From: Li Qiang <liq3ea@gmail.com>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Cc: "Peter Maydell" <peter.maydell@linaro.org>,
"Michael S. Tsirkin" <mst@redhat.com>,
"Jason Wang" <jasowang@redhat.com>,
"Mark Cave-Ayland" <mark.cave-ayland@ilande.co.uk>,
"Qemu Developers" <qemu-devel@nongnu.org>,
"Peter Xu" <peterx@redhat.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Edgar E. Iglesias" <edgar.iglesias@gmail.com>,
"Eduardo Habkost" <ehabkost@redhat.com>,
"Edgar E . Iglesias" <edgar.iglesias@xilinx.com>,
qemu-block@nongnu.org, "Li Qiang" <liq3ea@163.com>,
"Emilio G . Cota" <cota@braap.org>,
"Joel Stanley" <joel@jms.id.au>,
"David Gibson" <david@gibson.dropbear.id.au>,
"Laszlo Ersek" <lersek@redhat.com>,
"Robert Foley" <robert.foley@linaro.org>,
"Alistair Francis" <alistair@alistair23.me>,
"Richard Henderson" <richard.henderson@linaro.org>,
"Beniamino Galvani" <b.galvani@gmail.com>,
"Eric Auger" <eric.auger@redhat.com>,
qemu-arm@nongnu.org, "Peter Chubb" <peter.chubb@nicta.com.au>,
"Cédric Le Goater" <clg@kaod.org>,
"Stefan Hajnoczi" <stefanha@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"John Snow" <jsnow@redhat.com>,
"Richard Henderson" <rth@twiddle.net>,
"Tony Nguyen" <tony.nguyen@bt.com>,
"Prasad J Pandit" <pjp@fedoraproject.org>,
"Alexander Bulekov" <alxndr@bu.edu>,
"Andrew Jeffery" <andrew@aj.id.au>,
"Klaus Jensen" <k.jensen@samsung.com>,
"Emanuele Giuseppe Esposito" <e.emanuelegiuseppe@gmail.com>,
"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
"Andrew Baumann" <Andrew.Baumann@microsoft.com>,
qemu-ppc@nongnu.org, "Jan Kiszka" <jan.kiszka@web.de>
Subject: Re: [RFC PATCH 00/12] hw: Forbid DMA write accesses to MMIO regions
Date: Sat, 5 Sep 2020 10:27:09 +0800 [thread overview]
Message-ID: <CAKXe6S+v4z_PYbZ6MMzEZk7Q0Qc+q9tzL+a8918U_-XR=aj7RA@mail.gmail.com> (raw)
In-Reply-To: <20200903110831.353476-1-philmd@redhat.com>
Philippe Mathieu-Daudé <philmd@redhat.com> 于2020年9月3日周四 下午7:09写道:
>
> Hi,
>
> I'm not suppose to work on this but I couldn't sleep so kept
> wondering about this problem the whole night and eventually
> woke up to write this quickly, so comments are scarce, sorry.
>
> The first part is obvious anyway, simply pass MemTxAttrs argument.
>
> The main patch is:
> "exec/memattrs: Introduce MemTxAttrs::direct_access field".
> This way we can restrict accesses to ROM/RAM by setting the
> 'direct_access' field. Illegal accesses return MEMTX_BUS_ERROR.
>
> Next patch restrict PCI DMA accesses by setting the direct_access
> field.
>
> Finally we add an assertion for any DMA write access to indirect
> memory to kill a class of bug recently found by Alexander while
> fuzzing.
>
Hi Philippe,
I have reviewed your patches.
Your patch just deny the DMA write to MMIO for PCI device.
1. The DMA write to MMIO is allowed for P2P. Unconditionally deny
is not right I think. Maybe we can add some flag for the device as property
so the device can indicate whether it supports DMA to MMIO.
But this method needs define we should apply the restrict to
DMA to MMIO initiator or target. If the target, we need to find the
target PCI device.
2. I think the MMIO read maybe also suffers the reentrant issue If the
MMIO read handler
does complicated work.
3. As your patch just consider the PCI case. This reentrant is quite
complicated if we consider
the no-PCI the qemu_irq cases. I agree to address the PCI cases first.
