Re: [RFC PATCH v2 0/5] physmem: Have flaview API check bus permission fr
From: Stefan Hajnoczi
Subject: Re: [RFC PATCH v2 0/5] physmem: Have flaview API check bus permission from MemTxAttrs argument
Date: Tue, 24 Aug 2021 14:26:12 +0100

On Mon, Aug 23, 2021 at 08:10:50PM +0100, Peter Maydell wrote:
> On Mon, 23 Aug 2021 at 17:42, Philippe Mathieu-Daudé <philmd@redhat.com>
> wrote:
> >
> > This series aims to kill a recent class of bug, the infamous
> > "DMA reentrancy" issues found by Alexander while fuzzing.
> >
> > Introduce the 'bus_perm' field in MemTxAttrs, defining 3 bits:
> >
> > - MEMTXPERM_UNSPECIFIED (current default, unchanged behavior)
> > - MEMTXPERM_UNRESTRICTED (allow list approach)
> > - MEMTXPERM_RAM_DEVICE (example of deny list approach)
> >
> > If a transaction permission is not allowed (for example access
> > to non-RAM device), we return the specific MEMTX_BUS_ERROR.
> >
> > Permissions are checked after the flatview is resolved, and
> > before the access is done, in a new function: flatview_access_allowed().
>
> So I'm not going to say 'no' to this, because we have a real
> recursive-device-handling problem and I don't have a better
> idea to hand, but the thing about this is that we end up with
> behaviour which is not what the real hardware does. I'm not
> aware of any DMA device which has this kind of "can only DMA
> to/from RAM, and aborts on access to a device" behaviour...

Points that have come up in previous discussions on this topic:

- We probably won't be able to find out the actual hardware behavior for
  all device models in QEMU. Strict RAM-only DMA restrictions can be
  merged early in the QEMU 6.2 development cycle so there's plenty of
  time to identify regressions. The benefit of a strict policy is that
  we eliminate this class of bugs for most devices now and in the
  future.

- If the risk of regressions is too high, then this API can be used on a
  case-by-case basis to fix bugs such as those identified by Alexander's
  fuzzer. We'll be plagued with this class of bugs in the future though,
  so I prefer a strict policy.

- DMA capabilities depend on the host bus adapter/controller. In order
  to faithfully emulate real hardware we need to know how it behaves.
  That needs to be done for each host bus adapter (e.g. PCI
  controllers).

- SysBus devices each have their own behavior wrt device-to-device DMA.

Stefan