Re: PCI passthrough resource remapping

[Avi Kivity <avi@redhat.com>]

On 01/14/2010 09:34 PM, Ryan C. Underwood wrote:
> On Thu, Jan 14, 2010 at 09:09:32PM +0200, Avi Kivity wrote:
>    
>> PCI cards can access system memory directly.  If you assign a card
>> to a guest, the guest will program the card to transfer data to
>> system memory using guest addresses; since guest addresses don't
>> correspond to host addresses, memory corruption will ensue.
>>      
> I see, so the only way to fix this would be either with a special guest
> driver for the device that does not perform DMA, or if that is
> impossible (due to no docs), to trap and rewrite any command writes to
> the device's MMIO region that reference a DMA write target buffer.
>
> Forgive my ignorance, but is it possible that the latter is already
> possible with qemu-kvm (somewhat like hardware memory breakpoints in
> Soft-ICE)?
>
>    

Yes, you can easily trap mmio writes to a device, and in fact kvm does 
this in some non-default scenarios.

> If qemu-kvm can be made to break and log on PCI memory accesses, I would
> then hack around the safety limitations, assuming that's all they are,
> and analyze the PCI writes one by one to find the cases where a physical
> address is passed to the card.
>
> Then I would perform the IOMMU translation myself in software whenever a
> physmem address shows up in the command stream.  (Somewhat like the
> security validation of a 3D graphics card command stream in the DRM.)
>
>    

That's definitely doable, but you would need to know exactly how the 
device does dma.  You would also need to lock all pages into memory 
(mlockall()) and how pages are mapped (/proc/$pid/pagemap?)

-- 
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.