Re: [PATCH v2 03/13] powerpc/spapr: vfio: Implement spapr_tce_iommu_ops

From: Alexey Kardashevskiy
Date: Thu Sep 25 2014 - 01:20:15 EST


On 09/24/2014 06:42 AM, Alex Williamson wrote:
> On Tue, 2014-09-23 at 13:00 +1000, Alexey Kardashevskiy wrote:
>> Modern IBM POWERPC systems support multiple IOMMU tables per PE
>> so we need a more reliable way (compared to container_of()) to get
>> a PE pointer from the iommu_table struct pointer used in IOMMU functions.
>>
>> At the moment IOMMU group data points to an iommu_table struct. This
>> introduces a spapr_tce_iommu_group struct which keeps an iommu_owner
>> and a spapr_tce_iommu_ops struct. For IODA, iommu_owner is a pointer to
>> the pnv_ioda_pe struct, for others it is still a pointer to
>> the iommu_table struct. The ops structs correspond to the type which
>> iommu_owner points to.
>>
>> This defines a get_table() callback which returns an iommu_table
>> by its number.
>>
>> As the IOMMU group data pointer points to variable type instead of
>> iommu_table, VFIO SPAPR TCE driver is updated to use the new type.
>> This changes the tce_container struct to store iommu_group instead of
>> iommu_table.
>>
>> So, it was:
>> - iommu_table points to iommu_group via iommu_table::it_group;
>> - iommu_group points to iommu_table via iommu_group_get_iommudata();
>>
>> now it is:
>> - iommu_table points to iommu_group via iommu_table::it_group;
>> - iommu_group points to spapr_tce_iommu_group via
>> iommu_group_get_iommudata();
>> - spapr_tce_iommu_group points to either (depending on .get_table()):
>> - iommu_table;
>> - pnv_ioda_pe;
>>
>> This uses pnv_ioda1_iommu_get_table for both IODA1&2 but IODA2 will
>> have own pnv_ioda2_iommu_get_table soon and pnv_ioda1_iommu_get_table
>> will only be used for IODA1.
>>
>> Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
>> ---
>> arch/powerpc/include/asm/iommu.h | 6 ++
>> arch/powerpc/include/asm/tce.h | 13 +++
>> arch/powerpc/kernel/iommu.c | 35 ++++++-
>> arch/powerpc/platforms/powernv/pci-ioda.c | 31 +++++-
>> arch/powerpc/platforms/powernv/pci-p5ioc2.c | 1 +
>> arch/powerpc/platforms/powernv/pci.c | 2 +-
>> arch/powerpc/platforms/pseries/iommu.c | 10 +-
>> drivers/vfio/vfio_iommu_spapr_tce.c | 148 ++++++++++++++++++++++------
>> 8 files changed, 208 insertions(+), 38 deletions(-)
>>
>> diff --git a/arch/powerpc/include/asm/iommu.h b/arch/powerpc/include/asm/iommu.h
>> index 42632c7..84ee339 100644
>> --- a/arch/powerpc/include/asm/iommu.h
>> +++ b/arch/powerpc/include/asm/iommu.h
>> @@ -108,13 +108,19 @@ extern void iommu_free_table(struct iommu_table *tbl, const char *node_name);
>> */
>> extern struct iommu_table *iommu_init_table(struct iommu_table * tbl,
>> int nid);
>> +
>> +struct spapr_tce_iommu_ops;
>> #ifdef CONFIG_IOMMU_API
>> extern void iommu_register_group(struct iommu_table *tbl,
>> + void *iommu_owner,
