Re: [PATCH 1/2] IOMMU/MMU: Adjust top level functions for VT-d Device-TLB flush error.

["Jan Beulich" <JBeulich@suse.com>]

>>> On 17.03.16 at 07:54, <quan.xu@intel.com> wrote:
> @@ -53,11 +55,21 @@ static int device_power_down(void)
>  
>      ioapic_suspend();
>  
> -    iommu_suspend();
> +    err = iommu_suspend();
> +    if ( err )
> +        goto iommu_suspend_error;
>  
>      lapic_suspend();
>  
>      return 0;
> +
> +iommu_suspend_error:

Labels indented by at least one space please.

> --- a/xen/arch/x86/mm/p2m-ept.c
> +++ b/xen/arch/x86/mm/p2m-ept.c
> @@ -830,7 +830,15 @@ out:
>          {
>              if ( iommu_flags )
>                  for ( i = 0; i < (1 << order); i++ )
> -                    iommu_map_page(d, gfn + i, mfn_x(mfn) + i, iommu_flags);
> +                {
> +                    rc = iommu_map_page(d, gfn + i, mfn_x(mfn) + i, iommu_flags);
> +                    if ( rc )
> +                    {
> +                        while ( i-- > 0 )
> +                            iommu_unmap_page(d, gfn + i);
> +                        break;
> +                    }
> +                }
>              else
>                  for ( i = 0; i < (1 << order); i++ )
>                      iommu_unmap_page(d, gfn + i);

Earlier on in the PV mm code you also checked iommu_unmap_page()'s
return code - why not here (and also in p2m-pt.c)?

Also I'm quite unhappy about the inconsistent state you leave things
in: You unmap from the IOMMU, return an error, but leave the EPT
entry in place.

> --- a/xen/common/grant_table.c
> +++ b/xen/common/grant_table.c
> @@ -932,8 +932,9 @@ __gnttab_map_grant_ref(
>              {
>                  nr_gets++;
>                  (void)get_page(pg, rd);
> -                if ( !(op->flags & GNTMAP_readonly) )
> -                    get_page_type(pg, PGT_writable_page);
> +                if ( !(op->flags & GNTMAP_readonly) &&
> +                     !get_page_type(pg, PGT_writable_page) )
> +                        goto could_not_pin;

This needs explanation, as it doesn't look related to what your actual
goal is: If an error was possible here, I think this would be a security
issue. However, as also kind of documented by the explicitly ignored
return value from get_page(), it is my understanding there here we
only obtain an _extra_ reference.

> --- a/xen/common/memory.c
> +++ b/xen/common/memory.c
> @@ -678,8 +678,9 @@ static int xenmem_add_to_physmap(struct domain *d,
>      if ( need_iommu(d) )
>      {
>          this_cpu(iommu_dont_flush_iotlb) = 0;
> -        iommu_iotlb_flush(d, xatp->idx - done, done);
> -        iommu_iotlb_flush(d, xatp->gpfn - done, done);
> +        rc = iommu_iotlb_flush(d, xatp->idx - done, done);
> +        if ( !rc )
> +            rc = iommu_iotlb_flush(d, xatp->gpfn - done, done);
>      }

And the pattern repeats - you now return an error, but you don't
roll back the now failed operation. But wait - maybe that intended:
Are you meaning to crash the guest in such cases (somewhere
deep in the flush code)? If so, I think that's fine, but you
absolutely would need to say so in the commit message.

> --- a/xen/drivers/passthrough/x86/iommu.c
> +++ b/xen/drivers/passthrough/x86/iommu.c
> @@ -104,7 +104,11 @@ int arch_iommu_populate_page_table(struct domain *d)
>      this_cpu(iommu_dont_flush_iotlb) = 0;
>  
>      if ( !rc )
> -        iommu_iotlb_flush_all(d);
> +    {
> +        rc = iommu_iotlb_flush_all(d);
> +        if ( rc )
> +            iommu_teardown(d);
> +    }
>      else if ( rc != -ERESTART )
>          iommu_teardown(d);

Why can't you just use the existing call to iommu_teardown(), by
simply deleting the "else"?

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel