Re: [PATCH V2 5/7] vhost-vdpa: VHOST_IOTLB_REMAP

[Steven Sistare]

On 7/18/2024 3:39 PM, Michael S. Tsirkin wrote:
> On Thu, Jul 18, 2024 at 08:45:31AM +0800, Jason Wang wrote:
> > > > For example:
> > > >
> > > > 1) old owner pass fd to new owner which is another process
> > > > 2) the new owner do VHOST_NEW_OWNER
> > > > 3) new owner doesn't do remap correctly
> > > >
> > > > There's no way for the old owner to remove/unpin the mappings as we
> > > > have the owner check in IOTLB_UPDATE. Looks like a potential way for
> > > > DOS.
> > >
> > > This is a bug in the second cooperating process, not a DOS.  The application
> > > must fix it.  Sometimes you cannot recover from an application bug at run time.
> > >
> > > BTW, at one time vfio enforced the concept of an owner, but Alex deleted it.
> > > It adds no value, because possession of the fd is the key.
> > >     ffed0518d871 ("vfio: remove useless judgement")
> >
> > This seems to be a great relaxation of the ownership check. I would
> > like to hear from Michael first.
> >
> > Thanks
>
> It could be that the ownership model is too restrictive.
> But again, this is changing a security assumption.
> Looks like yes another reason to tie this to the switch to iommufd.

iommufd, like vfio, does not impose an ownership requirement.  If vdpa has a
stricter requirement, such as allowing the vhost-net sharing that Jason
described, then we need to surface that now, and extend it to allow change
of ownership for live update.

Is the vhost-net scenario currently used, or aspirational?
Copying from Jason's email:
  1) Two processes (A and B) share a part of the memory
  2) A is the owner of the vhost-net who is in charge of building memory
  mappings via IOTLB
  3) A passes vhost-net fd to process B

- Steve