>> + struct spapr_tce_iommu_ops *ops,
>> int pci_domain_number, unsigned long pe_num);
>> extern int iommu_add_device(struct device *dev);
>> extern void iommu_del_device(struct device *dev);
>> #else
>> static inline void iommu_register_group(struct iommu_table *tbl,
>> + void *iommu_owner,
>> + struct spapr_tce_iommu_ops *ops,
>> int pci_domain_number,
>> unsigned long pe_num)
>> {
>> diff --git a/arch/powerpc/include/asm/tce.h b/arch/powerpc/include/asm/tce.h
>> index 743f36b..9f159eb 100644
>> --- a/arch/powerpc/include/asm/tce.h
>> +++ b/arch/powerpc/include/asm/tce.h
>> @@ -50,5 +50,18 @@
>> #define TCE_PCI_READ 0x1 /* read from PCI allowed */
>> #define TCE_VB_WRITE 0x1 /* write from VB allowed */
>>
>> +struct spapr_tce_iommu_group;
>> +
>> +struct spapr_tce_iommu_ops {
>> + struct iommu_table *(*get_table)(
>> + struct spapr_tce_iommu_group *data,
>> + int num);
>> +};
>> +
>> +struct spapr_tce_iommu_group {
>> + void *iommu_owner;
>> + struct spapr_tce_iommu_ops *ops;
>> +};
>> +
>> #endif /* __KERNEL__ */
>> #endif /* _ASM_POWERPC_TCE_H */
>> diff --git a/arch/powerpc/kernel/iommu.c b/arch/powerpc/kernel/iommu.c
>> index b378f78..1c5dae7 100644
>> --- a/arch/powerpc/kernel/iommu.c
>> +++ b/arch/powerpc/kernel/iommu.c
>> @@ -878,24 +878,53 @@ void iommu_free_coherent(struct iommu_table *tbl, size_t size,
>> */
>> static void group_release(void *iommu_data)
>> {
>> - struct iommu_table *tbl = iommu_data;
>> - tbl->it_group = NULL;
>> + kfree(iommu_data);
>> }
>>
>> +static struct iommu_table *spapr_tce_default_get_table(
>> + struct spapr_tce_iommu_group *data, int num)
>> +{
>> + struct iommu_table *tbl = data->iommu_owner;
>> +
>> + switch (num) {
>> + case 0:
>> + if (tbl->it_size)
>> + return tbl;
>> + /* fallthru */
>> + default:
>> + return NULL;
>> + }
>> +}
>> +
>> +static struct spapr_tce_iommu_ops spapr_tce_default_ops = {
>> + .get_table = spapr_tce_default_get_table
>> +};
>> +
>> void iommu_register_group(struct iommu_table *tbl,
>> + void *iommu_owner, struct spapr_tce_iommu_ops *ops,
>> int pci_domain_number, unsigned long pe_num)
>> {
>> struct iommu_group *grp;
>> char *name;
>> + struct spapr_tce_iommu_group *data;
>> +
>> + data = kzalloc(sizeof(*data), GFP_KERNEL);
>> + if (!data)
>> + return;
>> +
>> + data->iommu_owner = iommu_owner ? iommu_owner : tbl;
>> + data->ops = ops ? ops : &spapr_tce_default_ops;
>>
>> grp = iommu_group_alloc();
>> if (IS_ERR(grp)) {
>> pr_warn("powerpc iommu api: cannot create new group, err=%ld\n",
>> PTR_ERR(grp));
>> + kfree(data);
>> return;
>> }
>> +
>> tbl->it_group = grp;
>> - iommu_group_set_iommudata(grp, tbl, group_release);
>> + iommu_group_set_iommudata(grp, data, group_release);
>> name = kasprintf(GFP_KERNEL, "domain%d-pe%lx",
>> pci_domain_number, pe_num);
>> if (!name)
>> diff --git a/arch/powerpc/platforms/powernv/pci-ioda.c b/arch/powerpc/platforms/powernv/pci-ioda.c
