From mboxrd@z Thu Jan  1 00:00:00 1970
From: Julien Grall <julien.grall@linaro.org>
Subject: Re: [RFC 12/19] xen/passthrough:
 iommu_deassign_device_dt: By default reassign device to nobody
Date: Thu, 03 Jul 2014 14:51:36 +0100
Message-ID: <53B55FE8.1080501@linaro.org>
References: <1402935486-29136-1-git-send-email-julien.grall@linaro.org>			
	<1402935486-29136-13-git-send-email-julien.grall@linaro.org>		
	<1404388132.17859.27.camel@kazak.uk.xensource.com>		
	<53B5478D.8070107@linaro.org>	
	<1404392037.19893.6.camel@kazak.uk.xensource.com>	
	<53B55419.9000000@linaro.org>
	<1404394933.19893.13.camel@kazak.uk.xensource.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <julien.grall@linaro.org>) id 1X2hQP-0002To-0q
	for xen-devel@lists.xenproject.org; Thu, 03 Jul 2014 13:51:45 +0000
Received: by mail-wi0-f179.google.com with SMTP id cc10so2279004wib.6
	for <xen-devel@lists.xenproject.org>;
	Thu, 03 Jul 2014 06:51:41 -0700 (PDT)
In-Reply-To: <1404394933.19893.13.camel@kazak.uk.xensource.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Ian Campbell <Ian.Campbell@citrix.com>
Cc: xen-devel@lists.xenproject.org, stefano.stabellini@citrix.com, tim@xen.org
List-Id: xen-devel@lists.xenproject.org

On 07/03/2014 02:42 PM, Ian Campbell wrote:
> On Thu, 2014-07-03 at 14:01 +0100, Julien Grall wrote:
>> On 07/03/2014 01:53 PM, Ian Campbell wrote:
>>> On Thu, 2014-07-03 at 13:07 +0100, Julien Grall wrote:
>>>>>> If Xen reassigns the device to "nobody", it may receive some global/context
>>>>>> fault because the transaction has failed (indeed the context has been
>>>>>> marked invalid).
>>>>>
>>>>> Can you describe here what happen in this case (I presume Xen tears down
>>>>> the iommu to quiesce them somehow?)
>>>>
>>>> The SMMU drivers will mark the different Context Bank, S2CR, SMR as
>>>> invalid. If the device is attempt to access the memory then, we will
>>>> receive an interrupt in Xen.
>>>>
>>>> Actually it's only happen once, if the device is still enabled when the
>>>> domain is shutdown.
>>>
>>> My concern was with getting a storm of such interrupts after this point.
>>> If it only happens once and any subsequent ones are damped by some means
>>> then great.
>>
>> I guess, it can happen with a buggy device trying to access memory
>> alone. But I don't think we should care about this case.
> 
> Ideally such a device wouldn't be able to DoS the rest of the system.
> 
> Does the SMMU not have a bit to say: deny all MMIO from this context
> without raising an exception?

AFAIK, no. We receive a transaction fault via the global interrupt. If
we disable this interrupt we also disable potentially helpful message
when the register are misconfigured.

Regards,


-- 
Julien Grall