lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20191209034225.GK31791@joy-OptiPlex-7040>
Date:   Sun, 8 Dec 2019 22:42:25 -0500
From:   Yan Zhao <yan.y.zhao@...el.com>
To:     Alex Williamson <alex.williamson@...hat.com>
Cc:     "kvm@...r.kernel.org" <kvm@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "libvir-list@...hat.com" <libvir-list@...hat.com>,
        "qemu-devel@...gnu.org" <qemu-devel@...gnu.org>,
        "cohuck@...hat.com" <cohuck@...hat.com>,
        "zhenyuw@...ux.intel.com" <zhenyuw@...ux.intel.com>,
        "Wang, Zhi A" <zhi.a.wang@...el.com>,
        "Tian, Kevin" <kevin.tian@...el.com>,
        "He, Shaopeng" <shaopeng.he@...el.com>
Subject: Re: [RFC PATCH 1/9] vfio/pci: introduce mediate ops to intercept
 vfio-pci ops

On Sat, Dec 07, 2019 at 05:22:26AM +0800, Alex Williamson wrote:
> On Fri, 6 Dec 2019 02:56:55 -0500
> Yan Zhao <yan.y.zhao@...el.com> wrote:
> 
> > On Fri, Dec 06, 2019 at 07:55:19AM +0800, Alex Williamson wrote:
> > > On Wed,  4 Dec 2019 22:25:36 -0500
> > > Yan Zhao <yan.y.zhao@...el.com> wrote:
> > >   
> > > > when vfio-pci is bound to a physical device, almost all the hardware
> > > > resources are passthroughed.
> > > > Sometimes, vendor driver of this physcial device may want to mediate some
> > > > hardware resource access for a short period of time, e.g. dirty page
> > > > tracking during live migration.
> > > > 
> > > > Here we introduce mediate ops in vfio-pci for this purpose.
> > > > 
> > > > Vendor driver can register a mediate ops to vfio-pci.
> > > > But rather than directly bind to the passthroughed device, the
> > > > vendor driver is now either a module that does not bind to any device or
> > > > a module binds to other device.
> > > > E.g. when passing through a VF device that is bound to vfio-pci modules,
> > > > PF driver that binds to PF device can register to vfio-pci to mediate
> > > > VF's regions, hence supporting VF live migration.
> > > > 
> > > > The sequence goes like this:
> > > > 1. Vendor driver register its vfio_pci_mediate_ops to vfio-pci driver
> > > > 
> > > > 2. vfio-pci maintains a list of those registered vfio_pci_mediate_ops
> > > > 
> > > > 3. Whenever vfio-pci opens a device, it searches the list and call
> > > > vfio_pci_mediate_ops->open() to check whether a vendor driver supports
> > > > mediating this device.
> > > > Upon a success return value of from vfio_pci_mediate_ops->open(),
> > > > vfio-pci will stop list searching and store a mediate handle to
> > > > represent this open into vendor driver.
> > > > (so if multiple vendor drivers support mediating a device through
> > > > vfio_pci_mediate_ops, only one will win, depending on their registering
> > > > sequence)
> > > > 
> > > > 4. Whenever a VFIO_DEVICE_GET_REGION_INFO ioctl is received in vfio-pci
> > > > ops, it will chain into vfio_pci_mediate_ops->get_region_info(), so that
> > > > vendor driver is able to override a region's default flags and caps,
> > > > e.g. adding a sparse mmap cap to passthrough only sub-regions of a whole
> > > > region.
> > > > 
