From: Jason Wang <jasowang@redhat.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: virtualization <virtualization@lists.linux-foundation.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
"Hetzelt, Felicitas" <f.hetzelt@tu-berlin.de>,
"kaplan, david" <david.kaplan@amd.com>,
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Subject: Re: [PATCH 7/9] virtio-pci: harden INTX interrupts
Date: Mon, 13 Sep 2021 15:17:32 +0800 [thread overview]
Message-ID: <CACGkMEtcmGJhs=ft-0_rYQ7ctWsdxvd=BuHM_dR2MZXNxy9Tig@mail.gmail.com> (raw)
In-Reply-To: <20210913030134-mutt-send-email-mst@kernel.org>
On Mon, Sep 13, 2021 at 3:02 PM Michael S. Tsirkin <mst@redhat.com> wrote:
>
> On Mon, Sep 13, 2021 at 02:45:38PM +0800, Jason Wang wrote:
> > On Mon, Sep 13, 2021 at 2:41 PM Michael S. Tsirkin <mst@redhat.com> wrote:
> > >
> > > On Mon, Sep 13, 2021 at 02:36:54PM +0800, Jason Wang wrote:
> > > > On Mon, Sep 13, 2021 at 2:33 PM Michael S. Tsirkin <mst@redhat.com> wrote:
> > > > >
> > > > > On Mon, Sep 13, 2021 at 01:53:51PM +0800, Jason Wang wrote:
> > > > > > This patch tries to make sure the virtio interrupt handler for INTX
> > > > > > won't be called after a reset and before virtio_device_ready(). We
> > > > > > can't use IRQF_NO_AUTOEN since we're using shared interrupt
> > > > > > (IRQF_SHARED). So this patch tracks the INTX enabling status in a new
> > > > > > intx_soft_enabled variable and toggle it during in
> > > > > > vp_disable/enable_vectors(). The INTX interrupt handler will check
> > > > > > intx_soft_enabled before processing the actual interrupt.
> > > > > >
> > > > > > Signed-off-by: Jason Wang <jasowang@redhat.com>
> > > > >
> > > > >
> > > > > Not all that excited about all the memory barriers for something
> > > > > that should be an extremely rare event (for most kernels -
> > > > > literally once per boot). Can't we do better?
> > > >
> > > > I'm not sure, but do we need to care about the slow path (INTX)?
> > >
> > > Otherwise we won't try to support this, right?
> >
> > Sorry, what I meant is "do we need to care about the performance of
> > the slow path".
> >
> > >
> > > > (Or do you have a better approach?)
> > > >
> > > > Thanks
> > >
> > > Don't know really, maybe rcu or whatever?
> >
> > I am sure it's worth it to bother since it's the slow path.
> >
> > > But let's try to be much more specific - is there anything
> > > specific we are trying to protect against here?
> >
> > The unexpected calling of the vring or config interrupt handler. (The
> > same as MSI-X, e.g the untrusted device can send irq at any time).
> >
> > Thanks
>
> And so, does this do more than crash the guest? Hypervisors
> already can do that ...
Yes, so for DOS and shutdown it should be fine, but for other kinds of
crash, it would be very hard to say what can happen (e.g manipulating
SWIOTLB or page table etc). So it's better to avoid non DOS crashes.
Thanks
>
>
> > >
> > >
> > >
> > > > >
> > > > > > ---
> > > > > > drivers/virtio/virtio_pci_common.c | 18 ++++++++++++++++--
> > > > > > drivers/virtio/virtio_pci_common.h | 1 +
> > > > > > 2 files changed, 17 insertions(+), 2 deletions(-)
> > > > > >
> > > > > > diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c
> > > > > > index 0b9523e6dd39..835197151dc1 100644
> > > > > > --- a/drivers/virtio/virtio_pci_common.c
> > > > > > +++ b/drivers/virtio/virtio_pci_common.c
> > > > > > @@ -30,8 +30,12 @@ void vp_disable_vectors(struct virtio_device *vdev)
> > > > > > struct virtio_pci_device *vp_dev = to_vp_device(vdev);
> > > > > > int i;
> > > > > >
> > > > > > - if (vp_dev->intx_enabled)
> > > > > > + if (vp_dev->intx_enabled) {
> > > > > > + vp_dev->intx_soft_enabled = false;
> > > > > > + /* ensure the vp_interrupt see this intx_soft_enabled value */
> > > > > > + smp_wmb();
> > > > > > synchronize_irq(vp_dev->pci_dev->irq);
> > > > > > + }
> > > > > >
> > > > > > for (i = 0; i < vp_dev->msix_vectors; ++i)
> > > > > > disable_irq(pci_irq_vector(vp_dev->pci_dev, i));
> > > > > > @@ -43,8 +47,12 @@ void vp_enable_vectors(struct virtio_device *vdev)
> > > > > > struct virtio_pci_device *vp_dev = to_vp_device(vdev);
> > > > > > int i;
> > > > > >
> > > > > > - if (vp_dev->intx_enabled)
> > > > > > + if (vp_dev->intx_enabled) {
> > > > > > + vp_dev->intx_soft_enabled = true;
> > > > > > + /* ensure the vp_interrupt see this intx_soft_enabled value */
> > > > > > + smp_wmb();
> > > > > > return;
> > > > > > + }
> > > > > >
> > > > > > for (i = 0; i < vp_dev->msix_vectors; ++i)
> > > > > > enable_irq(pci_irq_vector(vp_dev->pci_dev, i));
> > > > > > @@ -97,6 +105,12 @@ static irqreturn_t vp_interrupt(int irq, void *opaque)
> > > > > > struct virtio_pci_device *vp_dev = opaque;
> > > > > > u8 isr;
> > > > > >
> > > > > > + if (!vp_dev->intx_soft_enabled)
> > > > > > + return IRQ_NONE;
> > > > > > +
> > > > > > + /* read intx_soft_enabled before read others */
> > > > > > + smp_rmb();
> > > > > > +
> > > > > > /* reading the ISR has the effect of also clearing it so it's very
> > > > > > * important to save off the value. */
> > > > > > isr = ioread8(vp_dev->isr);
> > > > > > diff --git a/drivers/virtio/virtio_pci_common.h b/drivers/virtio/virtio_pci_common.h
> > > > > > index a235ce9ff6a5..3c06e0f92ee4 100644
> > > > > > --- a/drivers/virtio/virtio_pci_common.h
> > > > > > +++ b/drivers/virtio/virtio_pci_common.h
> > > > > > @@ -64,6 +64,7 @@ struct virtio_pci_device {
> > > > > > /* MSI-X support */
> > > > > > int msix_enabled;
> > > > > > int intx_enabled;
> > > > > > + bool intx_soft_enabled;
> > > > > > cpumask_var_t *msix_affinity_masks;
> > > > > > /* Name strings for interrupts. This size should be enough,
> > > > > > * and I'm too lazy to allocate each name separately. */
> > > > > > --
> > > > > > 2.25.1
> > > > >
> > >
>
WARNING: multiple messages have this Message-ID (diff)
From: Jason Wang <jasowang@redhat.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
"Hetzelt, Felicitas" <f.hetzelt@tu-berlin.de>,
linux-kernel <linux-kernel@vger.kernel.org>,
"kaplan, david" <david.kaplan@amd.com>,
virtualization <virtualization@lists.linux-foundation.org>
Subject: Re: [PATCH 7/9] virtio-pci: harden INTX interrupts
Date: Mon, 13 Sep 2021 15:17:32 +0800 [thread overview]
Message-ID: <CACGkMEtcmGJhs=ft-0_rYQ7ctWsdxvd=BuHM_dR2MZXNxy9Tig@mail.gmail.com> (raw)
In-Reply-To: <20210913030134-mutt-send-email-mst@kernel.org>
On Mon, Sep 13, 2021 at 3:02 PM Michael S. Tsirkin <mst@redhat.com> wrote:
>
> On Mon, Sep 13, 2021 at 02:45:38PM +0800, Jason Wang wrote:
> > On Mon, Sep 13, 2021 at 2:41 PM Michael S. Tsirkin <mst@redhat.com> wrote:
> > >
> > > On Mon, Sep 13, 2021 at 02:36:54PM +0800, Jason Wang wrote:
> > > > On Mon, Sep 13, 2021 at 2:33 PM Michael S. Tsirkin <mst@redhat.com> wrote:
> > > > >
> > > > > On Mon, Sep 13, 2021 at 01:53:51PM +0800, Jason Wang wrote:
> > > > > > This patch tries to make sure the virtio interrupt handler for INTX
> > > > > > won't be called after a reset and before virtio_device_ready(). We
> > > > > > can't use IRQF_NO_AUTOEN since we're using shared interrupt
> > > > > > (IRQF_SHARED). So this patch tracks the INTX enabling status in a new
> > > > > > intx_soft_enabled variable and toggle it during in
> > > > > > vp_disable/enable_vectors(). The INTX interrupt handler will check
> > > > > > intx_soft_enabled before processing the actual interrupt.
