[6/7] vfio: Accpet device file from vfio PCI hot reset path

Message ID	20230316124156.12064-7-yi.l.liu@intel.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <intel-gfx-bounces@lists.freedesktop.org> From: Yi Liu <yi.l.liu@intel.com> To: alex.williamson@redhat.com, jgg@nvidia.com, kevin.tian@intel.com Date: Thu, 16 Mar 2023 05:41:55 -0700 Message-Id: <20230316124156.12064-7-yi.l.liu@intel.com> In-Reply-To: <20230316124156.12064-1-yi.l.liu@intel.com> References: <20230316124156.12064-1-yi.l.liu@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [Intel-gfx] [PATCH 6/7] vfio: Accpet device file from vfio PCI hot reset path Precedence: list Cc: linux-s390@vger.kernel.org, yi.l.liu@intel.com, yi.y.sun@linux.intel.com, mjrosato@linux.ibm.com, kvm@vger.kernel.org, intel-gvt-dev@lists.freedesktop.org, joro@8bytes.org, cohuck@redhat.com, xudong.hao@intel.com, peterx@redhat.com, yan.y.zhao@intel.com, eric.auger@redhat.com, terrence.xu@intel.com, nicolinc@nvidia.com, shameerali.kolothum.thodi@huawei.com, suravee.suthikulpanit@amd.com, intel-gfx@lists.freedesktop.org, chao.p.peng@linux.intel.com, lulu@redhat.com, robin.murphy@arm.com, jasowang@redhat.com Errors-To: intel-gfx-bounces@lists.freedesktop.org Sender: "Intel-gfx" <intel-gfx-bounces@lists.freedesktop.org>
Series	Introduce new methods for verifying ownership in vfio PCI hot reset \| expand [0/7] Introduce new methods for verifying ownership in vfio PCI hot reset [1/7] vfio/pci: Update comment around group_fd get in vfio_pci_ioctl_pci_hot_reset() [2/7] vfio/pci: Only check ownership of opened devices in hot reset [3/7] vfio/pci: Allow passing zero-length fd array in VFIO_DEVICE_PCI_HOT_RESET [4/7] vfio/pci: Renaming for accepting device fd in hot reset path [5/7] vfio: Refine vfio file kAPIs for vfio PCI hot reset [6/7] vfio: Accpet device file from vfio PCI hot reset path [7/7] vfio/pci: Accept device fd in VFIO_DEVICE_PCI_HOT_RESET ioctl

Message ID

20230316124156.12064-7-yi.l.liu@intel.com (mailing list archive)

State

New, archived

Headers

From: Yi Liu <yi.l.liu@intel.com>
To: alex.williamson@redhat.com,
	jgg@nvidia.com,
	kevin.tian@intel.com
Date: Thu, 16 Mar 2023 05:41:55 -0700
Message-Id: <20230316124156.12064-7-yi.l.liu@intel.com>
In-Reply-To: <20230316124156.12064-1-yi.l.liu@intel.com>
References: <20230316124156.12064-1-yi.l.liu@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [Intel-gfx] [PATCH 6/7] vfio: Accpet device file from vfio PCI hot
 reset path
Precedence: list
Cc: linux-s390@vger.kernel.org, yi.l.liu@intel.com, yi.y.sun@linux.intel.com,
 mjrosato@linux.ibm.com, kvm@vger.kernel.org,
 intel-gvt-dev@lists.freedesktop.org, joro@8bytes.org, cohuck@redhat.com,
 xudong.hao@intel.com, peterx@redhat.com, yan.y.zhao@intel.com,
 eric.auger@redhat.com, terrence.xu@intel.com, nicolinc@nvidia.com,
 shameerali.kolothum.thodi@huawei.com, suravee.suthikulpanit@amd.com,
 intel-gfx@lists.freedesktop.org, chao.p.peng@linux.intel.com,
 lulu@redhat.com,
 robin.murphy@arm.com, jasowang@redhat.com
Errors-To: intel-gfx-bounces@lists.freedesktop.org
Sender: "Intel-gfx" <intel-gfx-bounces@lists.freedesktop.org>

Series

Introduce new methods for verifying ownership in vfio PCI hot reset | expand

Commit Message

Yi Liu March 16, 2023, 12:41 p.m. UTC

This extends both vfio_file_is_valid() and vfio_file_has_dev() to accept
device file from the vfio PCI hot reset.

