From: Alex Williamson <alex.williamson@redhat.com>
To: Andreas Hartmann <andihartmann@01019freenet.de>
Cc: Jan Kiszka <jan.kiszka@siemens.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
kvm@vger.kernel.org
Subject: Re: [PATCH] uio_pci_generic does not export memory resources
Date: Sat, 09 Jun 2012 10:55:36 -0600 [thread overview]
Message-ID: <1339260936.26976.182.camel@ul30vt> (raw)
In-Reply-To: <4FD3790E.2010808@01019freenet.de>
On Sat, 2012-06-09 at 18:25 +0200, Andreas Hartmann wrote:
> Alex Williamson wrote:
> > On Sat, 2012-06-09 at 11:28 +0200, Andreas Hartmann wrote:
>
> [...]
>
> >> What's the risk of this patch? Machine crash? Data loss for an active
> >> file in an application? Complete filesystem damage? The latter would be
> >> worse.
> >
> > What we're trying to prevent by testing whether devices support ACS is
> > peer-to-peer transactions that would not be translated via the IOMMU.
> > For instance, imagine if your WLAN controller behind 14.4 does a DMA
> > write to an address that happens to be within the MMIO resources of
> > device 14.2, the audio device.
>
> Why should it do that intentionally - I can't see any reason. Remains
> unintentionally. But that's already enough :-) .
We don't know the internal design of multifunction devices.
> > Instead of the transaction going up to
> > the IOMMU and resulting in a memory write, internal routing on device
> > 14.x results in that transaction being redirected to the 14.2. So
> > you're looking at potential data loss from the guest as well as
> > corrupting device state in the host.
>
> My guest does have no data. Besides that, the VM can be easily backuped
> before.
> The corrupting device state probably is limited to the devices behind
> the bridge. Correct?
No, we're talking about the multifunction device here. A legacy PCI bus
is always susceptible to this as it's a shared bus. Another device on
the bus can claim the transaction. The IOMMU also only has visibility
to the bridge devices, all devices behind it are masked. So the
difference we're looking at is whether 14.4 is grouped with all the
other devices on 14.x or not. Bus 6 will always be grouped with device
14.4. So then you have to consider what can happen if your guest that
owns 14.4 and bus 6 can corrupt the state of device 14.2 and how that
corrupted state could be propagated out to the host.
> >>> Hmm, I wonder if we should make a kernel boot parameter that allows
> >>> whitelisting some devices. I think it would have to taint the kernel
> >>> but there's probably sufficient interest for usability vs
> >>> supportability.
> >>
> >> Good idea. I would print an additional big fat warning of dataloss /
> >> filesystem damage / crash if this could be the case.
> >
> > Well, outlining the risk above makes me a little more nervous about
> > making such a config option, even if it taints the kernel, available so
> > easily... :^\
>
> That's true, too. Anyway, out of curiosity, if the corruption of the
> device states is limited to the devices behind the bridge, I'm going to
> test it. I hope that a hardware damage isn't possible by that action.
Hardware damage should not be possible, but the interactions would be
between host and guest as noted above. Thanks,
Alex
next prev parent reply other threads:[~2012-06-09 16:55 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-06-08 11:56 [PATCH] uio_pci_generic does not export memory resources Dominic Eschweiler
2012-06-08 13:03 ` Michael S. Tsirkin
2012-06-08 13:16 ` Jan Kiszka
2012-06-08 14:16 ` Alex Williamson
2012-06-08 14:47 ` Dominic Eschweiler
2012-06-08 15:06 ` Alex Williamson
2012-06-08 16:16 ` Andreas Hartmann
2012-06-08 16:41 ` Alex Williamson
2012-06-09 9:28 ` Andreas Hartmann
2012-06-09 14:50 ` Alex Williamson
2012-06-09 16:25 ` Andreas Hartmann
2012-06-09 16:55 ` Alex Williamson [this message]
2012-06-10 7:21 ` Andreas Hartmann
2012-06-10 19:12 ` Andreas Hartmann
2012-06-10 14:12 ` Michael S. Tsirkin
2012-06-08 16:44 ` Hans J. Koch
2012-06-08 16:59 ` Jan Kiszka
2012-06-08 17:11 ` Alex Williamson
2012-06-10 14:18 ` Michael S. Tsirkin
2012-06-10 16:09 ` Alex Williamson
2012-06-10 16:44 ` Michael S. Tsirkin
2012-06-10 17:38 ` Alex Williamson
2012-06-10 18:43 ` Michael S. Tsirkin
2012-06-10 19:00 ` Michael S. Tsirkin
2012-06-10 19:11 ` Hans J. Koch
2012-06-10 19:16 ` Michael S. Tsirkin
2012-06-10 20:19 ` Hans J. Koch
2012-06-10 19:01 ` Hans J. Koch
2012-06-08 14:28 ` Dominic Eschweiler
2012-06-08 15:18 ` Hans J. Koch
2012-06-08 15:45 ` Dominic Eschweiler
2012-06-08 15:57 ` Hans J. Koch
2012-06-08 16:23 ` Dominic Eschweiler
2012-06-08 16:37 ` Hans J. Koch
2012-06-08 17:07 ` Dominic Eschweiler
2012-06-08 17:11 ` Hans J. Koch
2012-06-08 16:39 ` Michael S. Tsirkin
2012-06-08 16:07 ` Hans J. Koch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1339260936.26976.182.camel@ul30vt \
--to=alex.williamson@redhat.com \
--cc=andihartmann@01019freenet.de \
--cc=jan.kiszka@siemens.com \
--cc=kvm@vger.kernel.org \
--cc=mst@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox