Re: [RFC v4 PATCH 13/49] multi-process: introduce proxy object

2019-11-21 Thread Stefan Hajnoczi 
On Thu, Oct 24, 2019 at 05:08:54AM -0400, Jagannathan Raman wrote:
> diff --git a/hw/proxy/qemu-proxy.c b/hw/proxy/qemu-proxy.c
> new file mode 100644
> index 000..baba4da
> --- /dev/null
> +++ b/hw/proxy/qemu-proxy.c
> @@ -0,0 +1,247 @@
> +/*
> + * Copyright 2019, Oracle and/or its affiliates.
> + *
> + * Permission is hereby granted, free of charge, to any person obtaining a 
> copy
> + * of this software and associated documentation files (the "Software"), to 
> deal
> + * in the Software without restriction, including without limitation the 
> rights
> + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
> + * copies of the Software, and to permit persons to whom the Software is
> + * furnished to do so, subject to the following conditions:
> + *
> + * The above copyright notice and this permission notice shall be included in
> + * all copies or substantial portions of the Software.
> + *
> + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
> + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
> + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
> + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
> + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
> FROM,
> + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
> + * THE SOFTWARE.
> + */
> +
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include "qemu/osdep.h"

Most of these includes are not necessary.  Please see "Include
directives" in CODING_STYLE.rst.  "qemu/osdep.h" is always first (even
before system headers) and it already includes the common system
headers.

> +int remote_spawn(PCIProxyDev *pdev, const char *command, Error **errp)
> +{
> +char *args[3];
> +pid_t rpid;
> +int fd[2] = {-1, -1};
> +Error *local_error = NULL;
> +
> +if (pdev->managed) {
> +/* Child is forked by external program (such as libvirt). */
> +return -1;
> +}
> +
> +if (socketpair(AF_UNIX, SOCK_STREAM, 0, fd)) {
> +error_setg(errp, "Unable to create unix socket.");
> +return -1;
> +}
> +/* TODO: Restrict the forked process' permissions and capabilities. */
> +rpid = qemu_fork(_error);
> +
> +if (rpid == -1) {
> +error_setg(errp, "Unable to spawn emulation program.");
> +close(fd[0]);
> +close(fd[1]);
> +return -1;
> +}
> +
> +if (rpid == 0) {
> +close(fd[0]);
> +
> +args[0] = g_strdup(command);
> +args[1] = g_strdup_printf("%d", fd[1]);
> +args[2] = NULL;
> +execvp(args[0], (char *const *)args);

execv(3) is safer because it doesn't search PATH.  Unless searching PATH
is really needed I would use that instead just in case this is ever
deployed in an environment where an attacker controls a directory in
PATH or is able to set PATH.

> +static int config_op_send(PCIProxyDev *dev, uint32_t addr, uint32_t *val, 
> int l,
> +  unsigned int op)
> +{
> +MPQemuMsg msg;
> +struct conf_data_msg conf_data;
> +int wait;
> +
> +memset(, 0, sizeof(MPQemuMsg));
> +conf_data.addr = addr;
> +conf_data.val = (op == CONF_WRITE) ? *val : 0;
> +conf_data.l = l;
> +
> +msg.data2 = (uint8_t *)malloc(sizeof(conf_data));
> +if (!msg.data2) {
> +return -ENOMEM;
> +}
> +
> +memcpy(msg.data2, (const uint8_t *)_data, sizeof(conf_data));
> +msg.size = sizeof(conf_data);

Why malloc msg.data2 instead of simply pointing it at conf_data?

> +msg.cmd = op;
> +msg.bytestream = 1;
> +
> +if (op == CONF_WRITE) {
> +msg.num_fds = 0;
> +} else {
> +wait = GET_REMOTE_WAIT;

It seems slow to create an fd and pass it for each 32-bit PCI
Configuration Space read operation.  This doesn't need to be changed
right now, but eventually the protocol should handle this more
efficiently.

> +msg.num_fds = 1;
> +msg.fds[0] = wait;
> +}
> +
> +mpqemu_msg_send(dev->mpqemu_link, , dev->mpqemu_link->com);
> +
> +if (op == CONF_READ) {
> +*val = (uint32_t)wait_for_remote(wait);
> +PUT_REMOTE_WAIT(wait);
> +}

Waiting for the eventfd blocks the event loop.  This means timers and
other fds won't be serviced when the remote is slow to respond.  Please
avoid blocking operations in event loop threads.

> +
> +free(msg.data2);
> +
> +return 0;
> +}
> +
> +static uint32_t pci_proxy_read_config(PCIDevice *d, uint32_t addr, int len)
> +{
> +uint32_t val;
> +
> +(void)pci_default_read_config(d, addr, len);

What is the purpose of this call?