> > > > > >
> > > > > > Signed-off-by: Jason Wang <jasowang@redhat.com>
> > > > >
> > > > >
> > > > > Not all that excited about all the memory barriers for something
> > > > > that should be an extremely rare event (for most kernels -
> > > > > literally once per boot). Can't we do better?
> > > >
> > > > I'm not sure, but do we need to care about the slow path (INTX)?
> > >
> > > Otherwise we won't try to support this, right?
> >
> > Sorry, what I meant is "do we need to care about the performance of
> > the slow path".
> >
> > >
> > > > (Or do you have a better approach?)
> > > >
> > > > Thanks
> > >
> > > Don't know really, maybe rcu or whatever?
> >
> > I am sure it's worth it to bother since it's the slow path.
> >
> > > But let's try to be much more specific - is there anything
> > > specific we are trying to protect against here?
> >
> > The unexpected calling of the vring or config interrupt handler. (The
> > same as MSI-X, e.g the untrusted device can send irq at any time).
> >
> > Thanks
>
> And so, does this do more than crash the guest? Hypervisors
> already can do that ...
Yes, so for DOS and shutdown it should be fine, but for other kinds of
crash, it would be very hard to say what can happen (e.g manipulating
SWIOTLB or page table etc). So it's better to avoid non DOS crashes.
Thanks
>
>
> > >
> > >
> > >
> > > > >
> > > > > > ---
> > > > > > drivers/virtio/virtio_pci_common.c | 18 ++++++++++++++++--
> > > > > > drivers/virtio/virtio_pci_common.h | 1 +
> > > > > > 2 files changed, 17 insertions(+), 2 deletions(-)
> > > > > >
> > > > > > diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c
> > > > > > index 0b9523e6dd39..835197151dc1 100644
> > > > > > --- a/drivers/virtio/virtio_pci_common.c
> > > > > > +++ b/drivers/virtio/virtio_pci_common.c
> > > > > > @@ -30,8 +30,12 @@ void vp_disable_vectors(struct virtio_device *vdev)
> > > > > > struct virtio_pci_device *vp_dev = to_vp_device(vdev);
> > > > > > int i;
> > > > > >
> > > > > > - if (vp_dev->intx_enabled)
> > > > > > + if (vp_dev->intx_enabled) {
> > > > > > + vp_dev->intx_soft_enabled = false;
> > > > > > + /* ensure the vp_interrupt see this intx_soft_enabled value */
> > > > > > + smp_wmb();
> > > > > > synchronize_irq(vp_dev->pci_dev->irq);
> > > > > > + }
> > > > > >
> > > > > > for (i = 0; i < vp_dev->msix_vectors; ++i)
> > > > > > disable_irq(pci_irq_vector(vp_dev->pci_dev, i));
> > > > > > @@ -43,8 +47,12 @@ void vp_enable_vectors(struct virtio_device *vdev)
> > > > > > struct virtio_pci_device *vp_dev = to_vp_device(vdev);
> > > > > > int i;
> > > > > >
> > > > > > - if (vp_dev->intx_enabled)
> > > > > > + if (vp_dev->intx_enabled) {
> > > > > > + vp_dev->intx_soft_enabled = true;
> > > > > > + /* ensure the vp_interrupt see this intx_soft_enabled value */
> > > > > > + smp_wmb();
> > > > > > return;
> > > > > > + }
> > > > > >
> > > > > > for (i = 0; i < vp_dev->msix_vectors; ++i)
> > > > > > enable_irq(pci_irq_vector(vp_dev->pci_dev, i));
