Received: by 2002:a05:7412:518d:b0:e2:908c:2ebd with SMTP id fn13csp412183rdb;
        Thu, 5 Oct 2023 09:20:45 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IFZnWVHhY0aaEsAGYlskoGuMpFMp6g6v+8lb5wh4EWgnHD8vp2fXtgToyj536///rja21M9
X-Received: by 2002:a17:902:7682:b0:1c5:634e:e12c with SMTP id m2-20020a170902768200b001c5634ee12cmr4945511pll.37.1696522845378;
        Thu, 05 Oct 2023 09:20:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1696522845; cv=none;
        d=google.com; s=arc-20160816;
        b=eeB9EMp32MLxSUY3BbIndPmNtC65COq46pQX+iSuOdc3/YQVt6BhUfFzqH10YOIKTe
         gfdtMdYbOdqRbbwwOzxfp6aXmXKPEP+Ud9YXOmcdvGilEWUOiRC3Om0uE9+BtU1gz7U6
         uUNsqRshbUfVBC4hxFQ0oEE8IC6TV7OP9kAdUZ0kS+iZxziRpOlH4IDg3EiK5npsFxpN
         ylZAi74FLx/FnM70nOijtdQMe04bI/4ObunyaaqYQZ8EbUoJc99hVAQRbtUkRFh40TMr
         YqXToxAmqVnhlqXIfgQHMR8GSFPMEmc6UVo16GKD7Rcf10tLV8KFbdugUO7wu1tJ9CfT
         bBeA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=NHd2H4TnN10AplOFxgwiFxU8bxIhcyBm4Mak7CGnh+c=;
        fh=H1MWokz2W5FQLz7JV/s60/lD8BJ4r978QgVHj6Ssf+Q=;
        b=WtjWYl+LK0M6WbzoiboxQ4TRswVwI3N6gNatAFDkoT87PD5VX527H7vfTgsu5k+aza
         D1wvlwDw2hdCH4EMP/X0gwsP5ou/lsuCqJeitRMrsyYe3/jw8x8xHD9DYTbd2yJfOH2P
         NuI4ftUkOkfFhhMRneYXWIRmJH5pr+Bn+xTk8x36FSrMp6XRn3PaaFkKrdFG2OcV07FZ
         obRm8TMbR4iYHbFD4pQsaEWCkXKoamkIMhbQlk58hbwQa4dVXXILMmWz7ihyY21/ngk6
         zc8/Fey4PHphn9tiG/FhJf4eQtjH1jHSSFYed3J3XUAmkkUi9PYHUIQ6gNB7qhwlofIZ
         Z7XA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Iq9asrIV;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from groat.vger.email (groat.vger.email. [23.128.96.35])
        by mx.google.com with ESMTPS id c12-20020a170902d48c00b001c62161b18esi1853434plg.580.2023.10.05.09.20.44
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 05 Oct 2023 09:20:45 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) client-ip=23.128.96.35;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Iq9asrIV;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by groat.vger.email (Postfix) with ESMTP id 70B5E80C8DE7;
	Thu,  5 Oct 2023 09:19:54 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at groat.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S240993AbjJEQRf (ORCPT <rfc822;recursive.nomad@gmail.com>
        + 99 others); Thu, 5 Oct 2023 12:17:35 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36140 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S240836AbjJEQOH (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 5 Oct 2023 12:14:07 -0400
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B6DB19033
        for <linux-kernel@vger.kernel.org>; Thu,  5 Oct 2023 07:42:31 -0700 (PDT)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 173C5C4163D;
        Thu,  5 Oct 2023 09:56:59 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1696499825;
        bh=PrIjz4gP7mh1DNNI/311t7CyHU+4imq8iF8rKwFrJvE=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=Iq9asrIVkhKRp3kH5WXH0cQIwRPvUanUsynih4KtJQ0r5sHgFsJanWSdTBM8ttHMY
         olEV3DafaVDgH5g/oL/3r+iZbkcUSTRFiuVJ/51dpxJ5ldJvV3ETmV3eENE+8CTa4r
         7QO4QC8AeceTkxGoFKQtvDVQgtdPgOv3Y5SzfBQENUtCfJbq/guDNBmBiJOmeOcLrw
         Cf/sMWSGAfYwKmIZAfYehlIUiaHy6Sen90C5Br9LRNWC1vKF0SuToenHdj/vPjGFMu
         6BouzxK0tz7And/yw24m9GdC0oX33LQwUOiZqJjwVEQSlqYjTP8OssWLeVvYMQI1fB
         fWc4WyUOKEJpw==
Date:   Thu, 5 Oct 2023 11:56:55 +0200
From:   Lorenzo Pieralisi <lpieralisi@kernel.org>
To:     Catalin Marinas <catalin.marinas@arm.com>
Cc:     Jason Gunthorpe <jgg@nvidia.com>, ankita@nvidia.com,
        maz@kernel.org, oliver.upton@linux.dev, will@kernel.org,
        aniketa@nvidia.com, cjia@nvidia.com, kwankhede@nvidia.com,
        targupta@nvidia.com, vsethi@nvidia.com, acurrid@nvidia.com,
        apopple@nvidia.com, jhubbard@nvidia.com, danw@nvidia.com,
        linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1 2/2] KVM: arm64: allow the VM to select DEVICE_* and
 NORMAL_NC for IO memory
Message-ID: <ZR6IZwcFNw55asW0@lpieralisi>
References: <20230907181459.18145-1-ankita@nvidia.com>
 <20230907181459.18145-3-ankita@nvidia.com>
 <ZP8q71+YXoU6O9uh@lpieralisi>
 <ZP9MQdRYmlawNsbC@nvidia.com>
 <ZQHUifAfJ+lZikAn@lpieralisi>
 <ZQIFfqgR5zcidRR3@nvidia.com>
 <ZRKW6uDR/+eXYMzl@lpieralisi>
 <ZRLiDf204zCpO6Mv@arm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <ZRLiDf204zCpO6Mv@arm.com>
X-Spam-Status: No, score=-1.2 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Thu, 05 Oct 2023 09:19:54 -0700 (PDT)

