Subject: Re: RFC: virtio-hostmem (+ Continuation of discussion from [virtio-dev] Memory sharing device)
On Mon, Feb 25, 2019 at 10:54:03AM -0800, Roman Kiryanov wrote:
> > > - The host does not back the region at all and a page fault happens.
> >
> > Then what? Guest dies?
> > That doesn't sound reasonable, in particular if you want to
> > allow userspace to map this memory.
>
> In our implementation we call mmap after asking the host to back the region.

So I guess spec should not say host does not have to back the region then.

> https://photos.app.goo.gl/NJvPBvvFS3S3n9mn6
>
> Nothing prevents a guest from calling mmap on an unbacked region, then the
> guest will die. If it is possible for the device to figure out if an
> address range is backed in VM, the guest driver could talk to the device
> to fail an mmap call if a region is not accessible.

So if driver needs specific knowledge from the device that needs to be in the spec.

> > > - The host has already allocated host RAM (from some source; vkMapMemory,
> > > malloc(), mmap, etc) memory of some kind and maps a page-aligned host
> > > pointer to the guest physical address corresponding to the region.
> >
> > I'm not sure what "of some kind" means here.
>
> Memory from any API call that could be used for access through this
> address range.

So just RAM really?

> > Also host and guest might have different ideas about
> > what page-aligned means.
>
> In our implementation we do aligning (for VM operations) and unaligning in the
> guest userspace (because mmap is page aligned) to get the pointer to handle
> pointers in the middle of a page (we have no control on pointers returned
> from a third party API).
>
> Regards,
> Roman.

I'm not sure how the above answers the comment. I understand you are using all kinds of APIs internally in your hypervisor but please put things in terms that can apply to host/guest communication. I can kind of read it between the lines if I squint hard enough but this makes my head hurt and there's no guarantee I do it correctly.
To try and put things in your terms, if you try to map a range of memory you get access to a page that can be bigger than the range you asked for. It can cause two ranges to violate a security boundary, cause information leaks, etc. A library can play with offsets and give a well behaved application an illusion of a private range but if it ends up sharing a page of memory with a malicious application then there's no security boundary between them. HTH -- MST
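The page-granularity problem MST describes above, as an added example (not code from the thread or from virtio-hostmem): the helper widens a sub-page (offset, length) range to the whole pages an mmap would actually expose, and the check reports when two byte ranges that never touch still land in a shared page. Names and the 4 KiB page size are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Page-granular view of a sub-page range. mmap() can only map whole pages,
 * so a range given by (offset, length) is widened to the pages containing
 * it; the caller recovers the unaligned pointer by adding `delta`. */
struct page_span {
    uint64_t aligned_off;   /* start of the first page containing the range */
    uint64_t aligned_len;   /* length in whole pages */
    uint64_t delta;         /* bytes from aligned_off to the requested start */
};

static struct page_span page_span(uint64_t off, uint64_t len, uint64_t pg)
{
    struct page_span s = {0, 0, 0};
    uint64_t end = off + len;                 /* exclusive end */
    if (len == 0 || end < off)                /* empty or wrapped range */
        return s;
    s.aligned_off = off & ~(pg - 1);          /* round start down */
    s.aligned_len = ((end + pg - 1) & ~(pg - 1)) - s.aligned_off; /* round end up */
    s.delta = off - s.aligned_off;
    return s;
}

/* Returns 1 if the page-rounded spans of the two ranges overlap, i.e. a
 * mapping of one range would expose bytes belonging to the other even
 * though the byte ranges themselves are disjoint. */
static int ranges_share_page(uint64_t off_a, uint64_t len_a,
                             uint64_t off_b, uint64_t len_b, uint64_t pg)
{
    struct page_span a = page_span(off_a, len_a, pg);
    struct page_span b = page_span(off_b, len_b, pg);
    if (a.aligned_len == 0 || b.aligned_len == 0)
        return 0;
    return a.aligned_off < b.aligned_off + b.aligned_len &&
           b.aligned_off < a.aligned_off + a.aligned_len;
}
```

A device or driver that hands out sub-page ranges to different clients can run this check at allocation time and refuse (or pad to a page) any range whose rounded span collides with another client's.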