From mboxrd@z Thu Jan 1 00:00:00 1970 From: Julien Grall Subject: Re: [RFC 12/19] xen/passthrough: iommu_deassign_device_dt: By default reassign device to nobody Date: Thu, 03 Jul 2014 15:09:41 +0100 Message-ID: <53B56425.5060809@linaro.org> References: <1402935486-29136-1-git-send-email-julien.grall@linaro.org> <1402935486-29136-13-git-send-email-julien.grall@linaro.org> <1404388132.17859.27.camel@kazak.uk.xensource.com> <53B5478D.8070107@linaro.org> <1404392037.19893.6.camel@kazak.uk.xensource.com> <53B55419.9000000@linaro.org> <1404394933.19893.13.camel@kazak.uk.xensource.com> <53B55FE8.1080501@linaro.org> <1404396248.19893.31.camel@kazak.uk.xensource.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Received: from mail6.bemta4.messagelabs.com ([85.158.143.247]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1X2hhr-0005Ne-37 for xen-devel@lists.xenproject.org; Thu, 03 Jul 2014 14:09:47 +0000 Received: by mail-wg0-f50.google.com with SMTP id m15so300341wgh.21 for ; Thu, 03 Jul 2014 07:09:45 -0700 (PDT) In-Reply-To: <1404396248.19893.31.camel@kazak.uk.xensource.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Ian Campbell Cc: xen-devel@lists.xenproject.org, stefano.stabellini@citrix.com, tim@xen.org List-Id: xen-devel@lists.xenproject.org On 07/03/2014 03:04 PM, Ian Campbell wrote: > On Thu, 2014-07-03 at 14:51 +0100, Julien Grall wrote: >> On 07/03/2014 02:42 PM, Ian Campbell wrote: >>> On Thu, 2014-07-03 at 14:01 +0100, Julien Grall wrote: >>>> On 07/03/2014 01:53 PM, Ian Campbell wrote: >>>>> On Thu, 2014-07-03 at 13:07 +0100, Julien Grall wrote: >>>>>>>> If Xen reassigns the device to "nobody", it may receive some global/context >>>>>>>> fault because the transaction has failed (indeed the context has been >>>>>>>> marked invalid). >>>>>>> >>>>>>> Can you describe here what happen in this case (I presume Xen tears down >>>>>>> the iommu to quiesce them somehow?) >>>>>> >>>>>> The SMMU drivers will mark the different Context Bank, S2CR, SMR as >>>>>> invalid. If the device is attempt to access the memory then, we will >>>>>> receive an interrupt in Xen. >>>>>> >>>>>> Actually it's only happen once, if the device is still enabled when the >>>>>> domain is shutdown. >>>>> >>>>> My concern was with getting a storm of such interrupts after this point. >>>>> If it only happens once and any subsequent ones are damped by some means >>>>> then great. >>>> >>>> I guess, it can happen with a buggy device trying to access memory >>>> alone. But I don't think we should care about this case. >>> >>> Ideally such a device wouldn't be able to DoS the rest of the system. >>> >>> Does the SMMU not have a bit to say: deny all MMIO from this context >>> without raising an exception? >> >> AFAIK, no. We receive a transaction fault via the global interrupt. If >> we disable this interrupt we also disable potentially helpful message >> when the register are misconfigured. > > That seems like something of a hardware shortcoming. > > It might be worth asking one of the ARM guys what we should do with a > device which won't shut up. I will send an email to Marc & Will. -- Julien Grall