> > > > 5. vfio_pci_rw()/vfio_pci_mmap() first calls into
> > > > vfio_pci_mediate_ops->rw()/vfio_pci_mediate_ops->mmaps().
> > > > if pt=true is rteturned, vfio_pci_rw()/vfio_pci_mmap() will further
> > > > passthrough this read/write/mmap to physical device, otherwise it just
> > > > returns without touch physical device.
> > > > 
> > > > 6. When vfio-pci closes a device, vfio_pci_release() chains into
> > > > vfio_pci_mediate_ops->release() to close the reference in vendor driver.
> > > > 
> > > > 7. Vendor driver unregister its vfio_pci_mediate_ops when driver exits
> > > > 
> > > > Cc: Kevin Tian <kevin.tian@...el.com>
> > > > 
> > > > Signed-off-by: Yan Zhao <yan.y.zhao@...el.com>
> > > > ---
> > > >  drivers/vfio/pci/vfio_pci.c         | 146 ++++++++++++++++++++++++++++
> > > >  drivers/vfio/pci/vfio_pci_private.h |   2 +
> > > >  include/linux/vfio.h                |  16 +++
> > > >  3 files changed, 164 insertions(+)
> > > > 
> > > > diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
> > > > index 02206162eaa9..55080ff29495 100644
> > > > --- a/drivers/vfio/pci/vfio_pci.c
> > > > +++ b/drivers/vfio/pci/vfio_pci.c
> > > > @@ -54,6 +54,14 @@ module_param(disable_idle_d3, bool, S_IRUGO | S_IWUSR);
> > > >  MODULE_PARM_DESC(disable_idle_d3,
> > > >  		 "Disable using the PCI D3 low power state for idle, unused devices");
> > > >  
> > > > +static LIST_HEAD(mediate_ops_list);
> > > > +static DEFINE_MUTEX(mediate_ops_list_lock);
> > > > +struct vfio_pci_mediate_ops_list_entry {
> > > > +	struct vfio_pci_mediate_ops	*ops;
> > > > +	int				refcnt;
> > > > +	struct list_head		next;
> > > > +};
> > > > +
> > > >  static inline bool vfio_vga_disabled(void)
> > > >  {
> > > >  #ifdef CONFIG_VFIO_PCI_VGA
> > > > @@ -472,6 +480,10 @@ static void vfio_pci_release(void *device_data)
> > > >  	if (!(--vdev->refcnt)) {
> > > >  		vfio_spapr_pci_eeh_release(vdev->pdev);
> > > >  		vfio_pci_disable(vdev);
> > > > +		if (vdev->mediate_ops && vdev->mediate_ops->release) {
> > > > +			vdev->mediate_ops->release(vdev->mediate_handle);
> > > > +			vdev->mediate_ops = NULL;
> > > > +		}
> > > >  	}
> > > >  
> > > >  	mutex_unlock(&vdev->reflck->lock);
> > > > @@ -483,6 +495,7 @@ static int vfio_pci_open(void *device_data)
> > > >  {
> > > >  	struct vfio_pci_device *vdev = device_data;
> > > >  	int ret = 0;
> > > > +	struct vfio_pci_mediate_ops_list_entry *mentry;
> > > >  
> > > >  	if (!try_module_get(THIS_MODULE))
> > > >  		return -ENODEV;
> > > > @@ -495,6 +508,30 @@ static int vfio_pci_open(void *device_data)
> > > >  			goto error;
> > > >  
> > > >  		vfio_spapr_pci_eeh_open(vdev->pdev);
> > > > +		mutex_lock(&mediate_ops_list_lock);
> > > > +		list_for_each_entry(mentry, &mediate_ops_list, next) {
> > > > +			u64 caps;
> > > > +			u32 handle;  
> > > 
> > > Wouldn't it seem likely that the ops provider might use this handle as
> > > a pointer, so we'd want it to be an opaque void*?
> > >  
> > yes, you are right, handle as a pointer is much better. will change it.
> > Thanks :)
> > 
> > > > +
> > > > +			memset(&caps, 0, sizeof(caps));  
> > > 
