On Mon, 20 Mar 2023 14:14:48 -0300 Jason Gunthorpe <jgg@xxxxxxxxxx> wrote: > On Fri, Mar 17, 2023 at 09:15:57AM -0600, Alex Williamson wrote: > > > If that is the intended usage then I don't see why this proposal will > > > promote userspace to ignore the _INFO ioctl. It should be always > > > queried no matter how the reset ioctl itself is designed. The motivation > > > of calling _INFO is not from the reset ioctl asking for an array of fds. > > > > The VFIO_DEVICE_PCI_HOT_RESET ioctl requires a set of group (or cdev) > > fds that encompass the set of affected devices reported by the > > VFIO_DEVICE_GET_PCI_HOT_RESET_INFO ioctl, so I don't agree with the > > last sentence above. > > There are two things going on - VFIO_DEVICE_PCI_HOT_RESET requires to > prove security that the userspace is not attempting to reset something > that it does not have ownership over. Eg a reset group that spans > multiple iommu groups. > > The second is for userspace to discover the reset group so it can > understand what is happening. > > IMHO it is perfectly fine for each API to be only concerned with its > own purpose. > > VFIO_DEVICE_PCI_HOT_RESET needs to check security, which the > iommufd_ctx check does just fine > > VFIO_DEVICE_GET_PCI_HOT_RESET_INFO needs to convey the reset group > span so userspace can do something with this. > > I think confusing security and scope and "acknowledgment" is not a > good idea. > > The APIs are well defined and userspace can always use them wrong. It > doesn't need to call RESET_INFO even today, it can just trivially pass > every group FD it owns to meet the security check. That's not actually true, in order to avoid arbitrarily large buffers from the user, the ioctl won't accept an array greater than the number of devices affected by the reset. > It is much simpler if VFIO_DEVICE_PCI_HOT_RESET can pass the security > check without code marshalling fds, which is why we went this > direction. I agree that nullifying the arg makes the ioctl easier to use, but my hesitation is whether it makes it more difficult to use correctly, which includes resetting devices unexpectedly. We're talking about something that's a relatively rare event, so I don't see that time overhead is a factor, nor has the complexity overhead in the QEMU implementation ever been raised as an issue previously. We can always blame the developer for using an interface incorrectly, but if we make it easier to use incorrectly in order to optimize something that doesn't need to be optimized, does that make it a good choice for the uAPI? Thanks, Alex
