On Fri, Nov 12, 2021 at 02:45:14PM +0100, Jan Beulich wrote: > On 12.11.2021 14:42, Roger Pau Monné wrote: > > On Fri, Nov 12, 2021 at 10:48:43AM +0100, Jan Beulich wrote: > >> While domain_context_mapping() invokes domain_context_unmap() in a sub- > >> case of handling DEV_TYPE_PCI when encountering an error, thus avoiding > >> a leak, individual calls to domain_context_mapping_one() aren't > >> similarly covered. Such a leak might persist until domain destruction. > >> Leverage that these cases can be recognized by pdev being non-NULL. > > > > Would it help to place the domid cleanup in domain_context_unmap_one, > > as that would then cover calls from domain_context_unmap and the > > failure path in domain_context_mapping_one. > > I don't think that would work (without further convolution), because of > the up to 3 successive calls in DEV_TYPE_PCI handling. Cleanup may happen > only on the first map's error path or after the last unmap.
Hm, I see. And AFAICT that's because some devices that get assigned to a guest iommu context are not actually assigned to the guest (ie: pdev->domain doesn't get set, neither the device is added to the per-domain list), which makes them invisible to any_pdev_behind_iommu. I dislike that the domid is added in domain_context_mapping_one, while the cleanup is not done in domain_context_unmap_one, and that some devices context could be using the domain id without being assigned to the domain. Thanks, Roger.
