From: Jason Wang <jasowang@redhat.com> To: "Michael S. Tsirkin" <mst@redhat.com> Cc: virtualization <virtualization@lists.linux-foundation.org>, linux-kernel <linux-kernel@vger.kernel.org>, "Hetzelt, Felicitas" <f.hetzelt@tu-berlin.de>, "kaplan, david" <david.kaplan@amd.com>, Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Subject: Re: [PATCH 7/9] virtio-pci: harden INTX interrupts Date: Mon, 13 Sep 2021 15:17:32 +0800 [thread overview] Message-ID: <CACGkMEtcmGJhs=ft-0_rYQ7ctWsdxvd=BuHM_dR2MZXNxy9Tig@mail.gmail.com> (raw) In-Reply-To: <20210913030134-mutt-send-email-mst@kernel.org> On Mon, Sep 13, 2021 at 3:02 PM Michael S. Tsirkin <mst@redhat.com> wrote: > > On Mon, Sep 13, 2021 at 02:45:38PM +0800, Jason Wang wrote: > > On Mon, Sep 13, 2021 at 2:41 PM Michael S. Tsirkin <mst@redhat.com> wrote: > > > > > > On Mon, Sep 13, 2021 at 02:36:54PM +0800, Jason Wang wrote: > > > > On Mon, Sep 13, 2021 at 2:33 PM Michael S. Tsirkin <mst@redhat.com> wrote: > > > > > > > > > > On Mon, Sep 13, 2021 at 01:53:51PM +0800, Jason Wang wrote: > > > > > > This patch tries to make sure the virtio interrupt handler for INTX > > > > > > won't be called after a reset and before virtio_device_ready(). We > > > > > > can't use IRQF_NO_AUTOEN since we're using shared interrupt > > > > > > (IRQF_SHARED). So this patch tracks the INTX enabling status in a new > > > > > > intx_soft_enabled variable and toggle it during in > > > > > > vp_disable/enable_vectors(). The INTX interrupt handler will check > > > > > > intx_soft_enabled before processing the actual interrupt. > > > > > > > > > > > > Signed-off-by: Jason Wang <jasowang@redhat.com> > > > > > > > > > > > > > > > Not all that excited about all the memory barriers for something > > > > > that should be an extremely rare event (for most kernels - > > > > > literally once per boot). Can't we do better? > > > > > > > > I'm not sure, but do we need to care about the slow path (INTX)? > > > > > > Otherwise we won't try to support this, right? > > > > Sorry, what I meant is "do we need to care about the performance of > > the slow path". > > > > > > > > > (Or do you have a better approach?) > > > > > > > > Thanks > > > > > > Don't know really, maybe rcu or whatever? > > > > I am sure it's worth it to bother since it's the slow path. > > > > > But let's try to be much more specific - is there anything > > > specific we are trying to protect against here? > > > > The unexpected calling of the vring or config interrupt handler. (The > > same as MSI-X, e.g the untrusted device can send irq at any time). > > > > Thanks > > And so, does this do more than crash the guest? Hypervisors > already can do that ... Yes, so for DOS and shutdown it should be fine, but for other kinds of crash, it would be very hard to say what can happen (e.g manipulating SWIOTLB or page table etc). So it's better to avoid non DOS crashes. Thanks > > > > > > > > > > > > > > > > > > > > > > --- > > > > > > drivers/virtio/virtio_pci_common.c | 18 ++++++++++++++++-- > > > > > > drivers/virtio/virtio_pci_common.h | 1 + > > > > > > 2 files changed, 17 insertions(+), 2 deletions(-) > > > > > > > > > > > > diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c > > > > > > index 0b9523e6dd39..835197151dc1 100644 > > > > > > --- a/drivers/virtio/virtio_pci_common.c > > > > > > +++ b/drivers/virtio/virtio_pci_common.c > > > > > > @@ -30,8 +30,12 @@ void vp_disable_vectors(struct virtio_device *vdev) > > > > > > struct virtio_pci_device *vp_dev = to_vp_device(vdev); > > > > > > int i; > > > > > > > > > > > > - if (vp_dev->intx_enabled) > > > > > > + if (vp_dev->intx_enabled) { > > > > > > + vp_dev->intx_soft_enabled = false; > > > > > > + /* ensure the vp_interrupt see this intx_soft_enabled value */ > > > > > > + smp_wmb(); > > > > > > synchronize_irq(vp_dev->pci_dev->irq); > > > > > > + } > > > > > > > > > > > > for (i = 0; i < vp_dev->msix_vectors; ++i) > > > > > > disable_irq(pci_irq_vector(vp_dev->pci_dev, i)); > > > > > > @@ -43,8 +47,12 @@ void vp_enable_vectors(struct virtio_device *vdev) > > > > > > struct virtio_pci_device *vp_dev = to_vp_device(vdev); > > > > > > int i; > > > > > > > > > > > > - if (vp_dev->intx_enabled) > > > > > > + if (vp_dev->intx_enabled) { > > > > > > + vp_dev->intx_soft_enabled = true; > > > > > > + /* ensure the vp_interrupt see this intx_soft_enabled value */ > > > > > > + smp_wmb(); > > > > > > return; > > > > > > + } > > > > > > > > > > > > for (i = 0; i < vp_dev->msix_vectors; ++i) > > > > > > enable_irq(pci_irq_vector(vp_dev->pci_dev, i)); > > > > > > @@ -97,6 +105,12 @@ static irqreturn_t vp_interrupt(int irq, void *opaque) > > > > > > struct virtio_pci_device *vp_dev = opaque; > > > > > > u8 isr; > > > > > > > > > > > > + if (!vp_dev->intx_soft_enabled) > > > > > > + return IRQ_NONE; > > > > > > + > > > > > > + /* read intx_soft_enabled before read others */ > > > > > > + smp_rmb(); > > > > > > + > > > > > > /* reading the ISR has the effect of also clearing it so it's very > > > > > > * important to save off the value. */ > > > > > > isr = ioread8(vp_dev->isr); > > > > > > diff --git a/drivers/virtio/virtio_pci_common.h b/drivers/virtio/virtio_pci_common.h > > > > > > index a235ce9ff6a5..3c06e0f92ee4 100644 > > > > > > --- a/drivers/virtio/virtio_pci_common.h > > > > > > +++ b/drivers/virtio/virtio_pci_common.h > > > > > > @@ -64,6 +64,7 @@ struct virtio_pci_device { > > > > > > /* MSI-X support */ > > > > > > int msix_enabled; > > > > > > int intx_enabled; > > > > > > + bool intx_soft_enabled; > > > > > > cpumask_var_t *msix_affinity_masks; > > > > > > /* Name strings for interrupts. This size should be enough, > > > > > > * and I'm too lazy to allocate each name separately. */ > > > > > > -- > > > > > > 2.25.1 > > > > > > > > >
WARNING: multiple messages have this Message-ID (diff)
From: Jason Wang <jasowang@redhat.com> To: "Michael S. Tsirkin" <mst@redhat.com> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>, "Hetzelt, Felicitas" <f.hetzelt@tu-berlin.de>, linux-kernel <linux-kernel@vger.kernel.org>, "kaplan, david" <david.kaplan@amd.com>, virtualization <virtualization@lists.linux-foundation.org> Subject: Re: [PATCH 7/9] virtio-pci: harden INTX interrupts Date: Mon, 13 Sep 2021 15:17:32 +0800 [thread overview] Message-ID: <CACGkMEtcmGJhs=ft-0_rYQ7ctWsdxvd=BuHM_dR2MZXNxy9Tig@mail.gmail.com> (raw) In-Reply-To: <20210913030134-mutt-send-email-mst@kernel.org> On Mon, Sep 13, 2021 at 3:02 PM Michael S. Tsirkin <mst@redhat.com> wrote: > > On Mon, Sep 13, 2021 at 02:45:38PM +0800, Jason Wang wrote: > > On Mon, Sep 13, 