Signed-off-by: Yi Liu <yi.l.liu@intel.com>
---
 drivers/vfio/vfio_main.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

Comments

Tian, Kevin March 17, 2023, 1:17 a.m. UTC | #1

> From: Liu, Yi L <yi.l.liu@intel.com>
> Sent: Thursday, March 16, 2023 8:42 PM
> 
> This extends both vfio_file_is_valid() and vfio_file_has_dev() to accept
> device file from the vfio PCI hot reset.
> 
> Signed-off-by: Yi Liu <yi.l.liu@intel.com>

Reviewed-by: Kevin Tian <kevin.tian@intel.com>

Jason Gunthorpe March 20, 2023, 7:07 p.m. UTC | #2

On Thu, Mar 16, 2023 at 05:41:55AM -0700, Yi Liu wrote:
> This extends both vfio_file_is_valid() and vfio_file_has_dev() to accept
> device file from the vfio PCI hot reset.
> 
> Signed-off-by: Yi Liu <yi.l.liu@intel.com>
> ---
>  drivers/vfio/vfio_main.c | 23 +++++++++++++++++++----
>  1 file changed, 19 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/vfio/vfio_main.c b/drivers/vfio/vfio_main.c
> index fe7446805afd..ebbb6b91a498 100644
> --- a/drivers/vfio/vfio_main.c
> +++ b/drivers/vfio/vfio_main.c
> @@ -1154,13 +1154,23 @@ const struct file_operations vfio_device_fops = {
>  	.mmap		= vfio_device_fops_mmap,
>  };
>  
> +static struct vfio_device *vfio_device_from_file(struct file *file)
> +{
> +	struct vfio_device *device = file->private_data;

Isn't this a df now?

> +	if (file->f_op != &vfio_device_fops)
> +		return NULL;
> +	return device;
> +}

The device has to be bound to be a security proof.

Jason

Yi Liu March 23, 2023, 10:14 a.m. UTC | #3

> From: Jason Gunthorpe <jgg@nvidia.com>
> Sent: Tuesday, March 21, 2023 3:08 AM
> 
> On Thu, Mar 16, 2023 at 05:41:55AM -0700, Yi Liu wrote:
> > This extends both vfio_file_is_valid() and vfio_file_has_dev() to accept
> > device file from the vfio PCI hot reset.
> >
> > Signed-off-by: Yi Liu <yi.l.liu@intel.com>
> > ---
> >  drivers/vfio/vfio_main.c | 23 +++++++++++++++++++----
> >  1 file changed, 19 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/vfio/vfio_main.c b/drivers/vfio/vfio_main.c
> > index fe7446805afd..ebbb6b91a498 100644
> > --- a/drivers/vfio/vfio_main.c
> > +++ b/drivers/vfio/vfio_main.c
> > @@ -1154,13 +1154,23 @@ const struct file_operations vfio_device_fops
> = {
> >  	.mmap		= vfio_device_fops_mmap,
> >  };
> >
> > +static struct vfio_device *vfio_device_from_file(struct file *file)
> > +{
> > +	struct vfio_device *device = file->private_data;
> 
> Isn't this a df now?

Not yet. It is placed before the cdev series. So it is vfio_device here.

> > +	if (file->f_op != &vfio_device_fops)
> > +		return NULL;
> > +	return device;
> > +}
> 
> The device has to be bound to be a security proof.

I think it is because this helper is used by vfio_file_has_dev(). This
requires to be bound to security proof. For now, the device fd is
got via group. So as long s user can get it, it should have been bound.

In the later cdev series, the below helper is added to ensure
given device file has bound to security proof (a.k.a access_granted).