>> index 136e765..2d32a1c 100644
>> --- a/arch/powerpc/platforms/powernv/pci-ioda.c
>> +++ b/arch/powerpc/platforms/powernv/pci-ioda.c
>> @@ -23,6 +23,7 @@
>> #include <linux/io.h>
>> #include <linux/msi.h>
>> #include <linux/memblock.h>
>> +#include <linux/iommu.h>
>>
>> #include <asm/sections.h>
>> #include <asm/io.h>
>> @@ -988,6 +989,26 @@ static void pnv_pci_ioda2_tce_invalidate(struct pnv_ioda_pe *pe,
>> }
>> }
>>
>> +static struct iommu_table *pnv_ioda1_iommu_get_table(
>> + struct spapr_tce_iommu_group *data,
>> + int num)
>> +{
>> + struct pnv_ioda_pe *pe = data->iommu_owner;
>> +
>> + switch (num) {
>> + case 0:
>> + if (pe->tce32.table.it_size)
>> + return &pe->tce32.table;
>> + /* fallthru */
>> + default:
>> + return NULL;
>> + }
>> +}
>> +
>> +static struct spapr_tce_iommu_ops pnv_pci_ioda1_ops = {
>> + .get_table = pnv_ioda1_iommu_get_table,
>> +};
>> +
>> static void pnv_pci_ioda_setup_dma_pe(struct pnv_phb *phb,
>> struct pnv_ioda_pe *pe, unsigned int base,
>> unsigned int segs)
>> @@ -1067,7 +1088,8 @@ static void pnv_pci_ioda_setup_dma_pe(struct pnv_phb *phb,
>> TCE_PCI_SWINV_PAIR);
>> }
>> iommu_init_table(tbl, phb->hose->node);
>> - iommu_register_group(tbl, phb->hose->global_number, pe->pe_number);
>> + iommu_register_group(tbl, pe, &pnv_pci_ioda1_ops,
>> + phb->hose->global_number, pe->pe_number);
>>
>> if (pe->pdev)
>> set_iommu_table_base_and_group(&pe->pdev->dev, tbl);
>> @@ -1137,6 +1159,10 @@ static void pnv_pci_ioda2_setup_bypass_pe(struct pnv_phb *phb,
>> pnv_pci_ioda2_set_bypass(&pe->tce32.table, true);
>> }
>>
>> +static struct spapr_tce_iommu_ops pnv_pci_ioda2_ops = {
>> + .get_table = pnv_ioda1_iommu_get_table,
>> +};
>> +
>> static void pnv_pci_ioda2_setup_dma_pe(struct pnv_phb *phb,
>> struct pnv_ioda_pe *pe)
>> {
>> @@ -1202,7 +1228,8 @@ static void pnv_pci_ioda2_setup_dma_pe(struct pnv_phb *phb,
>> tbl->it_type |= (TCE_PCI_SWINV_CREATE | TCE_PCI_SWINV_FREE);
>> }
>> iommu_init_table(tbl, phb->hose->node);
>> - iommu_register_group(tbl, phb->hose->global_number, pe->pe_number);
>> + iommu_register_group(tbl, pe, &pnv_pci_ioda2_ops,
>> + phb->hose->global_number, pe->pe_number);
>>
>> if (pe->pdev)
>> set_iommu_table_base_and_group(&pe->pdev->dev, tbl);
>> diff --git a/arch/powerpc/platforms/powernv/pci-p5ioc2.c b/arch/powerpc/platforms/powernv/pci-p5ioc2.c
>> index 94ce348..b79066d 100644
>> --- a/arch/powerpc/platforms/powernv/pci-p5ioc2.c
>> +++ b/arch/powerpc/platforms/powernv/pci-p5ioc2.c
>> @@ -89,6 +89,7 @@ static void pnv_pci_p5ioc2_dma_dev_setup(struct pnv_phb *phb,
>> if (phb->p5ioc2.iommu_table.it_map == NULL) {
>> iommu_init_table(&phb->p5ioc2.iommu_table, phb->hose->node);
>> iommu_register_group(&phb->p5ioc2.iommu_table,
>> + NULL, NULL,
>> pci_domain_nr(phb->hose->bus), phb->opal_id);
>> }
>>
>> diff --git a/arch/powerpc/platforms/powernv/pci.c b/arch/powerpc/platforms/powernv/pci.c