> > > @caps has no purpose here, add it if/when we do something with it.
> > > It's also a standard type, why are we memset'ing it rather than just
> > > =0??
> > >   
> > > > +			ret = mentry->ops->open(vdev->pdev, &caps, &handle);
> > > > +			if (!ret)  {
> > > > +				vdev->mediate_ops = mentry->ops;
> > > > +				vdev->mediate_handle = handle;
> > > > +
> > > > +				pr_info("vfio pci found mediate_ops %s, caps=%llx, handle=%x for %x:%x\n",
> > > > +						vdev->mediate_ops->name, caps,
> > > > +						handle, vdev->pdev->vendor,
> > > > +						vdev->pdev->device);  
> > > 
> > > Generally not advisable to make user accessible printks.
> > >  
> > ok.
> > 
> > > > +				/*
> > > > +				 * only find the first matching mediate_ops,
> > > > +				 * and add its refcnt
> > > > +				 */
> > > > +				mentry->refcnt++;
> > > > +				break;
> > > > +			}
> > > > +		}
> > > > +		mutex_unlock(&mediate_ops_list_lock);
> > > >  	}
> > > >  	vdev->refcnt++;
> > > >  error:
> > > > @@ -736,6 +773,14 @@ static long vfio_pci_ioctl(void *device_data,
> > > >  			info.size = pdev->cfg_size;
> > > >  			info.flags = VFIO_REGION_INFO_FLAG_READ |
> > > >  				     VFIO_REGION_INFO_FLAG_WRITE;
> > > > +
> > > > +			if (vdev->mediate_ops &&
> > > > +					vdev->mediate_ops->get_region_info) {
> > > > +				vdev->mediate_ops->get_region_info(
> > > > +						vdev->mediate_handle,
> > > > +						&info, &caps, NULL);
> > > > +			}  
> > > 
> > > These would be a lot cleaner if we could just call a helper function:
> > > 
> > > void vfio_pci_region_info_mediation_hook(vdev, info, caps, etc...)
> > > {
> > >    if (vdev->mediate_ops 
> > >        vdev->mediate_ops->get_region_info)
> > > 	vdev->mediate_ops->get_region_info(vdev->mediate_handle,
> > > 					   &info, &caps, NULL);
> > > }
> > > 
> > > I'm not thrilled with all these hooks, but not open coding every one of
> > > them might help.  
> > 
> > ok. got it.
> > >   
> > > > +
> > > >  			break;
> > > >  		case VFIO_PCI_BAR0_REGION_INDEX ... VFIO_PCI_BAR5_REGION_INDEX:
> > > >  			info.offset = VFIO_PCI_INDEX_TO_OFFSET(info.index);
> > > > @@ -756,6 +801,13 @@ static long vfio_pci_ioctl(void *device_data,
> > > >  				}
> > > >  			}
> > > >  
> > > > +			if (vdev->mediate_ops &&
> > > > +					vdev->mediate_ops->get_region_info) {
> > > > +				vdev->mediate_ops->get_region_info(
> > > > +						vdev->mediate_handle,
> > > > +						&info, &caps, NULL);
> > > > +			}
> > > > +
> > > >  			break;
> > > >  		case VFIO_PCI_ROM_REGION_INDEX:
> > > >  		{
> > > > @@ -794,6 +846,14 @@ static long vfio_pci_ioctl(void *device_data,
> > > >  			}
> > > >  
> > > >  			pci_write_config_word(pdev, PCI_COMMAND, orig_cmd);
> > > > +
> > > > +			if (vdev->mediate_ops &&
> > > > +					vdev->mediate_ops->get_region_info) {
> > > > +				vdev->mediate_ops->get_region_info(
> > > > +						vdev->mediate_handle,
> > > > +						&info, &caps, NULL);
> > > > +			}
> > > > +
> > > >  			break;
> > > >  		}
> > > >  		case VFIO_PCI_VGA_REGION_INDEX:
> > > > @@ -805,6 +865,13 @@ static long vfio_pci_ioctl(void *device_data,
> > > >  			info.flags = VFIO_REGION_INFO_FLAG_READ |
