|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [PATCH for-4.15 4/4] xen/iommu: x86: Don't leak the IOMMU page-tables
From: Julien Grall <jgrall@xxxxxxxxxx>
The new IOMMU page-tables allocator will release the pages when
relinquish the domain resources. However, this is not sufficient in two
cases:
1) domain_relinquish_resources() is not called when the domain
creation fails.
2) There is nothing preventing page-table allocations when the
domain is dying.
In both cases, this can be solved by freeing the page-tables again
when the domain destruction. Although, this may result to an high
number of page-tables to free.
In the second case, it is pointless to allow page-table allocation when
the domain is going to die. iommu_alloc_pgtable() will now return an
error when it is called while the domain is dying.
Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx>
---
xen/arch/x86/domain.c | 2 +-
xen/drivers/passthrough/x86/iommu.c | 32 +++++++++++++++++++++++++++--
xen/include/asm-x86/iommu.h | 2 +-
3 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index b9ba04633e18..1b7ee5c1a8cb 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -2290,7 +2290,7 @@ int domain_relinquish_resources(struct domain *d)
PROGRESS(iommu_pagetables):
- ret = iommu_free_pgtables(d);
+ ret = iommu_free_pgtables(d, false);
if ( ret )
return ret;
diff --git a/xen/drivers/passthrough/x86/iommu.c
b/xen/drivers/passthrough/x86/iommu.c
index 99a23177b3d2..4a083e4b8f11 100644
--- a/xen/drivers/passthrough/x86/iommu.c
+++ b/xen/drivers/passthrough/x86/iommu.c
@@ -149,6 +149,21 @@ int arch_iommu_domain_init(struct domain *d)
void arch_iommu_domain_destroy(struct domain *d)
{
+ struct domain_iommu *hd = dom_iommu(d);
+ int rc;
+
+ /*
+ * The relinquish code will not be executed if the domain creation
+ * failed. To avoid any memory leak, we want to free any IOMMU
+ * page-tables that may have been allocated.
+ */
+ rc = iommu_free_pgtables(d, false);
+
+ /* The preemption was disabled, so the call should never fail. */
+ if ( rc )
+ ASSERT_UNREACHABLE();
+
+ ASSERT(page_list_empty(&hd->arch.pgtables.list));
}
static bool __hwdom_init hwdom_iommu_map(const struct domain *d,
@@ -261,7 +276,7 @@ void __hwdom_init arch_iommu_hwdom_init(struct domain *d)
return;
}
-int iommu_free_pgtables(struct domain *d)
+int iommu_free_pgtables(struct domain *d, bool preempt)
{
struct domain_iommu *hd = dom_iommu(d);
struct page_info *pg;
@@ -282,7 +297,7 @@ int iommu_free_pgtables(struct domain *d)
{
free_domheap_page(pg);
- if ( !(++done & 0xff) && general_preempt_check() )
+ if ( !(++done & 0xff) && preempt && general_preempt_check() )
{
spin_unlock(&hd->arch.pgtables.lock);
return -ERESTART;
@@ -305,6 +320,19 @@ struct page_info *iommu_alloc_pgtable(struct domain *d)
memflags = MEMF_node(hd->node);
#endif
+ /*
+ * The IOMMU page-tables are freed when relinquishing the domain, but
+ * nothing prevent allocation to happen afterwards. There is no valid
+ * reasons to continue to update the IOMMU page-tables while the
+ * domain is dying.
+ *
+ * So prevent page-table allocation when the domain is dying. Note
+ * this doesn't fully prevent the race because d->is_dying may not
+ * yet be seen.
+ */
+ if ( d->is_dying )
+ return NULL;
+
pg = alloc_domheap_page(NULL, memflags);
if ( !pg )
return NULL;
diff --git a/xen/include/asm-x86/iommu.h b/xen/include/asm-x86/iommu.h
index 970eb06ffac5..874bb5bbfbde 100644
--- a/xen/include/asm-x86/iommu.h
+++ b/xen/include/asm-x86/iommu.h
@@ -135,7 +135,7 @@ int pi_update_irte(const struct pi_desc *pi_desc, const
struct pirq *pirq,
iommu_vcall(ops, sync_cache, addr, size); \
})
-int __must_check iommu_free_pgtables(struct domain *d);
+int __must_check iommu_free_pgtables(struct domain *d, bool preempt);
struct page_info *__must_check iommu_alloc_pgtable(struct domain *d);
#endif /* !__ARCH_X86_IOMMU_H__ */
--
2.17.1
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |