Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2383530pxb; Sat, 27 Feb 2021 22:43:10 -0800 (PST) X-Google-Smtp-Source: ABdhPJwh+fVnJXuNRBumgqsX7aFp/Aa2IF1sxAW1W9Sdw22yNWipc0EJ4VT47KO8yQPg68lMkoVQ X-Received: by 2002:a17:906:d1d5:: with SMTP id bs21mr10597415ejb.242.1614494590263; Sat, 27 Feb 2021 22:43:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614494590; cv=none; d=google.com; s=arc-20160816; b=SoVnko7JC1Ty4k10Ultwpjjkj0k4iPW9zebpcSPVQishUlN91Hqrd1yucEtamQX20q wYnx1yNIJOxNWiqEvyj+SkkgzV7ooodWPyro0Zz5TYJiFz5eYV3pnzlZLxyn6efRu5mU tOJUtFsBnR5n6LshNxDNGB7aJEUlcR7u7OwseTZPkD3zPhk8NcTqOfmQB5ns0EA6CsgK x7Q5wi/Q/KEEKViGlisY1BCQRWk8LfGvIXvh5UsjoWXlrpHaYSRdnJtzpuepNZ1cB6T3 51JbSMgcXQbPUCMrMQL/Jw4xnOc3UQXxsjHfickoUhrj0ehTEk5UfK3qX90QFh4ADu9g P1uQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:references:in-reply-to:message-id:date:subject :cc:to:from:ironport-sdr:ironport-sdr; bh=5xcpcZWzob8LbRlr/KEXZa6srJv0qQHbSs1hU7NV3d0=; b=Vh6rW/3YyzQfCUJ8Qh7KXOdNO/mE+NBW3ERL6ulb49SU9JA2HjMD14Mmvl6L16nrrv YvIFuZ3rpMqHsIZbN47i7csShMEnGSuhUAysbfthhnXWXtJaV9wXp/muD58UwJ+fV1l+ vFsEZE2fjkgsDu3hK9/feF8Uu3vJE1wK3a6E4uSlL1eXV+GpG5mvqrK7xj9KVVOLGXV+ VypsANrDsLRRtqTtXKawe1B8fG6oP1zIFPHVV4BKwPHHwD5NoH+jrmHcrjAsSC6U1039 xAqHb1BVRsVQyveTZzY9QZ3JuBt5gaGp9oPCVMFG+fbwueeqDfB6tnQ3CVdQWsSXSfMt 9xiw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k2si9248439ejr.529.2021.02.27.22.42.48; Sat, 27 Feb 2021 22:43:10 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230423AbhB1Gl7 (ORCPT + 99 others); Sun, 28 Feb 2021 01:41:59 -0500 Received: from mga09.intel.com ([134.134.136.24]:58903 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230445AbhB1Gly (ORCPT ); Sun, 28 Feb 2021 01:41:54 -0500 IronPort-SDR: M86yoXHTOXt0Z19fUXGZJbNlKTkTaTrhOp0zBjAXfv+uKs77irEmDlYD/JToTilbBDPz139ULF w3p/O0xi95WQ== X-IronPort-AV: E=McAfee;i="6000,8403,9908"; a="186323906" X-IronPort-AV: E=Sophos;i="5.81,211,1610438400"; d="scan'208";a="186323906" Received: from orsmga004.jf.intel.com ([10.7.209.38]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 27 Feb 2021 22:33:10 -0800 IronPort-SDR: VwmdMDFqK2b6EtjWnoffQBBdex7rudtOi8+cVDYN+vuAbCYlNLFGMm0gzT7CnGOM/j3N7ldZe+ umTYB3/XUhEQ== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.81,211,1610438400"; d="scan'208";a="517029737" Received: from otc-wp-03.jf.intel.com ([10.54.39.79]) by orsmga004.jf.intel.com with ESMTP; 27 Feb 2021 22:33:10 -0800 From: Jacob Pan To: LKML , Joerg Roedel , "Lu Baolu" , David Woodhouse , iommu@lists.linux-foundation.org, cgroups@vger.kernel.org, Tejun Heo , Li Zefan , Johannes Weiner , Jean-Philippe Brucker Cc: Alex Williamson , Eric Auger , Jason Gunthorpe , Jonathan Corbet , Raj Ashok , "Tian, Kevin" , Yi Liu , Wu Hao , Dave Jiang , Jacob Pan Subject: [PATCH V4 14/18] iommu/vt-d: Listen to IOASID notifications Date: Sat, 27 Feb 2021 14:01:22 -0800 Message-Id: <1614463286-97618-15-git-send-email-jacob.jun.pan@linux.intel.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1614463286-97618-1-git-send-email-jacob.jun.pan@linux.intel.com> References: <1614463286-97618-1-git-send-email-jacob.jun.pan@linux.intel.