> > > > > > @@ -97,6 +105,12 @@ static irqreturn_t vp_interrupt(int irq, void *opaque)
> > > > > > struct virtio_pci_device *vp_dev = opaque;
> > > > > > u8 isr;
> > > > > >
> > > > > > + if (!vp_dev->intx_soft_enabled)
> > > > > > + return IRQ_NONE;
> > > > > > +
> > > > > > + /* read intx_soft_enabled before read others */
> > > > > > + smp_rmb();
> > > > > > +
> > > > > > /* reading the ISR has the effect of also clearing it so it's very
> > > > > > * important to save off the value. */
> > > > > > isr = ioread8(vp_dev->isr);
> > > > > > diff --git a/drivers/virtio/virtio_pci_common.h b/drivers/virtio/virtio_pci_common.h
> > > > > > index a235ce9ff6a5..3c06e0f92ee4 100644
> > > > > > --- a/drivers/virtio/virtio_pci_common.h
> > > > > > +++ b/drivers/virtio/virtio_pci_common.h
> > > > > > @@ -64,6 +64,7 @@ struct virtio_pci_device {
> > > > > > /* MSI-X support */
> > > > > > int msix_enabled;
> > > > > > int intx_enabled;
> > > > > > + bool intx_soft_enabled;
> > > > > > cpumask_var_t *msix_affinity_masks;
> > > > > > /* Name strings for interrupts. This size should be enough,
> > > > > > * and I'm too lazy to allocate each name separately. */
> > > > > > --
> > > > > > 2.25.1
> > > > >
> > >
>
_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
next prev parent reply other threads:[~2021-09-13 7:17 UTC|newest]
Thread overview: 110+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-13 5:53 [PATCH 0/9] More virtio hardening Jason Wang
2021-09-13 5:53 ` Jason Wang
2021-09-13 5:53 ` [PATCH 1/9] virtio-blk: validate num_queues during probe Jason Wang
2021-09-13 5:53 ` Jason Wang
2021-09-13 7:48 ` Stefano Garzarella
2021-09-13 7:48 ` Stefano Garzarella
2021-09-14 2:29 ` Jason Wang
2021-09-14 2:29 ` Jason Wang
2021-09-13 12:05 ` Stefan Hajnoczi
2021-09-13 12:05 ` Stefan Hajnoczi
2021-09-13 5:53 ` [PATCH 2/9] virtio: add doc for validate() method Jason Wang
2021-09-13 5:53 ` Jason Wang
2021-09-13 5:53 ` [PATCH 3/9] virtio-console: switch to use .validate() Jason Wang
2021-09-13 5:53 ` Jason Wang
2021-09-13 5:53 ` [PATCH 4/9] virtio_console: validate max_nr_ports before trying to use it Jason Wang
2021-09-13 5:53 ` Jason Wang
2021-09-13 5:53 ` [PATCH 5/9] virtio_config: introduce a new ready method Jason Wang
2021-09-13 5:53 ` Jason Wang
2021-09-13 5:53 ` [PATCH 6/9] virtio_pci: harden MSI-X interrupts Jason Wang
2021-09-13 5:53 ` Jason Wang
2021-09-13 6:03 ` Michael S. Tsirkin
2021-09-13 6:03 ` Michael S. Tsirkin
2021-09-13 6:08 ` Jason Wang
2021-09-13 6:08 ` Jason Wang
2021-09-13 6:28 ` Michael S. Tsirkin
2021-09-13 6:28 ` Michael S. Tsirkin
2021-09-13 6:34 ` Jason Wang
2021-09-13 6:34 ` Jason Wang
2021-09-13 6:37 ` Michael S. Tsirkin
2021-09-13 6:37 ` Michael S. Tsirkin
2021-09-13 6:43 ` Jason Wang
2021-09-13 6:43 ` Jason Wang
2021-09-13 7:01 ` Michael S. Tsirkin
2021-09-13 7:01 ` Michael S. Tsirkin
2021-09-13 7:15 ` Jason Wang
2021-09-13 7:15 ` Jason Wang
2021-09-13 6:50 ` Michael S. Tsirkin