> > > >  				     VFIO_REGION_INFO_FLAG_WRITE;
> > > >  
> > > > +			if (vdev->mediate_ops &&
> > > > +					vdev->mediate_ops->get_region_info) {
> > > > +				vdev->mediate_ops->get_region_info(
> > > > +						vdev->mediate_handle,
> > > > +						&info, &caps, NULL);
> > > > +			}
> > > > +
> > > >  			break;
> > > >  		default:
> > > >  		{
> > > > @@ -839,6 +906,13 @@ static long vfio_pci_ioctl(void *device_data,
> > > >  				if (ret)
> > > >  					return ret;
> > > >  			}
> > > > +
> > > > +			if (vdev->mediate_ops &&
> > > > +					vdev->mediate_ops->get_region_info) {
> > > > +				vdev->mediate_ops->get_region_info(
> > > > +						vdev->mediate_handle,
> > > > +						&info, &caps, &cap_type);
> > > > +			}
> > > >  		}
> > > >  		}
> > > >  
> > > > @@ -1151,6 +1225,16 @@ static ssize_t vfio_pci_rw(void *device_data, char __user *buf,
> > > >  	if (index >= VFIO_PCI_NUM_REGIONS + vdev->num_regions)
> > > >  		return -EINVAL;
> > > >  
> > > > +	if (vdev->mediate_ops && vdev->mediate_ops->rw) {
> > > > +		int ret;
> > > > +		bool pt = true;
> > > > +
> > > > +		ret = vdev->mediate_ops->rw(vdev->mediate_handle,
> > > > +				buf, count, ppos, iswrite, &pt);
> > > > +		if (!pt)
> > > > +			return ret;
> > > > +	}
> > > > +
> > > >  	switch (index) {
> > > >  	case VFIO_PCI_CONFIG_REGION_INDEX:
> > > >  		return vfio_pci_config_rw(vdev, buf, count, ppos, iswrite);
> > > > @@ -1200,6 +1284,15 @@ static int vfio_pci_mmap(void *device_data, struct vm_area_struct *vma)
> > > >  	u64 phys_len, req_len, pgoff, req_start;
> > > >  	int ret;
> > > >  
> > > > +	if (vdev->mediate_ops && vdev->mediate_ops->mmap) {
> > > > +		int ret;
> > > > +		bool pt = true;
> > > > +
> > > > +		ret = vdev->mediate_ops->mmap(vdev->mediate_handle, vma, &pt);
> > > > +		if (!pt)
> > > > +			return ret;
> > > > +	}  
> > > 
> > > There must be a better way to do all these.  Do we really want to call
> > > into ops for every rw or mmap, have the vendor code decode a region,
> > > and maybe or maybe not have it handle it?  It's pretty ugly.  Do we  
> > 
> > do you think below flow is good ?
> > 1. in mediate_ops->open(), return
> > (1) region[] indexed by region index, if a mediate driver supports mediating
> > region[i], region[i].ops->get_region_info, regions[i].ops->rw, or
> > regions[i].ops->mmap is not null.
> > (2) irq_info[] indexed by irq index, if a mediate driver supports mediating
> > irq_info[i], irq_info[i].ops->get_irq_info or irq_info[i].ops->set_irq_info
> > is not null.
> > 
> > Then, vfio_pci_rw/vfio_pci_mmap/vfio_pci_ioctl only call into those
> > non-null hooks.
> 
> Or would it be better to always call into the hooks and the vendor
> driver is allowed to selectively replace the hooks for regions they
> want to mediate.  For example, region[i].ops->rw could by default point
> to vfio_pci_default_rw() and the mediation driver would have a
> mechanism to replace that with its own vendorABC_vfio_pci_rw().  We
> could export vfio_pci_default_rw() such that the vendor driver would be
> responsible for calling it as necessary.
>
good idea :)

