lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 27 Feb 2024 10:30:36 +0800
From: Ethan Zhao <haifeng.zhao@...ux.intel.com>
To: Bjorn Helgaas <helgaas@...nel.org>
Cc: Dan Carpenter <dan.carpenter@...aro.org>, baolu.lu@...ux.intel.com,
 bhelgaas@...gle.com, robin.murphy@....com, jgg@...pe.ca,
 kevin.tian@...el.com, dwmw2@...radead.org, will@...nel.org, lukas@...ner.de,
 yi.l.liu@...el.com, iommu@...ts.linux.dev, linux-kernel@...r.kernel.org,
 linux-pci@...r.kernel.org
Subject: Re: [PATCH v13 3/3] iommu/vt-d: improve ITE fault handling if target
 device isn't valid

On 2/27/2024 6:52 AM, Bjorn Helgaas wrote:
> On Fri, Feb 23, 2024 at 10:29:28AM +0800, Ethan Zhao wrote:
>> On 2/22/2024 7:24 PM, Dan Carpenter wrote:
>>> On Thu, Feb 22, 2024 at 04:02:51AM -0500, Ethan Zhao wrote:
>>>> Because surprise removal could happen anytime, e.g. user could request safe
>>>> removal to EP(endpoint device) via sysfs and brings its link down to do
>>>> surprise removal cocurrently. such aggressive cases would cause ATS
>>>> invalidation request issued to non-existence target device, then deadly
>>>> loop to retry that request after ITE fault triggered in interrupt context.
>>>> this patch aims to optimize the ITE handling by checking the target device
>>>> presence state to avoid retrying the timeout request blindly, thus avoid
>>>> hard lockup or system hang.
>>>>
>>>> Devices are valid ATS invalidation request target only when they reside
>>>> in the iommu->device_rbtree (probed, not released) and present.
>>> "valid invalidation" is awkward wording.  Can we instead say:
>> If you read them together, sounds like tongue twister. but here "ATS
>> invalidation request target" is one term in PCIe spec.
> "ATS invalidation request target" does not appear in the PCIe spec.  I
> think you're trying to avoid sending ATS Invalidate Requests when you
> know they will not be completed.

I meant "ATS Invalidation Request" here is one term in PCIe spec, 'valid'
is used to describe the word 'target'.

This patch isn't intended to work as the same logic as patch [2/3], this
aims to break the blindly dead loop not to retry the timeout request after
ITE fault happened.

>
> It is impossible to reliably determine whether a device will be
> present and able to complete an Invalidate Request.  No matter what
> you check to determine that a device is present *now*, it may be
> removed before an Invalidate Request reaches it.

Here we check to see if the ITE fault was caused by device is not present.
The opposite logic, not predict the future, but find the cause of the fault
already happened, if pci_device_is_present() tells us the device isn't
there, it is reliable I think.

>
> If an Invalidate Request to a non-existent device causes a "deadly
> loop" (I'm not sure what that means) or a hard lockup or a system

There is a dead loop here to blindly retry to timeout request if
ITE happened, we want to break that loop if the target device was
gone.

> hang, something is wrong with the hardware.  There should be a
> mechanism to recover from a timeout in that situation.
>
> You can avoid sending Invalidate Requests to devices that have been

That logic works for simple safe /surprise removal as described in
patch[2/3], no race there that case at all.

> removed, and that will reduce the number of timeout cases.  But if you
> rely on a check like pci_device_is_present() or
> pci_dev_is_disconnected(), there is *always* an unavoidable race

We are not relying on pci_device_is_present() here in this patch to close
the race window between aggressive surprise removal and ATS invalidation
Request, we are doing post-fault handling here.