2021 at 2:41 PM Michael S. Tsirkin <mst@redhat.com> wrote: > > > > > > On Mon, Sep 13, 2021 at 02:36:54PM +0800, Jason Wang wrote: > > > > On Mon, Sep 13, 2021 at 2:33 PM Michael S. Tsirkin <mst@redhat.com> wrote: > > > > > > > > > > On Mon, Sep 13, 2021 at 01:53:51PM +0800, Jason Wang wrote: > > > > > > This patch tries to make sure the virtio interrupt handler for INTX > > > > > > won't be called after a reset and before virtio_device_ready(). We > > > > > > can't use IRQF_NO_AUTOEN since we're using shared interrupt > > > > > > (IRQF_SHARED). So this patch tracks the INTX enabling status in a new > > > > > > intx_soft_enabled variable and toggle it during in > > > > > > vp_disable/enable_vectors(). The INTX interrupt handler will check > > > > > > intx_soft_enabled before processing the actual interrupt. > > > > > > > > > > > > Signed-off-by: Jason Wang <jasowang@redhat.com> > > > > > > > > > > > > > > > Not all that excited about all the memory barriers for something > > > > > that should be an extremely rare event (for most kernels - > > > > > literally once per boot). Can't we do better? > > > > > > > > I'm not sure, but do we need to care about the slow path (INTX)? > > > > > > Otherwise we won't try to support this, right? > > > > Sorry, what I meant is "do we need to care about the performance of > > the slow path". > > > > > > > > > (Or do you have a better approach?) > > > > > > > > Thanks > > > > > > Don't know really, maybe rcu or whatever? > > > > I am sure it's worth it to bother since it's the slow path. > > > > > But let's try to be much more specific - is there anything > > > specific we are trying to protect against here? > > > > The unexpected calling of the vring or config interrupt handler. (The > > same as MSI-X, e.g the untrusted device can send irq at any time). > > > > Thanks > > And so, does this do more than crash the guest? Hypervisors > already can do that ... Yes, so for DOS and shutdown it should be fine, but for other kinds of crash, it would be very hard to say what can happen (e.g manipulating SWIOTLB or page table etc). So it's better to avoid non DOS crashes. Thanks > > > > > > > > > > > > > > > > > > > > > > --- > > > > > > drivers/virtio/virtio_pci_common.c | 18 ++++++++++++++++-- > > > > > > drivers/virtio/virtio_pci_common.h | 1 + > > > > > > 2 files changed, 17 insertions(+), 2 deletions(-) > > > > > > > > > > > > diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c > > > > > > index 0b9523e6dd39..835197151dc1 100644 > > > > > > --- a/drivers/virtio/virtio_pci_common.c > > > > > > +++ b/drivers/virtio/virtio_pci_common.c > > > > > > @@ -30,8 +30,12 @@ void vp_disable_vectors(struct virtio_device *vdev) > > > > > > struct virtio_pci_device *vp_dev = to_vp_device(vdev); > > > > > > int i; > > > > > > > > > > > > - if (vp_dev->intx_enabled) > > > > > > + if (vp_dev->intx_enabled) { > > > > > > + vp_dev->intx_soft_enabled = false; > > > > > > + /* ensure the vp_interrupt see this intx_soft_enabled value */ > > > > > > + smp_wmb(); > > > > > > synchronize_irq(vp_dev->pci_dev->irq); > > > > > > + } > > > > > > > > > > > > for (i = 0; i < vp_dev->msix_vectors; ++i) > > > > > > disable_irq(pci_irq_vector(vp_dev->pci_dev, i)); > > > > > > @@ -43,8 +47,12 @@ void vp_enable_vectors(struct