Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757941AbcKCOAC (ORCPT ); Thu, 3 Nov 2016 10:00:02 -0400 Received: from mail-db5eur01on0049.outbound.protection.outlook.com ([104.47.2.49]:48048 "EHLO EUR01-DB5-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1757841AbcKCN74 (ORCPT ); Thu, 3 Nov 2016 09:59:56 -0400 From: Diana Madalina Craciun To: Eric Auger , "eric.auger.pro@gmail.com" , "christoffer.dall@linaro.org" , "marc.zyngier@arm.com" , "robin.murphy@arm.com" , "alex.williamson@redhat.com" , "will.deacon@arm.com" , "joro@8bytes.org" , "tglx@linutronix.de" , "jason@lakedaemon.net" , "linux-arm-kernel@lists.infradead.org" CC: "drjones@redhat.com" , "kvm@vger.kernel.org" , "Manish.Jaggi@caviumnetworks.com" , "p.fedin@samsung.com" , "linux-kernel@vger.kernel.org" , "iommu@lists.linux-foundation.org" , "pranav.sawargaonkar@gmail.com" , "yehuday@marvell.com" Subject: Re: [PATCH v14 14/16] vfio/type1: Check doorbell safety Thread-Topic: [PATCH v14 14/16] vfio/type1: Check doorbell safety Thread-Index: AQHSJIvbdqIPIm3NlUSVZXuvU2tUsA== Date: Thu, 3 Nov 2016 13:45:11 +0000 Message-ID: References: <1476278544-3397-1-git-send-email-eric.auger@redhat.com> <1476278544-3397-15-git-send-email-eric.auger@redhat.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=diana.craciun@nxp.com; x-originating-ip: [192.88.146.1] x-ms-office365-filtering-correlation-id: f140e571-6750-402b-b38d-08d403efa22f x-microsoft-exchange-diagnostics: 1;HE1PR04MB1322;7:Tk7f+MzJjxusm6pwTOgdGHTlyNgh/mFHB/0JvthmgjTmiwpFn1VCWz5lsLXHZ3yulXvgO4oJwOUvQ5XBfa8YUyRQvqbpV5rQYcVahNjx5pY/AjIHdvtreymE99qKStZbbiUUge66yF05QFXAN8WRes1vrkq8I+njPzxCWSJTslyDYrp/D3VjqVPwDY96j5gmk/ls5lkG4QfkeANNvooHdE8i6ql3HUgIB6/+z9uemqVUAlXjHl1OVZp6G1JhXnEgG87Y8X2BS2kSZ6tuRy5xhTIVBbe1rXm4XREZHObz9imjvcekFGBDQvDl8Gg9jcJDwzAwOrqnk/30gU/cm4go/GYLXL2E4GDrOUsgBXn9qLE= x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:HE1PR04MB1322; x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:; x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(6040176)(6045074)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026)(6046074)(6072074);SRVR:HE1PR04MB1322;BCL:0;PCL:0;RULEID:;SRVR:HE1PR04MB1322; x-forefront-prvs: 011579F31F x-forefront-antispam-report: SFV:NSPM;SFS:(10009020)(6009001)(7916002)(189002)(24454002)(377454003)(199003)(7696004)(3660700001)(2501003)(2201001)(8676002)(81156014)(81166006)(2906002)(575784001)(4326007)(10400500002)(5660300001)(106116001)(97736004)(6116002)(5001770100001)(86362001)(66066001)(102836003)(3846002)(586003)(106356001)(87936001)(189998001)(5002640100001)(33656002)(2900100001)(105586002)(7416002)(3280700002)(68736007)(122556002)(92566002)(9686002)(19580395003)(5890100001)(54356999)(11100500001)(7736002)(76176999)(50986999)(76576001)(7846002)(74316002)(77096005)(305945005)(19580405001)(101416001)(8936002)(921003)(1121003);DIR:OUT;SFP:1101;SCL:1;SRVR:HE1PR04MB1322;H:HE1PR04MB1321.eurprd04.