From: Klaus Jensen <its@irrelevant.dk>
To: Qiuhao Li <Qiuhao.Li@outlook.com>
Cc: "Laurent Vivier" <lvivier@redhat.com>,
"Peter Maydell" <peter.maydell@linaro.org>,
"Mauro Matteo Cascella" <mcascell@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
"Darren Kenny" <darren.kenny@oracle.com>,
"David Hildenbrand" <david@redhat.com>,
"Jason Wang" <jasowang@redhat.com>,
"Bin Meng" <bin.meng@windriver.com>,
"Li Qiang" <liq3ea@gmail.com>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
"Peter Xu" <peterx@redhat.com>,
"Eduardo Habkost" <eduardo@habkost.net>,
"Alexander Bulekov" <alxndr@bu.edu>,
"Bandan Das" <bsd@redhat.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Stefan Hajnoczi" <stefanha@redhat.com>,
"Edgar E . Iglesias" <edgar.iglesias@gmail.com>,
"Thomas Huth" <thuth@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>
Subject: Re: [RFC PATCH] memory: Fix dma-reentrancy issues at the MMIO level
Date: Fri, 17 Dec 2021 09:37:30 +0100 [thread overview]
Message-ID: <YbxMSpb7Eaiw0azn@apples> (raw)
In-Reply-To: <PN0PR01MB6352C2E496E5723275EB1878FC789@PN0PR01MB6352.INDPRD01.PROD.OUTLOOK.COM>
[-- Attachment #1: Type: text/plain, Size: 2487 bytes --]
On Dec 17 06:27, Qiuhao Li wrote:
> Thanks Alex. It seems this patch sets and checks if the destination device is busy. But how about the data transfers not triggered directly by PMIO/MMIO handlers? For example:
>
> 1. Device A Timer's callback -> Device A MMIO handler
> 2. Device A BH's callback -> Device A MMIO handler
>
> In these situations, when A launches a DMA to itself, the dev->engaged_in_direct_io is not set, so the operation is allowed. Maybe we should log the source and check the destination when we launch data transfers. Is there a way to do that?
>
> Below is a reproducer in NVMe which triggers DMA in a timer's callback (nvme_process_sq). I can still trigger use-after-free exception with this patch on qemu-6.1.0:
>
> cat << EOF | ./qemu-system-x86_64 -display none -machine accel=qtest \
> -machine q35 -nodefaults -drive file=null-co://,if=none,format=raw,id=disk0 \
> -device nvme,drive=disk0,serial=1 -qtest stdio \
>
> outl 0xcf8 0x80000810 /* MLBAR (BAR0) – Memory Register Base Address, lower 32-bits */
> outl 0xcfc 0xe0000000 /* MMIO Base Address = 0xe0000000 */
> outl 0xcf8 0x80000804 /* CMD - Command */
> outw 0xcfc 0x06 /* Bus Master Enable, Memory Space Enable */
> write 0xe0000024 0x4 0x02000200 /* [3] 3.1.8, Admin Queue Attributes */
> write 0xe0000028 0x4 0x00100000 /* asq = 0x1000 */
> write 0xe0000030 0x4 0x00200000 /* acq = 0x2000 */
> write 0xe0000014 0x4 0x01004600 /* [3] 3.1.5, Controller Configuration, start ctrl */
> write 0xe0001000 0x1 0x01 /* [3] 3.1.24, SQyTDBL – Submission Queue y Tail Doorbell */
> write 0x1000 0x1 0x02 /* cmd->opcode, NVME_ADM_CMD_GET_LOG_PAGE, nvme_get_log() */
> write 0x1018 0x4 0x140000e0 /* prp1 = 0xe0000014, NVME_REG_CC, nvme_ctrl_reset() */
> write 0x1028 0x4 0x03000004 /* cmd->cdw10, lid = 3 NVME_LOG_FW_SLOT_INFO, nvme_fw_log_info, buf_len = 4 */
> write 0x1030 0x4 0xfc010000 /* cmd->cdw12 = 0x1fc, Log Page Offset, trans_len = sizeof(fw_log) - 0x1fc = 4 */
> clock_step
> EOF
>
> CC: Mauro Matteo Cascella and Philippe Mathieu-Daudé. Should we put the reproducer above to https://gitlab.com/qemu-project/qemu/-/issues/556?
>
This is a good reproducer. Does it still work if you do the `write
0xe0001000 0x1 0x01` at the end instead? It looks weird that you ring
the doorbell prior to writing the command in the queue.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2021-12-17 8:44 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-17 3:08 [RFC PATCH] memory: Fix dma-reentrancy issues at the MMIO level Alexander Bulekov
2021-12-17 6:27 ` Qiuhao Li
2021-12-17 8:37 ` Klaus Jensen [this message]
2021-12-17 9:44 ` Mauro Matteo Cascella
2021-12-17 14:20 ` Alexander Bulekov
2021-12-17 13:58 ` Philippe Mathieu-Daudé
2021-12-17 14:30 ` Alexander Bulekov
2021-12-17 15:25 ` Philippe Mathieu-Daudé
2021-12-17 16:51 ` Alexander Bulekov
-- strict thread matches above, loose matches on Subject: below --
2021-12-17 8:51 Qiuhao Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YbxMSpb7Eaiw0azn@apples \
--to=its@irrelevant.dk \
--cc=Qiuhao.Li@outlook.com \
--cc=alxndr@bu.edu \
--cc=berrange@redhat.com \
--cc=bin.meng@windriver.com \
--cc=bsd@redhat.com \
--cc=darren.kenny@oracle.com \
--cc=david@redhat.com \
--cc=edgar.iglesias@gmail.com \
--cc=eduardo@habkost.net \
--cc=jasowang@redhat.com \
--cc=kraxel@redhat.com \
--cc=liq3ea@gmail.com \
--cc=lvivier@redhat.com \
--cc=mcascell@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=peterx@redhat.com \
--cc=philmd@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.