lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 21 Feb 2024 11:19:23 -0400
From: Jason Gunthorpe <jgg@...dia.com>
To: Yi Liu <yi.l.liu@...el.com>
Cc: joro@...tes.org, kevin.tian@...el.com, baolu.lu@...ux.intel.com,
	alex.williamson@...hat.com, robin.murphy@....com,
	eric.auger@...hat.com, nicolinc@...dia.com, kvm@...r.kernel.org,
	chao.p.peng@...ux.intel.com, yi.y.sun@...ux.intel.com,
	iommu@...ts.linux.dev, linux-kernel@...r.kernel.org,
	linux-kselftest@...r.kernel.org, zhenzhong.duan@...el.com,
	joao.m.martins@...cle.com
Subject: Re: [PATCH rc 3/8] iommu/vt-d: Add missing iotlb flush for parent
 domain

On Thu, Feb 08, 2024 at 12:23:02AM -0800, Yi Liu wrote:
> If a domain is used as the parent in nested translation its mappings might
> be cached using DID of the nested domain. But the existing code ignores
> this fact to only invalidate the iotlb entries tagged by the domain's own
> DID.

> Loop the s1_domains list, if any, to invalidate all iotlb entries related
> to the target s2 address range. According to VT-d spec there is no need for
> software to explicitly flush the affected s1 cache. It's implicitly done by
> HW when s2 cache is invalidated.

I had to look this up to understand what it means.. The HW caches
per-DID and if you invalidate the DID's S2 then the HW flushes the S1
as well within that DID only.

It doesn't mean that the S2 is globally shared across all the nesting
translations (like ARM does), and you still have to iterate over every
nesting DID.

In light of that this design seems to have gone a bit off..

A domain should have a list of places that need invalidation,
specifically a list of DIDs and ATCs that need an invalidation to be
issued.

Instead we now somehow have 4 different lists in the domain the
invalidation code iterates over?

So I would think this:

struct dmar_domain {
	struct xarray iommu_array;	/* Attached IOMMU array */
	struct list_head devices;	/* all devices' list */
	struct list_head dev_pasids;	/* all attached pasids */
	struct list_head s1_domains;

Would make sense to be collapsed into one logical list of attached
devices:

struct intel_iommu_domain_attachment {
   unsigned int did;
   ioasid_t pasid;
   struct device_domain_info *info;
   list_head item;
};

When you attach a S1/S2 nest you allocate two of the above structs and
one is linked on the S1 and one is linked on the S2..

Jason

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