Xen project Mailing List

RE: [for-4.15][PATCH v2 3/5] xen/iommu: iommu_map: Don't crash the domain if it is dying

To: "'Julien Grall'" <julien@xxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Paul Durrant <xadimgnik@xxxxxxxxx>

Date: Tue, 9 Feb 2021 20:28:26 -0000

Cc: <hongyxia@xxxxxxxxxxxx>, <iwj@xxxxxxxxxxxxxx>, "'Julien Grall'" <jgrall@xxxxxxxxxx>, "'Jan Beulich'" <jbeulich@xxxxxxxx>

Delivery-date: Tue, 09 Feb 2021 20:28:34 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQJkA3sfHUQVO5jg8t87X8qwyW0VowHF7mi9qSgLgIA=

> -----Original Message----- > From: Julien Grall <julien@xxxxxxx> > Sent: 09 February 2021 15:28 > To: xen-devel@xxxxxxxxxxxxxxxxxxxx > Cc: hongyxia@xxxxxxxxxxxx; iwj@xxxxxxxxxxxxxx; Julien Grall > <jgrall@xxxxxxxxxx>; Jan Beulich > <jbeulich@xxxxxxxx>; Paul Durrant <paul@xxxxxxx> > Subject: [for-4.15][PATCH v2 3/5] xen/iommu: iommu_map: Don't crash the > domain if it is dying > > From: Julien Grall <jgrall@xxxxxxxxxx> > > It is a bit pointless to crash a domain that is already dying. This will > become more an annoyance with a follow-up change where page-table > allocation will be forbidden when the domain is dying. > > Security wise, there is no change as the devices would still have access > to the IOMMU page-tables even if the domain has crashed until Xen > start to relinquish the resources. > > For x86, we rely on dom_iommu(d)->arch.mapping.lock to ensure > d->is_dying is correctly observed (a follow-up patch will held it in the s/held/hold > relinquish path). > > For Arm, there is still a small race possible. But there is so far no > failure specific to a domain dying. > > Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx> > > --- > > This was spotted when trying to destroy IOREQ servers while the domain > is dying. The code will try to add the entry back in the P2M and > therefore update the P2M (see arch_ioreq_server_disable() -> > hvm_add_ioreq_gfn()). > > It should be possible to skip the mappin in hvm_add_ioreq_gfn(), however s/mappin/mapping > I didn't try a patch yet because checking d->is_dying can be racy (I > can't find a proper lock). > > Changes in v2: > - Patch added > --- > xen/drivers/passthrough/iommu.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/xen/drivers/passthrough/iommu.c b/xen/drivers/passthrough/iommu.c > index 879d238bcd31..75419f20f76d 100644 > --- a/xen/drivers/passthrough/iommu.c > +++ b/xen/drivers/passthrough/iommu.c > @@ -272,7 +272,7 @@ int iommu_map(struct domain *d, dfn_t dfn, mfn_t mfn, > flush_flags) ) > continue; > > - if ( !is_hardware_domain(d) ) > + if ( !is_hardware_domain(d) && !d->is_dying ) > domain_crash(d); Would it make more sense to check is_dying inside domain_crash() (and turn it into a no-op in that case)? Paul > > break; > -- > 2.17.1

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.