[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v2] libxl: disallow PCI device assignment for HVM guest when PoD is enabled

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Campbell <Ian.Campbell@xxxxxxxxxx>
From: George Dunlap <george.dunlap@xxxxxxxxxxxxx>
Date: Mon, 20 Jan 2014 14:04:12 +0000
Cc: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxx
Delivery-date: Mon, 20 Jan 2014 14:04:29 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 01/14/2014 02:54 PM, Andrew Cooper wrote:

On 14/01/14 14:50, Ian Campbell wrote:

On Mon, 2014-01-13 at 11:52 +0000, Wei Liu wrote:

This replicates a Xend behavior, see ec789523749 ("xend: Dis-allow
device assignment if PoD is enabled.").

This change is restricted to HVM guest, as only HVM is relevant in the
counterpart in Xend. We're late in release cycle so the change should
only do what's necessary. Probably we can revisit it if we need to do
the same thing for PV guest in the future.

Signed-off-by: Wei Liu <wei.liu2@xxxxxxxxxx>

Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>

Release hat: The risk here is of a false positive detecting whether PoD
would be used and therefore refusing to start a domain. However Wei
directed me earlier on to the code in setup_guest which sets
XENMEMF_populate_on_demand and I believe it is using the same logic.

The benefit of this is that it will stop people starting a domain in an
invalid configuration -- but what is the downside here? Is it an
unhandled IOMMU fault or another host-fatal error? That would make the
argument for taking this patch pretty strong. On the other hand if the
failure were simply to kill this domain, that would be a less serious
issue and I'd be in two minds, mainly due to George not being here to
confirm that the pod_enabled logic is correct (although if he were here
I wouldn't be wrestling with this question at all ;-)).

I'm leaning towards taking this fix, but I'd really like to know what
the current failure case looks like.

Ian.

The answer is likely hardware specific.

An IOMMU fault (however handled by Xen) will result in a master abort on
the DMA transaction for the PCI device which has suffered the fault.
That device can then do anything from continue blindly to issuing an NMI
IOCK/SERR which will likely be fatal to the entire server.

I thought we changed the behavior of Xen not to crash on SERR? Or was Iconfused about that?

Since a VM should be able to craft a DMA pointing to invalid p2m spacefairly easily, it seems like having the host crash in that scenariowould basically remove half of the reason for having am IOMMU in thefirst place.


 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH v2] libxl: disallow PCI device assignment for HVM guest when PoD is enabled
  - From: Andrew Cooper

References:
- [Xen-devel] [PATCH v2] libxl: disallow PCI device assignment for HVM guest when PoD is enabled
  - From: Wei Liu
- Re: [Xen-devel] [PATCH v2] libxl: disallow PCI device assignment for HVM guest when PoD is enabled
  - From: Ian Campbell
- Re: [Xen-devel] [PATCH v2] libxl: disallow PCI device assignment for HVM guest when PoD is enabled
  - From: Andrew Cooper

Prev by Date: Re: [Xen-devel] [PATCH v6 2/7] x86: dynamically attach/detach CQM service for a guest
Next by Date: [Xen-devel] Delays on usleep calls
Previous by thread: Re: [Xen-devel] [PATCH v2] libxl: disallow PCI device assignment for HVM guest when PoD is enabled
Next by thread: Re: [Xen-devel] [PATCH v2] libxl: disallow PCI device assignment for HVM guest when PoD is enabled
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.