Re: [PATCH v2 2/2] iommu: Probe right iommu_ops for device
From: Jason Gunthorpe
Date: Mon Jan 29 2024 - 10:38:04 EST
On Fri, Jan 26, 2024 at 06:53:41PM +0800, Lu Baolu wrote:
> Previously, in the iommu probe device path, __iommu_probe_device() gets
> the iommu_ops for the device from dev->iommu->fwspec if this field has
> been initialized before probing. Otherwise, it is assumed that only one
> of Intel, AMD, s390, PAMU or legacy SMMUv2 can be present, hence it's
> feasible to lookup the global iommu device list and use the iommu_ops of
> the first iommu device which has no dev->iommu->fwspec.
>
> The assumption mentioned above is no longer correct with the introduction
> of the IOMMUFD mock device on x86 platforms. There might be multiple
> instances of iommu drivers, none of which have the dev->iommu->fwspec
> field populated.
>
> Probe the right iommu_ops for device by iterating over all the global
> drivers and call their probe function to find a match.
>
> Fixes: 17de3f5fdd35 ("iommu: Retire bus ops")
> Cc: Robin Murphy <robin.murphy@xxxxxxx>
> Signed-off-by: Lu Baolu <baolu.lu@xxxxxxxxxxxxxxx>
> ---
> drivers/iommu/iommu.c | 76 +++++++++++++++++++++++++++----------------
> 1 file changed, 48 insertions(+), 28 deletions(-)
>
> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
> index 0af0b5544072..2cdb01e411fa 100644
> --- a/drivers/iommu/iommu.c
> +++ b/drivers/iommu/iommu.c
> @@ -396,30 +396,69 @@ void dev_iommu_priv_set(struct device *dev, void *priv)
> }
> EXPORT_SYMBOL_GPL(dev_iommu_priv_set);
>
> +static struct iommu_device *
> +__iommu_do_probe_device(struct device *dev, const struct iommu_ops *ops)
> +{
> + struct iommu_device *iommu_dev;
> +
> + if (!try_module_get(ops->owner))
> + return ERR_PTR(-EINVAL);
> +
> + iommu_dev = ops->probe_device(dev);
> + if (IS_ERR(iommu_dev))
> + module_put(ops->owner);
This doesn't really do enough to protect against races, to do that
fully we need to have iommu_device_unregister() do some better
locking, and fix fwspec->ops lifecycle somehow.. Remember that module
ref counts don't prevent iommu_device_unregister_bus() concurrency.
So, it would be simpler to leave the try_module_get in the
iommu_init_device(), just move it after the probe_device call.
> +static struct iommu_device *iommu_probe_device_ops(struct device *dev)
> +{
> + struct iommu_device *iter, *iommu_dev = ERR_PTR(-ENODEV);
> + struct iommu_fwspec *fwspec;
> +
> + /*
> + * For FDT-based systems and ACPI IORT/VIOT, drivers register IOMMU
> + * instances with non-NULL fwnodes, and client devices should have been
> + * identified with a fwspec by this point. Otherwise, we will iterate
> + * over all the global drivers and call their probe function to find a
> + * match.
> + */
> + fwspec = dev_iommu_fwspec_get(dev);
> + if (fwspec && fwspec->ops)
> + return __iommu_do_probe_device(dev, fwspec->ops);
> +
> + mutex_lock(&iommu_device_lock);
> + list_for_each_entry(iter, &iommu_device_list, list) {
> + iommu_dev = __iommu_do_probe_device(dev, iter->ops);
> + if (!IS_ERR(iommu_dev))
> + break;
This does need to skip duplicate ops though (see my version), we don't
want to call the same driver many times. And Kevin and Robin are
right, since we recently removed a bunch of fwpsec checks from drivers
the core code must now never call a fwspec expecting driver without a
fwspec. (check for !iommu->fwnode)
Otherwise this looks fine for me, thanks
Jason