWSOuZu4PVtzZOmOFAMbChd75thp DPDQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=2evzeN2dUJ97RkJYIYZWd1y4ZdCaTHeSbdPXFeoqPXY=; b=JrpV2BLRuxroagJWLeK3xcdfX+EXlllukXaojitQXWfw9JTYnmSgAb5HeobUcjBrPT UIKWu+xfhsaOBUkh9nlPznBzkPX6OAL7gqsaD9mScFyh23TqBNWp9blLFq3h2pTVI+oa /jcaukMiqf4ppXUX0yRyp//IT+PYqRfZnUFFljaQ484028cjAY4+DBkh/OqZi6bkmULJ HeKHJOCC3l2lFZOiPjJHhv9fym/rmSyPvcPUsC7wQkuhiLp+RXNFca1TdWFS//Hqdo6+ AkCExIbbR0fb2E9ay1FJlj3rSFkK5WEESHzjiUIu8MyYuNaxAMr7TP/cRPrO6tzo6S0y K1XQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=SebnF1Pk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 5si2192251ejj.698.2021.11.03.00.36.11; Wed, 03 Nov 2021 00:36:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=SebnF1Pk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232134AbhKCHg4 (ORCPT + 99 others); Wed, 3 Nov 2021 03:36:56 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:44836 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231985AbhKCHgz (ORCPT ); Wed, 3 Nov 2021 03:36:55 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1635924859; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=2evzeN2dUJ97RkJYIYZWd1y4ZdCaTHeSbdPXFeoqPXY=; b=SebnF1PktGsv7KYc26W1XANb0FtlWABmYo4ZAc4lvp4HjMqNyezxMeuvFM0AOYCYFLiSeM QIo+DuVwYfdJzbEsnf3JDwTY3wv+VsnX4vf6SICrQVvjyChoSDvoXCPjtgfz7xQBCXFMPu aLGQofRn+QiPHwCpJrJZuQXpks9X5IA= Received: from mail-lf1-f70.google.com (mail-lf1-f70.google.com [209.85.167.70]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-549-nNeTRXbCOLOjF3LnAztLDw-1; Wed, 03 Nov 2021 03:34:18 -0400 X-MC-Unique: nNeTRXbCOLOjF3LnAztLDw-1 Received: by mail-lf1-f70.google.com with SMTP id t62-20020a19c341000000b004000224ab0cso313712lff.8 for ; Wed, 03 Nov 2021 00:34:18 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2evzeN2dUJ97RkJYIYZWd1y4ZdCaTHeSbdPXFeoqPXY=; b=YzQNLn6ZoiIE9WubA/AVvlJ9wtmxBahbubNjYaQBoeDmH1qNtmafo9ZswVsPi/K9s7 lTxbz2nKPgmDNEEz2i/HIkn+Q1IP9/CTcpjvjJrSlu1J1RWt+82hKU/I1c7PXeA78css DbdWupo7vRnYdmpwm/jYWRrMoOKJ8AUszhUS34DBlTSedj6nDaWyhbVlfst5ig1ckpAp Jy4XmJOrbRC7E0+NZf9dYGwA1NDdBqjP0GLLoKl82yTzo2ZnDjAXvihj+HYbi23YnZZz nkNhI9SegZbHS0ePUnpFNXSfjHwEM8v9997/AeHXYhkCzW3EVEu3N2OQILlXY2Qn3upv UEPw== X-Gm-Message-State: AOAM530GIKRnIwpBwM+gLdlqUaW2EaQLtGRC3AKkOG5W7e97YzT4cniQ bxgnoTQAt4iHj38koR8r27g/vIpqy9DOwLDD2DBvq7gFbqNvOAClTd0P7oDqynTYSxACNDrZZrT EYSW1z8MuFKe80zN/7xxZHNP0JBatoFz0Lz245sVZ X-Received: by 2002:a2e:9155:: with SMTP id q21mr44928335ljg.217.1635924856892; Wed, 03 Nov 2021 00:34:16 -0700 (PDT) X-Received: by 2002:a2e:9155:: with SMTP id q21mr44928307ljg.217.1635924856684; Wed, 03 Nov 2021 00:34:16 -0700 (PDT) MIME-Version: 1.0 References: <20200326140125.19794-1-jasowang@redhat.com> <20200326140125.19794-8-jasowang@redhat.com> <20211101141133.GA1073864@nvidia.com> <20211102155611.GL2744544@nvidia.com> In-Reply-To: <20211102155611.GL2744544@nvidia.com> From: Jason Wang Date: Wed, 3 Nov 2021 15:34:05 +0800 Message-ID: Subject: Re: [PATCH V9 7/9] vhost: introduce vDPA-based backend To: Jason Gunthorpe Cc: mst , linux-kernel , kvm , virtualization , netdev , Maxime Coquelin , "Liang, Cunming" , zhihong.wang@intel.com, rob.miller@broadcom.com, Xiao W Wang , Zhu Lingshan , eperezma , Cindy Lu , Parav Pandit , "Tian, Kevin" , Stefan Hajnoczi , Randy Dunlap , Christoph Hellwig , Ariel Adam , jiri@mellanox.com, shahafs@mellanox.com, Harpreet Singh Anand , mhabets@solarflare.com, Gautam Dawar , Saugat Mitra , vmireyno@marvell.com, zhangweining@ruijie.com.cn, Tiwei Bie , Lu Baolu Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 2, 2021 at 11:56 PM Jason Gunthorpe wrote: > > On Tue, Nov 02, 2021 at 11:52:20AM +0800, Jason Wang wrote: > > On