> > > need the mediation provider to be able to dynamically setup the ops per  
> > May I confirm that you are not saying dynamic registering mediate ops
> > after vfio-pci already opened a device, right?
> 
> I'm not necessarily excluding or advocating for that.
> 
ok. got it.

> > > region and export the default handlers out for them to call?
> > >  
> > could we still keep checking return value of the hooks rather than
> > export default handlers? Otherwise at least vfio_pci_default_ioctl(),
> > vfio_pci_default_rw(), and vfio_pci_default_mmap() need to be exported.
> 
> The ugliness of vfio-pci having all these vendor branches is what I'm
> trying to avoid, so I really am not a fan of the idea or mechanism that
> the vfio-pci core code is directly involving a mediation driver and
> handling the return for every entry point.
>
I see :)
> > > > +
> > > >  	index = vma->vm_pgoff >> (VFIO_PCI_OFFSET_SHIFT - PAGE_SHIFT);
> > > >  
> > > >  	if (vma->vm_end < vma->vm_start)
> > > > @@ -1629,8 +1722,17 @@ static void vfio_pci_try_bus_reset(struct vfio_pci_device *vdev)
> > > >  
> > > >  static void __exit vfio_pci_cleanup(void)
> > > >  {
> > > > +	struct vfio_pci_mediate_ops_list_entry *mentry, *n;
> > > > +
> > > >  	pci_unregister_driver(&vfio_pci_driver);
> > > >  	vfio_pci_uninit_perm_bits();
> > > > +
> > > > +	mutex_lock(&mediate_ops_list_lock);
> > > > +	list_for_each_entry_safe(mentry, n,  &mediate_ops_list, next) {
> > > > +		list_del(&mentry->next);
> > > > +		kfree(mentry);
> > > > +	}
> > > > +	mutex_unlock(&mediate_ops_list_lock);  
> > > 
> > > Is it even possible to unload vfio-pci while there are mediation
> > > drivers registered?  I don't think the module interactions are well
> > > thought out here, ex. do you really want i40e to have build and runtime
> > > dependencies on vfio-pci?  I don't think so.
> > >   
> > Currently, yes, i40e has build dependency on vfio-pci.
> > It's like this, if i40e decides to support SRIOV and compiles in vf
> > related code who depends on vfio-pci, it will also have build dependency
> > on vfio-pci. isn't it natural?
> 
> No, this is not natural.  There are certainly i40e VF use cases that
> have no interest in vfio and having dependencies between the two
> modules is unacceptable.  I think you probably want to modularize the
> i40e vfio support code and then perhaps register a table in vfio-pci
> that the vfio-pci code can perform a module request when using a
> compatible device.  Just and idea, there might be better options.  I
> will not accept a solution that requires unloading the i40e driver in
> order to unload the vfio-pci driver.  It's inconvenient with just one
> NIC driver, imagine how poorly that scales.
> 
what about this way:
mediate driver registers a module notifier and every time when
vfio_pci is loaded, register to vfio_pci its mediate ops?
(Just like in below sample code)
This way vfio-pci is free to unload and this registering only gives
vfio-pci a name of what module to request.
After that,
in vfio_pci_open(), vfio-pci requests the mediate driver. (or puts
the mediate driver when mediate driver does not support mediating the
device)
in vfio_pci_release(), vfio-pci puts the mediate driver.