+static bool vfio_file_has_device_access(struct file *file,
+					struct vfio_device *device)
+{
+	struct vfio_device *vdev = vfio_device_from_file(file);
+	struct vfio_device_file *df;
+
+	if (!vdev || vdev != device)
+		return false;
+
+	df = file->private_data;
+
+	return READ_ONCE(df->access_granted);
+}

https://lore.kernel.org/kvm/20230316125534.17216-9-yi.l.liu@intel.com/

Regards,
Yi Liu

Jason Gunthorpe March 23, 2023, 2:43 p.m. UTC | #4

On Thu, Mar 23, 2023 at 10:14:31AM +0000, Liu, Yi L wrote:
> > From: Jason Gunthorpe <jgg@nvidia.com>
> > Sent: Tuesday, March 21, 2023 3:08 AM
> > 
> > On Thu, Mar 16, 2023 at 05:41:55AM -0700, Yi Liu wrote:
> > > This extends both vfio_file_is_valid() and vfio_file_has_dev() to accept
> > > device file from the vfio PCI hot reset.
> > >
> > > Signed-off-by: Yi Liu <yi.l.liu@intel.com>
> > > ---
> > >  drivers/vfio/vfio_main.c | 23 +++++++++++++++++++----
> > >  1 file changed, 19 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/drivers/vfio/vfio_main.c b/drivers/vfio/vfio_main.c
> > > index fe7446805afd..ebbb6b91a498 100644
> > > --- a/drivers/vfio/vfio_main.c
> > > +++ b/drivers/vfio/vfio_main.c
> > > @@ -1154,13 +1154,23 @@ const struct file_operations vfio_device_fops
> > = {
> > >  	.mmap		= vfio_device_fops_mmap,
> > >  };
> > >
> > > +static struct vfio_device *vfio_device_from_file(struct file *file)
> > > +{
> > > +	struct vfio_device *device = file->private_data;
> > 
> > Isn't this a df now?
> 
> Not yet. It is placed before the cdev series. So it is vfio_device here.
> 
> > > +	if (file->f_op != &vfio_device_fops)
> > > +		return NULL;
> > > +	return device;
> > > +}
> > 
> > The device has to be bound to be a security proof.
> 
> I think it is because this helper is used by vfio_file_has_dev(). This
> requires to be bound to security proof. For now, the device fd is
> got via group. So as long s user can get it, it should have been bound.
> 
> In the later cdev series, the below helper is added to ensure
> given device file has bound to security proof (a.k.a access_granted).

Yes OK that makes senese

Jason

diff --git a/drivers/vfio/vfio_main.c b/drivers/vfio/vfio_main.c
index fe7446805afd..ebbb6b91a498 100644
--- a/drivers/vfio/vfio_main.c
+++ b/drivers/vfio/vfio_main.c
@@ -1154,13 +1154,23 @@  const struct file_operations vfio_device_fops = {
 	.mmap		= vfio_device_fops_mmap,
 };
 
+static struct vfio_device *vfio_device_from_file(struct file *file)
+{
+	struct vfio_device *device = file->private_data;
+
+	if (file->f_op != &vfio_device_fops)
+		return NULL;
+	return device;
+}
+
 /**
  * vfio_file_is_valid - True if the file is valid vfio file
  * @file: VFIO group file or VFIO device file
  */
 bool vfio_file_is_valid(struct file *file)
 {
-	return vfio_group_from_file(file);
+	return vfio_group_from_file(file) ||
+	       vfio_device_from_file(file);
 }
 EXPORT_SYMBOL_GPL(vfio_file_is_valid);
 
@@ -1174,12 +1184,17 @@  EXPORT_SYMBOL_GPL(vfio_file_is_valid);
 bool vfio_file_has_dev(struct file *file, struct vfio_device *device)
 {
 	struct vfio_group *group;
+	struct vfio_device *vdev;
 
 	group = vfio_group_from_file(file);
-	if (!group)
-		return false;
+	if (group)
+		return vfio_group_has_dev(group, device);
+
+	vdev = vfio_device_from_file(file);
+	if (vdev)
+		return vdev == device;
 
-	return vfio_group_has_dev(group, device);
+	return false;
 }
 EXPORT_SYMBOL_GPL(vfio_file_has_dev);

[6/7] vfio: Accpet device file from vfio PCI hot reset path

Commit Message

Comments

Patch