kvm.vger.kernel.org archive mirror
From: Alex Williamson <alex.williamson@redhat.com>
To: Jason Gunthorpe <jgg@nvidia.com>
Cc: "Tian, Kevin" <kevin.tian@intel.com>,
	"kvm@vger.kernel.org" <kvm@vger.kernel.org>,
	"jasowang@redhat.com" <jasowang@redhat.com>,
	"Hao, Xudong" <xudong.hao@intel.com>,
	"peterx@redhat.com" <peterx@redhat.com>,
	"Xu, Terrence" <terrence.xu@intel.com>,
	"chao.p.peng@linux.intel.com" <chao.p.peng@linux.intel.com>,
	"linux-s390@vger.kernel.org" <linux-s390@vger.kernel.org>,
	"Liu, Yi L" <yi.l.liu@intel.com>,
	"mjrosato@linux.ibm.com" <mjrosato@linux.ibm.com>,
	"lulu@redhat.com" <lulu@redhat.com>,
	"joro@8bytes.org" <joro@8bytes.org>,
	"nicolinc@nvidia.com" <nicolinc@nvidia.com>,
	"Zhao, Yan Y" <yan.y.zhao@intel.com>,
	"intel-gfx@lists.freedesktop.org"
	<intel-gfx@lists.freedesktop.org>,
	"eric.auger@redhat.com" <eric.auger@redhat.com>,
	"intel-gvt-dev@lists.freedesktop.org" 
	<intel-gvt-dev@lists.freedesktop.org>,
	"yi.y.sun@linux.intel.com" <yi.y.sun@linux.intel.com>,
	"cohuck@redhat.com" <cohuck@redhat.com>,
	"shameerali.kolothum.thodi@huawei.com" 
	<shameerali.kolothum.thodi@huawei.com>,
	"suravee.suthikulpanit@amd.com" <suravee.suthikulpanit@amd.com>,
	"robin.murphy@arm.com" <robin.murphy@arm.com>
Subject: Re: [PATCH v6 12/24] vfio/pci: Allow passing zero-length fd array in VFIO_DEVICE_PCI_HOT_RESET
Date: Mon, 20 Mar 2023 16:52:17 -0600
Message-ID: <20230320165217.5b1019a4.alex.williamson@redhat.com>
In-Reply-To: <ZBiUiEC8Xj9sOphr@nvidia.com>

On Mon, 20 Mar 2023 14:14:48 -0300
Jason Gunthorpe <jgg@nvidia.com> wrote:

> On Fri, Mar 17, 2023 at 09:15:57AM -0600, Alex Williamson wrote:
> > > If that is the intended usage then I don't see why this proposal will
> > > promote userspace to ignore the _INFO ioctl. It should be always
> > > queried no matter how the reset ioctl itself is designed. The motivation
> > > of calling _INFO is not from the reset ioctl asking for an array of fds.  
> > 
> > The VFIO_DEVICE_PCI_HOT_RESET ioctl requires a set of group (or cdev)
> > fds that encompass the set of affected devices reported by the
> > VFIO_DEVICE_GET_PCI_HOT_RESET_INFO ioctl, so I don't agree with the
> > last sentence above.  
> 
> There are two things going on - VFIO_DEVICE_PCI_HOT_RESET requires to
> prove security that the userspace is not attempting to reset something
> that it does not have ownership over. Eg a reset group that spans
> multiple iommu groups.
> 
> The second is for userspace to discover the reset group so it can
> understand what is happening.
> 
> IMHO it is perfectly fine for each API to be only concerned with its
> own purpose.
> 
> VFIO_DEVICE_PCI_HOT_RESET needs to check security, which the
> iommufd_ctx check does just fine
> 
> VFIO_DEVICE_GET_PCI_HOT_RESET_INFO needs to convey the reset group
> span so userspace can do something with this.
> 
> I think confusing security and scope and "acknowledgment" is not a
> good idea.
> 
> The APIs are well defined and userspace can always use them wrong. It
> doesn't need to call RESET_INFO even today, it can just trivially pass
> every group FD it owns to meet the security check.

That's not actually true, in order to avoid arbitrarily large buffers
from the user, the ioctl won't accept an array greater than the number
of devices affected by the reset.

> It is much simpler if VFIO_DEVICE_PCI_HOT_RESET can pass the security
> check without code marshalling fds, which is why we went this
> direction.

I agree that nullifying the arg makes the ioctl easier to use, but my
hesitation is whether it makes it more difficult to use correctly,
which includes resetting devices unexpectedly.

We're talking about something that's a relatively rare event, so I
don't see that time overhead is a factor, nor has the complexity
overhead in the QEMU implementation ever been raised as an issue
previously.

We can always blame the developer for using an interface incorrectly,
but if we make it easier to use incorrectly in order to optimize
something that doesn't need to be optimized, does that make it a good
choice for the uAPI?  Thanks,

Alex
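
The two checks discussed in this message, the bound on the fd array and the ownership proof over the affected devices, can be modelled in userspace C. This is an added example, not part of the original message and not kernel code. The function names, the sample group ids, the error values and the rejection of an empty array are assumptions of the model, which covers the existing fd-array form of the ioctl rather than the zero-length proposal.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: IOMMU group id of each device affected by the reset,
 * i.e. what an _INFO query would report. Two devices share group 7. */
static const int affected_groups[] = { 7, 7, 9 };
#define N_AFFECTED (sizeof(affected_groups) / sizeof(affected_groups[0]))

static bool contains(const int *set, size_t n, int id)
{
    for (size_t i = 0; i < n; i++)
        if (set[i] == id)
            return true;
    return false;
}

/* Hypothetical model of the reset-side validation; `passed` stands in for the
 * groups behind the fds the caller supplied. Error values are illustrative. */
static int model_hot_reset_check(const int *passed, size_t count)
{
    /* Buffer bound (model assumption): reject empty or oversized arrays. */
    if (count == 0 || count > N_AFFECTED)
        return -EINVAL;
    /* Ownership proof: every affected device must be in a passed group. */
    for (size_t i = 0; i < N_AFFECTED; i++)
        if (!contains(passed, count, affected_groups[i]))
            return -EPERM;
    return 0;
}

/* Userspace side: reduce the _INFO result to the distinct groups to pass. */
static size_t marshal_groups(int *out)
{
    size_t n = 0;
    for (size_t i = 0; i < N_AFFECTED; i++)
        if (!contains(out, n, affected_groups[i]))
            out[n++] = affected_groups[i];
    return n;
}

int main(void)
{
    int owned[] = { 3, 5, 7, 9 };   /* every group this process holds */
    int minimal[N_AFFECTED];
    size_t n = marshal_groups(minimal);
    printf("all owned: %d\n", model_hot_reset_check(owned, 4));
    printf("from info: %d\n", model_hot_reset_check(minimal, n));
    return 0;
}
```

In the model, passing every owned group fails the size bound even though it covers the affected set, while the list derived from the info query passes.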


