On Mon, Aug 23, 2021 at 08:10:50PM +0100, Peter Maydell wrote:
> On Mon, 23 Aug 2021 at 17:42, Philippe Mathieu-Daudé <phi...@redhat.com> wrote:
> >
> > This series aims to kill a recent class of bug, the infamous
> > "DMA reentrancy" issues found by Alexander while fuzzing.
> >
> > Introduce the 'bus_perm' field in MemTxAttrs, defining 3 bits:
> >
> > - MEMTXPERM_UNSPECIFIED (current default, unchanged behavior)
> > - MEMTXPERM_UNRESTRICTED (allow list approach)
> > - MEMTXPERM_RAM_DEVICE (example of deny list approach)
> >
> > If a transaction permission is not allowed (for example access
> > to non-RAM device), we return the specific MEMTX_BUS_ERROR.
> >
> > Permissions are checked after the flatview is resolved, and
> > before the access is done, in a new function: flatview_access_allowed().
>
> So I'm not going to say 'no' to this, because we have a real
> recursive-device-handling problem and I don't have a better
> idea to hand, but the thing about this is that we end up with
> behaviour which is not what the real hardware does. I'm not
> aware of any DMA device which has this kind of "can only DMA
> to/from RAM, and aborts on access to a device" behaviour...

Points that have come up in previous discussions on this topic:

- We probably won't be able to find out the actual hardware behavior
  for all device models in QEMU. Strict RAM-only DMA restrictions can
  be merged early in the QEMU 6.2 development cycle so there's plenty
  of time to identify regressions. The benefit of a strict policy is
  that we eliminate this class of bugs for most devices now and in the
  future.

- If the risk of regressions is too high, then this API can be used on
  a case-by-case basis to fix bugs such as those identified by
  Alexander's fuzzer. We'll be plagued with this class of bugs in the
  future though, so I prefer a strict policy.

- DMA capabilities depend on the host bus adapter/controller. In order
  to faithfully emulate real hardware we need to know how it behaves.
  That needs to be done for each host bus adapter (e.g. PCI
  controllers).

- SysBus devices each have their own behavior wrt device-to-device DMA.

Stefan
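
The mechanism debated in this thread, as an added toy model in C that is not QEMU code and not part of either message: a device whose DMA destination points back at its own doorbell register re-enters its handler, and a RAM-only permission checked between resolving the target and performing the access turns that DMA into a bus error. Every identifier (`PERM_RAM_ONLY`, `access_allowed`, the doorbell device, the memory map) is hypothetical; `access_allowed` only stands in for the check the series places in flatview_access_allowed().

```c
#include <stdint.h>
#include <stdio.h>
/* Toy model, not QEMU code: every identifier here is hypothetical. */
enum perm   { PERM_UNSPECIFIED, PERM_RAM_ONLY };
enum result { TX_OK, TX_BUS_ERROR };
enum kind   { REGION_RAM, REGION_MMIO };
#define RAM_SIZE  0x1000u
#define MMIO_BASE 0x1000u /* doorbell register, mapped right after RAM */
#define MAX_DEPTH 8       /* cap the demo's nesting instead of overflowing the stack */

struct dev { uint32_t dma_dst; enum perm dma_perm; int depth, max_depth; };
static uint8_t ram[RAM_SIZE];
static enum result doorbell_write(struct dev *d);

/* Checked after the target is resolved and before the access is done. */
static int access_allowed(enum kind k, enum perm p) { return p == PERM_UNSPECIFIED || k == REGION_RAM; }

static enum result bus_write(struct dev *d, uint32_t addr, uint8_t val, enum perm p)
{
    enum kind k = addr < RAM_SIZE ? REGION_RAM : REGION_MMIO;
    if (!access_allowed(k, p)) return TX_BUS_ERROR;
    if (k == REGION_RAM) { ram[addr] = val; return TX_OK; }
    return doorbell_write(d); /* MMIO write dispatches to the device handler */
}

/* Device handler: ringing the doorbell starts a one-byte DMA write to dma_dst. */
static enum result doorbell_write(struct dev *d)
{
    enum result r = TX_OK;
    if (++d->depth > d->max_depth) d->max_depth = d->depth;
    if (d->depth < MAX_DEPTH) r = bus_write(d, d->dma_dst, 0xAA, d->dma_perm);
    d->depth--;
    return r;
}

/* Guest CPU rings the doorbell; returns the deepest handler nesting seen. */
int run(uint32_t dma_dst, enum perm p, enum result *dma_result)
{
    struct dev d = { dma_dst, p, 0, 0 };
    *dma_result = bus_write(&d, MMIO_BASE, 1, PERM_UNSPECIFIED);
    return d.max_depth;
}

int main(void)
{
    enum result r;
    printf("no check: depth %d\n", run(MMIO_BASE, PERM_UNSPECIFIED, &r));
    printf("RAM-only: depth %d\n", run(MMIO_BASE, PERM_RAM_ONLY, &r));
    return 0;
}
```

The model rejects every device-to-device DMA, which is exactly the departure from real hardware behaviour that the quoted reply objects to.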