KEXEC: disconnect all PCI devices from the PCI bus on crash

In the case of a crash, IOMMU DMA remapping gets turned off so that
the kdump kernel may boot.  However, this is warned as being dangerous
in the VTD specification if a DMA transaction is in progress.

Also, in the case of a crash, DMA transactions and interrupts from
peripheral devices such as network cards are likely to keep coming in.
Without DMA remapping enabled, the transactions will be writing over
low memory, corrupting the crash state, and perhaps even the kdump
reserved memory.

Therefore, on the crash path, we can disconnect all PCI devices from
their respective buses so that they are no longer able to be DMA
busmasters.  This reduces the risk of DMA transactions corrupting
state (and will also reduce spurious interrupts arriving to the kdump
kernel) until the kdump kernel and properly reset the PCI devices.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

diff --git a/xen/arch/x86/crash.c b/xen/arch/x86/crash.c
index ab18abb4d177e99ca05c54e5497f1ab0f86514eb..392c8d2395d51f98211d29f8fee6c31770a99dd5 100644 (file)
--- a/xen/arch/x86/crash.c
+++ b/xen/arch/x86/crash.c
@@ -28,6 +28,7 @@
 #include <asm/apic.h>
 #include <asm/io_apic.h>
 #include <xen/iommu.h>
+#include <xen/pci.h>
 
 static atomic_t waiting_for_crash_ipi;
 static unsigned int crashing_cpu;
@@ -78,6 +79,8 @@ static void nmi_shootdown_cpus(void)
         msecs--;
     }
 
+    disconnect_pci_devices();
+
     /* Crash shutdown any IOMMU functionality as the crashdump kernel is not
      * happy when booting if interrupt/dma remapping is still enabled */
     iommu_crash_shutdown();

diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c
index 33443e4ebf7b1a227fb635a12be29cf8e2bf2a1d..f3e4113e54e2a5bc6637ae9cd8d797774d9ebea8 100644 (file)
--- a/xen/drivers/passthrough/pci.c
+++ b/xen/drivers/passthrough/pci.c
@@ -462,6 +462,25 @@ int __init scan_pci_devices(void)
     return 0;
 }
 
+/* Disconnect all PCI devices from the PCI buses. From the PCI spec:
+ *   "When a 0 is written to [the COMMAND] register, the device is
+ *    logically disconnected from the PCI bus for all accesses except
+ *    configuration accesses. All devices are required to support
+ *    this base level of functionality."
+ */
+void disconnect_pci_devices(void)
+{
+    struct pci_dev *pdev;
+
+    spin_lock(&pcidevs_lock);
+
+    list_for_each_entry ( pdev, &alldevs_list, alldevs_list )
+        pci_conf_write16(pdev->bus, PCI_SLOT(pdev->devfn),
+                         PCI_FUNC(pdev->devfn), PCI_COMMAND, 0);
+
+    spin_unlock(&pcidevs_lock);
+}
+
 #ifdef SUPPORT_MSI_REMAPPING
 static void dump_pci_devices(unsigned char ch)
 {

diff --git a/xen/include/xen/pci.h b/xen/include/xen/pci.h
index 49eabbcd49253f85288dc229fb4781d5c66650cf..56355c79b9c52bbf9d2f4adf5f208fd22bf3f7e2 100644 (file)
--- a/xen/include/xen/pci.h
+++ b/xen/include/xen/pci.h
@@ -92,6 +92,8 @@ int pci_add_device_ext(u8 bus, u8 devfn, struct pci_dev_info *info);
 struct pci_dev *pci_get_pdev(int bus, int devfn);
 struct pci_dev *pci_get_pdev_by_domain(struct domain *d, int bus, int devfn);
 
+void disconnect_pci_devices(void);
+
 uint8_t pci_conf_read8(
     unsigned int bus, unsigned int dev, unsigned int func, unsigned int reg);
 uint16_t pci_conf_read16(