Mon, Nov 1, 2021 at 10:11 PM Jason Gunthorpe wrote: > > > > > > On Thu, Mar 26, 2020 at 10:01:23PM +0800, Jason Wang wrote: > > > > From: Tiwei Bie > > > > > > > > This patch introduces a vDPA-based vhost backend. This backend is > > > > built on top of the same interface defined in virtio-vDPA and provides > > > > a generic vhost interface for userspace to accelerate the virtio > > > > devices in guest. > > > > > > > > This backend is implemented as a vDPA device driver on top of the same > > > > ops used in virtio-vDPA. It will create char device entry named > > > > vhost-vdpa-$index for userspace to use. Userspace can use vhost ioctls > > > > on top of this char device to setup the backend. > > > > > > > > Vhost ioctls are extended to make it type agnostic and behave like a > > > > virtio device, this help to eliminate type specific API like what > > > > vhost_net/scsi/vsock did: > > > > > > > > - VHOST_VDPA_GET_DEVICE_ID: get the virtio device ID which is defined > > > > by virtio specification to differ from different type of devices > > > > - VHOST_VDPA_GET_VRING_NUM: get the maximum size of virtqueue > > > > supported by the vDPA device > > > > - VHSOT_VDPA_SET/GET_STATUS: set and get virtio status of vDPA device > > > > - VHOST_VDPA_SET/GET_CONFIG: access virtio config space > > > > - VHOST_VDPA_SET_VRING_ENABLE: enable a specific virtqueue > > > > > > > > For memory mapping, IOTLB API is mandated for vhost-vDPA which means > > > > userspace drivers are required to use > > > > VHOST_IOTLB_UPDATE/VHOST_IOTLB_INVALIDATE to add or remove mapping for > > > > a specific userspace memory region. > > > > > > > > The vhost-vDPA API is designed to be type agnostic, but it allows net > > > > device only in current stage. Due to the lacking of control virtqueue > > > > support, some features were filter out by vhost-vdpa. > > > > > > > > We will enable more features and devices in the near future. > > > > > > [..] > > > > > > > +static int vhost_vdpa_alloc_domain(struct vhost_vdpa *v) > > > > +{ > > > > + struct vdpa_device *vdpa = v->vdpa; > > > > + const struct vdpa_config_ops *ops = vdpa->config; > > > > + struct device *dma_dev = vdpa_get_dma_dev(vdpa); > > > > + struct bus_type *bus; > > > > + int ret; > > > > + > > > > + /* Device want to do DMA by itself */ > > > > + if (ops->set_map || ops->dma_map) > > > > + return 0; > > > > + > > > > + bus = dma_dev->bus; > > > > + if (!bus) > > > > + return -EFAULT; > > > > + > > > > + if (!iommu_capable(bus, IOMMU_CAP_CACHE_COHERENCY)) > > > > + return -ENOTSUPP; > > > > + > > > > + v->domain = iommu_domain_alloc(bus); > > > > + if (!v->domain) > > > > + return -EIO; > > > > + > > > > + ret = iommu_attach_device(v->domain, dma_dev); > > > > + if (ret) > > > > + goto err_attach; > > > > > > > > > > I've been looking at the security of iommu_attach_device() users, and > > > I wonder if this is safe? > > > > > > The security question is if userspace is able to control the DMA > > > address the devices uses? Eg if any of the cpu to device ring's are in > > > userspace memory? > > > > > > For instance if userspace can tell the device to send a packet from an > > > arbitrary user controlled address. > > > > The map is validated via pin_user_pages() which guarantees that the > > address is not arbitrary and must belong to userspace? > > That controls what gets put into the IOMMU, it doesn't restrict what > DMA the device itself can issue. > > Upon investigating more it seems the answer is that > iommu_attach_device() requires devices to be in singleton groups, so > there is no leakage from rouge DMA Yes, I think so. Thanks > > Jason >