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Intel Scalable I/O Virtualization (SIOV) enabled platforms, IOMMU driver is one of the users of IOASIDs. In normal flow, callers will perform IOASID allocation, bind, unbind, and free in order. However, for guest SVA, IOASID free could come before unbind as guest is untrusted. This patch registers IOASID notification handler such that IOMMU driver can perform PASID teardown upon receiving an unexpected IOASID free event. Signed-off-by: Jacob Pan --- drivers/iommu/intel/iommu.c | 2 + drivers/iommu/intel/svm.c | 109 +++++++++++++++++++++++++++++++++++- include/linux/intel-iommu.h | 2 + 3 files changed, 111 insertions(+), 2 deletions(-) diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c index eb9868061545..d602e89c40d2 100644 --- a/drivers/iommu/intel/iommu.c +++ b/drivers/iommu/intel/iommu.c @@ -3313,6 +3313,8 @@ static int __init init_dmars(void) pr_err("Failed to allocate host PASID set %lu\n", PTR_ERR(host_pasid_set)); intel_iommu_sm = 0; + } else { + intel_svm_add_pasid_notifier(); } } diff --git a/drivers/iommu/intel/svm.c b/drivers/iommu/intel/svm.c index f75699ddb923..b5bb9b578281 100644 --- a/drivers/iommu/intel/svm.c +++ b/drivers/iommu/intel/svm.c @@ -96,6 +96,104 @@ static inline bool intel_svm_capable(struct intel_iommu *iommu) return iommu->flags & VTD_FLAG_SVM_CAPABLE; } +static inline void intel_svm_drop_pasid(ioasid_t pasid) +{ + /* + * Detaching SPID results in UNBIND notification on the set, we must + * do this before dropping the IOASID reference, otherwise the + * notification chain may get destroyed. + */ + ioasid_detach_spid(pasid); + ioasid_detach_data(pasid); + ioasid_put(NULL, pasid); +} + +static DEFINE_MUTEX(pasid_mutex); +#define pasid_lock_held() lock_is_held(&pasid_mutex.dep_map) + +static void intel_svm_free_async_fn(struct work_struct *work) +{ + struct intel_svm *svm = container_of(work, struct intel_svm, work); + struct intel_svm_dev *sdev; + + /* + * Unbind all devices associated with this PASID which is + * being freed by other users such as VFIO. + */ + mutex_lock(&pasid_mutex); + list_for_each_entry_rcu(sdev, &svm->devs, list, pasid_lock_held()) { + /* Does not poison forward pointer */ + list_del_rcu(&sdev->list); + spin_lock(&sdev->iommu->lock); + intel_pasid_tear_down_entry(sdev->iommu, sdev->dev, + svm->pasid, true); + intel_svm_drain_prq(sdev->dev, svm->pasid); + spin_unlock(&sdev->iommu->lock); + kfree_rcu(sdev, rcu); + } + /* + * We may not be the last user to drop the reference but since + * the PASID is in FREE_PENDING state, no one can get new reference. + * Therefore, we can safely free the private data svm. + */ + intel_svm_drop_pasid(svm->pasid); + + /* + * Free before unbind can only happen with host PASIDs used for + * guest SVM. We get here because ioasid_free is called with + * outstanding references. So we need to drop the reference + * such that the PASID can be reclaimed. unbind_gpasid() after this + * will not result in dropping refcount since the private data is + * already detached. + */ + kfree(svm); + + mutex_unlock(&pasid_mutex); +} + + +static int pasid_status_change(struct notifier_block *nb, + unsigned long code, void *data) +{ + struct ioasid_nb_args *args = (struct ioasid_nb_args *)data; + struct intel_svm *svm = (struct intel_svm *)args->pdata; + int ret = NOTIFY_DONE; + + /* + * Notification private data is a choice of vendor driver when the + * IOASID is allocated or attached after allocation. When the data + * type changes, we must make modifications here accordingly. + */ + if (code == IOASID_NOTIFY_FREE) { + /* + * If PASID UNBIND happens before FREE, private data of the + * IOASID should be NULL, then we don't need to do anything. + */ + if (!svm) + goto done; + if (args->id != svm->pasid) { + pr_warn("Notify PASID does not match data %d : %d\n", + args->id, svm->pasid); + goto done; + } + if (!ioasid_queue_work(&svm->work)) + pr_warn("Cleanup work already queued\n"); + return NOTIFY_OK; + } +done: + return ret; +} + +static struct notifier_block pasid_nb = { + .notifier_call = pasid_status_change, +}; + +void intel_svm_add_pasid_notifier(void) +{ + /* Listen to all PASIDs, not specific to a set */ + ioasid_register_notifier(NULL, &pasid_nb); +} + void intel_svm_check(struct intel_iommu *iommu) { if (!pasid_supported(iommu)) @@ -240,7 +338,6 @@ static const struct mmu_notifier_ops intel_mmuops = { .invalidate_range = intel_invalidate_range, }; -static DEFINE_MUTEX(pasid_mutex); static LIST_HEAD(global_svm_list); #define for_each_svm_dev(sdev, svm, d) \ @@ -367,8 +464,16 @@ int intel_svm_bind_gpasid(struct iommu_domain *domain, struct device *dev, if (data->flags & IOMMU_SVA_GPASID_VAL) { svm->gpasid = data->gpasid; svm->flags |= SVM_FLAG_GUEST_PASID; + ioasid_attach_spid(data->hpasid, data->gpasid); } ioasid_attach_data(data->hpasid, svm); + ioasid_get(NULL, svm->pasid); + sdev->iommu = iommu; + /* + * Set up cleanup async work in case IOASID core notify us PASID + * is freed before unbind. + */ + INIT_WORK(&svm->work, intel_svm_free_async_fn); INIT_LIST_HEAD_RCU(&svm->devs); } sdev = kzalloc(sizeof(*sdev), GFP_KERNEL); @@ -464,7 +569,7 @@ int intel_svm_unbind_gpasid(struct device *dev, u32 pasid) * the unbind, IOMMU driver will get notified * and perform cleanup. */ - ioasid_detach_data(pasid); + intel_svm_drop_pasid(pasid); kfree(svm); } } diff --git a/include/linux/intel-iommu.h b/include/linux/intel-iommu.h index 09c6a0bf3892..b1b8914e1564 100644 --- a/include/linux/intel-iommu.h +++ b/include/linux/intel-iommu.h @@ -757,6 +757,7 @@ void intel_svm_unbind(struct iommu_sva *handle); u32 intel_svm_get_pasid(struct iommu_sva *handle); int intel_svm_page_response(struct device *dev, struct iommu_fault_event *evt, struct iommu_page_response *msg); +void intel_svm_add_pasid_notifier(void); struct svm_dev_ops; @@ -783,6 +784,7 @@ struct intel_svm { int gpasid; /* In case that guest PASID is different from host PASID */ struct list_head devs; struct list_head list; + struct work_struct work; /* For deferred clean up */ }; #else static inline void intel_svm_check(struct intel_iommu *iommu) {} -- 2.25.1