Re: [PATCH v6 10/10] Documentation: Add documentation for VDUSE

[PATCH v6 00/10] Introduce VDUSE - vDPA Device in Userspace · Xie Yongji <hidden> · 2021-03-31
[PATCH v6 04/10] vhost-iotlb: Add an opaque pointer for vhost IOTLB · Xie Yongji <hidden> · 2021-03-31
[PATCH v6 05/10] vdpa: Add an opaque pointer for vdpa_config_ops.dma_map() · Xie Yongji <hidden> · 2021-03-31
[PATCH v6 02/10] eventfd: Increase the recursion depth of eventfd_signal() · Xie Yongji <hidden> · 2021-03-31
[PATCH v6 06/10] vdpa: factor out vhost_vdpa_pa_map() and vhost_vdpa_pa_unmap() · Xie Yongji <hidden> · 2021-03-31
[PATCH v6 07/10] vdpa: Support transferring virtual addressing during DMA mapping · Xie Yongji <hidden> · 2021-03-31
Re: [PATCH v6 07/10] vdpa: Support transferring virtual addressing during DMA mapping · Jason Wang <jasowang@redhat.com> · 2021-04-08
[PATCH v6 03/10] vhost-vdpa: protect concurrent access to vhost device iotlb · Xie Yongji <hidden> · 2021-03-31
Re: [PATCH v6 03/10] vhost-vdpa: protect concurrent access to vhost device iotlb · "Michael S. Tsirkin" <mst@redhat.com> · 2021-04-09
Re: Re: [PATCH v6 03/10] vhost-vdpa: protect concurrent access to vhost device iotlb · Yongji Xie <hidden> · 2021-04-11
Re: Re: [PATCH v6 03/10] vhost-vdpa: protect concurrent access to vhost device iotlb · "Michael S. Tsirkin" <mst@redhat.com> · 2021-04-11
Re: Re: Re: [PATCH v6 03/10] vhost-vdpa: protect concurrent access to vhost device iotlb · Yongji Xie <hidden> · 2021-04-12
Re: Re: Re: [PATCH v6 03/10] vhost-vdpa: protect concurrent access to vhost device iotlb · "Michael S. Tsirkin" <mst@redhat.com> · 2021-04-12
[PATCH v6 01/10] file: Export receive_fd() to modules · Xie Yongji <hidden> · 2021-03-31
Re: [PATCH v6 01/10] file: Export receive_fd() to modules · Christian Brauner <hidden> · 2021-03-31
Re: [PATCH v6 01/10] file: Export receive_fd() to modules · Dan Carpenter <hidden> · 2021-03-31
Re: [PATCH v6 01/10] file: Export receive_fd() to modules · Christian Brauner <hidden> · 2021-03-31
Re: Re: [PATCH v6 01/10] file: Export receive_fd() to modules · Yongji Xie <hidden> · 2021-03-31
Re: [PATCH v6 01/10] file: Export receive_fd() to modules · Christian Brauner <hidden> · 2021-03-31
Re: Re: [PATCH v6 01/10] file: Export receive_fd() to modules · Yongji Xie <hidden> · 2021-03-31
Re: [PATCH v6 01/10] file: Export receive_fd() to modules · Christian Brauner <hidden> · 2021-03-31
Re: Re: [PATCH v6 01/10] file: Export receive_fd() to modules · Yongji Xie <hidden> · 2021-03-31
[PATCH v6 08/10] vduse: Implement an MMU-based IOMMU driver · Xie Yongji <hidden> · 2021-03-31
Re: [PATCH v6 08/10] vduse: Implement an MMU-based IOMMU driver · Jason Wang <jasowang@redhat.com> · 2021-04-08
Re: Re: [PATCH v6 08/10] vduse: Implement an MMU-based IOMMU driver · Yongji Xie <hidden> · 2021-04-08
[PATCH v6 09/10] vduse: Introduce VDUSE - vDPA Device in Userspace · Xie Yongji <hidden> · 2021-03-31
Re: [PATCH v6 09/10] vduse: Introduce VDUSE - vDPA Device in Userspace · Jason Wang <jasowang@redhat.com> · 2021-04-08
Re: Re: [PATCH v6 09/10] vduse: Introduce VDUSE - vDPA Device in Userspace · Yongji Xie <hidden> · 2021-04-08
Re: [PATCH v6 09/10] vduse: Introduce VDUSE - vDPA Device in Userspace · Jason Wang <jasowang@redhat.com> · 2021-04-09
Re: Re: [PATCH v6 09/10] vduse: Introduce VDUSE - vDPA Device in Userspace · Yongji Xie <hidden> · 2021-04-09
Re: [PATCH v6 09/10] vduse: Introduce VDUSE - vDPA Device in Userspace · Jason Wang <jasowang@redhat.com> · 2021-04-12