Thanks,
Li Qiang
> Regards,
>
> Phil.
>
> Klaus Jensen (1):
> pci: pass along the return value of dma_memory_rw
>
> Philippe Mathieu-Daudé (11):
> dma: Let dma_memory_valid() take MemTxAttrs argument
> dma: Let dma_memory_set() take MemTxAttrs argument
> dma: Let dma_memory_rw_relaxed() take MemTxAttrs argument
> dma: Let dma_memory_rw() take MemTxAttrs argument
> dma: Let dma_memory_read/write() take MemTxAttrs argument
> dma: Let dma_memory_map() take MemTxAttrs argument
> docs/devel/loads-stores: Add regexp for DMA functions
> dma: Let load/store DMA functions take MemTxAttrs argument
> exec/memattrs: Introduce MemTxAttrs::direct_access field
> hw/pci: Only allow PCI slave devices to write to direct memory
> dma: Assert when device writes to indirect memory (such MMIO regions)
>
> docs/devel/loads-stores.rst | 2 ++
> include/exec/memattrs.h | 3 ++
> include/hw/pci/pci.h | 21 ++++++++++---
> include/hw/ppc/spapr_vio.h | 26 +++++++++------
> include/sysemu/dma.h | 59 +++++++++++++++++++++--------------
> dma-helpers.c | 12 ++++---
> exec.c | 8 +++++
> hw/arm/musicpal.c | 13 ++++----
> hw/arm/smmu-common.c | 3 +-
> hw/arm/smmuv3.c | 14 ++++++---
> hw/core/generic-loader.c | 3 +-
> hw/display/virtio-gpu.c | 8 +++--
> hw/dma/pl330.c | 12 ++++---
> hw/dma/sparc32_dma.c | 16 ++++++----
> hw/dma/xlnx-zynq-devcfg.c | 6 ++--
> hw/dma/xlnx_dpdma.c | 10 +++---
> hw/hyperv/vmbus.c | 8 +++--
> hw/i386/amd_iommu.c | 16 +++++-----
> hw/i386/intel_iommu.c | 28 ++++++++++-------
> hw/ide/ahci.c | 9 ++++--
> hw/ide/macio.c | 2 +-
> hw/intc/pnv_xive.c | 7 +++--
> hw/intc/spapr_xive.c | 3 +-
> hw/intc/xive.c | 7 +++--
> hw/misc/bcm2835_property.c | 3 +-
> hw/misc/macio/mac_dbdma.c | 10 +++---
> hw/net/allwinner-sun8i-emac.c | 21 ++++++++-----
> hw/net/ftgmac100.c | 25 +++++++++------
> hw/net/imx_fec.c | 32 ++++++++++++-------
> hw/nvram/fw_cfg.c | 16 ++++++----
> hw/pci-host/pnv_phb3.c | 5 +--
> hw/pci-host/pnv_phb3_msi.c | 9 ++++--
> hw/pci-host/pnv_phb4.c | 7 +++--
> hw/sd/allwinner-sdhost.c | 14 +++++----
> hw/sd/sdhci.c | 35 +++++++++++++--------
> hw/usb/hcd-dwc2.c | 8 ++---
> hw/usb/hcd-ehci.c | 6 ++--
> hw/usb/hcd-ohci.c | 28 ++++++++++-------
> hw/usb/libhw.c | 3 +-
> hw/virtio/virtio.c | 6 ++--
> trace-events | 1 +
> 41 files changed, 334 insertions(+), 191 deletions(-)
>
> --
> 2.26.2
>
>
next prev parent reply other threads:[~2020-09-05 2:28 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-03 11:08 [RFC PATCH 00/12] hw: Forbid DMA write accesses to MMIO regions Philippe Mathieu-Daudé
2020-09-03 11:08 ` [PATCH 01/12] pci: pass along the return value of dma_memory_rw Philippe Mathieu-Daudé
2020-09-03 11:08 ` [PATCH 02/12] dma: Let dma_memory_valid() take MemTxAttrs argument Philippe Mathieu-Daudé
2020-09-03 11:08 ` [PATCH 03/12] dma: Let dma_memory_set() " Philippe Mathieu-Daudé