virtio_device *vdev) > > > > > > struct virtio_pci_device *vp_dev = to_vp_device(vdev); > > > > > > int i; > > > > > > > > > > > > - if (vp_dev->intx_enabled) > > > > > > + if (vp_dev->intx_enabled) { > > > > > > + vp_dev->intx_soft_enabled = true; > > > > > > + /* ensure the vp_interrupt see this intx_soft_enabled value */ > > > > > > + smp_wmb(); > > > > > > return; > > > > > > + } > > > > > > > > > > > > for (i = 0; i < vp_dev->msix_vectors; ++i) > > > > > > enable_irq(pci_irq_vector(vp_dev->pci_dev, i)); > > > > > > @@ -97,6 +105,12 @@ static irqreturn_t vp_interrupt(int irq, void *opaque) > > > > > > struct virtio_pci_device *vp_dev = opaque; > > > > > > u8 isr; > > > > > > > > > > > > + if (!vp_dev->intx_soft_enabled) > > > > > > + return IRQ_NONE; > > > > > > + > > > > > > + /* read intx_soft_enabled before read others */ > > > > > > + smp_rmb(); > > > > > > + > > > > > > /* reading the ISR has the effect of also clearing it so it's very > > > > > > * important to save off the value. */ > > > > > > isr = ioread8(vp_dev->isr); > > > > > > diff --git a/drivers/virtio/virtio_pci_common.h b/drivers/virtio/virtio_pci_common.h > > > > > > index a235ce9ff6a5..3c06e0f92ee4 100644 > > > > > > --- a/drivers/virtio/virtio_pci_common.h > > > > > > +++ b/drivers/virtio/virtio_pci_common.h > > > > > > @@ -64,6 +64,7 @@ struct virtio_pci_device { > > > > > > /* MSI-X support */ > > > > > > int msix_enabled; > > > > > > int intx_enabled; > > > > > > + bool intx_soft_enabled; > > > > > > cpumask_var_t *msix_affinity_masks; > > > > > > /* Name strings for interrupts. This size should be enough, > > > > > > * and I'm too lazy to allocate each name separately. */ > > > > > > -- > > > > > > 2.25.1 > > > > > > > > > _______________________________________________ Virtualization mailing list Virtualization@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/virtualization
next prev parent reply other threads:[~2021-09-13 7:17 UTC|newest] Thread overview: 110+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-09-13 5:53 [PATCH 0/9] More virtio hardening Jason Wang 2021-09-13 5:53 ` Jason Wang 2021-09-13 5:53 ` [PATCH 1/9] virtio-blk: validate num_queues during probe Jason Wang 2021-09-13 5:53 ` Jason Wang 2021-09-13 7:48 ` Stefano Garzarella 2021-09-13 7:48 ` Stefano Garzarella 2021-09-14 2:29 ` Jason Wang 2021-09-14 2:29 ` Jason Wang 2021-09-13 12:05 ` Stefan Hajnoczi 2021-09-13 12:05 ` Stefan Hajnoczi 2021-09-13 5:53 ` [PATCH 2/9] virtio: add doc for validate() method Jason Wang 2021-09-13 5:53 ` Jason Wang 2021-09-13 5:53 ` [PATCH 3/9] virtio-console: switch to use .validate() Jason Wang 2021-09-13 5:53 ` Jason Wang 2021-09-13 5:53 ` [PATCH 4/9] virtio_console: validate max_nr_ports before trying to use it Jason Wang 2021-09-13 5:53 ` Jason Wang 2021-09-13 5:53 ` [PATCH 5/9] virtio_config: introduce a new ready method Jason Wang 2021-09-13 5:53 ` Jason Wang 2021-09-13 5:53 ` [PATCH 6/9] virtio_pci: harden MSI-X interrupts Jason Wang 2021-09-13 5:53 ` Jason Wang 2021-09-13 6:03 ` Michael S. Tsirkin 2021-09-13 6:03 ` Michael S. Tsirkin 2021-09-13 6:08 ` Jason Wang 2021-09-13 6:08 ` Jason Wang 2021-09-13 6:28 ` Michael S. Tsirkin 2021-09-13 6:28 ` Michael S. Tsirkin 2021-09-13 6:34 ` Jason Wang 2021-09-13 6:34 ` Jason Wang 2021-09-13 6:37 ` Michael S. Tsirkin 2021-09-13 6:37 ` Michael S. Tsirkin 2021-09-13 6:43 ` Jason Wang 2021-09-13 6:43 ` Jason Wang 2021-09-13 7:01 ` Michael S. Tsirkin 2021-09-13 7:01 ` Michael S. Tsirkin 2021-09-13 7:15 ` Jason Wang 2021-09-13 7:15 ` Jason Wang 2021-09-13 6:50 ` Michael S. Tsirkin 2021-09-13 6:50 ` Michael S. Tsirkin 2021-09-13 7:07 ` Jason Wang 2021-09-13 7:07 ` Jason Wang 2021-09-13 19:38 ` Thomas Gleixner 2021-09-13 19:38 ` Thomas Gleixner 2021-09-13 20:54 ` Michael S. Tsirkin 2021-09-13 20:54 ` Michael S. Tsirkin 2021-09-13 22:31 ` Thomas Gleixner 2021-09-13 22:31 ` Thomas Gleixner 2021-09-14 2:20 ` Jason Wang 2021-09-14 2:20 ` Jason Wang 2021-09-14 8:29 ` Thomas Gleixner 2021-09-14 8:29 ` Thomas Gleixner 2021-09-13 5:53 ` [PATCH 7/9] virtio-pci: harden INTX interrupts Jason Wang 2021-09-13 5:53 ` Jason Wang 2021-09-13 6:33 ` Michael S. Tsirkin 2021-09-13 6:33 ` Michael S. Tsirkin 2021-09-13 6:36 ` Jason Wang 2021-09-13 6:36 ` Jason Wang 2021-09-13 6:41 ` Michael S. Tsirkin 2021-09-13 6:41 ` Michael S. Tsirkin 2021-09-13 6:45 ` Jason Wang 2021-09-13 6:45 ` Jason Wang 2021-09-13 7:02 ` Michael S. Tsirkin 2021-09-13 7:02 ` Michael S. Tsirkin 2021-09-13 7:17 ` Jason Wang [this message] 2021-09-13 7:17 ` Jason Wang 2021-09-13 21:36 ` Thomas Gleixner 2021-09-13 21:36 ` Thomas Gleixner 2021-09-13 22:01 ` Michael S. Tsirkin 2021-09-13 22:01 ` Michael S. Tsirkin 2021-09-13 22:20 ` Thomas Gleixner 2021-09-13 22:20 ` Thomas Gleixner 2021-09-14 2:50 ` Jason Wang 2021-09-14 2:50 ` Jason Wang 2021-09-14 9:34 ` Boqun Feng 2021-09-14 9:34 ` Boqun Feng 2021-09-14 11:03 ` Peter Zijlstra 2021-09-14 11:03 ` Peter Zijlstra 2021-09-14 11:09 ` Thomas Gleixner 2021-09-14 11:09 ` Thomas Gleixner 2021-09-13 5:53 ` [PATCH 8/9] virtio_ring: fix typos in vring_desc_extra Jason Wang 2021-09-13 5:53 ` Jason Wang 2021-09-13 5:53 ` [PATCH 9/9] virtio_ring: validate used buffer length Jason Wang 2021-09-13 5:53 ` Jason Wang 2021-09-13 6:36 ` Michael S. Tsirkin 2021-09-13 6:36 ` Michael S. Tsirkin 2021-09-13 6:40 ` Jason Wang 2021-09-13 6:40 ` Jason Wang 2021-09-13 6:57 ` Michael S. Tsirkin 2021-09-13 6:57 ` Michael S. Tsirkin 2021-09-13 7:13 ` Jason Wang 2021-09-13 7:13 ` Jason Wang 2021-10-05 7:42 ` [PATCH 0/9] More virtio hardening Michael S. Tsirkin 2021-10-05 7:42 ` Michael S. Tsirkin 2021-10-11 7:36 ` Jason Wang 2021-10-11 7:36 ` Jason Wang 2021-10-11 12:36 ` Michael S. Tsirkin 2021-10-11 12:36 ` Michael S. Tsirkin 2021-10-12 2:43 ` Jason Wang 2021-10-12 2:43 ` Jason Wang 2021-10-12 5:44 ` Michael S. Tsirkin 2021-10-12 5:44 ` Michael S. Tsirkin 2021-10-12 6:11 ` Jason Wang 2021-10-12 6:11 ` Jason Wang 2021-10-12 6:35 ` Michael S. Tsirkin 2021-10-12 6:35 ` Michael S. Tsirkin 2021-10-12 6:43 ` Jason Wang 2021-10-12 6:43 ` Jason Wang 2021-10-12 7:03 ` Michael S. Tsirkin 2021-10-12 7:03 ` Michael S. Tsirkin 2021-10-12 8:46 ` Jason Wang 2021-10-12 8:46 ` Jason Wang
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to='CACGkMEtcmGJhs=ft-0_rYQ7ctWsdxvd=BuHM_dR2MZXNxy9Tig@mail.gmail.com' \ --to=jasowang@redhat.com \ --cc=david.kaplan@amd.com \ --cc=f.hetzelt@tu-berlin.de \ --cc=konrad.wilk@oracle.com \ --cc=linux-kernel@vger.kernel.org \ --cc=mst@redhat.com \ --cc=virtualization@lists.linux-foundation.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.