>> index 97895d4..6ffac79 100644
>> --- a/arch/powerpc/platforms/powernv/pci.c
>> +++ b/arch/powerpc/platforms/powernv/pci.c
>> @@ -723,7 +723,7 @@ static struct iommu_table *pnv_pci_setup_bml_iommu(struct pci_controller *hose)
>> pnv_pci_setup_iommu_table(tbl, __va(be64_to_cpup(basep)),
>> be32_to_cpup(sizep), 0, IOMMU_PAGE_SHIFT_4K);
>> iommu_init_table(tbl, hose->node);
>> - iommu_register_group(tbl, pci_domain_nr(hose->bus), 0);
>> + iommu_register_group(tbl, NULL, NULL, pci_domain_nr(hose->bus), 0);
>>
>> /* Deal with SW invalidated TCEs when needed (BML way) */
>> swinvp = of_get_property(hose->dn, "linux,tce-sw-invalidate-info",
>> diff --git a/arch/powerpc/platforms/pseries/iommu.c b/arch/powerpc/platforms/pseries/iommu.c
>> index 4642d6a..b95f8cf 100644
>> --- a/arch/powerpc/platforms/pseries/iommu.c
>> +++ b/arch/powerpc/platforms/pseries/iommu.c
>> @@ -616,7 +616,7 @@ static void pci_dma_bus_setup_pSeries(struct pci_bus *bus)
>>
>> iommu_table_setparms(pci->phb, dn, tbl);
>> pci->iommu_table = iommu_init_table(tbl, pci->phb->node);
>> - iommu_register_group(tbl, pci_domain_nr(bus), 0);
>> + iommu_register_group(tbl, NULL, NULL, pci_domain_nr(bus), 0);
>>
>> /* Divide the rest (1.75GB) among the children */
>> pci->phb->dma_window_size = 0x80000000ul;
>> @@ -661,7 +661,7 @@ static void pci_dma_bus_setup_pSeriesLP(struct pci_bus *bus)
>> ppci->phb->node);
>> iommu_table_setparms_lpar(ppci->phb, pdn, tbl, dma_window);
>> ppci->iommu_table = iommu_init_table(tbl, ppci->phb->node);
>> - iommu_register_group(tbl, pci_domain_nr(bus), 0);
>> + iommu_register_group(tbl, NULL, NULL, pci_domain_nr(bus), 0);
>> pr_debug(" created table: %p\n", ppci->iommu_table);
>> }
>> }
>> @@ -688,7 +688,8 @@ static void pci_dma_dev_setup_pSeries(struct pci_dev *dev)
>> phb->node);
>> iommu_table_setparms(phb, dn, tbl);
>> PCI_DN(dn)->iommu_table = iommu_init_table(tbl, phb->node);
>> - iommu_register_group(tbl, pci_domain_nr(phb->bus), 0);
>> + iommu_register_group(tbl, NULL, NULL,
>> + pci_domain_nr(phb->bus), 0);
>> set_iommu_table_base_and_group(&dev->dev,
>> PCI_DN(dn)->iommu_table);
>> return;
>> @@ -1105,7 +1106,8 @@ static void pci_dma_dev_setup_pSeriesLP(struct pci_dev *dev)
>> pci->phb->node);
>> iommu_table_setparms_lpar(pci->phb, pdn, tbl, dma_window);
>> pci->iommu_table = iommu_init_table(tbl, pci->phb->node);
>> - iommu_register_group(tbl, pci_domain_nr(pci->phb->bus), 0);
>> + iommu_register_group(tbl, NULL, NULL,
>> + pci_domain_nr(pci->phb->bus), 0);
>> pr_debug(" created table: %p\n", pci->iommu_table);
>> } else {
>> pr_debug(" found DMA window, table: %p\n", pci->iommu_table);
>> diff --git a/drivers/vfio/vfio_iommu_spapr_tce.c b/drivers/vfio/vfio_iommu_spapr_tce.c
>> index 730b4ef..a8adfbd 100644
>> --- a/drivers/vfio/vfio_iommu_spapr_tce.c
>> +++ b/drivers/vfio/vfio_iommu_spapr_tce.c