On Tue, Sep 26, 2023 at 02:52:13PM +0100, Catalin Marinas wrote:

[...]

> Anyway, the text looks fine to me. Thanks for putting it together
> Lorenzo.

Thanks !

> One thing not mentioned here is that pci-vfio still maps such memory as
> Device-nGnRnE in user space and relaxing this potentially creates an
> alias. But such alias is only relevant of both the VMM and the VM try to
> access the same device which I doubt is a realistic scenario.

A revised log, FWIW:

---
Currently, KVM for ARM64 maps at stage 2 memory that is
considered device (ie it is not RAM) with DEVICE_nGnRE
memory attributes; this setting overrides (as per the ARM
architecture [1]) any device MMIO mapping present at stage
1, resulting in a set-up whereby a guest operating system
can't determine device MMIO mapping memory attributes on its
own but it is always overriden by the KVM stage 2 default.

This set-up does not allow guest operating systems to select
device memory attributes on a page by page basis independently
from KVM stage-2 mappings (refer to [1], "Combining stage 1 and stage
2 memory type attributes"), which turns out to be an issue in that
guest operating systems (eg Linux) may request to map
devices MMIO regions with memory attributes that guarantee
better performance (eg gathering attribute - that for some
devices can generate larger PCIe memory writes TLPs)
and specific operations (eg unaligned transactions) such as
the NormalNC memory type.

The default device stage 2 mapping was chosen in KVM
for ARM64 since it was considered safer (ie it would
not allow guests to trigger uncontained failures
ultimately crashing the machine) but this turned out
to be imprecise.

Failures containability is a property of the platform
and is independent from the memory type used for MMIO
device memory mappings (ie DEVICE_nGnRE memory type is
even more problematic than NormalNC in terms of containability
since eg aborts triggered on loads cannot be made synchronous,
which make them harder to contain); this means that,
regardless of the combined stage1+stage2 mappings a
platform is safe if and only if device transactions cannot trigger
uncontained failures; reworded, the default KVM device
stage 2 memory attributes play no role in making device
assignment safer for a given platform and therefore can
be relaxed.

For all these reasons, relax the KVM stage 2 device
memory attributes from DEVICE_nGnRE to NormalNC.

This puts guests in control (thanks to stage1+stage2
combined memory attributes rules [1]) of device MMIO
regions memory mappings, according to the rules
described in [1] and summarized here ([(S1) - stage1],
[(S2) - stage 2]):

S1	     |  S2	     | Result
NORMAL-WB    |  NORMAL-NC    | NORMAL-NC
NORMAL-WT    |  NORMAL-NC    | NORMAL-NC
NORMAL-NC    |  NORMAL-NC    | NORMAL-NC
DEVICE<attr> |  NORMAL-NC    | DEVICE<attr>

It is worth noting that currently, to map devices MMIO space to user
space in a device pass-through use case the VFIO framework applies memory
attributes derived from pgprot_noncached() settings applied to VMAs, which
result in device-nGnRnE memory attributes for the stage-1 VMM mappings.

This means that a userspace mapping for device MMIO space carried
out with the current VFIO framework and a guest OS mapping for the same
MMIO space may result in a mismatched alias as described in [2].

Defaulting KVM device stage-2 mappings to Normal-NC attributes does not change
anything in this respect, in that the mismatched aliases would only affect
(refer to [2] for a detailed explanation) ordering between the userspace and
GuestOS mappings resulting stream of transactions (ie it does not cause loss of
property for either stream of transactions on its own), which is harmless
given that the userspace and GuestOS access to the device is carried
out through independent transactions streams.

[1] section D8.5 - DDI0487_I_a_a-profile_architecture_reference_manual.pdf
[2] section B2.8 - DDI0487_I_a_a-profile_architecture_reference_manual.pdf