qemu-devel.nongnu.org archive mirror
From: Alex Williamson <alex.williamson@redhat.com>
To: Zhou Jie <zhoujie2011@cn.fujitsu.com>
Cc: Chen Fan <fan.chen@easystack.cn>,
	mst@redhat.com, qemu-devel@nongnu.org, caoj.fnst@cn.fujitsu.com,
	izumi.taku@jp.fujitsu.com
Subject: Re: [Qemu-devel] [PATCH v8 11/12] vfio: register aer resume notification handler for aer resume
Date: Wed, 22 Jun 2016 09:42:36 -0600
Message-ID: <20160622094236.515549fa@t450s.home>
In-Reply-To: <468b752b-a161-902b-d4cc-489dfa18c21e@cn.fujitsu.com>

On Wed, 22 Jun 2016 15:49:41 +0800
Zhou Jie <zhoujie2011@cn.fujitsu.com> wrote:

> Hi Alex,
> 
> On 2016/6/22 13:45, Zhou Jie wrote:
> > Hi Alex,
> >  
> >>>
> >>> In vfio I have some questions.
> >>> 1. How can I disable the access by mmap?
> >>>     We can disable all access to vfio fd by returning an EAGAIN error
> >>>     if the user tries to access it during the reset period until the host
> >>>     reset finished.
> >>>     But about the bar region which is mapped by vfio_pci_mmap.
> >>>     How can I disable it in vfio driver?
> >>>     Even there is a way to do it,
> >>>     how about the complexity to recover the mmap?
> >>
> >> That's exactly the "sticky point" I refer to above, you'd need to
> >> solve that problem.  MST would probably still argue that we don't need
> >> to disable all those interfaces, a userspace driver can already do
> >> things like disable mmio space and then attempt to read from the mmio
> >> space of the device.  
> > You said we should not depend on user to protect the device
> >  from being accessed during the reset period.
> >  
> >> So maybe the problem can be simplified to
> >> non-device specific interfaces, like config space access plus ioctls.  
> > I don't understand what you mean.
> 
> When a fatal aer error occurs the process is as follows.
> For host
>     aer driver detect aer error
> -> vfio driver send aer error
> -> aer driver reset bus
> -> qemu report aer error  
> For guest
> -> aer driver detect aer error
> -> aer driver reset bus
> -> device driver maybe disable device  
> 
> I am not sure if all the device drivers disable the device
> when a fatal aer error occurs.
> Should we depend on the guest device driver to protect the device
> from being accessed during the reset period?

We should never depend on the guest driver to behave in a certain way,
but we need to prioritize what that actually means.  vfio in the kernel
has a responsibility first and foremost to the host kernel.  User owned
devices cannot be allowed to exploit or interfere with the host
regardless of user behavior.  The next priority is correct operation
for the user.  When the host kernel is handling the AER event between
the error and resume notifies, it doesn't have device specific drivers,
it's manipulating the device as a generic PCI device.  That makes me
think that vfio should not allow the user to interact (interfere) with
the device during that process and that such interference can be
limited to standard PCI level interactions.  That means config space,
and things that operate on config space (like interrupt ioctls and
resets).  On the QEMU side, we've sent a notification that an error
occurred, how the user and the guest respond to that is beyond the
concern of vfio in the kernel.  If the user/guest driver continues to
interact with resources on the device, that's fine, but I think vfio in
the kernel does need to prevent the user from interfering with the PCI
state of the device for that brief window when we know the host kernel
is operating on the device.  Otherwise the results are unpredictable
and therefore unsupportable.  Does that make sense?  Thanks,

Alex
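
The gating described in this message, as an added example that is not code from the thread or from vfio: a userspace C model in which config-space access and the ioctls that operate on config space fail with -EAGAIN between the error and resume notifications, while BAR access is left alone. All type, enum and function names are hypothetical; -EAGAIN is the error value suggested in the quoted question.

```c
/* Userspace model only, not kernel code. Every name here is hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum region { REGION_BAR0, REGION_CONFIG };
enum dev_ioctl { IOCTL_GET_INFO, IOCTL_SET_IRQS, IOCTL_RESET };

struct model_dev {
    bool aer_window;      /* true between the error and resume notifies */
    uint8_t config[256];  /* standard PCI config space */
    uint8_t bar0[256];    /* device-specific resource (BAR) */
};

/* Host AER handling begins: the host drives the device as generic PCI. */
void model_error_detected(struct model_dev *d) { d->aer_window = true; }
/* Host AER handling is done: the user may touch PCI state again. */
void model_resume(struct model_dev *d) { d->aer_window = false; }

/* read()/write() path on the device fd; only config space is gated. */
int model_rw(struct model_dev *d, enum region r, unsigned off,
             uint8_t *buf, unsigned len, bool write)
{
    uint8_t *base = (r == REGION_CONFIG) ? d->config : d->bar0;
    if (off > 256 || len > 256 - off)
        return -EINVAL;
    if (r == REGION_CONFIG && d->aer_window)
        return -EAGAIN;   /* host owns the PCI state during this window */
    if (write)
        memcpy(base + off, buf, len);
    else
        memcpy(buf, base + off, len);
    return (int)len;
}

/* ioctls that operate on config space (interrupt setup, reset) are gated. */
int model_ioctl(struct model_dev *d, enum dev_ioctl cmd)
{
    bool touches_pci_state = (cmd == IOCTL_SET_IRQS || cmd == IOCTL_RESET);
    return (touches_pci_state && d->aer_window) ? -EAGAIN : 0;
}

int main(void)
{
    struct model_dev d = {0};
    uint8_t v = 0;
    model_error_detected(&d);
    return model_rw(&d, REGION_CONFIG, 4, &v, 1, false) == -EAGAIN ? 0 : 1;
}
```

The model leaves the mmap'd BAR path ungated on purpose, matching the message's point that continued access to device resources is the user's concern while PCI-level state is the host's.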
