Re-cc’ing xen-devel...

> On Oct 5, 2018, at 11:34 AM, George Dunlap <george.dun...@citrix.com> wrote:
>
>> On Oct 5, 2018, at 11:27 AM, Paul Durrant <paul.durr...@citrix.com> wrote:
>>
>>> -----Original Message-----
>>> From: George Dunlap
>>> Sent: 05 October 2018 11:25
>>> To: Paul Durrant <paul.durr...@citrix.com>
>>> Subject: Re: [Xen-devel] [PATCH v14 4/9] iommu: don't domain_crash()
>>> inside iommu_map/unmap_page()
>>>
>>> [Sorry, my mail client crashed and I can’t figure out how to make it
>>> re-edit this draft, so I’m replying to it instead.]
>>>
>>>> On Oct 5, 2018, at 11:22 AM, George Dunlap <george.dun...@citrix.com> wrote:
>>>>
>>>>> On Oct 5, 2018, at 10:02 AM, Paul Durrant <paul.durr...@citrix.com> wrote:
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Jan Beulich [mailto:jbeul...@suse.com]
>>>>>> Sent: 05 October 2018 08:33
>>>>>> To: Paul Durrant <paul.durr...@citrix.com>
>>>>>> Cc: Andrew Cooper <andrew.coop...@citrix.com>; George Dunlap
>>>>>> <george.dun...@citrix.com>; Ian Jackson <ian.jack...@citrix.com>;
>>>>>> Wei Liu <wei.l...@citrix.com>; Jun Nakajima <jun.nakaj...@intel.com>;
>>>>>> Stefano Stabellini <sstabell...@kernel.org>;
>>>>>> xen-devel <xen-de...@lists.xenproject.org>;
>>>>>> Konrad Rzeszutek Wilk <konrad.w...@oracle.com>;
>>>>>> Tim (Xen.org) <t...@xen.org>
>>>>>> Subject: Re: [Xen-devel] [PATCH v14 4/9] iommu: don't domain_crash()
>>>>>> inside iommu_map/unmap_page()
>>>>>>
>>>>>>>>> On 04.10.18 at 18:36, <paul.durr...@citrix.com> wrote:
>>>>>>> I still think an implicit domain_crash() doesn't really belong in
>>>>>>> something that looks like a straightforward wrapper around a
>>>>>>> per-implementation jump table. How about
>>>>>>> iommu_map/unmap_may_crash() instead to highlight the semantic?
>>>>>>
>>>>>> If anything then the other way around, i.e. iommu_unmap_no_crash(),
>>>>>> such that only callers who explicitly mean to deal with the crashing
>>>>>> themselves would use the otherwise insecure variant.
>>>>>>
>>>>>
>>>>> Ok. George, what is your preference?
>>>>>
>>>>> At this point my proposal is to drop this patch and replace it with
>>>>> one that removes the implicit crash from everything except the
>>>>> unmap. I can then introduce a 'nocrash' variant of unmap if I need
>>>>> it... although I'm no longer convinced I can really do anything else
>>>>> if a PV-IOMMU unmap fails.
>>>>
>>>> Sorry, ‘mayfail’ was meant to be short for “may fail [without crashing
>>>> the guest]”; as opposed to “must succeed [or crash the guest]”. IOW, I
>>>> agree with Jan that the default should be to crash the guest unless
>>>> the caller explicitly opts to handle the failure themselves. Don’t
>>>> have a strong opinion on the name.
>>
>> But for mapping too? It seems unnecessary to crash the domain in that case.
>
> ISTR that the domain_crash() was added only a few years ago; I’d have to go
> back and see the reasoning for it being added in the first place. I’ll do
> that Monday if Jan doesn’t beat me to it.
>
> -George
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel