Received: by 10.223.185.116 with SMTP id b49csp6749872wrg; Wed, 28 Feb 2018 15:01:36 -0800 (PST) X-Google-Smtp-Source: AH8x2274SqO6w/OwecvGFNzW7fg7tgA886qNmiSbRMrMoQpeSZ2zCL2mp6LHMN0FHwc/8wzCG3M/ X-Received: by 10.99.120.205 with SMTP id t196mr15052452pgc.392.1519858896103; Wed, 28 Feb 2018 15:01:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519858896; cv=none; d=google.com; s=arc-20160816; b=gcceY27eUrdUqQ8sCCvg0dSg3MSrLBpI8G2h1HhD2lgcYMcmtyux8rJm7q2mp1ehuN PV7jcQYrkL/q+qt/cqOw4Xvsd2RLHOfooMO01om1PEY98d+pzYtFbvGpklGZ8DjIypPx 9p4o2chKhRgLkcpYbCq+431r0Cifp+KezrxnE1IMvWCWC2Qfy5eFnfBuRVQSbxa1Idmm 4y3GlRezul9XJ83MMPSvsnLthbmQtwGHxPMJ+TuJn9Qs6PKBoplT4UfztGiNi6xViQq5 meLIeHFv7IgMEY7yQiV0Cm+4b+qmsvBtsNt9ijs5aJgfhMunw2Me0vSMj2HHNxLKXAqL NtgQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date :arc-authentication-results; bh=lT9rbaL3RWpmsy/B64H6UtVV92E7QhuEDr9x5sgO038=; b=lifp+PvxpFdmjNFsPXHDzIH0SD16Votu1ZXxos0xzoAdbsygl94qpqHC/zrSU2ALK9 joe6OEaxetCxTYAYe0v+0ZC++7bbhaiYrtM7UfrjoRBX1qnMXPDv/yHbqDvapi7GDLJw RMjcyN4G957zMxCE1hG5p45bl13Bdns6EiKsN2//LbLBvnLlNWS/MQnzxZeoU8QEdAo+ f8RjqemLtyDhe4q9Bcn5iTP/4FvxTuR1ti42H6miL4UblnOCWG5tmMG0L9QeAsK/kWhy OfZqVEgPHW1foobQt8oTuahSpLTnuSOJIdQIMgW28uRkni4O1Kl4oStnp93W6iVM/sKU NHeg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 75si1897459pfp.353.2018.02.28.15.01.20; Wed, 28 Feb 2018 15:01:36 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S964847AbeB1W76 (ORCPT + 99 others); Wed, 28 Feb 2018 17:59:58 -0500 Received: from mx1.redhat.com ([209.132.183.28]:56722 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S964824AbeB1W7z (ORCPT ); Wed, 28 Feb 2018 17:59:55 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 0F6F7356DA; Wed, 28 Feb 2018 22:59:55 +0000 (UTC) Received: from w520.home (ovpn-117-203.phx2.redhat.com [10.3.117.203]) by smtp.corp.redhat.com (Postfix) with ESMTP id EBD505D960; Wed, 28 Feb 2018 22:59:50 +0000 (UTC) Date: Wed, 28 Feb 2018 15:59:49 -0700 From: Alex Williamson To: Alexander Duyck Cc: Bjorn Helgaas , linux-pci@vger.kernel.org, Alexander Duyck , virtio-dev@lists.oasis-open.org, kvm@vger.kernel.org, Netdev , "Daly, Dan" , LKML , Maximilian Heyne , "Wang, Liang-min" , "Rustad, Mark D" , David Woodhouse , dwmw@amazon.co.uk Subject: Re: [PATCH] pci-iov: Add support for unmanaged SR-IOV Message-ID: <20180228155949.00fde8ae@w520.home> In-Reply-To: References: <20180227190520.3273.79728.stgit@localhost.localdomain> <20180227144015.228d4f5c@w520.home> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Wed, 28 Feb 2018 22:59:55 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 28 Feb 2018 09:49:21 -0800 Alexander Duyck wrote: > On Tue, Feb 27, 2018 at 2:25 PM, Alexander Duyck > wrote: > > On Tue, Feb 27, 2018 at 1:40 PM, Alex Williamson > > wrote: > >> On Tue, 27 Feb 2018 11:06:54 -0800 > >> Alexander Duyck wrote: > >> > >>> From: Alexander Duyck > >>> > >>> This patch is meant to add support for SR-IOV on devices when the VFs are > >>> not managed by the kernel. Examples of recent patches attempting to do this > >>> include: > >> > >> It appears to enable sriov when the _pf_ is not managed by the > >> kernel, but by "managed" we mean that either there is no pf driver or > >> the pf driver doesn't provide an sriov_configure callback, > >> intentionally or otherwise. > >> > >>> virto - https://patchwork.kernel.org/patch/10241225/ > >>> pci-stub - https://patchwork.kernel.org/patch/10109935/ > >>> vfio - https://patchwork.kernel.org/patch/10103353/ > >>> uio - https://patchwork.kernel.org/patch/9974031/ > >> > >> So is the goal to get around the issues with enabling sriov on each of > >> the above drivers by doing it under the covers or are you really just > >> trying to enable sriov for a truly unmanage (no pf driver) case? For > >> example, should a driver explicitly not wanting sriov enabled implement > >> a dummy sriov_configure function? > >> > >>> Since this is quickly blowing up into a multi-driver problem it is probably > >>> best to implement this solution in one spot. > >>> > >>> This patch is an attempt to do that. What we do with this patch is provide > >>> a generic call to enable SR-IOV in the case that the PF driver is either > >>> not present, or the PF driver doesn't support configuring SR-IOV. > >>> > >>> A new sysfs value called