On 2021/10/20 19:03, Viresh Kumar wrote:> On 20-10-21, 12:55, Vincent Whitchurch wrote: >> If the timeout cannot be disabled, then the driver should be fixed to >> always copy buffers and hold on to them to avoid memory corruption in >> the case of timeout, as I mentioned in my commit message. That would be >> quite a substantial change to the driver so it's not something I'm >> personally comfortable with doing, especially not this late in the -rc >> cycle, so I'd leave that to others. > Or we can avoid clearing up and freeing the buffers here until the > point where the buffers are returned by the host. Until that happens, > we can avoid taking new requests but return to the earlier caller with > timeout failure. That would avoid corruption, by freeing buffers > sooner, and not hanging of the kernel.It seems similar to use "wait_for_completion". If the other side is hacked, the guest may never get the buffers returned by the host, right ? For this moment, we can solve the problem by using a hardcoded big value or disabling the timeout. Over the long term, I think the backend should provide that timeout value and guarantee that its processing time should not exceed that value.
Vincent Whitchurch
2021-Oct-29 12:24 UTC
[PATCH 1/2] i2c: virtio: disable timeout handling
On Thu, Oct 21, 2021 at 05:30:28AM +0200, Jie Deng wrote:> On 2021/10/20 19:03, Viresh Kumar wrote: > > On 20-10-21, 12:55, Vincent Whitchurch wrote: > >> If the timeout cannot be disabled, then the driver should be fixed to > >> always copy buffers and hold on to them to avoid memory corruption in > >> the case of timeout, as I mentioned in my commit message. That would be > >> quite a substantial change to the driver so it's not something I'm > >> personally comfortable with doing, especially not this late in the -rc > >> cycle, so I'd leave that to others. > > Or we can avoid clearing up and freeing the buffers here until the > > point where the buffers are returned by the host. Until that happens, > > we can avoid taking new requests but return to the earlier caller with > > timeout failure. That would avoid corruption, by freeing buffers > > sooner, and not hanging of the kernel. > > It seems similar to use "wait_for_completion". If the other side is > hacked, the guest may never get the buffers returned by the host, > right ?Note that it is trivial for the host to DoS the guest. All the host has to do is stop responding to I/O requests (I2C or others), then the guest will not be able to perform its intended functions, regardless of whether this particular driver waits forever or not. Even TDX (which Greg mentioned) does not prevent that, see: https://lore.kernel.org/virtualization/?q=tdx+dos> For this moment, we can solve the problem by using a hardcoded big > value or disabling the timeout.Is that an Acked-by on this patch which does the latter?> Over the long term, I think the backend should provide that timeout > value and guarantee that its processing time should not exceed that > value.If you mean that the spec should be changed to allow the virtio driver to be able to program a certain timeout for I2C transactions in the virtio device, yes, that does sound reasonable.
On 2021/10/29 20:24, Vincent Whitchurch wrote:> On Thu, Oct 21, 2021 at 05:30:28AM +0200, Jie Deng wrote: >> For this moment, we can solve the problem by using a hardcoded big >> value or disabling the timeout. > Is that an Acked-by on this patch which does the latter?Yes, you can add my Acked-by. Let's see if other people still have different opinions.> >> Over the long term, I think the backend should provide that timeout >> value and guarantee that its processing time should not exceed that >> value. > If you mean that the spec should be changed to allow the virtio driver > to be able to program a certain timeout for I2C transactions in the > virtio device, yes, that does sound reasonable.Due to changes in my work, I will pass my virtio-i2c maintenance to Conghui. She may work on this in the future.