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en; spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 X-OriginatorOrg: nxp.com X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Nov 2016 13:45:11.7983 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 686ea1d3-bc2b-4c6f-a92c-d99c5c301635 X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR04MB1322 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.home.local id uA3E0Fom015284 Content-Length: 3441 Lines: 99 Hi Eric, On 10/12/2016 04:23 PM, Eric Auger wrote: > On x86 IRQ remapping is abstracted by the IOMMU. On ARM this is abstracted > by the msi controller. > > Since we currently have no way to detect whether the MSI controller is > upstream or downstream to the IOMMU we rely on the MSI doorbell information > registered by the interrupt controllers. In case at least one doorbell > does not implement proper isolation, we state the assignment is unsafe > with regard to interrupts. This is a coarse assessment but should allow to > wait for a better system description. > > At this point ARM sMMU still advertises IOMMU_CAP_INTR_REMAP. This is > removed in next patch. > > Signed-off-by: Eric Auger > > --- > v13 -> v15: > - check vfio_msi_resv before checking whether msi doorbell is safe > > v9 -> v10: > - coarse safety assessment based on MSI doorbell info > > v3 -> v4: > - rename vfio_msi_parent_irq_remapping_capable into vfio_safe_irq_domain > and irq_remapping into safe_irq_domains > > v2 -> v3: > - protect vfio_msi_parent_irq_remapping_capable with > CONFIG_GENERIC_MSI_IRQ_DOMAIN > --- > drivers/vfio/vfio_iommu_type1.c | 30 +++++++++++++++++++++++++++++- > 1 file changed, 29 insertions(+), 1 deletion(-) > > diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c > index e0c97ef..c18ba9d 100644 > --- a/drivers/vfio/vfio_iommu_type1.c > +++ b/drivers/vfio/vfio_iommu_type1.c > @@ -442,6 +442,29 @@ static void vfio_unmap_unpin(struct vfio_iommu *iommu, struct vfio_dma *dma) > } > > /** > + * vfio_msi_resv - Return whether any VFIO iommu domain requires > + * MSI mapping > + * > + * @iommu: vfio iommu handle > + * > + * Return: true of MSI mapping is needed, false otherwise > + */ > +static bool vfio_msi_resv(struct vfio_iommu *iommu) > +{ > + struct iommu_domain_msi_resv msi_resv; > + struct vfio_domain *d; > + int ret; > + > + list_for_each_entry(d, &iommu->domain_list, next) { > + ret = iommu_domain_get_attr(d->domain, DOMAIN_ATTR_MSI_RESV, > + &msi_resv); > + if (!ret) > + return true; > + } > + return false; > +} > + > +/** > * vfio_set_msi_aperture - Sets the msi aperture on all domains > * requesting MSI mapping > * > @@ -945,8 +968,13 @@ static int vfio_iommu_type1_attach_group(void *iommu_data, > INIT_LIST_HEAD(&domain->group_list); > list_add(&group->next, &domain->group_list); > > + /* > + * to advertise safe interrupts either the IOMMU or the MSI controllers > + * must support IRQ remapping (aka. interrupt translation) > + */ > if (!allow_unsafe_interrupts && > - !iommu_capable(bus, IOMMU_CAP_INTR_REMAP)) { > + (!iommu_capable(bus, IOMMU_CAP_INTR_REMAP) && > + !(vfio_msi_resv(iommu) && iommu_msi_doorbell_safe()))) { > pr_warn("%s: No interrupt remapping support. Use the module param \"allow_unsafe_interrupts\" to enable VFIO IOMMU support on this platform\n", > __func__); > ret = -EPERM; I understand from the other discussions that you will respin these series, but anyway I have tested this version with GICV3 + ITS and it stops here. As I have a GICv3 I am not supposed to enable allow unsafe interrupts. What I see is that vfio_msi_resv returns false just because the iommu->domain_list list is empty. The newly created domain is actually added to the domain_list at the end of this function, so it seems normal for the list to be empty at this point. Thanks, Diana