sriov_unmanaged_autoprobe has been added. This > >>> value is used as the drivers_autoprobe setting of the VFs when they are > >>> being managed by an external entity such as userspace or device firmware > >>> instead of being managed by the kernel. > >> > >> Documentation/ABI/testing/sysfs-bus-pci update is missing. > > > > I can make sure to update that in the next version. > > > >>> One side effect of this change is that the sriov_drivers_autoprobe and > >>> sriov_unmanaged_autoprobe will only apply their updates when SR-IOV is > >>> disabled. Attempts to update them when SR-IOV is in use will only update > >>> the local value and will not update sriov->autoprobe. > >> > >> And we expect users to understand when sriov_drivers_autoprobe applies > >> vs sriov_unmanaged_autoprobe, even though they're using the same > >> interfaces to enable sriov? Are all combinations expected to work, ex. > >> unmanaged sriov is enabled, a native pf driver loads, vfs work? Not > >> only does it seems like there's opportunity to use this incorrectly, I > >> think maybe it might be difficult to use correctly. > >> > >>> I based my patch set originally on the patch by Mark Rustad but there isn't > >>> much left after going through and cleaning out the bits that were no longer > >>> needed, and after incorporating the feedback from David Miller. > >>> > >>> I have included the authors of the original 4 patches above in the Cc here. > >>> My hope is to get feedback and/or review on if this works for their use > >>> cases. > >>> > >>> Cc: Mark Rustad > >>> Cc: Maximilian Heyne > >>> Cc: Liang-Min Wang > >>> Cc: David Woodhouse > >>> Signed-off-by: Alexander Duyck > >>> --- > >>> drivers/pci/iov.c | 27 +++++++++++++++++++- > >>> drivers/pci/pci-driver.c | 2 + > >>> drivers/pci/pci-sysfs.c | 62 +++++++++++++++++++++++++++++++++++++++++----- > >>> drivers/pci/pci.h | 4 ++- > >>> include/linux/pci.h | 1 + > >>> 5 files changed, 86 insertions(+), 10 deletions(-) > >>> > >>> diff --git a/drivers/pci/iov.c b/drivers/pci/iov.c > >>> index 677924ae0350..7b8858bd8d03 100644 > >>> --- a/drivers/pci/iov.c > >>> +++ b/drivers/pci/iov.c > >>> @@ -446,6 +446,7 @@ static int sriov_init(struct pci_dev *dev, int pos) > >>> pci_read_config_word(dev, pos + PCI_SRIOV_VF_DID, &iov->vf_device); > >>> iov->pgsz = pgsz; > >>> iov->self = dev; > >>> + iov->autoprobe = true; > >>> iov->drivers_autoprobe = true; > >>> pci_read_config_dword(dev, pos + PCI_SRIOV_CAP, &iov->cap); > >>> pci_read_config_byte(dev, pos + PCI_SRIOV_FUNC_LINK, &iov->link); > >>> @@ -643,8 +644,11 @@ void pci_restore_iov_state(struct pci_dev *dev) > >>> */ > >>> void pci_vf_drivers_autoprobe(struct pci_dev *dev, bool auto_probe) > >>> { > >>> - if (dev->is_physfn) > >>> + if (dev->is_physfn) { > >>> dev->sriov->drivers_autoprobe = auto_probe; > >>> + if (!dev->sriov->num_VFs) > >>> + dev->sriov->autoprobe = auto_probe; > >> > >> Why is dev->sriov->autoprobe set any time other than immediately prior > >> to enabling VFs? > > > > My concern here was drivers that are still floating around with the > > old module parameter option for enabling SR-IOV. In the unlikely event > > that somebody was to use such a driver I wanted to make certain that > > the drivers_autoprobe state was pre-populated. Good point, but maybe that just means we should be setting it in sriov_enable()? > >>> + } > >>> } > >>> > >>> /** > >>> @@ -703,6 +707,27 @@ void pci_disable_sriov(struct pci_dev *dev) > >>> EXPORT_SYMBOL_GPL(pci_disable_sriov); > >>> > >>> /** > >>> + * pci_sriov_configure_unmanaged - helper to configure unmanaged SR-IOV > >>> + * @dev: the PCI device > >>> + * @nr_virtfn: number of virtual functions to enable, 0 to disable > >>> + * > >>> + * Used to provide generic enable/disable SR-IOV option for devices > >>> + * that do not manage the VFs generated by their driver, or have no > >>> + * driver present. > >>> + */ > >>> +int pci_sriov_configure_unmanaged(struct pci_dev *dev, int nr_virtfn) > >>> +{ > >>> + int rc = 0; > >>> + > >>> + if (!nr_virtfn) > >>> + pci_disable_sriov(dev); > >>> + else > >>> + rc = pci_enable_sriov(dev, nr_virtfn); > >>> + > >>> + return rc ? rc : nr_virtfn; > >>> +} > >>> + > >>> +/** > >>> * pci_num_vf - return number of VFs associated with a PF device_release_driver > >>> * @dev: the PCI device > >>> * > >>> diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c > >>> index 3bed6beda051..2cc68dff6130 100644 > >>> --- a/drivers/pci/pci-driver.c > >>> +++ b/drivers/pci/pci-driver.c > >>> @@ -398,7 +398,7 @@ void __weak pcibios_free_irq(struct pci_dev *dev) > >>> #ifdef CONFIG_PCI_IOV > >>> static inline bool pci_device_can_probe(struct pci_dev *pdev) > >>> { > >>> - return (!pdev->is_virtfn || pdev->physfn->sriov->drivers_autoprobe); > >>> + return (!pdev->is_virtfn || pdev->physfn->sriov->autoprobe); > >>> } > >>> #else > >>> static inline bool pci_device_can_probe(struct pci_dev *pdev) > >>> diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c > >>> index eb6bee8724cc..e701b6dbc267 100644 > >>> --- a/drivers/pci/pci-sysfs.c > >>> +++ b/drivers/pci/pci-sysfs.c > >>> @@ -605,6 +605,7 @@ static ssize_t sriov_numvfs_store(struct device *dev, > >>> struct device_attribute *attr, > >>> const char *buf, size_t count) > >>> { > >>> + int (*sriov_configure)(struct pci_dev *dev, int num_vfs); > >>> struct pci_dev *pdev = to_pci_dev(dev); > >>> int ret; > >>> u16 num_vfs; > >>> @@ -622,15 +623,20 @@ static ssize_t sriov_numvfs_store(struct device *dev, > >>> goto exit; > >>> > >>> /* is PF driver loaded w/callback */ > >>> - if (!pdev->driver || !pdev->driver->sriov_configure) { > >>> - pci_info(pdev, "Driver doesn't support SRIOV configuration via sysfs\n"); > >>> - ret = -ENOENT; > >>> - goto exit; > >>> - } > >>> + if (pdev->driver && pdev->driver->sriov_configure) > >>> + sriov_configure = pdev->driver->sriov_configure; > >>> + else > >>> + sriov_configure = pci_sriov_configure_unmanaged; > >> > >> So an unwitting user is now able to enable vfs, independent of the > >> pf... the trouble being that they're probably going to expect them to > >> work and the more common case is that they won't. For instance, what > >> can you do with an igbvf when igb isn't managing the pf? > > > > Well the VFs wouldn't be able to do anything. Basically they would be > > sitting there with no driver loaded on them unless they are assigned > > to a guest, or the root user had enabled the unmanaged option. If you > > did load a driver on it the VF would sit there with link down unless > > either the PF driver is loaded or some user-space entity steps in to > > start managing the PF. > > > > In reality this can already happen as last I recall igb and ixgbe were > > already capable of having the PF driver removed when SR-IOV was > > enabled and VFs were assigned. Basically the VFs just report link down > > and don't do anything. Reloading the PF driver would have it take over > > in the case of igb and ixgbe since they were designed to handle that > > type of scenario. I think only ixgbe behaves this way between the two, igb disables sriov in its remove function unless we're hung up by that silly pci_vfs_assigned() check, which doesn't apply to vfio assignment. Regardless, yes, some pf drivers do leave sriov enabled on remove, whether that's useful or reasonable is another question. > >> Or what happens when vfio-pci owns the pf, sriov is enabled via the > >> unmanaged interface, and the pf user driver segfaults and gets killed, > >> causing vfio-pci to restore the pf state, including wiping the sriov > >> config? > > > > Wiping the config shouldn't have any effect on the allocated VF pci > > devices. It will cause the VFs to act as though they have fallen off > > of the bus though and the guests would see a surprise remove type > > behavior if I am not mistaken. The MMIO and config accesses would fail > > until the SR-IOV configuration is restored. Really this shouldn't be a > > problem as long as the SR-IOV is enabled prior to loading the vfio-pci > > driver as I would assume it would restore the state an re-enable > > SR-IOV. Nope, sriov does not appear to be part of the device state saved and restored around reset, so I think we just end up in an inconsistent state. Also, vfio-pci stores a copy of the saved state of a device prior to giving the user access to the device and tries to restore that copy when released by the user, so anything that's part of the save state and modified via side-channels while the device is opened, would still be lost. > > In the grand scheme of things how would the situation