lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20211026084212.36b0142c.alex.williamson@redhat.com>
Date:   Tue, 26 Oct 2021 08:42:12 -0600
From:   Alex Williamson <alex.williamson@...hat.com>
To:     Jason Gunthorpe <jgg@...dia.com>
Cc:     Cornelia Huck <cohuck@...hat.com>,
        Yishai Hadas <yishaih@...dia.com>, bhelgaas@...gle.com,
        saeedm@...dia.com, linux-pci@...r.kernel.org, kvm@...r.kernel.org,
        netdev@...r.kernel.org, kuba@...nel.org, leonro@...dia.com,
        kwankhede@...dia.com, mgurtovoy@...dia.com, maorg@...dia.com,
        "Dr. David Alan Gilbert" <dgilbert@...hat.com>
Subject: Re: [PATCH V2 mlx5-next 12/14] vfio/mlx5: Implement vfio_pci driver
 for mlx5 devices

On Mon, 25 Oct 2021 11:56:46 -0300
Jason Gunthorpe <jgg@...dia.com> wrote:

> On Mon, Oct 25, 2021 at 08:28:57AM -0600, Alex Williamson wrote:
> > On Mon, 25 Oct 2021 09:29:38 -0300
> > Jason Gunthorpe <jgg@...dia.com> wrote:
> >   
> > > On Thu, Oct 21, 2021 at 03:47:29PM -0600, Alex Williamson wrote:  
> > > > I recall that we previously suggested a very strict interpretation of
> > > > clearing the _RUNNING bit, but again I'm questioning if that's a real
> > > > requirement or simply a nice-to-have feature for some undefined
> > > > debugging capability.  In raising the p2p DMA issue, we can see that a
> > > > hard stop independent of other devices is not really practical but I
> > > > also don't see that introducing a new state bit solves this problem any
> > > > more elegantly than proposed here.  Thanks,    
> > > 
> > > I still disagree with this - the level of 'frozenness' of a device is
> > > something that belongs in the defined state exposed to userspace, not
> > > as a hidden internal state that userspace can't see.
> > > 
> > > It makes the state transitions asymmetric between suspend/resume as
> > > resume does have a defined uAPI state for each level of frozeness and
> > > suspend does not.
> > > 
> > > With the extra bit resume does:
> > >   
> > >   0000, 0100, 1000, 0001
> > > 
> > > And suspend does:
> > > 
> > >   0001, 1001, 0010, 0000
> > > 
> > > However, without the extra bit suspend is only
> > >   
> > >   001,  010, 000
> > > 
> > > With hidden state inside the 010  
> > 
> > And what is the device supposed to do if it receives a DMA while in
> > this strictly defined stopped state?  If it generates an unsupported
> > request, that can trigger a fatal platform error.    
> 
> I don't see that this question changes anything, we always have a
> state where the device is unable to respond to incoming DMA.

I think that depends on the device implementation.  If all devices can
receive incoming DMA, but all devices are also quiesced not to send
DMA, there's not necessarily a need to put the device in a state where
it errors TLPs.  This ventures into conversations about why assigning
VFs can be considered safer than assigning PFs, users cannot disable
memory space of VFs and therefore cannot generate URs on writes to
MMIO, which may generate fatal faults on some platforms.  If we create
a uAPI that requires dropping TLPs, then we provide userspace with a
means to specifically generate those faults.

> In all cases entry to this state is triggered only by user space
> action, if userspace does the ioctls in the wrong order then it will
> hit it.

And if userspace does not quiesce DMA and gets an intermediate device
state, that's a failure to follow the protocol.

> > If it silently drops the DMA, then we have data loss.  We're
> > defining a catch-22 scenario for drivers versus placing the onus on
> > the user to quiesce the set of devices in order to consider the
> > migration status as valid.    
> 
> The device should error the TLP.

That's a bit of a landmine as outlined above.
 
> Userspace must globally fence access to the device before it enters
> the device into the state where it errors TLPs.
> 
> This is also why I don't like it being so transparent as it is
> something userspace needs to care about - especially if the HW cannot
> support such a thing, if we intend to allow that.

Userspace does need to care, but userspace's concern over this should
not be able to compromise the platform and therefore making VF
assignment more susceptible to fatal error conditions to comply with a
migration uAPI is troublesome for me.  Thanks,

Alex

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