From: "Jan Beulich"
Subject: [PATCH] AMD IOMMU: don't free page table prematurely
Date: Mon, 26 May 2014 11:16:43 +0100
Message-ID: <538330AB0200007800015B2F@mail.emea.novell.com>
To: xen-devel
Cc: Aravind Gopalakrishnan, suravee.suthikulpanit@amd.com

iommu_merge_pages() still wants to look at the next level page table, the TLB flush necessary before freeing too happens in that function, and if it fails no free should happen at all. Hence the freeing must be done after that function returned successfully, not before it's being called.

Signed-off-by: Jan Beulich

--- a/xen/drivers/passthrough/amd/iommu_map.c +++ b/xen/drivers/passthrough/amd/iommu_map.c @@ -691,8 +691,6 @@ int amd_iommu_map_page(struct domain *d, if ( !iommu_update_pde_count(d, pt_mfn[merge_level], gfn, mfn, merge_level) ) break; - /* Deallocate lower level page table */ - free_amd_iommu_pgtable(mfn_to_page(pt_mfn[merge_level - 1])); =20 if ( iommu_merge_pages(d, pt_mfn[merge_level], gfn,=20 flags, merge_level) )
@@ -703,6 +701,9 @@ int amd_iommu_map_page(struct domain *d, domain_crash(d); return -EFAULT; } + + /* Deallocate lower level page table */ + free_amd_iommu_pgtable(mfn_to_page(pt_mfn[merge_level - 1])); } =20 out:
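
Review bot: In the second hunk (@@ -703,6 +701,9 @@), the re-added comment "/* Deallocate lower level page table */" does not record why free_amd_iommu_pgtable() has to sit after the iommu_merge_pages() error check, which is the whole point of the move. Per the commit message, iommu_merge_pages() still reads the lower level table and performs the TLB flush that must precede the free, and on its failure path (domain_crash(d); return -EFAULT;) nothing should be freed. Suggest extending the comment to say that the table is freed only after a successful merge, because the merge still reads it and does the flush, so the call is not hoisted back above iommu_merge_pages() in a later cleanup.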