Xen project Mailing List

[PATCH 3/9] VT-d: undo device mappings upon error

To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Date: Wed, 9 Jun 2021 11:27:37 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=cqeP7V5sPiTn4G53r8FVAMkSkYXDA8o5CuxWXa7EIrQ=; b=k8Xl99bUmPu/vkXV+Bk4dNWRVUDvDOzzdujYM2IUFG6FYtuFGt/KZLbrnsW61Mtr/2YnfJfFJp9DBE624DW1BJTAm1Fi2TNieVC4Q+Y95/VWeWGs4jh/o+wH4D/6xHKejE6d8sxIT+yCPUDaVCZvYe3Dr5Xu76Yz/2TeXYctdp6sB6Tn7umm1ymLpvd0p9GSaVahzbXhEFNmI6OShm9Ka3cUrQQcPT08fdYVk1/+BSzasSQKzlTgC4+rI67so3+wNg7GKFKAoNCsmFE5OTgghQXnqVcL+g7xZuqLIsQFPzKxZCOnjmawCkRD+zvhvpk3lRwunRTu/UcZHOBErkPu5Q==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=iWypa+c5uJfrbEJo1oDv3A8Wa1SR9fY39yXsZJH5OSpK4c4tzHZDBE46GM++M7wi7k1RM+PkYfNPt+QC9bRdWJMxDSDu1pZJLfWGbduNtRwK3wSG+IT2hYJ2QDWNJA3wXMg0vRrO+zPAtWhKHIWxwNq+D+mi7eVOx33gCsK1fo40MdDijww2s1j+F/pWhvLa/ek9DeNp+JqVKQk0MB+AU2X7nuDQPRqmZicuSFX/BBsUt35nmR85EdPSPUMZ8u0EljPlKoAYJHJBNpmMFXeHFO3kRx2L0Ku7yBLHP13kF+gwzWnil9K7ER6fIuCGwFCAgDHvd49B1/Mvhjx1ojVVFQ==

Authentication-results: intel.com; dkim=none (message not signed) header.d=none;intel.com; dmarc=none action=none header.from=suse.com;

Cc: Paul Durrant <paul@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>

Delivery-date: Wed, 09 Jun 2021 09:27:50 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

When - flushes (supposedly not possible anymore after XSA-373), - secondary mappings for legacy PCI devices behind bridges, - secondary mappings for chipset quirks, or - find_upstream_bridge() invocations fail, the successfully established device mappings should not be left around. Further, when (parts of) unmapping fail, simply returning an error is typically not enough. Crash the domain instead in such cases, arranging for domain cleanup to continue in a best effort manner despite such failures. Finally make domain_context_unmap()'s error behavior consistent in the legacy PCI device case: Don't bail from the function in one special case, but always just exit the switch statement. Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Reviewed-by: Paul Durrant <paul@xxxxxxx> --- a/xen/drivers/passthrough/vtd/iommu.c +++ b/xen/drivers/passthrough/vtd/iommu.c @@ -1442,9 +1442,15 @@ int domain_context_mapping_one( if ( !seg && !rc ) rc = me_wifi_quirk(domain, bus, devfn, MAP_ME_PHANTOM_FUNC); + if ( rc ) + domain_context_unmap_one(domain, iommu, bus, devfn); + return rc; } +static int domain_context_unmap(struct domain *d, uint8_t devfn, + struct pci_dev *pdev); + static int domain_context_mapping(struct domain *domain, u8 devfn, struct pci_dev *pdev) { @@ -1505,16 +1511,21 @@ static int domain_context_mapping(struct if ( ret ) break; - if ( find_upstream_bridge(seg, &bus, &devfn, &secbus) < 1 ) - break; + if ( (ret = find_upstream_bridge(seg, &bus, &devfn, &secbus)) < 1 ) + { + if ( !ret ) + break; + ret = -ENXIO; + } /* * Mapping a bridge should, if anything, pass the struct pci_dev of * that bridge. Since bridges don't normally get assigned to guests, * their owner would be the wrong one. Pass NULL instead. */ - ret = domain_context_mapping_one(domain, drhd->iommu, bus, devfn, - NULL); + if ( ret >= 0 ) + ret = domain_context_mapping_one(domain, drhd->iommu, bus, devfn, + NULL); /* * Devices behind PCIe-to-PCI/PCIx bridge may generate different @@ -1531,6 +1542,9 @@ static int domain_context_mapping(struct ret = domain_context_mapping_one(domain, drhd->iommu, secbus, 0, NULL); + if ( ret ) + domain_context_unmap(domain, devfn, pdev); + break; default: @@ -1609,6 +1623,19 @@ int domain_context_unmap_one( if ( !iommu->drhd->segment && !rc ) rc = me_wifi_quirk(domain, bus, devfn, UNMAP_ME_PHANTOM_FUNC); + if ( rc && !is_hardware_domain(domain) && domain != dom_io ) + { + if ( domain->is_dying ) + { + printk(XENLOG_ERR "%pd: error %d unmapping %04x:%02x:%02x.%u\n", + domain, rc, iommu->drhd->segment, bus, + PCI_SLOT(devfn), PCI_FUNC(devfn)); + rc = 0; /* Make upper layers continue in a best effort manner. */ + } + else + domain_crash(domain); + } + return rc; } @@ -1661,17 +1688,29 @@ static int domain_context_unmap(struct d tmp_bus = bus; tmp_devfn = devfn; - if ( find_upstream_bridge(seg, &tmp_bus, &tmp_devfn, &secbus) < 1 ) + if ( (ret = find_upstream_bridge(seg, &tmp_bus, &tmp_devfn, + &secbus)) < 1 ) + { + if ( ret ) + { + ret = -ENXIO; + if ( !domain->is_dying && + !is_hardware_domain(domain) && domain != dom_io ) + { + domain_crash(domain); + /* Make upper layers continue in a best effort manner. */ + ret = 0; + } + } break; + } /* PCIe to PCI/PCIx bridge */ if ( pdev_type(seg, tmp_bus, tmp_devfn) == DEV_TYPE_PCIe2PCI_BRIDGE ) { ret = domain_context_unmap_one(domain, iommu, tmp_bus, tmp_devfn); - if ( ret ) - return ret; - - ret = domain_context_unmap_one(domain, iommu, secbus, 0); + if ( !ret ) + ret = domain_context_unmap_one(domain, iommu, secbus, 0); } else /* Legacy PCI bridge */ ret = domain_context_unmap_one(domain, iommu, tmp_bus, tmp_devfn);

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.