Hi Jan,

On 17/02/2021 15:01, Jan Beulich wrote:
> On 17.02.2021 15:24, Julien Grall wrote:
>> From: Julien Grall <jgr...@amazon.com>
>>
>> The new x86 IOMMU page-tables allocator will release the pages when
>> relinquishing the domain resources. However, this is not sufficient
>> when the domain is dying because nothing prevents page-tables from
>> being allocated.
>>
>> Currently page-table allocations can only happen from iommu_map(). As
>> the domain is dying, there is no good reason to continue to modify the
>> IOMMU page-tables.
>
> While I agree this to be the case right now, I'm not sure it is a
> good idea to build on it (in that you leave the unmap paths
> untouched).

I don't build on that assumption. See next patch.

> Imo there's a fair chance this would be overlooked at
> the point super page mappings get introduced (which has been long
> overdue), and I thought prior discussion had led to a possible
> approach without risking use-after-free due to squashed unmap
> requests.

I know you suggested to zap the root page-tables... However, I don't
think this is 4.15 material and you agree with this (you were the one
who pointed that out).

--- a/xen/drivers/passthrough/x86/iommu.c
+++ b/xen/drivers/passthrough/x86/iommu.c
@@ -273,6 +273,9 @@ int iommu_free_pgtables(struct domain *d)
/*
* Pages will be moved to the free list below. So we want to
* clear the root page-table to avoid any potential use after-free.
+ *
+ * After this call, no more IOMMU mapping can happen.
+ *
*/
hd->platform_ops->clear_root_pgtable(d);
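
Review bot: The added sentence "After this call, no more IOMMU mapping can happen." states a guarantee without saying what provides it. The surrounding comment only motivates clear_root_pgtable(d) as a way to avoid use-after-free once the pages move to the free list, so a reader cannot tell from here why a concurrent mapper is excluded after the call returns. Suggest naming the mechanism in the comment (what the call synchronizes with, or which check a later mapping attempt fails on). The second added " *" line also leaves an empty comment line directly before the closing "*/" and can be dropped.
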
> I.e. you utilize the call in place of spin_barrier(). Maybe worth
> saying in the comment?

Sure.

> Also, nit: Stray blank comment line.

Cheers,

--
Julien Grall