Re: Re: [PATCH v6 09/10] vduse: Introduce VDUSE - vDPA Device in Userspace · Yongji Xie <hidden> · 2021-04-12
Re: [PATCH v6 09/10] vduse: Introduce VDUSE - vDPA Device in Userspace · Jason Wang <jasowang@redhat.com> · 2021-04-12
Re: Re: [PATCH v6 09/10] vduse: Introduce VDUSE - vDPA Device in Userspace · Yongji Xie <hidden> · 2021-04-12
Re: [PATCH v6 09/10] vduse: Introduce VDUSE - vDPA Device in Userspace · Jason Wang <jasowang@redhat.com> · 2021-04-13
Re: Re: [PATCH v6 09/10] vduse: Introduce VDUSE - vDPA Device in Userspace · Yongji Xie <hidden> · 2021-04-13
Re: [PATCH v6 09/10] vduse: Introduce VDUSE - vDPA Device in Userspace · Jason Wang <jasowang@redhat.com> · 2021-04-14
Re: [PATCH v6 09/10] vduse: Introduce VDUSE - vDPA Device in Userspace · Jason Wang <jasowang@redhat.com> · 2021-04-16
Re: Re: [PATCH v6 09/10] vduse: Introduce VDUSE - vDPA Device in Userspace · Yongji Xie <hidden> · 2021-04-16
[PATCH v6 10/10] Documentation: Add documentation for VDUSE · Xie Yongji <hidden> · 2021-03-31
Re: [PATCH v6 10/10] Documentation: Add documentation for VDUSE · Jason Wang <jasowang@redhat.com> · 2021-04-08
Re: Re: [PATCH v6 10/10] Documentation: Add documentation for VDUSE · Yongji Xie <hidden> · 2021-04-08
Re: [PATCH v6 10/10] Documentation: Add documentation for VDUSE · Stefan Hajnoczi <stefanha@redhat.com> · 2021-04-14
Re: Re: [PATCH v6 10/10] Documentation: Add documentation for VDUSE · Yongji Xie <hidden> · 2021-04-15
Re: Re: [PATCH v6 10/10] Documentation: Add documentation for VDUSE · Stefan Hajnoczi <stefanha@redhat.com> · 2021-04-15
Re: Re: Re: [PATCH v6 10/10] Documentation: Add documentation for VDUSE · Yongji Xie <hidden> · 2021-04-15
Re: Re: Re: [PATCH v6 10/10] Documentation: Add documentation for VDUSE · Stefan Hajnoczi <stefanha@redhat.com> · 2021-04-15
Re: [PATCH v6 10/10] Documentation: Add documentation for VDUSE · Jason Wang <jasowang@redhat.com> · 2021-04-15
Re: [PATCH v6 10/10] Documentation: Add documentation for VDUSE · Jason Wang <jasowang@redhat.com> · 2021-04-15
Re: Re: [PATCH v6 10/10] Documentation: Add documentation for VDUSE · Yongji Xie <hidden> · 2021-04-15
Re: [PATCH v6 10/10] Documentation: Add documentation for VDUSE · Jason Wang <jasowang@redhat.com> · 2021-04-16
Re: Re: [PATCH v6 10/10] Documentation: Add documentation for VDUSE · Yongji Xie <hidden> · 2021-04-16
Re: [PATCH v6 10/10] Documentation: Add documentation for VDUSE · Jason Wang <jasowang@redhat.com> · 2021-04-16
Re: Re: [PATCH v6 10/10] Documentation: Add documentation for VDUSE · Yongji Xie <hidden> · 2021-04-16
Re: [PATCH v6 10/10] Documentation: Add documentation for VDUSE · Stefan Hajnoczi <stefanha@redhat.com> · 2021-04-15
Re: [PATCH v6 10/10] Documentation: Add documentation for VDUSE · Jason Wang <jasowang@redhat.com> · 2021-04-16
Re: Re: [PATCH v6 10/10] Documentation: Add documentation for VDUSE · Yongji Xie <hidden> · 2021-04-16
Re: [PATCH v6 10/10] Documentation: Add documentation for VDUSE · Jason Wang <jasowang@redhat.com> · 2021-04-16
Re: Re: [PATCH v6 10/10] Documentation: Add documentation for VDUSE · Yongji Xie <hidden> · 2021-04-16
Re: [PATCH v6 00/10] Introduce VDUSE - vDPA Device in Userspace · "Michael S. Tsirkin" <mst@redhat.com> · 2021-04-14
Re: [PATCH v6 00/10] Introduce VDUSE - vDPA Device in Userspace · Jason Wang <jasowang@redhat.com> · 2021-04-14
Re: Re: [PATCH v6 00/10] Introduce VDUSE - vDPA Device in Userspace · Yongji Xie <hidden> · 2021-04-14

From: Jason Wang <jasowang@redhat.com>
Date: 2021-04-16 02:20:47
Also in: kvm, linux-fsdevel, virtualization

在 2021/4/15 下午7:17, Yongji Xie 写道:

On Thu, Apr 15, 2021 at 5:05 PM Jason Wang [off-list ref] wrote:

quoted

在 2021/4/15 下午4:36, Jason Wang 写道:

quoted

Please state this explicitly at the start of the document. Existing
interfaces like FUSE are designed to avoid trusting userspace.

There're some subtle difference here. VDUSE present a device to kernel
which means IOMMU is probably the only thing to prevent a malicous
device.

quoted

Therefore
people might think the same is the case here. It's critical that people
are aware of this before deploying VDUSE with virtio-vdpa.

We should probably pause here and think about whether it's possible to
avoid trusting userspace. Even if it takes some effort and costs some
performance it would probably be worthwhile.

Since the bounce buffer is used the only attack surface is the
coherent area, if we want to enforce stronger isolation we need to use
shadow virtqueue (which is proposed in earlier version by me) in this
case. But I'm not sure it's worth to do that.


So this reminds me the discussion in the end of last year. We need to
make sure we don't suffer from the same issues for VDUSE at least

https://yhbt.net/lore/all/c3629a27-3590-1d9f-211b-c0b7be152b32@redhat.com/T/#mc6b6e2343cbeffca68ca7a97e0f473aaa871c95b

Or we can solve it at virtio level, e.g remember the dma address instead
of depending on the addr in the descriptor ring

I might miss something. But VDUSE has recorded the dma address during
dma mapping, so we would not do bouncing if the addr/length is invalid
during dma unmapping. Is it enough?


E.g malicous device write a buggy dma address in the descriptor ring, so 
we had:

vring_unmap_one_split(desc->addr, desc->len)
     dma_unmap_single()
         vduse_dev_unmap_page()
             vduse_domain_bounce()

And in vduse_domain_bounce() we had:

         while (size) {
                 map = &domain->bounce_maps[iova >> PAGE_SHIFT];
                 offset = offset_in_page(iova);
                 sz = min_t(size_t, PAGE_SIZE - offset, size);

This means we trust the iova which is dangerous and exacly the issue 
mentioned in the above link.

 From VDUSE level need to make sure iova is legal.

 From virtio level, we should not truse desc->addr.

Thanks

Thanks,
Yongji

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help