From: Anthony Liguori <anthony@codemonkey.ws>
To: Marcelo Tosatti <mtosatti@redhat.com>
Cc: quintela@redhat.com, "Michael S. Tsirkin" <mst@redhat.com>,
qemu-devel@nongnu.org, kraxel@redhat.com, amit.shah@redhat.com,
Paul Brook <paul@codesourcery.com>
Subject: Re: [Qemu-devel] Re: [PATCHv2 10/12] tap: add vhost/vhostfd options
Date: Tue, 02 Mar 2010 10:56:48 -0600
Message-ID: <4B8D4350.6040506@codemonkey.ws>
In-Reply-To: <20100302161247.GA25371@amt.cnet>

On 03/02/2010 10:12 AM, Marcelo Tosatti wrote:
> On Sun, Feb 28, 2010 at 02:57:56PM -0600, Anthony Liguori wrote:
>
>> On 02/28/2010 11:19 AM, Michael S. Tsirkin wrote:
>>
>>>> Both have security implications so I think it's important that they
>>>> be addressed. Otherwise, I'm pretty happy with how things are.
>>>>
>>> Care suggesting some solutions?
>>>
>> The obvious thing to do would be to use the memory notifier in vhost
>> to keep track of whenever something remaps the ring's memory region
>> and if that happens, issue an ioctl to vhost to change the location
>> of the ring. Also, you would need to merge the vhost slot
>> management code with the KVM slot management code.
>>
> There are no security implications as long as vhost uses the qemu
> process mappings.
>
There potentially are within a guest. If a guest can trigger a qemu bug
that results in qemu writing to a different location than what the guest
told it to write, malicious software may use this to escalate its
privileges within a guest.

>> cpu_ram_add() never gets called with overlapping regions. We'll
>> modify cpu_register_physical_memory() to ensure that a ram mapping
>> is never changed after initial registration.
>>
> What is the difference between your proposal and
> cpu_physical_memory_map?
>
cpu_physical_memory_map() has the following semantics:

- it always returns a transient mapping
- it may (transparently) bounce
- it may fail to bounce, caller must deal

The new function I'm proposing has the following semantics:

- it always returns a persistent mapping
- it never bounces
- it will only fail if the mapping isn't ram

A caller can use the new function to implement an optimization to force
the device to only work with real ram. IOW, this is something we can
use in virtio, but very little else. cpu_physical_memory_map can be
used in more circumstances.

> What I'd like to see is binding between cpu_physical_memory_map and qdev
> devices, so that you can use different host memory mappings for device
> context and for CPU context (and provide the possibility for, say, map
> a certain memory region as read-only).
>
We really want per-bus mappings. At the lowest level, we'll have
sysbus_memory_map() but we'll also have pci_memory_map(),
virtio_memory_map(), etc.

Nothing should ever call cpu_physical_memory_map() directly.

Regards,
Anthony Liguori
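
Added example, not part of the original message and not QEMU code: a toy C model contrasting the two sets of mapping semantics listed in the message. Every name here (toy_map_transient, toy_map_persistent, the region table) and the single bounce buffer are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy guest-physical address space, constructed for this example (not QEMU code). */
enum kind { TOY_RAM, TOY_MMIO };
struct region { uint64_t gpa, len; enum kind kind; uint8_t *host; };

static uint8_t ram0[4096], ram1[4096], bounce[4096];
static int bounce_busy;                 /* one bounce buffer: a modelling assumption */
static struct region regions[] = {
    { 0x0000, 4096, TOY_RAM,  ram0 },
    { 0x1000, 4096, TOY_MMIO, NULL },   /* device registers: no host backing */
    { 0x2000, 4096, TOY_RAM,  ram1 },
};

static struct region *toy_find(uint64_t gpa) {
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++)
        if (gpa >= regions[i].gpa && gpa - regions[i].gpa < regions[i].len)
            return &regions[i];
    return NULL;
}

/* Transient semantics: may bounce transparently, may fail to bounce. */
void *toy_map_transient(uint64_t gpa, uint64_t *len, int *bounced) {
    struct region *r = toy_find(gpa);
    if (!r) return NULL;
    uint64_t avail = r->len - (gpa - r->gpa);
    if (*len > avail) *len = avail;     /* mapping is clipped to the region */
    *bounced = (r->kind != TOY_RAM);
    if (!*bounced) return r->host + (gpa - r->gpa);
    if (bounce_busy) return NULL;       /* caller must handle this failure */
    bounce_busy = 1;
    return bounce;
}

void toy_unmap_transient(void *p) { if (p == bounce) bounce_busy = 0; }

/* Persistent semantics: a direct pointer into RAM or NULL, never a bounce. */
void *toy_map_persistent(uint64_t gpa, uint64_t len) {
    struct region *r = toy_find(gpa);
    if (!r || r->kind != TOY_RAM) return NULL;
    if (len > r->len - (gpa - r->gpa)) return NULL;   /* range leaves RAM */
    return r->host + (gpa - r->gpa);
}

int main(void) {
    printf("ring in RAM:  %s\n", toy_map_persistent(0x2000, 256) ? "mapped" : "rejected");
    printf("ring in MMIO: %s\n", toy_map_persistent(0x1000, 256) ? "mapped" : "rejected");
}
```

In this model a ring address that lands on the MMIO region is rejected outright by the persistent mapper, while the transient mapper hands back a bounce buffer whose contents are only valid until unmap.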