From: Alvaro Karsz <alvaro.karsz@solid-run.com>
To: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Jens Axboe <axboe@kernel.dk>, Paolo Bonzini <pbonzini@redhat.com>,
	Chaitanya Kulkarni <chaitanyak@nvidia.com>,
	"virtualization@lists.linux-foundation.org"
	<virtualization@lists.linux-foundation.org>,
	"Michael S. Tsirkin" <mst@redhat.com>
Subject: Re: [PATCH v2] virtio_blk: add VIRTIO_BLK_F_LIFETIME feature support
Date: Fri, 25 Nov 2022 00:02:45 +0200
Message-ID: <CAJs=3_An8uCfAAek4ga-NkQ4dAgsFN1TSL5goi5Y59m_Goojww@mail.gmail.com>
In-Reply-To: <Y3/WXWoV1jcJnohR@fedora>

Thanks Stefan

> How about naming it VBLK_GET_LIFETIME? It's clearer what the ioctl does
> and it follows the name of virtio-blk request type.

You're right, I'll rename it.

> ENOTTY already has meaning for ioctl(2):
>
>   ENOTTY fd is not associated with a character special device.
>
>   ENOTTY The specified request does not apply to the kind of object that the file descriptor fd references.
>
> Use ENOTSUP instead?

ENOTSUP seems like a better fit, I'll change the error code.

> In terms of security, any process with access to the block device node
> is allowed to get the lifetime?
>
> Usually only privileged processes have access to block device nodes, but
> I wanted to check whether anyone can think of a scenario where this is
> not okay.
>
> For example, a virtio-blk device may have a partition that an untrusted
> process like a database or key-value store accesses. Can the untrusted
> process read the lifetime information of the entire device?


I agree that only a privileged process should be able to read the lifetime.
I could add something like:
if (!capable(CAP_SYS_ADMIN))
        return -EPERM;

> It's unusual for an ioctl to produce a struct that's not in CPU
> endianness. I think the kernel should deal with endianness here.

The endianness was discussed in the first version:

> > After more thought, I think that the driver should handle the
> > virtio_blk_lifetime struct endianness.
> > Something like:
> > ...
> > lifetime.pre_eol_info = __le16_to_cpu(lifetime.pre_eol_info);
> > lifetime.device_lifetime_est_typ_a = __le16_to_cpu(lifetime.device_lifetime_est_typ_a);
> > lifetime.device_lifetime_est_typ_b = __le16_to_cpu(lifetime.device_lifetime_est_typ_b);
> >
> > if (copy_to_user((void __user *)arg, (void *)&lifetime,
> > ...
> >
> > What do you think?
>
> I think if you are going to pass struct virtio_blk_lifetime to
> userspace, better pass it as defined in the spec, in LE format.


I tend to agree that endianness should be taken care of in the kernel.

> We need to check that vblk->vdev is non-NULL before accessing it in
> virtblk_ioctl_lifetime():
>
>   if (!vblk->vdev) {
>       mutex_unlock(&vblk->dev_mutex);
>       return -ENXIO;
>   }
>
> Without the check I expect virtblk_ioctl_lifetime() to dereference a
> NULL pointer.

Right

Alvaro
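
The three points agreed in this reply (privilege check first, NULL check with the mutex released on the error path, and converting the little-endian fields before they reach the caller), as an added userspace model that is not part of the original message and not the driver's code. `model_vblk`, `model_get_lifetime`, `le16_decode` and the sample bytes are hypothetical, and the wire order of the fields is assumed to match the order listed in the thread.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* CPU-order result; field order follows the thread (assumed wire order). */
struct lifetime_cpu {
    uint16_t pre_eol_info;
    uint16_t device_lifetime_est_typ_a;
    uint16_t device_lifetime_est_typ_b;
};

/* Hypothetical stand-in for driver state, not the kernel's struct. */
struct model_vblk {
    int locked;           /* models dev_mutex being held */
    const uint8_t *vdev;  /* NULL once the device is gone, else 6 LE bytes */
};

/* Portable le16 decode: same result on little- and big-endian hosts. */
static uint16_t le16_decode(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Handler model with the three review points applied in order. */
int model_get_lifetime(struct model_vblk *vblk, int is_admin, struct lifetime_cpu *out)
{
    if (!is_admin)            /* models !capable(CAP_SYS_ADMIN) */
        return -EPERM;
    vblk->locked = 1;         /* models mutex_lock(&vblk->dev_mutex) */
    if (!vblk->vdev) {        /* device removed: unlock, then fail */
        vblk->locked = 0;
        return -ENXIO;
    }
    /* Convert each field to CPU order before it reaches the caller. */
    out->pre_eol_info = le16_decode(vblk->vdev);
    out->device_lifetime_est_typ_a = le16_decode(vblk->vdev + 2);
    out->device_lifetime_est_typ_b = le16_decode(vblk->vdev + 4);
    vblk->locked = 0;
    return 0;
}

int main(void)
{
    /* Constructed sample reply bytes, little-endian on the wire. */
    static const uint8_t wire[6] = {0x01, 0x00, 0x34, 0x12, 0x0b, 0x00};
    struct model_vblk v = {0, wire};
    struct lifetime_cpu lt = {0, 0, 0};
    return model_get_lifetime(&v, 1, &lt) ? 1 : 0;
}
```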