From: Muli Ben-Yehuda
Subject: Re: [PATCH] Enable non page boundary BAR device assignment
Date: Thu, 10 Dec 2009 07:16:04 +0200
Message-ID: <20091210051604.GA9049@il.ibm.com>
In-Reply-To: <1260380334-8323-1-git-send-email-agraf@suse.de>
References: <1260380334-8323-1-git-send-email-agraf@suse.de>
To: Alexander Graf
Cc: kvm@vger.kernel.org, mst@redhat.com

On Wed, Dec 09, 2009 at 06:38:54PM +0100, Alexander Graf wrote:
> While trying to get device passthrough working with an emulex hba,
> kvm refused to pass it through because it has a BAR of 256 bytes:
>
> Region 0: Memory at d2100000 (64-bit, non-prefetchable) [size=4K]
> Region 2: Memory at d2101000 (64-bit, non-prefetchable) [size=256]
> Region 4: I/O ports at b100 [size=256]
>
> Since the page boundary is an arbitrary optimization to allow 1:1
> mapping of physical to virtual addresses, we can still take the old
> MMIO callback route.
>
> So let's add a second code path that allows for size & 0xFFF != 0
> sized regions by looping it through userspace.

That makes sense in general *but* the 4K-aligned check isn't just an
optimization, it also has a security implication. Consider the
theoretical case where a multi-function device has BARs for two
functions on the same page (within a 4K boundary), and each function is
assigned to a different guest. With your current patch both guests will
be able to write to each other's BARs.

Another case is where a device has a bug and you must not write beyond
the BAR or Bad Things Happen. With this patch an *unprivileged* guest
could exploit that bug and make bad things happen.

This can be fixed if the slow userspace mmio path checks that all MMIO
accesses by a guest fall within the portion of the page that is
assigned to it.

Cheers,
Muli
-- 
Muli Ben-Yehuda | muli@il.ibm.com | +972-4-8281080
Manager, Virtualization and Systems Architecture
Master Inventor, IBM Research -- Haifa
Second Workshop on I/O Virtualization (WIOV '10): http://sysrun.haifa.il.ibm.com/hrl/wiov2010/
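The per-guest range check Muli suggests for the slow userspace MMIO path, as an added example in C that is not code from the patch or from KVM: the struct and function names are hypothetical, and the BAR values are constructed from the lspci lines quoted above. It contrasts the page-granularity test with a check that the whole access lies inside a BAR assigned to this guest.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PAGE_SIZE 4096ULL

/* One MMIO BAR assigned to a guest. Hypothetical type, not KVM's. */
struct assigned_bar {
    uint64_t base;   /* host physical address the BAR starts at */
    uint64_t size;   /* BAR size in bytes; may be smaller than a page */
};

/* The page-granularity test: true whenever the access lands on the same
 * 4K page as the BAR, even when it falls outside the BAR itself. */
bool same_page(uint64_t bar_base, uint64_t addr)
{
    return (addr & ~(PAGE_SIZE - 1)) == (bar_base & ~(PAGE_SIZE - 1));
}

/* The stricter check: true only if [addr, addr + len) lies entirely inside
 * one of the BARs assigned to this guest. The end address is never formed
 * as addr + len, so a wrapping address cannot slip past the test. */
bool mmio_access_allowed(const struct assigned_bar *bars, size_t nbars,
                         uint64_t addr, uint64_t len)
{
    if (len == 0 || len > 8)            /* reject empty and oversized accesses */
        return false;
    for (size_t i = 0; i < nbars; i++) {
        if (addr < bars[i].base)
            continue;
        uint64_t off = addr - bars[i].base;   /* offset into this BAR */
        if (off < bars[i].size && len <= bars[i].size - off)
            return true;
    }
    return false;
}

/* Constructed from the quoted lspci output: Region 2 is 256 bytes at
 * d2101000, so the rest of that 4K page belongs to something else. */
static const struct assigned_bar guest_a_bars[] = {
    { .base = 0xd2101000ULL, .size = 256 },
};

bool guest_a_may_access(uint64_t addr, uint64_t len)
{
    return mmio_access_allowed(guest_a_bars,
                               sizeof guest_a_bars / sizeof guest_a_bars[0],
                               addr, len);
}
```

A 4-byte write at d2101100 passes same_page but fails mmio_access_allowed, which is the neighbouring-BAR case the reply describes.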