lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <e1885255-34f2-9e90-6478-ff0850a5a3d4@redhat.com>
Date:   Thu, 22 Apr 2021 10:37:38 +0800
From:   Jason Wang <jasowang@...hat.com>
To:     Eli Cohen <elic@...dia.com>, mst@...hat.com
Cc:     virtualization@...ts.linux-foundation.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] vdpa/mlx5: Add support for doorbell bypassing


在 2021/4/21 下午6:41, Eli Cohen 写道:
> Implement mlx5_get_vq_notification() to return the doorbell address.
> Size is set to one system page as required.
>
> Signed-off-by: Eli Cohen <elic@...dia.com>
> ---
>   drivers/vdpa/mlx5/core/mlx5_vdpa.h | 1 +
>   drivers/vdpa/mlx5/core/resources.c | 1 +
>   drivers/vdpa/mlx5/net/mlx5_vnet.c  | 6 ++++++
>   3 files changed, 8 insertions(+)
>
> diff --git a/drivers/vdpa/mlx5/core/mlx5_vdpa.h b/drivers/vdpa/mlx5/core/mlx5_vdpa.h
> index b6cc53ba980c..49de62cda598 100644
> --- a/drivers/vdpa/mlx5/core/mlx5_vdpa.h
> +++ b/drivers/vdpa/mlx5/core/mlx5_vdpa.h
> @@ -41,6 +41,7 @@ struct mlx5_vdpa_resources {
>   	u32 pdn;
>   	struct mlx5_uars_page *uar;
>   	void __iomem *kick_addr;
> +	u64 phys_kick_addr;
>   	u16 uid;
>   	u32 null_mkey;
>   	bool valid;
> diff --git a/drivers/vdpa/mlx5/core/resources.c b/drivers/vdpa/mlx5/core/resources.c
> index 6521cbd0f5c2..665f8fc1710f 100644
> --- a/drivers/vdpa/mlx5/core/resources.c
> +++ b/drivers/vdpa/mlx5/core/resources.c
> @@ -247,6 +247,7 @@ int mlx5_vdpa_alloc_resources(struct mlx5_vdpa_dev *mvdev)
>   		goto err_key;
>   
>   	kick_addr = mdev->bar_addr + offset;
> +	res->phys_kick_addr = kick_addr;
>   
>   	res->kick_addr = ioremap(kick_addr, PAGE_SIZE);
>   	if (!res->kick_addr) {
> diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> index 10c5fef3c020..680751074d2a 100644
> --- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> +++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> @@ -1865,8 +1865,14 @@ static void mlx5_vdpa_free(struct vdpa_device *vdev)
>   
>   static struct vdpa_notification_area mlx5_get_vq_notification(struct vdpa_device *vdev, u16 idx)
>   {
> +	struct mlx5_vdpa_dev *mvdev = to_mvdev(vdev);
>   	struct vdpa_notification_area ret = {};
> +	struct mlx5_vdpa_net *ndev;
> +
> +	ndev = to_mlx5_vdpa_ndev(mvdev);
>   
> +	ret.addr = (phys_addr_t)ndev->mvdev.res.phys_kick_addr;
> +	ret.size = PAGE_SIZE;


Note that the page will be mapped in to guest, so it's only safe if the 
doorbeel exclusively own the page. This means if there're other 
registers in the page, we can not let the doorbell bypass to work.

So this is suspicious at least in the case of subfunction where we 
calculate the bar length in mlx5_sf_dev_table_create() as:

table->sf_bar_length = 1 << (MLX5_CAP_GEN(dev, log_min_sf_size) + 12);

It looks to me this can only work for the arch with PAGE_SIZE = 4096, 
otherwise we can map more into the userspace(guest).

Thanks



>   	return ret;
>   }
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