Received: by 2002:a05:7412:b10a:b0:f3:1519:9f41 with SMTP id az10csp2610666rdb; Mon, 4 Dec 2023 02:28:32 -0800 (PST) X-Google-Smtp-Source: AGHT+IE5tQdws/1vp0zPYWbScBYY7coco98Ic0ysHhbuyYJjc8jTi7f8ge8+13sx0pLbWqClzpLp X-Received: by 2002:a05:6a00:398f:b0:6ce:2732:572 with SMTP id fi15-20020a056a00398f00b006ce27320572mr4088123pfb.35.1701685712199; Mon, 04 Dec 2023 02:28:32 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1701685712; cv=none; d=google.com; s=arc-20160816; b=Td3U5aoSPMVjzmUArGtUSmiCyC158zYIJg1EqQFQI2XPm9SDwwV5cYeXd6FDQrZO3w v+8GWcdDbAEMAdrIItqesZoDbYmvvdcVJ3t2UIASaRRUiJDXqO7tKAlJxkvgdtZCzn+M /oqXBD0YwjSb3e1X3VW8WeEV02PzTcM36mq/VMUn7N9VeDi+DsR9+OQH77zPanbLIanH h7HXXmk+ep0++uEwvPhQTQ0rZOBp3J34mg6f43ufwvCyvfX9Et/Xgwby795trHwsHw3v S93JEWFhSHCa8Gj19fNRQJvkKEtfZe0XwN4ehHP91km/7PgMPFzPVx5hrqbIH3OrSAhR NOJg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=9Xm7HNFkq0+Qbd6Uu1gKkNyeDxPZw3eWj43IaSy+UC4=; fh=NhMln7+vDj/rQn6yuy06xQVEG+KG3GZJgC64B3FjyW0=; b=YHcQCzheQ+8AtxAB4TPScTkwzgnNBuXDnk8gsZz54NPKBTIDRX4pcLpngcyC7bNHVc oJ9tpcTlhq1AUFPZ37ZCDNnE8MCJrnCGurwOq7DEctg2I9IrccihbI6g6Y+UfvqGLtU8 Y+wCFHriLsFQ+h+wHtw4GrOt1R5hMIu90x85XGk3G/lYsjCdJKnA74qI2DPsMX7SurJt r4qZuipH5hbyCU+jZLCduL/UXqhOkPw4F5XCMKuV5VPM9x4D0gbHWQExlz7Yce7hN94+ Yyc+huFR/3xPNn2/MmZx3JpcsqSp8dSpO/BHNkBLPq5bR8mDWLPmEJpdQvtjLkdW4v2K ZYdA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@citrix.com header.s=google header.b=p+Cl6CQ7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=citrix.com Return-Path: Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3]) by mx.google.com with ESMTPS id h18-20020a056a00231200b0069347c30c78si7731022pfh.230.2023.12.04.02.28.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 Dec 2023 02:28:32 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3; Authentication-Results: mx.google.com; dkim=pass header.i=@citrix.com header.s=google header.b=p+Cl6CQ7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=citrix.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id 56CDF80615C2; Mon, 4 Dec 2023 02:28:29 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229789AbjLDK2E (ORCPT + 99 others); Mon, 4 Dec 2023 05:28:04 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51514 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229532AbjLDK2D (ORCPT ); Mon, 4 Dec 2023 05:28:03 -0500 Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com [IPv6:2a00:1450:4864:20::330]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5B942B9 for ; Mon, 4 Dec 2023 02:28:08 -0800 (PST) Received: by mail-wm1-x330.google.com with SMTP id 5b1f17b1804b1-40c0a03eb87so10692405e9.3 for ; Mon, 04 Dec 2023 02:28:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=citrix.com; s=google; t=1701685687; x=1702290487; darn=vger.kernel.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=9Xm7HNFkq0+Qbd6Uu1gKkNyeDxPZw3eWj43IaSy+UC4=; b=p+Cl6CQ78cBbuNn5og6nWCY9dDrOpH/9bgWAX6x2m7qIZO88irwClp4onv7dBzSLPA myD+9ULM3THU6QYkpi/qECknZLbM3a6Ey7nkIi5Jqh00a4QhtzF4vrUJzC3a+D7aemkK fKqNY1a/Vqi7ywR32Avd8Il98AGKgLmVRmMDc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701685687; x=1702290487; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=9Xm7HNFkq0+Qbd6Uu1gKkNyeDxPZw3eWj43IaSy+UC4=; b=xEA3JKVB5ITlkv5QKL0NFdW938978HBdiN4BohB/ovPukUFBr3PdEZxt8VbtbaIx70 X4NxmqN/26Z4BXsifomKi4/MMTxnJ1dxshMNTJRpMZLbUyOwxTE2O4DNYHAndZwYwvV4 PAsnfSUqgjZqkeY6o/ZLK2odmed56MHk1iXE0mjscx58ScJEoMeO3UVQEII2WusL4AkQ yRF67+MjS9TIuNwuYw7vS17ENgqQodHZ8Jaj1q6rVsj4UHVml0sI9nCkIhQFhePyQsth nXt5jbSzWKseXbI00CKDrlyyEbDxek4PM8n/5XRBGgpKa4fMw7QsdKbSkI7Etq3a5Voc NcnQ== X-Gm-Message-State: AOJu0YzUx2KG9BeP5hCMxps6tlG1fcqLEVCl+3CC/WNlFZwx1rI0Ewxx ZlxRfU/4hmctyB6GRd/n6kPS9g== X-Received: by 2002:a05:600c:3d09:b0:40c:6bf:bdff with SMTP id bh9-20020a05600c3d0900b0040c06bfbdffmr879047wmb.355.1701685686722; Mon, 04 Dec 2023 02:28:06 -0800 (PST) Received: from localhost ([213.195.113.99]) by smtp.gmail.com with ESMTPSA id r21-20020a05600c35d500b0040b3e79bad3sm14462375wmq.40.2023.12.04.02.28.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 Dec 2023 02:28:06 -0800 (PST) Date: Mon, 4 Dec 2023 11:28:05 +0100 From: Roger Pau =?utf-8?B?TW9ubsOp?= To: Stefano Stabellini Cc: Jiqian Chen , Juergen Gross , Oleksandr Tyshchenko , Thomas Gleixner , Boris Ostrovsky , "Rafael J . Wysocki" , Len Brown , Bjorn Helgaas , xen-devel@lists.xenproject.org, linux-kernel@vger.kernel.org, linux-acpi@vger.kernel.org, Stefano Stabellini , Alex Deucher , Christian Koenig , Stewart Hildebrand , Xenia Ragiadakou , Honglei Huang , Julia Zhang , Huang Rui Subject: Re: [RFC KERNEL PATCH v2 2/3] xen/pvh: Unmask irq for passthrough device in PVH dom0 Message-ID: References: <20231124103123.3263471-1-Jiqian.Chen@amd.com> <20231124103123.3263471-3-Jiqian.Chen@amd.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Mon, 04 Dec 2023 02:28:29 -0800 (PST) On Fri, Dec 01, 2023 at 07:37:55PM -0800, Stefano Stabellini wrote: > On Fri, 1 Dec 2023, Roger Pau Monné wrote: > > On Thu, Nov 30, 2023 at 07:15:17PM -0800, Stefano Stabellini wrote: > > > On Thu, 30 Nov 2023, Roger Pau Monné wrote: > > > > On Wed, Nov 29, 2023 at 07:53:59PM -0800, Stefano Stabellini wrote: > > > > > On Fri, 24 Nov 2023, Jiqian Chen wrote: > > > > > > This patch is to solve two problems we encountered when we try to > > > > > > passthrough a device to hvm domU base on Xen PVH dom0. > > > > > > > > > > > > First, hvm guest will alloc a pirq and irq for a passthrough device > > > > > > by using gsi, before that, the gsi must first has a mapping in dom0, > > > > > > see Xen code pci_add_dm_done->xc_domain_irq_permission, it will call > > > > > > into Xen and check whether dom0 has the mapping. See > > > > > > XEN_DOMCTL_irq_permission->pirq_access_permitted, "current" is PVH > > > > > > dom0 and it return irq is 0, and then return -EPERM. > > > > > > This is because the passthrough device doesn't do PHYSDEVOP_map_pirq > > > > > > when thay are enabled. > > > > > > > > > > > > Second, in PVH dom0, the gsi of a passthrough device doesn't get > > > > > > registered, but gsi must be configured for it to be able to be > > > > > > mapped into a domU. > > > > > > > > > > > > After searching codes, we can find map_pirq and register_gsi will be > > > > > > done in function vioapic_write_redirent->vioapic_hwdom_map_gsi when > > > > > > the gsi(aka ioapic's pin) is unmasked in PVH dom0. So the problems > > > > > > can be conclude to that the gsi of a passthrough device doesn't be > > > > > > unmasked. > > > > > > > > > > > > To solve the unmaske problem, this patch call the unmask_irq when we > > > > > > assign a device to be passthrough. So that the gsi can get registered > > > > > > and mapped in PVH dom0. > > > > > > > > > > > > > > > Roger, this seems to be more of a Xen issue than a Linux issue. Why do > > > > > we need the unmask check in Xen? Couldn't we just do: > > > > > > > > > > > > > > > diff --git