Message-ID: <CACycT3so8iqySjx0JFOMNAXM85v1GtrXFhA=uR8J-KFdicg8Eg@mail.gmail.com>
Date: Fri, 14 May 2021 16:40:39 +0800
From: Yongji Xie <xieyongji@...edance.com>
To: Jason Wang <jasowang@...hat.com>
Cc: Stefan Hajnoczi <stefanha@...hat.com>,
"Michael S. Tsirkin" <mst@...hat.com>,
virtualization <virtualization@...ts.linux-foundation.org>,
linux-kernel <linux-kernel@...r.kernel.org>,
file@...t.tu-berlin.de, ashish.kalra@....com,
konrad.wilk@...cle.com, kvm <kvm@...r.kernel.org>,
Christoph Hellwig <hch@...radead.org>
Subject: Re: Re: Re: [RFC PATCH V2 0/7] Do not read from descriptor ring

On Fri, May 14, 2021 at 3:31 PM Jason Wang <jasowang@...hat.com> wrote:
>
> On Fri, May 14, 2021 at 2:07 PM Yongji Xie <xieyongji@...edance.com> wrote:
> >
> > On Fri, May 14, 2021 at 12:27 AM Stefan Hajnoczi <stefanha@...hat.com> wrote:
> > >
> > > On Fri, Apr 23, 2021 at 04:09:35PM +0800, Jason Wang wrote:
> > > > Sometimes, the driver doesn't trust the device. This usually
> > > > happens for the encrypted VM or VDUSE[1].
> > >
> > > Thanks for doing this.
> > >
> > > Can you describe the overall memory safety model that virtio drivers
> > > must follow? For example:
> > >
> > > - Driver-to-device buffers must be on dedicated pages to avoid
> > > information leaks.
> > >
> > > - Driver-to-device buffers must be on dedicated pages to avoid memory
> > > corruption.
> > >
> > > When I say "pages" I guess it's the IOMMU page size that matters?
> > >
> > > What is the memory access granularity of VDUSE?
> > >
> >
> > Now we use PAGE_SIZE as the access granularity. I think it should be
> > safe to access the Driver-to-device buffers in the VDUSE case because we
> > also use a bounce-buffering mechanism like swiotlb does.
> >
> > Thanks,
> > Yongji
> >
>
> Yes, while at this, I wonder if it's possible to re-use the swiotlb
> code for VDUSE, or to have some common library for this. Otherwise
> there would be duplicated code (bugs).
>
I think there are still some gaps between the VDUSE code and the swiotlb
code. For example, swiotlb allocates and uses contiguous memory for
bouncing but VDUSE doesn't. The swiotlb works in singleton mode
(designed for platform IOMMU), but VDUSE is based on on-chip IOMMU
(supports multiple instances). So we will need some extra work if we
want a common library for them both.

And since the only duplicated code now is swiotlb_bounce() (swiotlb)
and do_bounce() (VDUSE), I prefer to do this work in the future rather
than in the current series.

Thanks,
Yongji
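
The page-granularity bounce buffering discussed in this thread, as an added userspace sketch in C that is not part of any message and is not the VDUSE or swiotlb code. `struct bounce_map`, `bounce_map_single`, `bounce_unmap_single`, `untrusted_device_reach` and `PAGE_SZ` are hypothetical names, and the untrusted device is simulated by reading and overwriting the whole bounce page.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SZ 4096u   /* assumed access granularity (PAGE_SIZE in the thread) */

struct bounce_map {     /* hypothetical model of one bidirectional mapping */
    uint8_t *orig;      /* driver buffer; may share its page with other data */
    size_t len;         /* bytes the driver actually mapped */
    uint8_t *page;      /* stands in for the dedicated page the device can reach */
};

/* Map: the device gets a zeroed dedicated page holding only the mapped bytes. */
static int bounce_map_single(struct bounce_map *m, void *buf, size_t len)
{
    if (len == 0 || len > PAGE_SZ || !(m->page = calloc(1, PAGE_SZ)))
        return -1;      /* this model covers single-page buffers only */
    m->orig = buf;
    m->len = len;
    memcpy(m->page, buf, len);
    return 0;
}

/* Unmap: copy back exactly len bytes; device writes past len are discarded. */
static void bounce_unmap_single(struct bounce_map *m)
{
    memcpy(m->orig, m->page, m->len);
    free(m->page);
}

/* Constructed case: a 16-byte buffer followed by 32 bytes of unrelated driver data.
 * Returns bit 0 if the device can read that data, bit 1 if it can overwrite it. */
static int untrusted_device_reach(void)
{
    uint8_t drv[PAGE_SZ] = {0};
    struct bounce_map m;
    int reach = 0;
    memset(drv + 16, 0x5A, 32);                 /* neighbour sharing the page */
    if (bounce_map_single(&m, drv, 16))
        return -1;
    for (size_t i = 0; i < PAGE_SZ; i++)        /* device reads its whole page */
        reach |= (m.page[i] == 0x5A);
    memset(m.page, 0xFF, PAGE_SZ);              /* device scribbles on its whole page */
    bounce_unmap_single(&m);
    for (size_t i = 16; i < 48; i++)            /* did the neighbour change? */
        reach |= (drv[i] != 0x5A) << 1;
    return reach;
}

int main(void) { return untrusted_device_reach(); }
```

Mapping the driver page directly at page granularity would set both bits in this scenario, which is the leak and the corruption case the two bullet points in the quoted question describe.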