static void register_mediate_ops(void)
{
        int (*func)(struct vfio_pci_mediate_ops *ops) = NULL;

        func = symbol_get(vfio_pci_register_mediate_ops);

        if (func) {
                func(&igd_dt_ops);
                symbol_put(vfio_pci_register_mediate_ops);
        }
}

static int igd_module_notify(struct notifier_block *self,
                              unsigned long val, void *data)
{
        struct module *mod = data;
        int ret = 0;

        switch (val) {
        case MODULE_STATE_LIVE:
                if (!strcmp(mod->name, "vfio_pci"))
                        register_mediate_ops();
                break;
        case MODULE_STATE_GOING:
                break;
        default:
                break;
        }
        return ret;
}

static struct notifier_block igd_module_nb = {
        .notifier_call = igd_module_notify,
        .priority = 0,
};



static int __init igd_dt_init(void)
{
	...
	register_mediate_ops();
	register_module_notifier(&igd_module_nb);
	...
	return 0;
}


> > > >  }
> > > >  
> > > >  static void __init vfio_pci_fill_ids(void)
> > > > @@ -1697,6 +1799,50 @@ static int __init vfio_pci_init(void)
> > > >  	return ret;
> > > >  }
> > > >  
> > > > +int vfio_pci_register_mediate_ops(struct vfio_pci_mediate_ops *ops)
> > > > +{
> > > > +	struct vfio_pci_mediate_ops_list_entry *mentry;
> > > > +
> > > > +	mutex_lock(&mediate_ops_list_lock);
> > > > +	mentry = kzalloc(sizeof(*mentry), GFP_KERNEL);
> > > > +	if (!mentry) {
> > > > +		mutex_unlock(&mediate_ops_list_lock);
> > > > +		return -ENOMEM;
> > > > +	}
> > > > +
> > > > +	mentry->ops = ops;
> > > > +	mentry->refcnt = 0;  
> > > 
> > > It's kZalloc'd, this is unnecessary.
> > >  
> > right :) 
> > > > +	list_add(&mentry->next, &mediate_ops_list);  
> > > 
> > > Check for duplicates?
> > >   
> > ok. will do it.
> > > > +
> > > > +	pr_info("registered dm ops %s\n", ops->name);
> > > > +	mutex_unlock(&mediate_ops_list_lock);
> > > > +
> > > > +	return 0;
> > > > +}
> > > > +EXPORT_SYMBOL(vfio_pci_register_mediate_ops);
> > > > +
> > > > +void vfio_pci_unregister_mediate_ops(struct vfio_pci_mediate_ops *ops)
> > > > +{
> > > > +	struct vfio_pci_mediate_ops_list_entry *mentry, *n;
> > > > +
> > > > +	mutex_lock(&mediate_ops_list_lock);
> > > > +	list_for_each_entry_safe(mentry, n,  &mediate_ops_list, next) {
> > > > +		if (mentry->ops != ops)
> > > > +			continue;
> > > > +
> > > > +		mentry->refcnt--;  
> > > 
> > > Whose reference is this removing?
> > >   
> > I intended to prevent mediate driver from calling unregister mediate ops
> > while there're still opened devices in it.
> > after a successful mediate_ops->open(), mentry->refcnt++.
> > after calling mediate_ops->release(). mentry->refcnt--.
> > 
> > (seems in this RFC, I missed a mentry->refcnt-- after calling
> > mediate_ops->release())
> > 
> > 
> > > > +		if (!mentry->refcnt) {
> > > > +			list_del(&mentry->next);
> > > > +			kfree(mentry);
> > > > +		} else
> > > > +			pr_err("vfio_pci unregister mediate ops %s error\n",
> > > > +					mentry->ops->name);  
> > > 
> > > This is bad, we should hold a reference to the module providing these
> > > ops for each use of it such that the module cannot be removed while
> > > it's in use.  Otherwise we enter a very bad state here and it's
> > > trivially accessible by an admin remove the module while in use.  
> > mediate driver is supposed to ref its own module on a success
> > mediate_ops->open(), and deref its own module on mediate_ops->release().
> > so, it can't be accidentally removed.
> 
> Where was that semantic expressed in this series?  We should create
> interfaces that are hard to use incorrectly.  It is far too easy for a
> vendor driver to overlook such a requirement, which means fixing the
> same bugs repeatedly for each vendor.  It needs to be improved.  Thanks,

right. will improve it.

Thanks
Yan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