Thanks,
Ethan

> between a device removal and the Invalidate Request.
>
>>>> @@ -1273,6 +1273,9 @@ static int qi_check_fault(struct intel_iommu *iommu, int index, int wait_index)
>>>>    {
>>>>    	u32 fault;
>>>>    	int head, tail;
>>>> +	u64 iqe_err, ite_sid;
>>>> +	struct device *dev = NULL;
>>>> +	struct pci_dev *pdev = NULL;
>>>>    	struct q_inval *qi = iommu->qi;
>>>>    	int shift = qi_shift(iommu);
>>>> @@ -1317,6 +1320,13 @@ static int qi_check_fault(struct intel_iommu *iommu, int index, int wait_index)
>>>>    		tail = readl(iommu->reg + DMAR_IQT_REG);
>>>>    		tail = ((tail >> shift) - 1 + QI_LENGTH) % QI_LENGTH;
>>>> +		/*
>>>> +		 * SID field is valid only when the ITE field is Set in FSTS_REG
>>>> +		 * see Intel VT-d spec r4.1, section 11.4.9.9
>>>> +		 */
>>>> +		iqe_err = dmar_readq(iommu->reg + DMAR_IQER_REG);
>>>> +		ite_sid = DMAR_IQER_REG_ITESID(iqe_err);
>>>> +
>>>>    		writel(DMA_FSTS_ITE, iommu->reg + DMAR_FSTS_REG);
>>>>    		pr_info("Invalidation Time-out Error (ITE) cleared\n");
>>>> @@ -1326,6 +1336,21 @@ static int qi_check_fault(struct intel_iommu *iommu, int index, int wait_index)
>>>>    			head = (head - 2 + QI_LENGTH) % QI_LENGTH;
>>>>    		} while (head != tail);
>>>> +		/*
>>>> +		 * If got ITE, we need to check if the sid of ITE is one of the
>>>> +		 * current valid ATS invalidation target devices, if no, or the
>>>> +		 * target device isn't presnet, don't try this request anymore.
>>>> +		 * 0 value of ite_sid means old VT-d device, no ite_sid value.
>>>> +		 */
>>> This comment is kind of confusing.
>> Really confusing ? this is typo there, resnet-> "present"
>>
>>> /*
>>>    * If we have an ITE, then we need to check whether the sid of the ITE
>>>    * is in the rbtree (meaning it is probed and not released), and that
>>>    * the PCI device is present.
>>>    */
>>>
>>> My comment is slightly shorter but I think it has the necessary
>>> information.
>>>
>>>> +		if (ite_sid) {
>>>> +			dev = device_rbtree_find(iommu, ite_sid);
>>>> +			if (!dev || !dev_is_pci(dev))
>>>> +				return -ETIMEDOUT;
>>> -ETIMEDOUT is weird.  The callers don't care which error code we return.
>>> Change this to -ENODEV or something
>> -ETIMEDOUT means prior ATS invalidation request hit timeout fault, and the
>> caller really cares about the returned value.
>>
>>>> +			pdev = to_pci_dev(dev);
>>>> +			if (!pci_device_is_present(pdev) &&
>>>> +				ite_sid == pci_dev_id(pci_physfn(pdev)))
>>> The && confused me, but then I realized that probably "ite_sid ==
>>> pci_dev_id(pci_physfn(pdev))" is always true.  Can we delete that part?
>> Here is the fault handling, just double confirm nothing else goes wrong --
>> beyond the assumption.
>>
>>> 		pdev = to_pci_dev(dev);
>>> 		if (!pci_device_is_present(pdev))
>>> 			return -ENODEV;
>>>
>>>
>>>> +				return -ETIMEDOUT;
>>> -ENODEV.
>> The ATS invalidation request could be sent from userland in later code,
>> the userland code will care about the returned value,  -ENODEV is one aspect
>> of the fact (target device not present), while -ETIMEDOUT is another
>> (timeout happened). we couldn't return them both.
>>
>>>> +		}
>>>>    		if (qi->desc_status[wait_index] == QI_ABORT)
>>>>    			return -EAGAIN;
>>>>    	}
>>> Sorry, again for nit picking a v13 patch.  I'm not a domain expert but
>>> this patchset seems reasonable to me.
>> Though this is the v13, it is based on new rbtree code, you are welcome.
>>
>> Thanks,
>> Ethan
>>
>>> regards,
>>> dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