From: Markus Armbruster <armbru@redhat.com>
To: Akihiko Odaki <akihiko.odaki@daynix.com>
Cc: qemu-devel@nongnu.org, qemu-block@nongnu.org,
qemu-arm@nongnu.org,
Alex Williamson <alex.williamson@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
Marcel Apfelbaum <marcel.apfelbaum@gmail.com>,
Gerd Hoffmann <kraxel@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Richard Henderson <richard.henderson@linaro.org>,
Eduardo Habkost <eduardo@habkost.net>,
John Snow <jsnow@redhat.com>,
Dmitry Fleytman <dmitry.fleytman@gmail.com>,
Jason Wang <jasowang@redhat.com>, Stefan Weil <sw@weilnetz.de>,
Keith Busch <kbusch@kernel.org>,
Klaus Jensen <its@irrelevant.dk>,
Peter Maydell <peter.maydell@linaro.org>,
Andrey Smirnov <andrew.smirnov@gmail.com>,
Paul Burton <paulburton@kernel.org>,
Aleksandar Rikalo <aleksandar.rikalo@syrmia.com>
Subject: Re: [PATCH v2] pci: Assert that capabilities never overlap
Date: Mon, 05 Sep 2022 11:26:34 +0200
Message-ID: <875yi2mat1.fsf@pond.sub.org>
In-Reply-To: <CAE=JJXdg=Miisek8WeqQ12NqL8obzmuyzD0mbv1SfiJTyVBLuw@mail.gmail.com> (Akihiko Odaki's message of "Sun, 4 Sep 2022 16:06:55 +0900")

Akihiko Odaki <akihiko.odaki@daynix.com> writes:

> On Fri, Sep 2, 2022 at 7:23 PM Markus Armbruster <armbru@redhat.com> wrote:
>>
>> Akihiko Odaki <akihiko.odaki@daynix.com> writes:
>>
>> > pci_add_capability appears in most PCI devices. Its error handling required
>> > lots of code, and led to inconsistent behaviors such as:
>> > - passing error_abort
>> > - passing error_fatal
>> > - asserting the returned value
>> > - propagating the error to the caller
>> > - skipping the rest of the function
>> > - just ignoring
>> >
>> > The code generating errors in pci_add_capability had a comment which
>> > says:
>> >> Verify that capabilities don't overlap. Note: device assignment
>> >> depends on this check to verify that the device is not broken.
>> >> Should never trigger for emulated devices, but it's helpful for
>> >> debugging these.
>> >
>> > Indeed vfio has some code that passes capability offsets and sizes from
>> > a physical device, but it explicitly pays attention so that the
>> > capabilities never overlap.
>>
>> I can't see that at a glance. Can you give me a clue?
>>
>> > Therefore, we can always assert that
>> > capabilities never overlap when pci_add_capability is called, resolving
>> > these inconsistencies.
>> >
>> > Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
>>
>
> Looking at vfio_add_std_cap(), and vfio_add_ext_cap() it seems that
> they are clipping the size of capabilities so that they do not
> overlap, if I read it correctly.

If we want to deal gracefully with buggy physical devices, we need to
treat pdev->config[] as untrusted input.

As far as I can tell:

* vfio_add_capabilities() replicates the physical device's capabilities
  (starting at pdev->config[PCI_CAPABILITY_LIST]) in the virtual device.

* vfio_add_std_cap() is a helper to add the tail starting at
  pdev->config[pos].

Could the physical device's capabilities overlap? If yes, what would
happen before and after your series?
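
What treating pdev->config[] as untrusted input can look like when walking a capability list, as an added example that is not part of this message and is not QEMU's code. The function names, the simplified cap_size() table and the constructed config images are assumptions made for the illustration.

```c
#include <stdint.h>
#include <string.h>

#define CFG_SIZE     256   /* conventional PCI config space */
#define CFG_HDR_END  0x40  /* capabilities must sit past the standard header */
#define CAP_LIST_PTR 0x34  /* PCI_CAPABILITY_LIST */
enum { CAP_ERR_RANGE = -1, CAP_ERR_LOOP = -2, CAP_ERR_OVERLAP = -3 };

/* Simplified size table (assumption); real code also inspects flag bits. */
static unsigned cap_size(uint8_t id) {
    switch (id) {
    case 0x01: return 8;   /* Power Management */
    case 0x11: return 12;  /* MSI-X */
    default:   return 2;   /* just ID + next pointer */
    }
}

/* Walk the list in an untrusted config image.
 * Returns the number of capabilities, or a negative CAP_ERR_* code. */
int check_cap_list(const uint8_t *cfg) {
    uint8_t used[CFG_SIZE] = {0};   /* 1 = body byte, 2 = capability start */
    unsigned pos = cfg[CAP_LIST_PTR] & 0xfc;
    int n = 0;
    while (pos) {
        unsigned size = cap_size(cfg[pos]);
        if (pos < CFG_HDR_END || pos + size > CFG_SIZE) return CAP_ERR_RANGE;
        if (used[pos] == 2) return CAP_ERR_LOOP;   /* next pointer cycles back */
        for (unsigned i = 0; i < size; i++) {
            if (used[pos + i]) return CAP_ERR_OVERLAP;
            used[pos + i] = 1;
        }
        used[pos] = 2;
        n++;
        pos = cfg[pos + 1] & 0xfc;  /* next pointer, low two bits reserved */
    }
    return n;
}

/* Constructed sample: PM capability at 0x40 linking to MSI-X at `second`. */
void make_sample(uint8_t *cfg, uint8_t second, uint8_t second_next) {
    memset(cfg, 0, CFG_SIZE);
    cfg[CAP_LIST_PTR] = 0x40;
    cfg[0x40] = 0x01; cfg[0x41] = second;
    cfg[second] = 0x11; cfg[second + 1] = second_next;
}

int main(void) {
    uint8_t cfg[CFG_SIZE];
    make_sample(cfg, 0x44, 0);      /* MSI-X starts inside the 8-byte PM cap */
    return check_cap_list(cfg) == CAP_ERR_OVERLAP ? 0 : 1;
}
```

Because every iteration either returns or marks a new start offset, the walk terminates even when the next pointers form a cycle.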