| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 3 May 2024 12:44:09 -0700
From: Tomasz Jeznach <tjeznach@...osinc.com>
To: Jason Gunthorpe <jgg@...pe.ca>
Cc: Joerg Roedel <joro@...tes.org>, Will Deacon <will@...nel.org>,
Robin Murphy <robin.murphy@....com>, Paul Walmsley <paul.walmsley@...ive.com>,
Palmer Dabbelt <palmer@...belt.com>, Albert Ou <aou@...s.berkeley.edu>,
Anup Patel <apatel@...tanamicro.com>, Sunil V L <sunilvl@...tanamicro.com>,
Nick Kossifidis <mick@....forth.gr>, Sebastien Boeuf <seb@...osinc.com>, Rob Herring <robh+dt@...nel.org>,
Krzysztof Kozlowski <krzk+dt@...nel.org>, Conor Dooley <conor+dt@...nel.org>, devicetree@...r.kernel.org,
iommu@...ts.linux.dev, linux-riscv@...ts.infradead.org,
linux-kernel@...r.kernel.org, linux@...osinc.com
Subject: Re: [PATCH v3 7/7] iommu/riscv: Paging domain support
On Fri, May 3, 2024 at 11:11 AM Jason Gunthorpe <jgg@...pe.ca> wrote:
>
> On Fri, May 03, 2024 at 10:44:14AM -0700, Tomasz Jeznach wrote:
> > > > + list_for_each_entry_rcu(bond, &domain->bonds, list) {
> > > > + if (bond->dev == dev) {
> > > > + list_del_rcu(&bond->list);
> > > > + found = bond;
> > > > + }
> > > > + }
> > > > + spin_unlock_irqrestore(&domain->lock, flags);
> > > > +
> > > > + /* Release and wait for all read-rcu critical sections have completed. */
> > > > + kfree_rcu(found, rcu);
> > > > + synchronize_rcu();
> > >
> > > Please no, synchronize_rcu() on a path like this is not so
> > > reasonable.. Also you don't need kfree_rcu() if you write it like this.
> > >
> > > This still looks better to do what I said before, put the iommu not
> > > the dev in the bond struct.
> > >
> > >
> >
> > I was trying not to duplicate data in bond struct and use whatever is
> > available to be referenced from dev pointer (eg iommu / ids / private
> > iommu dev data).
>
> I'm not sure that is a valuable goal considering the RCU
> complexity.. But I suppose it would be a bit of a hassle to replicate
> the ids list into bond structurs. Maybe something to do when you get
> to ATS since you'll probably want to replicate the ATS RIDs. (see what
> Intel did, which I think is pretty good)
>
> > If I'm reading core iommu code correctly, device pointer and iommu
> > pointers should be valid between _probe_device and _release_device
> > calls. I've moved synchronize_rcu out of the domain attach path to
> > _release_device, LMK if that would be ok for now. I'll have a
> > second another to rework other patches to avoid storing dev pointers
> > at all.
>
> Yes, that seems better.. I'm happier to see device hot-unplug be slow
> than un attach
>
> There is another issue with the RCU that I haven't wrapped my head
> around..
>
> Technically we can have concurrent map/unmap/invalidation along side
> device attach/detach. Does the invalidation under RCU work correctly?
>
> For detach I think yes:
>
> Inv CPU Detach CPU
>
> write io_pte Update device descriptor
> rcu_read_lock
> list_for_each
> <make invalidation command> <make description inv cmd>
> dma_wmb() dma_wmb()
> <doorbell> <cmd doorbell>
> rcu_read_unlock
> list_del_rcu()
> <wipe ASID>
>
> In this case I think we never miss an invalidation, the list_del is
> always after the HW has been fully fenced, so I don't think we can
> have any issue. Maybe a suprious invalidation if the ASID gets
> re-used, but who cares.
>
> Attach is different..
>
> Inv CPU Attach CPU
>
> write io_pte
> rcu_read_lock
> list_for_each // empty
> list_add_rcu()
> Update device descriptor
> <make description inv cmd>
> dma_wmb()
> <cmd doorbell>
> rcu_read_unlock
>
> As above shows we can "miss" an invalidation. The issue is narrow, the
> io_pte could still be sitting in write buffers in "Inv CPU" and not
> yet globally visiable. "Attach CPU" could get the device descriptor
> installed in the IOMMU and the IOMMU could walk an io_pte that is in
> the old state. Effectively this is because there is no release/acquire
> barrier passing the io_pte store from the Inv CPU to the Attach CPU to the
> IOMMU.
>
> It seems like it should be solvable somehow:
> 1) Inv CPU releases all the io ptes
> 2) Attach CPU acquires the io ptes before updating the DDT
> 3) Inv CPU acquires the RCU list in such a way that either attach
> CPU will acquire the io_pte or inv CPU will acquire the RCU list.
> 4) Either invalidation works or we release the new iopte to the SMMU
> and don't need it.
>
> But #3 is a really weird statement. smb_mb() on both sides may do the
> job??
>
Actual attach sequence is slightly different.
Inv CPU Attach CPU
write io_pte
rcu_read_lock
list_for_each // empty
list_add_rcu()
IOTLB.INVAL(PSCID)
<make description inv cmd>
dma_wmb()
<cmd doorbell>
rcu_read_unlock
I've tried to cover this case with riscv_iommu_iotlb_inval() called
before the attached domain is visible to the device. This is something
to optimize to avoid invalidating the whole PSCID if the domain was
already attached to the same IOMMU, but I'd leave it for a separate
patch series.
> > > The number of radix levels is a tunable alot of iommus have that we
> > > haven't really exposed to anything else yet.
> >
> > Makes sense. I've left an option to pick mode from MMU for cases where
> > dev/iommu is not known at allocation time (with iommu_domain_alloc()).
> > I'd guess it's reasonable to assume IOMMU supported page modes will
> > match MMU.
>
> Reasonable, but for this case you'd be best to have a global static
> that unifies the capability of all the iommu instances. Then you can
> pick the right thing from the installed iommus, and arguably, that is
> the right thing to do in all cases as we'd slightly prefer domains
> that work everywhere in that edge case.
>
That is a viable option. If you're ok I'll address this as a separate patch.
I've been trying to avoid adding more global variables, but it might
not be avoidable.
> Jason
Best,
- Tomasz
Powered by blists - more mailing lists