2020-09-03 11:08 ` [PATCH 04/12] dma: Let dma_memory_rw_relaxed() " Philippe Mathieu-Daudé
2020-09-03 11:08 ` [PATCH 05/12] dma: Let dma_memory_rw() " Philippe Mathieu-Daudé
2020-09-03 11:08 ` [PATCH 06/12] dma: Let dma_memory_read/write() " Philippe Mathieu-Daudé
2020-09-03 11:08 ` [PATCH 07/12] dma: Let dma_memory_map() " Philippe Mathieu-Daudé
2020-09-03 11:08 ` [PATCH 08/12] docs/devel/loads-stores: Add regexp for DMA functions Philippe Mathieu-Daudé
2020-09-03 11:08 ` [PATCH 09/12] dma: Let load/store DMA functions take MemTxAttrs argument Philippe Mathieu-Daudé
2020-09-03 11:08 ` [RFC PATCH 10/12] exec/memattrs: Introduce MemTxAttrs::direct_access field Philippe Mathieu-Daudé
2020-09-03 11:08 ` [RFC PATCH 11/12] hw/pci: Only allow PCI slave devices to write to direct memory Philippe Mathieu-Daudé
2020-09-03 12:26 ` Paolo Bonzini
2020-09-03 13:18 ` Philippe Mathieu-Daudé
2020-09-03 21:43 ` Paolo Bonzini
2020-09-03 11:08 ` [RFC PATCH 12/12] dma: Assert when device writes to indirect memory (such MMIO regions) Philippe Mathieu-Daudé
2020-09-03 13:51 ` Edgar E. Iglesias
2020-09-03 13:37 ` [RFC PATCH 00/12] hw: Forbid DMA write accesses to MMIO regions Laszlo Ersek
2020-09-03 13:58 ` Peter Maydell
2020-09-03 14:24 ` Edgar E. Iglesias
2020-09-03 15:46 ` Paolo Bonzini
2020-09-03 15:50 ` Edgar E. Iglesias
2020-09-03 17:53 ` Paolo Bonzini
2020-09-03 19:46 ` Edgar E. Iglesias
2020-09-04 2:50 ` Jason Wang
2020-09-05 2:27 ` Li Qiang [this message]
2020-09-08 14:37 ` Stefan Hajnoczi
2020-09-09 13:23 ` Peter Maydell
2020-09-09 13:41 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAKXe6S+v4z_PYbZ6MMzEZk7Q0Qc+q9tzL+a8918U_-XR=aj7RA@mail.gmail.com' \
--to=liq3ea@gmail.com \
--cc=Andrew.Baumann@microsoft.com \
--cc=alistair@alistair23.me \
--cc=alxndr@bu.edu \
--cc=andrew@aj.id.au \
--cc=b.galvani@gmail.com \
--cc=clg@kaod.org \
--cc=cota@braap.org \
--cc=david@gibson.dropbear.id.au \
--cc=e.emanuelegiuseppe@gmail.com \
--cc=edgar.iglesias@gmail.com \
--cc=edgar.iglesias@xilinx.com \
--cc=ehabkost@redhat.com \
--cc=eric.auger@redhat.com \
--cc=f4bug@amsat.org \
--cc=jan.kiszka@web.de \
--cc=jasowang@redhat.com \
--cc=joel@jms.id.au \
--cc=jsnow@redhat.com \
--cc=k.jensen@samsung.com \
--cc=kraxel@redhat.com \
--cc=lersek@redhat.com \
--cc=liq3ea@163.com \
--cc=mark.cave-ayland@ilande.co.uk \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.chubb@nicta.com.au \
--cc=peter.maydell@linaro.org \
--cc=peterx@redhat.com \
--cc=philmd@redhat.com \
--cc=pjp@fedoraproject.org \
--cc=qemu-arm@nongnu.org \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-ppc@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=robert.foley@linaro.org \
--cc=rth@twiddle.net \
--cc=stefanha@redhat.com \
--cc=tony.nguyen@bt.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).