>> @@ -43,17 +43,51 @@ static void tce_iommu_detach_group(void *iommu_data,
>> */
>> struct tce_container {
>> struct mutex lock;
>> - struct iommu_table *tbl;
>> + struct iommu_group *grp;
>> + long windows_num;
>> bool enabled;
>> };
>>
>> +static struct iommu_table *spapr_tce_find_table(
>> + struct tce_container *container,
>> + struct spapr_tce_iommu_group *data,
>> + phys_addr_t ioba)
>> +{
>> + long i;
>> + struct iommu_table *ret = NULL;
>> +
>> + mutex_lock(&container->lock);
>> + for (i = 0; i < container->windows_num; ++i) {
>> + struct iommu_table *tbl = data->ops->get_table(data, i);
>> +
>> + if (tbl) {
>> + unsigned long entry = ioba >> tbl->it_page_shift;
>> + unsigned long start = tbl->it_offset;
>> + unsigned long end = start + tbl->it_size;
>> +
>> + if ((start <= entry) && (entry < end)) {
>> + ret = tbl;
>> + break;
>> + }
>> + }
>> + }
>> + mutex_unlock(&container->lock);
>> +
>> + return ret;
>> +}
>> +
>> static int tce_iommu_enable(struct tce_container *container)
>> {
>> int ret = 0;
>> unsigned long locked, lock_limit, npages;
>> - struct iommu_table *tbl = container->tbl;
>> + struct iommu_table *tbl;
>> + struct spapr_tce_iommu_group *data;
>>
>> - if (!container->tbl)
>> + if (!container->grp)
>> + return -ENXIO;
>> +
>> + data = iommu_group_get_iommudata(container->grp);
>> + if (!data || !data->iommu_owner || !data->ops->get_table)
>> return -ENXIO;
>>
>> if (!current->mm)
>> @@ -80,6 +114,10 @@ static int tce_iommu_enable(struct tce_container *container)
>> * that would effectively kill the guest at random points, much better
>> * enforcing the limit based on the max that the guest can map.
>> */
>> + tbl = data->ops->get_table(data, 0);
>
> Can we define an enum to avoid sprinkling magic zeros in the code?

Right. Missed it in one of iterations :-/


>> + if (!tbl)
>> + return -ENXIO;
>> +
>> down_write(&current->mm->mmap_sem);
>> npages = (tbl->it_size << IOMMU_PAGE_SHIFT_4K) >> PAGE_SHIFT;
>> locked = current->mm->locked_vm + npages;
>> @@ -89,7 +127,6 @@ static int tce_iommu_enable(struct tce_container *container)
>> rlimit(RLIMIT_MEMLOCK));
>> ret = -ENOMEM;
>> } else {
>> -
>> current->mm->locked_vm += npages;
>> container->enabled = true;
>> }
>> @@ -100,16 +137,27 @@ static int tce_iommu_enable(struct tce_container *container)
>>
>> static void tce_iommu_disable(struct tce_container *container)
>> {
>> + struct spapr_tce_iommu_group *data;
>> + struct iommu_table *tbl;
>> +
>> if (!container->enabled)
>> return;
>>
>> container->enabled = false;
>>
>> - if (!container->tbl || !current->mm)
>> + if (!container->grp || !current->mm)
>> + return;
>> +
>> + data = iommu_group_get_iommudata(container->grp);
>> + if (!data || !data->iommu_owner || !data->ops->get_table)
>> + return;
>> +
>> + tbl = data->ops->get_table(data, 0);
>> + if (!tbl)
>> return;
>>
>> down_write(&current->mm->mmap_sem);
