Message-ID: <cover.1756682135.git.nicolinc@nvidia.com>
Date: Sun, 31 Aug 2025 16:31:52 -0700
From: Nicolin Chen <nicolinc@...dia.com>
To: <joro@...tes.org>, <jgg@...dia.com>, <bhelgaas@...gle.com>
CC: <suravee.suthikulpanit@....com>, <will@...nel.org>,
<robin.murphy@....com>, <sven@...nel.org>, <j@...nau.net>,
<alyssa@...enzweig.io>, <neal@...pa.dev>, <robin.clark@....qualcomm.com>,
<m.szyprowski@...sung.com>, <krzk@...nel.org>, <alim.akhtar@...sung.com>,
<dwmw2@...radead.org>, <baolu.lu@...ux.intel.com>, <kevin.tian@...el.com>,
<yong.wu@...iatek.com>, <matthias.bgg@...il.com>,
<angelogioacchino.delregno@...labora.com>, <tjeznach@...osinc.com>,
<paul.walmsley@...ive.com>, <palmer@...belt.com>, <aou@...s.berkeley.edu>,
<alex@...ti.fr>, <heiko@...ech.de>, <schnelle@...ux.ibm.com>,
<mjrosato@...ux.ibm.com>, <gerald.schaefer@...ux.ibm.com>,
<orsonzhai@...il.com>, <baolin.wang@...ux.alibaba.com>,
<zhang.lyra@...il.com>, <wens@...e.org>, <jernej.skrabec@...il.com>,
<samuel@...lland.org>, <jean-philippe@...aro.org>, <rafael@...nel.org>,
<lenb@...nel.org>, <yi.l.liu@...el.com>, <cwabbott0@...il.com>,
<quic_pbrahma@...cinc.com>, <iommu@...ts.linux.dev>,
<linux-kernel@...r.kernel.org>, <asahi@...ts.linux.dev>,
<linux-arm-kernel@...ts.infradead.org>, <linux-arm-msm@...r.kernel.org>,
<linux-samsung-soc@...r.kernel.org>, <linux-mediatek@...ts.infradead.org>,
<linux-riscv@...ts.infradead.org>, <linux-rockchip@...ts.infradead.org>,
<linux-s390@...r.kernel.org>, <linux-sunxi@...ts.linux.dev>,
<linux-tegra@...r.kernel.org>, <virtualization@...ts.linux.dev>,
<linux-acpi@...r.kernel.org>, <linux-pci@...r.kernel.org>,
<patches@...ts.linux.dev>, <vsethi@...dia.com>, <helgaas@...nel.org>,
<etzhao1900@...il.com>
Subject: [PATCH v4 0/7] Disable ATS via iommu during PCI resets

Hi all,

PCIe permits a device to ignore ATS invalidation TLPs while processing a
reset. This creates a problem visible to the OS where an ATS invalidation
command will time out: e.g. an SVA domain will have no coordination with a
reset event and can racily issue ATS invalidations to a resetting device.

The OS should do something to mitigate this as we do not want production
systems to be reporting critical ATS failures, especially in a hypervisor
environment. Broadly, the OS could arrange to ignore the timeouts, block page
table mutations to prevent invalidations, or disable and block ATS.

The PCIe spec in sec 10.3.1 IMPLEMENTATION NOTE recommends disabling and
blocking ATS before initiating a Function Level Reset. It also mentions that
other reset methods could have the same vulnerability as well.

Provide a callback from the PCI subsystem that will enclose the reset and
have the iommu core temporarily change domains to group->blocking_domain,
so IOMMU drivers would fence any incoming ATS queries, synchronously stop
issuing new ATS invalidations, and wait for existing ATS invalidations to
complete. Doing this can avoid any ATS invalidation timeouts.

When a device is resetting, any new domain attachment has to be rejected,
until the reset is finished, to prevent ATS activity from being activated
between the two callback functions. Introduce a new pending_reset flag to
reject a concurrent __iommu_attach_device/set_group_pasid().

Finally, apply these iommu_dev_reset_prepare/done() functions in the PCI
reset functions.

Note that this series doesn't work well for a resetting alias device or a
SRIOV PF, so skip these two corner cases. There is nothing we can do for
alias devices since they share the same RID. For SRIOV PF, its VFs would
need to be blocked as well, and new dryrun attach_dev/set_group_pasid ops
will be required to allow a compatible domain to be cached concurrently.

Some future followups after this series:
- A pair of dryrun testing ops for attach_dev/set_dev_pasid to make sure
  no incompatible attempt will be given to attach_dev/set_dev_pasid().
- Stage all VFs to the blocked domain as well, if their PF is resetting.
- Clean up all unlocked iommu_get_domain_for_dev() calls for UAF concern.
  Replace with safer alternative APIs.

This is on Github:
https://github.com/nicolinc/iommufd/commits/iommu_dev_reset-v4

Changelog
v4
 * Add Reviewed-by from Baolu
 * [iommu] Use guard(mutex)
 * [iommu] Update kdocs for typos and revisings
 * [iommu] Skip two corner cases (alias and SRIOV)
 * [iommu] Rework attach_dev to pass in old domain pointer
 * [iommu] Reject concurrent attach_dev/set_dev_pasid for compatibility
           concern
 * [smmuv3] Drop the old_domain dependency in its release_dev callback
 * [pci] Add pci_reset_iommu_prepare/_done() wrappers checking ATS cap
v3
 https://lore.kernel.org/all/cover.1754952762.git.nicolinc@nvidia.com/
 * Add Reviewed-by from Jason
 * [iommu] Add a fast return in iommu_deferred_attach()
 * [iommu] Update kdocs, inline comments, and commit logs
 * [iommu] Use group->blocking_domain v.s. ops->blocked_domain
 * [iommu] Drop require_direct, iommu_group_get(), and xa_lock()
 * [iommu] Set the pending_reset flag after RID/PASID domain setups
 * [iommu] Do not bypass PASID domains when RID domain is already the
           blocking_domain
 * [iommu] Add iommu_get_domain_for_dev_locked to correctly return the
           blocking_domain
v2
 https://lore.kernel.org/all/cover.1751096303.git.nicolinc@nvidia.com/
 * [iommu] Update kdocs, inline comments, and commit logs
 * [iommu] Replace long-holding group->mutex with a pending_reset flag
 * [pci] Abort reset routines if iommu_dev_reset_prepare() fails
 * [pci] Apply the same vulnerability fix to other reset functions
v1
 https://lore.kernel.org/all/cover.1749494161.git.nicolinc@nvidia.com/

Thanks
Nicolin

Nicolin Chen (7):
  iommu/arm-smmu-v3: Add release_domain to attach prior to release_dev()
  iommu: Lock group->mutex in iommu_deferred_attach()
  iommu: Pass in gdev to __iommu_device_set_domain
  iommu: Pass in old domain to attach_dev callback functions
  iommu: Add iommu_get_domain_for_dev_locked() helper
  iommu: Introduce iommu_dev_reset_prepare() and iommu_dev_reset_done()
  pci: Suspend iommu function prior to resetting a device

drivers/pci/pci.h | 2 +
include/linux/iommu.h | 16 +-
drivers/iommu/amd/iommu.c | 11 +-
drivers/iommu/apple-dart.c | 9 +-
.../arm/arm-smmu-v3/arm-smmu-v3-iommufd.c | 5 +-
drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 66 +++--
drivers/iommu/arm/arm-smmu/arm-smmu.c | 9 +-
drivers/iommu/arm/arm-smmu/qcom_iommu.c | 11 +-
drivers/iommu/dma-iommu.c | 2 +-
drivers/iommu/exynos-iommu.c | 6 +-
drivers/iommu/fsl_pamu_domain.c | 12 +-
drivers/iommu/intel/iommu.c | 10 +-
drivers/iommu/intel/nested.c | 2 +-
drivers/iommu/iommu.c | 256 +++++++++++++++++-
drivers/iommu/iommufd/selftest.c | 2 +-
drivers/iommu/ipmmu-vmsa.c | 10 +-
drivers/iommu/msm_iommu.c | 8 +-
drivers/iommu/mtk_iommu.c | 8 +-
drivers/iommu/mtk_iommu_v1.c | 7 +-
drivers/iommu/omap-iommu.c | 12 +-
drivers/iommu/riscv/iommu.c | 9 +-
drivers/iommu/rockchip-iommu.c | 20 +-
drivers/iommu/s390-iommu.c | 9 +-
drivers/iommu/sprd-iommu.c | 3 +-
drivers/iommu/sun50i-iommu.c | 8 +-
drivers/iommu/tegra-smmu.c | 10 +-
drivers/iommu/virtio-iommu.c | 6 +-
drivers/pci/pci-acpi.c | 12 +-
drivers/pci/pci.c | 68 ++++-
drivers/pci/quirks.c | 18 +-
30 files changed, 509 insertions(+), 118 deletions(-)
--
2.43.0
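
The reset fencing described in the cover letter above, as a userspace C model added here for illustration; it is not code from the series. All `model_*` names, the struct layouts, the `dev_in_reset` field, and the `-EBUSY`/`-ETIMEDOUT` return values are assumptions, and locking (group->mutex in the letter) is left out.

```c
#include <errno.h>
#include <stdbool.h>

/* Userspace model only: names are hypothetical and the error codes are
 * assumed. The kernel would serialize all of this under group->mutex. */
struct domain { bool ats_enabled; };

struct group {
    struct domain *domain;          /* domain currently attached */
    struct domain *blocking_domain; /* no translation, no ATS */
    struct domain *saved;           /* restored by model_reset_done() */
    bool pending_reset;             /* rejects attach during the reset */
    bool dev_in_reset;              /* device may ignore invalidations */
};

/* Before the reset: park on the blocking domain, then set the flag. */
int model_reset_prepare(struct group *g)
{
    if (g->pending_reset)
        return -EBUSY;              /* modelling choice: one reset at a time */
    g->saved = g->domain;
    g->domain = g->blocking_domain;
    g->pending_reset = true;
    return 0;
}

/* After the reset: restore the saved domain and reopen attachment. */
void model_reset_done(struct group *g)
{
    if (!g->pending_reset)
        return;
    g->domain = g->saved;
    g->pending_reset = false;
}

/* A concurrent attach must not re-enable ATS between prepare and done. */
int model_attach(struct group *g, struct domain *d)
{
    if (g->pending_reset)
        return -EBUSY;
    g->domain = d;
    return 0;
}

/* Page-table change: an ATS invalidation is sent only if ATS is enabled. */
int model_invalidate(const struct group *g)
{
    if (!g->domain->ats_enabled)
        return 0;                   /* fenced: nothing is sent to the device */
    return g->dev_in_reset ? -ETIMEDOUT : 0;
}
```
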