lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <47d4bfd6-1d76-4bb8-a33c-c9c99b86656b@arm.com>
Date: Tue, 16 Apr 2024 12:25:52 +0100
From: Robin Murphy <robin.murphy@....com>
To: Jason Gunthorpe <jgg@...pe.ca>, Vasant Hegde <vasant.hegde@....com>
Cc: Eric Wagner <ewagner12@...il.com>, Joerg Roedel <joro@...tes.org>,
 Will Deacon <will@...nel.org>,
 Suravee Suthikulpanit <suravee.suthikulpanit@....com>,
 iommu@...ts.linux.dev, linux-kernel@...r.kernel.org
Subject: Re: Kernel 6.7 regression doesn't boot if using AMD eGPU

On 2024-04-16 1:39 am, Jason Gunthorpe wrote:
> On Mon, Apr 15, 2024 at 10:44:34PM +0100, Robin Murphy wrote:
>> On 2024-04-15 7:57 pm, Eric Wagner wrote:
>>> Apologies if I made a mistake in the first bisect, I'm new to kernel
>>> debugging.
>>>
>>> I tested cedc811c76778bdef91d405717acee0de54d8db5 (x86/amd) and
>>> 3613047280ec42a4e1350fdc1a6dd161ff4008cc (core) directly and both were good.
>>> Then I ran git bisect again with e8cca466a84a75f8ff2a7a31173c99ee6d1c59d2
>>> as the bad and 6e6c6d6bc6c96c2477ddfea24a121eb5ee12b7a3 as the good and the
>>> bisect log is attached. It ended up at the same commit as before.
>>>
>>> I've also attached a picture of the boot screen that occurs when it hangs.
>>> 0000:05:00.0 is the PCIe bus address of the RX 580 eGPU that's causing the
>>> problem.
>>
>> Looks like 59ddce4418da483 probably broke things most - prior to that, the
>> fact that it's behind a Thunderbolt port would have always taken precedence
>> and forced IOMMU_DOMAIN_DMA regardless of what the driver may have wanted to
>> saywhereas now we ask the driver first, then complain that it conflicts
>> with the untrusted status and ultimately don't configure the IOMMU
>> at all.
> 
> Yes, if the driver wants to force a domain type it should be
> forced. Driver knows best. Eg AMD forces IDENTITY when the HW/driver
> is incapable of supporting otherwise.

No, in the case of AMD it only forces identity if it thinks the device 
might want to use PASIDs (because of the architectural limitation that 
the RID always operates in GPA space so can't have its own independent 
translation).

Either way, though, there's really little sense to that argument - if 
enforcing strict translation *might* compromise the device's 
functionality, we should instead go out of our way to ensure it's 
definitely as broken as possible? I fail to see how that can be 
justified as useful or desirable behaviour.

>> Meanwhile the GPU driver presumably goes on to believe it's using dma-direct
>> with no IOMMU present, resulting in fireworks when its traffic reaches the
>> IOMMU. Great :(
> 
> I wonder where is the missing error handling.. iommu probe failure
> should not go on to allow driver attach, there is no guarentee any DMA
> works now that many iommus are booting up in BLOCKED.

What do you mean error handling? After you spent a year rewriting the 
probing code to your own grand design, don't suggest you don't even know 
how it fundamentally works...

"Failing" iommu_probe_device is merely how we tell ourselves that we're 
not interested in a device, and consequently tell the rest of the kernel 
it doesn't have an IOMMU (via device_iommu_mapped() returning false). 
This is normal and expected for devices which legitimately have no IOMMU 
in the first place; conversely we don't do a great deal for unexpected 
failures since those typically represent system-fatal conditions 
whatever we might try to do. We've never had much of a notion of 
expected failures when an IOMMU *is* present, but even then, denying any 
trace of the IOMMU and removing ourselves from the picture is clearly 
not the ideal way to approach that. We're running off a bus notifier (or 
even later), so ultimately our return value is meaningless; at that 
point the device already exists and has been added to its bus, we can't 
undo that.

However it looks to be even more fun if failure occurs in *deferred* 
default domain creation via bus_iommu_probe(), since then we give up and 
dismiss the entire IOMMU. Except the x86 drivers ignore the return from 
iommu_device_register(), so further hilarity ensues...

I think I've now satisfied myself that a simple fix for the core code is 
appropriate and will write that up now; one other thing I couldn't quite 
figure out is whether the AMD driver somehow prevents PASIDs being used 
while the group is attached to a non-identity (and non-nested) domain - 
that's probably one for Vasant to confirm.

Thanks,
Robin.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