virtualization.lists.linux-foundation.org archive mirror
 help / color / mirror / Atom feed
From: "Michael S. Tsirkin" <mst@redhat.com>
To: Marc Zyngier <maz@kernel.org>
Cc: keirf@google.com, "Paul E . McKenney" <paulmck@kernel.org>,
	david.kaplan@amd.com, konrad.wilk@oracle.com,
	Peter Zijlstra <peterz@infradead.org>,
	f.hetzelt@tu-berlin.de, linux-kernel@vger.kernel.org,
	virtualization@lists.linux-foundation.org,
	Thomas Gleixner <tglx@linutronix.de>,
	Will Deacon <will@kernel.org>, Boqun Feng <boqun.feng@gmail.com>
Subject: Re: [PATCH V3 05/10] virtio-pci: harden INTX interrupts
Date: Wed, 9 Mar 2022 06:27:42 -0500	[thread overview]
Message-ID: <20220309060703-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <87wnh3z9nm.wl-maz@kernel.org>

On Wed, Mar 09, 2022 at 10:45:49AM +0000, Marc Zyngier wrote:
> [Adding Will to check on my understanding of the interactions between
>  spinlocks and WRITE_ONCE()]
> 
> On Tue, 19 Oct 2021 08:01:47 +0100,
> Jason Wang <jasowang@redhat.com> wrote:
> > 
> > This patch tries to make sure the virtio interrupt handler for INTX
> > won't be called after a reset and before virtio_device_ready(). We
> > can't use IRQF_NO_AUTOEN since we're using shared interrupt
> > (IRQF_SHARED). So this patch tracks the INTX enabling status in a new
> > intx_soft_enabled variable and toggle it during in
> > vp_disable/enable_vectors(). The INTX interrupt handler will check
> > intx_soft_enabled before processing the actual interrupt.
> > 
> > Cc: Boqun Feng <boqun.feng@gmail.com>
> > Cc: Thomas Gleixner <tglx@linutronix.de>
> > Cc: Peter Zijlstra <peterz@infradead.org>
> > Cc: Paul E. McKenney <paulmck@kernel.org>
> > Signed-off-by: Jason Wang <jasowang@redhat.com>
> > ---
> >  drivers/virtio/virtio_pci_common.c | 23 +++++++++++++++++++++--
> >  drivers/virtio/virtio_pci_common.h |  1 +
> >  2 files changed, 22 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c
> > index 8d8f83aca721..1bce254a462a 100644
> > --- a/drivers/virtio/virtio_pci_common.c
> > +++ b/drivers/virtio/virtio_pci_common.c
> > @@ -30,8 +30,16 @@ void vp_disable_cbs(struct virtio_device *vdev)
> >  	struct virtio_pci_device *vp_dev = to_vp_device(vdev);
> >  	int i;
> >  
> > -	if (vp_dev->intx_enabled)
> > +	if (vp_dev->intx_enabled) {
> > +		/*
> > +		 * The below synchronize() guarantees that any
> > +		 * interrupt for this line arriving after
> > +		 * synchronize_irq() has completed is guaranteed to see
> > +		 * intx_soft_enabled == false.
> > +		 */
> > +		WRITE_ONCE(vp_dev->intx_soft_enabled, false);
> >  		synchronize_irq(vp_dev->pci_dev->irq);
> > +	}
> >  
> >  	for (i = 0; i < vp_dev->msix_vectors; ++i)
> >  		disable_irq(pci_irq_vector(vp_dev->pci_dev, i));
> > @@ -43,8 +51,16 @@ void vp_enable_cbs(struct virtio_device *vdev)
> >  	struct virtio_pci_device *vp_dev = to_vp_device(vdev);
> >  	int i;
> >  
> > -	if (vp_dev->intx_enabled)
> > +	if (vp_dev->intx_enabled) {
> > +		disable_irq(vp_dev->pci_dev->irq);
> > +		/*
> > +		 * The above disable_irq() provides TSO ordering and
> > +		 * as such promotes the below store to store-release.
> > +		 */
> > +		WRITE_ONCE(vp_dev->intx_soft_enabled, true);
> 
> What do you mean by TSO here? AFAICT, the CPU is allowed hoist this
> write up into the lock used by disable_irq(), as the unlock only has
> release semantics. Is that what you are relying on? I don't see how
> this upgrades WRITE_ONCE() to have release semantics.
> 
> > +		enable_irq(vp_dev->pci_dev->irq);
> 
> Same thing does here: my understanding is that the write can be pushed
> down into the lock, which has acquire semantics only.
> 
> Thanks,
> 
> 	M.

Overall I feel what we are doing here is very standard and should be
pretty common for a driver that wants to be protected against a
malicious device:


1- get IRQ
2- initialize device with IRQ
3- enable IRQ

Doing it in the core kernel helps make sure interrupts are
not lost if they trigger during 2.

Without core kernel support one has to refactor the driver along the lines of:

a- initialize driver
b- get IRQ
c- initialize device with IRQ

and this is often tricky especially if one wants to do things like
discover device configuration and reconfigure the driver accordingly.


> -- 
> Without deviation from the norm, progress is not possible.

_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization

  parent reply	other threads:[~2022-03-09 11:27 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-19  7:01 [PATCH V3 00/10] More virtio hardening Jason Wang
2021-10-19  7:01 ` [PATCH V3 01/10] virtio-blk: validate num_queues during probe Jason Wang
2021-10-20  7:18   ` Stefano Garzarella
2021-10-20  7:37     ` Michael S. Tsirkin
2021-10-20  8:44       ` Stefano Garzarella
2021-10-20  7:55   ` Stefan Hajnoczi
2021-10-19  7:01 ` [PATCH V3 02/10] virtio_console: validate max_nr_ports before trying to use it Jason Wang
2021-10-19  7:01 ` [PATCH V3 03/10] virtio_config: introduce a new .enable_cbs method Jason Wang
2021-10-19  7:01 ` [PATCH V3 04/10] virtio_pci: harden MSI-X interrupts Jason Wang
     [not found]   ` <87y21kzd3f.wl-maz@kernel.org>
2022-03-08 16:35     ` Michael S. Tsirkin
2022-03-09  3:41       ` Jason Wang
2022-03-09  7:04         ` Michael S. Tsirkin
2022-03-09  8:14           ` Jason Wang
     [not found]       ` <87v8wnz8li.wl-maz@kernel.org>
2022-03-09 12:13         ` Michael S. Tsirkin
2021-10-19  7:01 ` [PATCH V3 05/10] virtio-pci: harden INTX interrupts Jason Wang
     [not found]   ` <87wnh3z9nm.wl-maz@kernel.org>
2022-03-09 11:27     ` Michael S. Tsirkin [this message]
     [not found]       ` <87tuc7z5k9.wl-maz@kernel.org>
2022-03-09 12:30         ` Michael S. Tsirkin
2021-10-19  7:01 ` [PATCH V3 06/10] virtio_ring: fix typos in vring_desc_extra Jason Wang
2021-10-19  7:01 ` [PATCH V3 07/10] virtio_ring: validate used buffer length Jason Wang
2021-10-19  7:01 ` [PATCH V3 08/10] virtio-net: don't let virtio core to validate used length Jason Wang
2021-10-19  7:01 ` [PATCH V3 09/10] virtio-blk: " Jason Wang
2021-10-19  7:01 ` [PATCH V3 10/10] virtio-scsi: don't let virtio core to validate used buffer length Jason Wang
2021-10-23 21:31 ` [PATCH V3 00/10] More virtio hardening Michael S. Tsirkin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220309060703-mutt-send-email-mst@kernel.org \
    --to=mst@redhat.com \
    --cc=boqun.feng@gmail.com \
    --cc=david.kaplan@amd.com \
    --cc=f.hetzelt@tu-berlin.de \
    --cc=keirf@google.com \
    --cc=konrad.wilk@oracle.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=maz@kernel.org \
    --cc=paulmck@kernel.org \
    --cc=peterz@infradead.org \
    --cc=tglx@linutronix.de \
    --cc=virtualization@lists.linux-foundation.org \
    --cc=will@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).