> +static const TypeInfo pci_proxy_dev_type_info = {
> +.name  = TYPE_PCI_PROXY_DEV,
> +.parent= TYPE_PCI_DEVICE,
> +.instance_size = sizeof(PCIProxyDev),
> +.abstract  = true,
> +.class_size=

[RFC v4 PATCH 13/49] multi-process: introduce proxy object

2019-10-24 Thread Jagannathan Raman 
From: Elena Ufimtseva 

Defines a PCI Device proxy object as a parent of TYPE_PCI_DEVICE.
PCI Proxy Object is responsible for registering PCI BARs,i
MemoryRegionOps to handle access to the BARs and forwarding those
to the remote device.
PCI Proxy object intercepts config space reads and writes. In case
of pci config write it forwards it to the remote device using
communication channel set by proxy-link object.

Signed-off-by: Elena Ufimtseva 
Signed-off-by: Jagannathan Raman 
Signed-off-by: John G Johnson 
---
 hw/Makefile.objs  |   2 +
 hw/proxy/Makefile.objs|   1 +
 hw/proxy/qemu-proxy.c | 247 ++
 include/hw/proxy/qemu-proxy.h |  81 ++
 remote/remote-main.c  |  28 +
 5 files changed, 359 insertions(+)
 create mode 100644 hw/proxy/Makefile.objs
 create mode 100644 hw/proxy/qemu-proxy.c
 create mode 100644 include/hw/proxy/qemu-proxy.h

diff --git a/hw/Makefile.objs b/hw/Makefile.objs
index 4e28053..e016100 100644
--- a/hw/Makefile.objs
+++ b/hw/Makefile.objs
@@ -44,6 +44,8 @@ endif
 common-obj-y += $(devices-dirs-y)
 obj-y += $(devices-dirs-y)
 
+common-obj-$(CONFIG_MPQEMU) += proxy/
+
 remote-pci-obj-$(CONFIG_MPQEMU) += core/
 remote-pci-obj-$(CONFIG_MPQEMU) += block/
 remote-pci-obj-$(CONFIG_MPQEMU) += pci/
diff --git a/hw/proxy/Makefile.objs b/hw/proxy/Makefile.objs
new file mode 100644
index 000..eb81624
--- /dev/null
+++ b/hw/proxy/Makefile.objs
@@ -0,0 +1 @@
+common-obj-$(CONFIG_MPQEMU) += qemu-proxy.o
diff --git a/hw/proxy/qemu-proxy.c b/hw/proxy/qemu-proxy.c
new file mode 100644
index 000..baba4da
--- /dev/null
+++ b/hw/proxy/qemu-proxy.c
@@ -0,0 +1,247 @@
+/*
+ * Copyright 2019, Oracle and/or its affiliates.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to 
deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "io/mpqemu-link.h"
+#include "exec/memory.h"
+#include "exec/cpu-common.h"
+#include "exec/address-spaces.h"
+#include "qemu/int128.h"
+#include "qemu/range.h"
+#include "hw/pci/pci.h"
+#include "qemu/option.h"
+#include "qemu/config-file.h"
+#include "qapi/qmp/qjson.h"
+#include "qapi/qmp/qstring.h"
+#include "sysemu/sysemu.h"
+#include "hw/proxy/qemu-proxy.h"
+
+static void pci_proxy_dev_realize(PCIDevice *dev, Error **errp);
+
+int remote_spawn(PCIProxyDev *pdev, const char *command, Error **errp)
+{
+char *args[3];
+pid_t rpid;
+int fd[2] = {-1, -1};
+Error *local_error = NULL;
+
+if (pdev->managed) {
+/* Child is forked by external program (such as libvirt). */
+return -1;
+}
+
+if (socketpair(AF_UNIX, SOCK_STREAM, 0, fd)) {
+error_setg(errp, "Unable to create unix socket.");
+return -1;
+}
+/* TODO: Restrict the forked process' permissions and capabilities. */
+rpid = qemu_fork(_error);
+
+if (rpid == -1) {
+error_setg(errp, "Unable to spawn emulation program.");
+close(fd[0]);
+close(fd[1]);
+return -1;
+}
+
+if (rpid == 0) {
+close(fd[0]);
+
+args[0] = g_strdup(command);
+args[1] = g_strdup_printf("%d", fd[1]);
+args[2] = NULL;
+execvp(args[0], (char *const *)args);
+exit(1);
+}
+pdev->remote_pid = rpid;
+pdev->rsocket = fd[0];
+
+close(fd[1]);
+
+return 0;
+}
+
+static int get_proxy_sock(PCIDevice *dev)
+{
+PCIProxyDev *pdev;
+
+pdev = PCI_PROXY_DEV(dev);
+
+return pdev->rsocket;
+}
+
+static void set_proxy_sock(PCIDevice *dev, int socket)
+{
+PCIProxyDev *pdev;
+
+pdev = PCI_PROXY_DEV(dev);
+
+pdev->rsocket = socket;
+pdev->managed = true;
+
+}
+
+static int config_op_send(PCIProxyDev *dev, uint32_t addr, uint32_t *val, int 
l,
+  unsigned int op)
+{
+MPQemuMsg msg;
+struct conf_data_msg conf_data;
+int wait;
+
+memset(,