you describe be > > any different than someone using the "reset" sysfs control on the PF > > while using SR-IOV with driver supported SR-IOV? Similar, but the pf driver has enabled sriov and can register the reset_done error handler to be notified to re-enable sriov or perform other cleanup. If the pf driver is not participating in sriov, it would seem exceptional to support this. Triggering reset via sysfs also falls more closely to shooting yourself in the foot than I think we want to design into driver/subsystem APIs. > > I suppose if you really wanted we could add a new call that you could > > put into the sriov_configure pointer that would just make it always > > return error. Then that way the configuration could be locked until > > the driver is unloaded. > > > >> I guess I don't understand how vfs can operate fully independent of the > >> pf and why vfio-pci wouldn't just implement a dummy sriov_configure to > >> avoid contending with such issues. > > > > This approach isn't without risk, but it isn't as if it is really a > > new risk we are introducing, and we could do further work to help > > smooth out issues like this. Much of this depends on the design of the > > device and the drivers involved. What is happening in this case is > > that the VFs are managed outside of the kernel itself either by some > > user-space entity or by a firmware entity. But we can't simply split vfs and pfs as separate resources, the vf is dependent on the pf and that implies a privilege hierarchy, if not at least cooperation. The pf driver can intentionally or unintentionally disconnect the vfs at any point in time, possibly leading to data loss or at least denial of service for the vf consumer. I also don't trust that there aren't numerous sriov implementations where the pf isn't privileged to the point of being able to snoop data from the vf. So what sort of usage models are we enabling for the vf? A firmware owned vf subject to these conditions seems mostly pointless. > So I was thinking about this some more. In the case of vfio-pci things > are a bit different since you are essentially taking a given device > and handing it to a VM or userspace and it doesn't guarantee a > communication between the two. Doesn't guarantee communication or cooperation or even trust. > My thought is to look at making SR-IOV configuration static or treat > it as read-only when the vfio-pci driver is loaded on a given > interface. In addition I would set the TAINT_USER flag and add a > warning about loading vfio-pci on an active PF, and provide the number > of VFs that were allocated. > > The idea with all of this being that we would at least have a partial > lock on all of this so that you can allocate some number of VFs, and > then start partitioning things up where you could assign the PF and > VFs as needed to the various interfaces. Once the PF is assigned to > the vfio-pci driver it would be locked in terms of the number of VFs > that are provided so there would be no need for an extra communication > channel between the PF driver and the host to deal with changes. > > Thoughts? Is an sriov configuration ever static? vfio is the most prolific user of the pci reset interfaces, AFAIK. Even if we add support for restoring the sriov configuration and even if the pf user isn't trying to be malicious, vf users would need to be prepared for their device arbitrarily dropping off the bus, mmio randomly (from their perspective) being disabled, and maybe other side-effects of the user just trying to use the pf device. Is there even any guarantee that a pf driver can operate identically, regardless of the state of sriov on the pf? It seems like the pf driver needs to be aware of which queues are available for itself vs the vfs in some designs. Is there still long term value in a solution for this if the kernel is tainted? Minimally, it seems like the pf driver (the user driver, not vfio-pci) needs to be a cooperating party in this exchange. How do we determine that and what QoS guarantees are they providing by agreeing to it? Otherwise it doesn't seem like sriov provides the sort of static, hard partitioning of the device that you're asking for. A vf is a piece of the pf and we've released ownership and control of the pf to a user. Thanks, Alex