
[v3,3/6] vpci: crash domain if we weren't able to (un)map vPCI regions

Message ID 20230314205612.3703668-4-volodymyr_babchuk@epam.com (mailing list archive)
State New, archived
Series vpci: first series in preparation for vpci on ARM

Commit Message

Volodymyr Babchuk March 14, 2023, 8:56 p.m. UTC
In that unlikely case, when map_range() fails to do its job, the
domain memory mapping will be left in an inconsistent state. As there is
no easy way to remove stale p2m mappings, we need to crash the domain, as
the FIXME suggests.

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>

---

v3:
 - new patch
---
 xen/drivers/vpci/header.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

Comments

Roger Pau Monné March 16, 2023, 4:32 p.m. UTC | #1
On Tue, Mar 14, 2023 at 08:56:30PM +0000, Volodymyr Babchuk wrote:
> In that unlikely case, when map_range() fails to do its job, the
> domain memory mapping will be left in an inconsistent state. As there is
> no easy way to remove stale p2m mappings, we need to crash the domain, as
> the FIXME suggests.
> 
> Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
> 
> ---
> 
> v3:
>  - new patch
> ---
>  xen/drivers/vpci/header.c | 11 ++++-------
>  1 file changed, 4 insertions(+), 7 deletions(-)
> 
> diff --git a/xen/drivers/vpci/header.c b/xen/drivers/vpci/header.c
> index ec2e978a4e..8319fe4c1d 100644
> --- a/xen/drivers/vpci/header.c
> +++ b/xen/drivers/vpci/header.c
> @@ -162,14 +162,11 @@ bool vpci_process_pending(struct vcpu *v)
>          rangeset_destroy(v->vpci.mem);
>          v->vpci.mem = NULL;
>          if ( rc )
> -            /*
> -             * FIXME: in case of failure remove the device from the domain.
> -             * Note that there might still be leftover mappings. While this is
> -             * safe for Dom0, for DomUs the domain will likely need to be
> -             * killed in order to avoid leaking stale p2m mappings on
> -             * failure.
> -             */
> +        {
>              vpci_remove_device(v->vpci.pdev);
> +            if ( !is_hardware_domain(v->domain) )
> +                domain_crash(v->domain);

No need to remove the device if you are crashing the domain, so the
vpci_remove_device() call can be placed in the else branch of the
conditional.

Thanks, Roger.

Patch

diff --git a/xen/drivers/vpci/header.c b/xen/drivers/vpci/header.c
index ec2e978a4e..8319fe4c1d 100644
--- a/xen/drivers/vpci/header.c
+++ b/xen/drivers/vpci/header.c
@@ -162,14 +162,11 @@  bool vpci_process_pending(struct vcpu *v)
         rangeset_destroy(v->vpci.mem);
         v->vpci.mem = NULL;
         if ( rc )
-            /*
-             * FIXME: in case of failure remove the device from the domain.
-             * Note that there might still be leftover mappings. While this is
-             * safe for Dom0, for DomUs the domain will likely need to be
-             * killed in order to avoid leaking stale p2m mappings on
-             * failure.
-             */
+        {
             vpci_remove_device(v->vpci.pdev);
+            if ( !is_hardware_domain(v->domain) )
+                domain_crash(v->domain);
+        }
     }
 
     return false;
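Review bot: The hardware-domain exemption in this hunk loses its documented rationale. The deleted FIXME was the only place explaining that leftover mappings are tolerable for Dom0 but not for DomUs, and the replacement (`if ( !is_hardware_domain(v->domain) )` / `domain_crash(v->domain);`) keeps exactly that asymmetry without saying why, so the next reader will not know that stale p2m entries are being deliberately accepted for the hardware domain. Keep a one-line comment to that effect. On the logic itself, `vpci_remove_device(v->vpci.pdev);` is now executed unconditionally before the domain is crashed; for a DomU that work is pointless once the domain is going away, so restructure as `if ( is_hardware_domain(v->domain) ) vpci_remove_device(v->vpci.pdev); else domain_crash(v->domain);`. Note also that domain_crash() returns to the caller, so the function still falls through to `return false;` for the crashed domain; that is acceptable as long as nothing on that path touches v->vpci.pdev afterwards, which is worth stating in the commit message since it currently describes the failure only in terms of map_range().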