Re: [RFC PATCHES 00/17] IOMMUFD: Deliver IO page faults to user space

From: Baolu Lu
Date: Sun Jun 18 2023 - 23:37:15 EST

Next message: kernel test robot: "Re: [PATCH V2] Revert "PCI: tegra194: Enable support for 256 Byte payload""
Previous message: Jiasheng Jiang: "[PATCH] libnvdimm/of_pmem: Add check and kfree for kstrdup"
In reply to: Jean-Philippe Brucker: "Re: [RFC PATCHES 00/17] IOMMUFD: Deliver IO page faults to user space"
Next in thread: Jason Gunthorpe: "Re: [RFC PATCHES 00/17] IOMMUFD: Deliver IO page faults to user space"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 6/16/23 7:32 PM, Jean-Philippe Brucker wrote:

Hi Baolu,

Hi Jean,

Thank you for the informational reply.

On Tue, May 30, 2023 at 01:37:07PM +0800, Lu Baolu wrote:

- The timeout value for the pending page fault messages. Ideally we
should determine the timeout value from the device configuration, but
I failed to find any statement in the PCI specification (version 6.x).
A default 100 milliseconds is selected in the implementation, but it
leave the room for grow the code for per-device setting.

If it helps we had some discussions about this timeout [1]. It's useful to
print out a warning for debugging, but I don't think completing the fault
on timeout is correct, we should leave the fault pending. Given that the
PCI spec does not indicate a timeout, the guest can wait as long as it
wants to complete the fault (and 100ms may even be reasonable on an
emulator, who knows how many layers and context switches the fault has to
go through).

When I was designing this, I was also hesitant about whether to use a
timer. Even worse, I didn't see any description of timeout in the PCI
spec.

I agree with you that a better approach might be to ensure that devices
respect the number of in-flight PPRs that are allocated to them. We need
to design a queue that is large enough to prevent device from flooding
it with page requests.

Another outstanding issue was what to do for PASID stop. When the guest
device driver stops using a PASID it issues a PASID stop request to the
device (a device-specific mechanism). If the device is not using PRI stop
markers it waits for pending PRs to complete and we're fine. Otherwise it
sends a stop marker which is flushed to the PRI queue, but does not wait
for pending PRs.

Handling stop markers is annoying. If the device issues one, then the PRI
queue contains stale faults, a stop marker, followed by valid faults for
the next address space bound to this PASID. The next address space will
get all the spurious faults because the fault handler doesn't know that
there is a stop marker coming. Linux is probably alright with spurious
faults, though maybe not in all cases, and other guests may not support
them at all.

We might need to revisit supporting stop markers: request that each device
driver declares whether their device uses stop markers on unbind() ("This
mechanism must indicate that a Stop Marker Message will be generated."
says the spec, but doesn't say if the function always uses one or the
other mechanism so it's per-unbind). Then we still have to synchronize
unbind() with the fault handler to deal with the pending stop marker,
which might have already gone through or be generated later.

I don't quite follow here. Once a PASID is unbound from the device, the
device driver should be free to release the PASID. The PASID could then
be used for any other purpose. The device driver has no idea when the
pending page requests are flushed after unbind(), so it cannot decide
how long should the PASID be delayed for reuse. Therefore, I understand
that a successful return from the unbind() function denotes that all
pending page requests have been flushed and the PASID is viable for
other use.

Currently we ignore all that and just flush the PRI queue, followed by the
IOPF queue, to get rid of any stale fault before reassigning the PASID. A
guest however would also need to first flush the HW PRI queue, but doesn't
have a direct way to do that. If we want to support guests that don't deal
with stop markers, the host needs to flush the PRI queue when a PASID is
detached. I guess on Intel detaching the PASID goes through the host which
can flush the host queue. On Arm we'll probably need to flush the queue
when receiving a PASID cache invalidation, which the guest issues after
clearing a PASID table entry.

The Intel VT-d driver follows below steps to drain pending page requests
when a PASID is unbound from a device.

- Tear down the device's pasid table entry for the stopped pasid.
This ensures that ATS/PRI will stop putting more page requests for the
pasid in VT-d PRQ.
- Sync with the PRQ handling thread until all related page requests in
PRQ have been delivered.
- Flush the iopf queue with iopf_queue_flush_dev().
- Follow the steps defined in VT-d spec section 7.10 to drain all page
requests and responses between VT-d and the endpoint device.

Thanks,
Jean

[1] https://lore.kernel.org/linux-iommu/20180423153622.GC38106@ostrya.localdomain/
Also unregistration, not sure if relevant here
https://lore.kernel.org/linux-iommu/20190605154553.0d00ad8d@jacob-builder/

Best regards,
baolu

Next message: kernel test robot: "Re: [PATCH V2] Revert "PCI: tegra194: Enable support for 256 Byte payload""
Previous message: Jiasheng Jiang: "[PATCH] libnvdimm/of_pmem: Add check and kfree for kstrdup"
In reply to: Jean-Philippe Brucker: "Re: [RFC PATCHES 00/17] IOMMUFD: Deliver IO page faults to user space"
Next in thread: Jason Gunthorpe: "Re: [RFC PATCHES 00/17] IOMMUFD: Deliver IO page faults to user space"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]