From: David Hildenbrand <david@redhat.com>
Organization: Red Hat
To: Dan Williams
Cc: Linux Kernel Mailing List, Arnd Bergmann, Greg Kroah-Hartman, "Michael S. Tsirkin", Jason Wang, "Rafael J. Wysocki", Andrew Morton, Hanjun Guo, Andy Shevchenko, virtualization@lists.linux-foundation.org, Linux MM
Subject: Re: [PATCH v2 1/3] /dev/mem: disallow access to explicitly excluded system RAM regions
Date: Wed, 25 Aug 2021 09:23:02 +0200
References: <20210816142505.28359-1-david@redhat.com> <20210816142505.28359-2-david@redhat.com>

On 25.08.21 02:58, Dan Williams wrote:
> On Mon, Aug 16, 2021 at 7:25 AM David Hildenbrand <david@redhat.com> wrote:
>>
>> virtio-mem dynamically exposes memory inside a device memory region as
>> system RAM to Linux, coordinating with the hypervisor which parts are
>> actually "plugged" and consequently usable/accessible. On the one hand, the
>> virtio-mem driver adds/removes whole memory blocks, creating/removing busy
>> IORESOURCE_SYSTEM_RAM resources, on the other hand, it logically (un)plugs
>> memory inside added memory blocks, dynamically either exposing them to
>> the buddy or hiding them from the buddy and marking them PG_offline.
>>
>> virtio-mem wants to make sure that in a sane environment, nobody
>> "accidentally" accesses unplugged memory inside the device managed
>> region. After /proc/kcore has been sanitized and /dev/kmem has been
>> removed, /dev/mem is the remaining interface that still allows uncontrolled
>> access to the device-managed region of virtio-mem devices from user
>> space.
>>
>> There is no known sane use case for mapping virtio-mem device memory
>> via /dev/mem while virtio-mem driver concurrently (un)plugs memory inside
>> that region. So once the driver was loaded and detected the device
>> along the device-managed region, we just want to disallow any access via
>> /dev/mem to it.
>>
>> Let's add the basic infrastructure to exclude some physical memory
>> regions completely from /dev/mem access, on any architecture and under
>> any system configuration (independent of CONFIG_STRICT_DEVMEM and
>> independent of "iomem=").
>
> I'm certainly on team "/dev/mem considered harmful", but this approach
> feels awkward. It feels wrong for being non-committal about whether
> CONFIG_STRICT_DEVMEM is in wide enough use that the safety can be
> turned on all the time, and the configuration option dropped, or there
> are users clinging onto /dev/mem where they expect to be able to build
> a debug kernel to turn all of these restrictions off, even the
> virtio-mem ones. This splits the difference and says some /dev/mem
> accesses are always disallowed for "reasons", but I could say the same
> thing about pmem, there's no sane reason to allow /dev/mem which has
> no idea about the responsibilities of properly touching pmem to get
> access to it.

For virtio-mem, there is no use case *and* access could be harmful; I
don't even want to allow it for debugging purposes. If you want to
inspect virtio-mem device memory content, use /proc/kcore, which
performs proper synchronized access checks. Modifying random virtio-mem
memory via /dev/mem in a debug kernel will not be possible: if you
really have to play with fire, use kdb or better don't load the
virtio-mem driver during boot, such that the kernel won't even be making
use of device memory.

I don't want people disabling CONFIG_STRICT_DEVMEM, or booting with
"iomem=relaxed", and "accidentally" accessing any of virtio-mem memory
via /dev/mem, while it gets concurrently plugged/unplugged by the
virtio-mem driver. Not even for debugging purposes.

We disallow mapping to some other regions independent of
CONFIG_STRICT_DEVMEM already, so the idea to ignore CONFIG_STRICT_DEVMEM
is not completely new:

"Note that with PAT support enabled, even in this case there are
restrictions on /dev/mem use due to the cache aliasing requirements."

Maybe you even want to do something similar with PMEM now that there is
infrastructure for it and just avoid having to deal with revoking
/dev/mem mappings later.

I think there are weird debugging/educational setups [1] that still
require CONFIG_STRICT_DEVMEM=n even with iomem=relaxed. Take a look at
lib/devmem_is_allowed.c:devmem_is_allowed(), it disallows any access to
(what's currently added as) System RAM. It might just do what people
want when dealing with system RAM that doesn't suddenly vanish, so I
don't ultimately see why we should remove CONFIG_STRICT_DEVMEM=n.
[1] https://bakhi.github.io/devmem/

Thanks!

-- 
Thanks,
David / dhildenb
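The access policy the thread argues about, as an added user-space model that is not part of the patch or of the mail: it parses a constructed /proc/iomem-style listing and applies, per page frame, the two checks discussed above, the patch's "explicitly excluded region is always denied" rule on top of the existing devmem_is_allowed() rule that CONFIG_STRICT_DEVMEM=y denies System RAM. The listing, the region named "virtio-mem device", and the per-region `excluded` flag are assumptions made for the example; the real driver marks its resources differently.

```python
# Added example (not from the patch or the thread): a user-space model of
# the /dev/mem page-access policy discussed in the mail. Per physical page:
#   1. explicitly excluded regions are always denied (the patch's new rule);
#   2. with CONFIG_STRICT_DEVMEM=y, "System RAM" is denied
#      (what lib/devmem_is_allowed.c:devmem_is_allowed() does);
#   3. everything else is allowed.
# Assumptions: the listing below is constructed, and exclusion is modelled
# as a per-region flag derived from the region name.
import re
from dataclasses import dataclass
from typing import List, Optional

PAGE_SHIFT = 12  # 4 KiB pages


@dataclass(frozen=True)
class Region:
    start: int      # first physical address
    end: int        # last physical address (inclusive, as /proc/iomem prints it)
    name: str
    excluded: bool  # assumption: "excluded from /dev/mem" marker


# Constructed /proc/iomem-style sample; addresses are not from a real machine.
SAMPLE_IOMEM = """\
00000000-00000fff : Reserved
00001000-0009fbff : System RAM
000a0000-000bffff : PCI Bus 0000:00
00100000-3fffffff : System RAM
  01000000-01ffffff : Kernel code
40000000-4fffffff : virtio-mem device
  40000000-43ffffff : System RAM
80000000-8fffffff : 0000:00:02.0
"""

# Assumption: regions carrying this name have been excluded by the driver.
EXCLUDED_NAMES = frozenset({"virtio-mem device"})

_LINE_RE = re.compile(r"^\s*([0-9a-fA-F]+)-([0-9a-fA-F]+)\s*:\s*(.+?)\s*$")


def parse_iomem(text: str, excluded_names=frozenset()) -> List[Region]:
    """Flatten a /proc/iomem-style listing; nesting depth is irrelevant here."""
    regions = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        name = m.group(3)
        regions.append(Region(int(m.group(1), 16), int(m.group(2), 16),
                              name, name in excluded_names))
    return regions


def devmem_is_allowed(pfn: int, regions: List[Region],
                      strict_devmem: bool = True) -> bool:
    """Policy for one page frame, in the order the rules above are applied."""
    phys = pfn << PAGE_SHIFT
    hits = [r for r in regions if r.start <= phys <= r.end]
    # Rule 1: an excluded region wins over every configuration knob.
    if any(r.excluded for r in hits):
        return False
    # Rule 2: CONFIG_STRICT_DEVMEM keeps /dev/mem away from System RAM.
    if strict_devmem and any(r.name == "System RAM" for r in hits):
        return False
    # Rule 3: device memory, PCI BARs and holes remain reachable.
    return True


def first_denied_pfn(start_pfn: int, nr_pages: int, regions: List[Region],
                     strict_devmem: bool = True) -> Optional[int]:
    """Walk a mapping request page by page and report the first frame the
    policy rejects (None if every page is allowed)."""
    for pfn in range(start_pfn, start_pfn + nr_pages):
        if not devmem_is_allowed(pfn, regions, strict_devmem):
            return pfn
    return None


if __name__ == "__main__":
    regs = parse_iomem(SAMPLE_IOMEM, EXCLUDED_NAMES)
    for pfn in (0xa0, 0x100, 0x40000, 0x44000, 0x80000):
        print(f"pfn {pfn:#x}: strict={devmem_is_allowed(pfn, regs)} "
              f"non-strict={devmem_is_allowed(pfn, regs, strict_devmem=False)}")
```

The model deliberately has no iomem=relaxed knob: as the mail states, the new exclusion is independent of "iomem=", and devmem_is_allowed() denies System RAM under CONFIG_STRICT_DEVMEM=y even with iomem=relaxed. The unplugged part of the sample device region (0x44000000 upwards, which no child "System RAM" entry covers) is where an unchecked /dev/mem mapping would otherwise race the driver, and rule 1 rejects it whether or not the kernel was built strict.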