From: Julien Grall <julien@xen.org>
To: Jan Beulich <jbeulich@suse.com>
Cc: hongyxia@amazon.co.uk, iwj@xenproject.org,
Julien Grall <jgrall@amazon.com>, Paul Durrant <paul@xen.org>,
xen-devel@lists.xenproject.org
Subject: Re: [for-4.15][PATCH v2 4/5] xen/iommu: x86: Don't leak the IOMMU page-tables
Date: Wed, 17 Feb 2021 11:49:28 +0000 [thread overview]
Message-ID: <8c9ec11b-6ee8-4bc5-ed2d-c84c0dc23afb@xen.org> (raw)
In-Reply-To: <01546a53-1b1a-af35-a67e-7612e619961d@suse.com>
Hi Jan,
On 10/02/2021 16:12, Jan Beulich wrote:
> On 10.02.2021 16:04, Julien Grall wrote:
>> On 10/02/2021 14:32, Jan Beulich wrote:
>>> On 09.02.2021 16:28, Julien Grall wrote:
>>>> From: Julien Grall <jgrall@amazon.com>
>>>>
>>>> The new IOMMU page-tables allocator will release the pages when
>>>> relinquish the domain resources. However, this is not sufficient when
>>>> the domain is dying because nothing prevents page-table to be allocated.
>>>>
>>>> iommu_alloc_pgtable() is now checking if the domain is dying before
>>>> adding the page in the list. We are relying on &hd->arch.pgtables.lock
>>>> to synchronize d->is_dying.
>>>
>>> As said in reply to an earlier patch, I think suppressing
>>> (really: ignoring) new mappings would be better.
>>
>> This is exactly what I suggested in v1 but you wrote:
>>
>> "Ignoring requests there seems fragile to me. Paul - what are your
>> thoughts about bailing early from hvm_add_ioreq_gfn() when the
>> domain is dying?"
>
> Was this on the thread of this patch? I didn't find such a
> reply of mine. I need more context here because you name
> hvm_add_ioreq_gfn() above, while I refer to iommu_map()
> (and downwards the call stack).
See [1].
>
>> Are you know saying that the following snipped would be fine:
>>
>> if ( d->is_dying )
>> return 0;
>
> In {amd,intel}_iommu_map_page(), after the lock was acquired
> and with it suitably released, yes. And if that's what you
> suggested, then I'm sorry - I don't think I can see anything
> fragile there anymore.
Duplicating the check sounds good to me.
>
>>> You could
>>> utilize the same lock, but you'd need to duplicate the
>>> checking in {amd,intel}_iommu_map_page().
>>>
>>> I'm not entirely certain in the case about unmap requests:
>>> It may be possible to also suppress/ignore them, but this
>>> may require some further thought.
>>
>> I think the unmap part is quite risky to d->is_dying because the PCI
>> devices may not quiesced and still assigned to the domain.
>
> Hmm, yes, good point. Of course upon first unmap with is_dying
> observed set we could zap the root page table, but I don't
> suppose that's something we want to do for 4.15.
We would still need to zap the root page table in the relinquish path.
So I am not sure what benefits it would give us to zap the page tables
on the first iommu_unmap() afther domain dies.
Cheers,
[1]
https://lore.kernel.org/xen-devel/f21f1f61-5213-55a8-320c-43e5fe80100f@suse.com/
--
Julien Grall
next prev parent reply other threads:[~2021-02-17 11:49 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-09 15:28 [for-4.15][PATCH v2 0/5] xen/iommu: Collection of bug fixes for IOMMU teadorwn Julien Grall
2021-02-09 15:28 ` [for-4.15][PATCH v2 1/5] xen/x86: p2m: Don't map the special pages in the IOMMU page-tables Julien Grall
2021-02-09 20:19 ` Paul Durrant
2021-02-10 8:29 ` Roger Pau Monné
2021-02-10 8:50 ` Julien Grall
2021-02-10 9:34 ` Julien Grall
2021-02-10 11:10 ` Jan Beulich
2021-02-10 11:34 ` Roger Pau Monné
2021-02-10 11:38 ` Jan Beulich
2021-02-10 11:40 ` Julien Grall
2021-02-10 11:45 ` Jan Beulich
2021-02-10 11:48 ` Julien Grall
2021-02-10 11:54 ` Roger Pau Monné
2021-02-10 13:12 ` Jan Beulich
2021-02-10 15:24 ` Roger Pau Monné
2021-02-10 15:53 ` Jan Beulich
2021-02-10 13:08 ` Jan Beulich
2021-02-10 11:26 ` Jan Beulich
2021-02-15 11:38 ` Julien Grall
2021-02-15 12:36 ` Jan Beulich
2021-02-15 12:54 ` Julien Grall
2021-02-15 13:14 ` Jan Beulich
2021-02-17 11:21 ` Julien Grall
2021-02-09 15:28 ` [for-4.15][PATCH v2 2/5] xen/iommu: Check if the IOMMU was initialized before tearing down Julien Grall
2021-02-09 20:22 ` Paul Durrant
2021-02-17 11:25 ` Julien Grall
2021-02-09 15:28 ` [for-4.15][PATCH v2 3/5] xen/iommu: iommu_map: Don't crash the domain if it is dying Julien Grall
2021-02-09 20:28 ` Paul Durrant
2021-02-09 21:14 ` Julien Grall
2021-02-10 14:14 ` Jan Beulich
2021-02-10 14:58 ` Julien Grall
2021-02-10 15:56 ` Jan Beulich
2021-02-09 15:28 ` [for-4.15][PATCH v2 4/5] xen/iommu: x86: Don't leak the IOMMU page-tables Julien Grall
2021-02-09 20:33 ` Paul Durrant
2021-02-10 14:32 ` Jan Beulich
2021-02-10 15:04 ` Julien Grall
2021-02-10 16:12 ` Jan Beulich
2021-02-17 11:49 ` Julien Grall [this message]
2021-02-17 12:57 ` Jan Beulich
2021-02-10 14:44 ` Jan Beulich
2021-02-09 15:28 ` [for-4.15][PATCH v2 5/5] xen/iommu: x86: Clear the root page-table before freeing the page-tables Julien Grall
2021-02-09 20:36 ` Paul Durrant
2021-02-10 2:21 ` Tian, Kevin
2021-02-17 13:54 ` Julien Grall
2021-02-10 14:39 ` Jan Beulich
2021-02-09 16:47 ` [for-4.15][PATCH v2 0/5] xen/iommu: Collection of bug fixes for IOMMU teadorwn Ian Jackson
2021-02-17 11:33 ` Julien Grall
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8c9ec11b-6ee8-4bc5-ed2d-c84c0dc23afb@xen.org \
--to=julien@xen.org \
--cc=hongyxia@amazon.co.uk \
--cc=iwj@xenproject.org \
--cc=jbeulich@suse.com \
--cc=jgrall@amazon.com \
--cc=paul@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).