>> - current->mm->locked_vm -= (container->tbl->it_size <<
>> + current->mm->locked_vm -= (tbl->it_size <<
>> IOMMU_PAGE_SHIFT_4K) >> PAGE_SHIFT;
>> up_write(&current->mm->mmap_sem);
>> }
>> @@ -129,6 +177,8 @@ static void *tce_iommu_open(unsigned long arg)
>>
>> mutex_init(&container->lock);
>>
>> + container->windows_num = 1;
>> +
>> return container;
>> }
>>
>> @@ -136,11 +186,11 @@ static void tce_iommu_release(void *iommu_data)
>> {
>> struct tce_container *container = iommu_data;
>>
>> - WARN_ON(container->tbl && !container->tbl->it_group);
>> + WARN_ON(container->grp);
>> tce_iommu_disable(container);
>>
>> - if (container->tbl && container->tbl->it_group)
>> - tce_iommu_detach_group(iommu_data, container->tbl->it_group);
>> + if (container->grp)
>> + tce_iommu_detach_group(iommu_data, container->grp);
>>
>> mutex_destroy(&container->lock);
>>
>> @@ -169,8 +219,17 @@ static long tce_iommu_ioctl(void *iommu_data,
>>
>> case VFIO_IOMMU_SPAPR_TCE_GET_INFO: {
>> struct vfio_iommu_spapr_tce_info info;
>> - struct iommu_table *tbl = container->tbl;
>> + struct iommu_table *tbl;
>> + struct spapr_tce_iommu_group *data;
>>
>> + if (WARN_ON(!container->grp))
>> + return -ENXIO;
>> +
>> + data = iommu_group_get_iommudata(container->grp);
>> + if (WARN_ON(!data || !data->iommu_owner || !data->ops))
>> + return -ENXIO;
>> +
>> + tbl = data->ops->get_table(data, 0);
>> if (WARN_ON(!tbl))
>> return -ENXIO;
>>
>> @@ -194,13 +253,16 @@ static long tce_iommu_ioctl(void *iommu_data,
>> }
>> case VFIO_IOMMU_MAP_DMA: {
>> struct vfio_iommu_type1_dma_map param;
>> - struct iommu_table *tbl = container->tbl;
>> + struct iommu_table *tbl;
>> + struct spapr_tce_iommu_group *data;
>> unsigned long tce, i;
>>
>> - if (!tbl)
>> + if (WARN_ON(!container->grp))
>
> If a user can get here by their own mistake, return an error and be
> done, no warning. If a user can get here via a kernel ordering issue,
> it's a problem in the design. Which is it?


I'll remove here and below these WARN's. I just cannot force myself to
start thinking of malicious userspace which can trigger many of those :)


>
>> return -ENXIO;
>>
>> - BUG_ON(!tbl->it_group);
>> + data = iommu_group_get_iommudata(container->grp);
>> + if (WARN_ON(!data || !data->iommu_owner || !data->ops))
>> + return -ENXIO;
>
> Same
>
>>
>> minsz = offsetofend(struct vfio_iommu_type1_dma_map, size);
>>
>> @@ -225,6 +287,11 @@ static long tce_iommu_ioctl(void *iommu_data,
>> if (param.flags & VFIO_DMA_MAP_FLAG_WRITE)
>> tce |= TCE_PCI_WRITE;
>>
>> + tbl = spapr_tce_find_table(container, data, param.iova);
>
> Why aren't we using ops->find_table() here?


I am trying to keep spapr_tce_iommu_ops as simple as possible and now it
only provides a search-by-window-number callback and the helper to search
by IOBA uses it.




--
Alexey
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/