2021-09-13 6:50 ` Michael S. Tsirkin
2021-09-13 7:07 ` Jason Wang
2021-09-13 7:07 ` Jason Wang
2021-09-13 19:38 ` Thomas Gleixner
2021-09-13 19:38 ` Thomas Gleixner
2021-09-13 20:54 ` Michael S. Tsirkin
2021-09-13 20:54 ` Michael S. Tsirkin
2021-09-13 22:31 ` Thomas Gleixner
2021-09-13 22:31 ` Thomas Gleixner
2021-09-14 2:20 ` Jason Wang
2021-09-14 2:20 ` Jason Wang
2021-09-14 8:29 ` Thomas Gleixner
2021-09-14 8:29 ` Thomas Gleixner
2021-09-13 5:53 ` [PATCH 7/9] virtio-pci: harden INTX interrupts Jason Wang
2021-09-13 5:53 ` Jason Wang
2021-09-13 6:33 ` Michael S. Tsirkin
2021-09-13 6:33 ` Michael S. Tsirkin
2021-09-13 6:36 ` Jason Wang
2021-09-13 6:36 ` Jason Wang
2021-09-13 6:41 ` Michael S. Tsirkin
2021-09-13 6:41 ` Michael S. Tsirkin
2021-09-13 6:45 ` Jason Wang
2021-09-13 6:45 ` Jason Wang
2021-09-13 7:02 ` Michael S. Tsirkin
2021-09-13 7:02 ` Michael S. Tsirkin
2021-09-13 7:17 ` Jason Wang [this message]
2021-09-13 7:17 ` Jason Wang
2021-09-13 21:36 ` Thomas Gleixner
2021-09-13 21:36 ` Thomas Gleixner
2021-09-13 22:01 ` Michael S. Tsirkin
2021-09-13 22:01 ` Michael S. Tsirkin
2021-09-13 22:20 ` Thomas Gleixner
2021-09-13 22:20 ` Thomas Gleixner
2021-09-14 2:50 ` Jason Wang
2021-09-14 2:50 ` Jason Wang
2021-09-14 9:34 ` Boqun Feng
2021-09-14 9:34 ` Boqun Feng
2021-09-14 11:03 ` Peter Zijlstra
2021-09-14 11:03 ` Peter Zijlstra
2021-09-14 11:09 ` Thomas Gleixner
2021-09-14 11:09 ` Thomas Gleixner
2021-09-13 5:53 ` [PATCH 8/9] virtio_ring: fix typos in vring_desc_extra Jason Wang
2021-09-13 5:53 ` Jason Wang
2021-09-13 5:53 ` [PATCH 9/9] virtio_ring: validate used buffer length Jason Wang
2021-09-13 5:53 ` Jason Wang
2021-09-13 6:36 ` Michael S. Tsirkin
2021-09-13 6:36 ` Michael S. Tsirkin
2021-09-13 6:40 ` Jason Wang
2021-09-13 6:40 ` Jason Wang
2021-09-13 6:57 ` Michael S. Tsirkin
2021-09-13 6:57 ` Michael S. Tsirkin
2021-09-13 7:13 ` Jason Wang
2021-09-13 7:13 ` Jason Wang
2021-10-05 7:42 ` [PATCH 0/9] More virtio hardening Michael S. Tsirkin
2021-10-05 7:42 ` Michael S. Tsirkin
2021-10-11 7:36 ` Jason Wang
2021-10-11 7:36 ` Jason Wang
2021-10-11 12:36 ` Michael S. Tsirkin
2021-10-11 12:36 ` Michael S. Tsirkin
2021-10-12 2:43 ` Jason Wang
2021-10-12 2:43 ` Jason Wang
2021-10-12 5:44 ` Michael S. Tsirkin
2021-10-12 5:44 ` Michael S. Tsirkin
2021-10-12 6:11 ` Jason Wang
2021-10-12 6:11 ` Jason Wang
2021-10-12 6:35 ` Michael S. Tsirkin
2021-10-12 6:35 ` Michael S. Tsirkin
2021-10-12 6:43 ` Jason Wang
2021-10-12 6:43 ` Jason Wang
2021-10-12 7:03 ` Michael S. Tsirkin
2021-10-12 7:03 ` Michael S. Tsirkin
2021-10-12 8:46 ` Jason Wang
2021-10-12 8:46 ` Jason Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CACGkMEtcmGJhs=ft-0_rYQ7ctWsdxvd=BuHM_dR2MZXNxy9Tig@mail.gmail.com' \
--to=jasowang@redhat.com \
--cc=david.kaplan@amd.com \
--cc=f.hetzelt@tu-berlin.de \
--cc=konrad.wilk@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mst@redhat.com \
--cc=virtualization@lists.linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.