From: Julien Grall
Subject: [RFC 12/19] xen/passthrough: iommu_deassign_device_dt: By default reassign device to nobody
Date: Mon, 16 Jun 2014 17:17:59 +0100
Message-ID: <1402935486-29136-13-git-send-email-julien.grall@linaro.org>
In-Reply-To: <1402935486-29136-1-git-send-email-julien.grall@linaro.org>
To: xen-devel@lists.xenproject.org
Cc: stefano.stabellini@citrix.com, Julien Grall, tim@xen.org, ian.campbell@citrix.com

Currently, when the device is deassigned from a domain, we directly reassign
to DOM0.

As the device may not have been correctly reset, this may lead to corrupting
or exposing some part of DOM0 memory.

If Xen reassigns the device to "nobody", it may receive some global/context
fault because the transaction has failed (indeed the context has been marked
invalid).

DOM0 will have to issue a hypercall to assign the device to itself if it
wants to use it.

Signed-off-by: Julien Grall
---
 xen/drivers/passthrough/arm/smmu.c    | 7 ++++---
 xen/drivers/passthrough/device_tree.c | 8 +++-----
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/xen/drivers/passthrough/arm/smmu.c b/xen/drivers/passthrough/arm/smmu.c index f4eb2a2..b25034e 100644 --- a/xen/drivers/passthrough/arm/smmu.c +++ b/xen/drivers/passthrough/arm/smmu.c
@@ -1245,8 +1245,8 @@ static int arm_smmu_reassign_dt_dev(struct domain *s, struct domain *t, { int ret = 0; - /* Don't allow remapping on other domain than hwdom */ - if ( t != hardware_domain ) + /* Allow remapping either on the hardware domain or to nothing */ + if ( t && t != hardware_domain ) return -EPERM; if ( t == s ) @@ -1256,7 +1256,8 @@ static int arm_smmu_reassign_dt_dev(struct domain *s, struct domain *t, if ( ret ) return ret; - ret = arm_smmu_attach_dev(t, dev); + if ( t ) + ret = arm_smmu_attach_dev(t, dev); return ret; } diff --git a/xen/drivers/passthrough/device_tree.c b/xen/drivers/passthrough/device_tree.c index afb4dfc..8a4bc69 100644 --- a/xen/drivers/passthrough/device_tree.c +++ b/xen/drivers/passthrough/device_tree.c @@ -75,14 +75,12 @@ int iommu_deassign_dt_device(struct domain *d, struct dt_device_node *dev) spin_lock(&dtdevs_lock); - rc = hd->platform_ops->reassign_dt_device(d, hardware_domain, dev); + rc = hd->platform_ops->reassign_dt_device(d, NULL, dev); if ( rc ) goto fail; - list_del(&dev->domain_list); - - dt_device_set_used_by(dev, hardware_domain->domain_id); - list_add(&dev->domain_list, &domain_hvm_iommu(hardware_domain)->dt_devices); + list_del_init(&dev->domain_list); + dt_device_set_used_by(dev, DOMID_IO); fail: spin_unlock(&dtdevs_lock); -- 1.7.10.4
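
Review bot: In arm_smmu_reassign_dt_dev() (smmu.c, hunk at -1245), a NULL `t` now means "assign to nobody", but that convention is stated only in the one-line comment above the check. Because iommu_deassign_dt_device() passes NULL through `hd->platform_ops->reassign_dt_device`, every implementation of that callback now has to cope with a NULL target. Please document the NULL case where the callback is described so that another IOMMU driver does not dereference `t` unconditionally.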
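
Review bot: In the second smmu.c hunk (at -1256), when `t` is NULL the function returns 0 without calling arm_smmu_attach_dev(), so the device is left attached to no domain. The commit message says this state can raise global/context faults. A short comment at `if ( t )` saying that skipping the attach is intentional, and that faults are expected until the device is assigned again, would stop a later reader from treating it as a missed attach.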
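
Review bot: In iommu_deassign_dt_device() (device_tree.c), after `list_del_init(&dev->domain_list)` and `dt_device_set_used_by(dev, DOMID_IO)` the device sits on no domain's dt_devices list, and the hardware domain only gets it back through an explicit assign. Please confirm that the assign path accepts a device in exactly this state (used by DOMID_IO, with `domain_list` an empty initialised head), since that path is not part of this patch. It would also help to say in the commit message why list_del() became list_del_init(), presumably because the node is no longer re-added to another list here.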