a/xen/arch/x86/hvm/vioapic.c b/xen/arch/x86/hvm/vioapic.c > > > > > index 4e40d3609a..df262a4a18 100644 > > > > > --- a/xen/arch/x86/hvm/vioapic.c > > > > > +++ b/xen/arch/x86/hvm/vioapic.c > > > > > @@ -287,7 +287,7 @@ static void vioapic_write_redirent( > > > > > hvm_dpci_eoi(d, gsi); > > > > > } > > > > > > > > > > - if ( is_hardware_domain(d) && unmasked ) > > > > > + if ( is_hardware_domain(d) ) > > > > > { > > > > > /* > > > > > * NB: don't call vioapic_hwdom_map_gsi while holding hvm.irq_lock > > > > > > > > There are some issues with this approach. > > > > > > > > mp_register_gsi() will only setup the trigger and polarity of the > > > > IO-APIC pin once, so we do so once the guest unmask the pin in order > > > > to assert that the configuration is the intended one. A guest is > > > > allowed to write all kind of nonsense stuff to the IO-APIC RTE, but > > > > that doesn't take effect unless the pin is unmasked. > > > > > > > > Overall the question would be whether we have any guarantees that > > > > the hardware domain has properly configured the pin, even if it's not > > > > using it itself (as it hasn't been unmasked). > > > > > > > > IIRC PCI legacy interrupts are level triggered and low polarity, so we > > > > could configure any pins that are not setup at bind time? > > > > > > That could work. > > > > > > Another idea is to move only the call to allocate_and_map_gsi_pirq at > > > bind time? That might be enough to pass a pirq_access_permitted check. > > > > Maybe, albeit that would change the behavior of XEN_DOMCTL_bind_pt_irq > > just for PT_IRQ_TYPE_PCI and only when called from a PVH dom0 (as the > > parameter would be a GSI instead of a previously mapped IRQ). Such > > difference just for PT_IRQ_TYPE_PCI is slightly weird - if we go that > > route I would recommend that we instead introduce a new dmop that has > > this syntax regardless of the domain type it's called from. > > Looking at the code it is certainly a bit confusing. My point was that > we don't need to wait until polarity and trigger are set appropriately > to allow Dom0 to pass successfully a pirq_access_permitted() check. Xen > should be able to figure out that Dom0 is permitted pirq access. The logic is certainly not straightforward, and it could benefit from some comments. The irq permissions are a bit special, in that they get setup when the IRQ is mapped. The problem however is not so much with IRQ permissions, that we can indeed sort out internally in Xen. Such check in dom0 has the side effect of preventing the IRQ from being assigned to a domU without the hardware source being properly configured AFAICT. > > So the idea was to move the call to allocate_and_map_gsi_pirq() earlier > somewhere because allocate_and_map_gsi_pirq doesn't require trigger or > polarity to be configured to work. But the suggestion of doing it a > "bind time" (meaning: XEN_DOMCTL_bind_pt_irq) was a bad idea. > > But maybe we can find another location, maybe within > xen/arch/x86/hvm/vioapic.c, to call allocate_and_map_gsi_pirq() before > trigger and polarity are set and before the interrupt is unmasked. > > Then we change the implementation of vioapic_hwdom_map_gsi to skip the > call to allocate_and_map_gsi_pirq, because by the time > vioapic_hwdom_map_gsi we assume that allocate_and_map_gsi_pirq had > already been done. But then we would end up in a situation where the pirq_access_permitted() check will pass, but the IO-APIC pin won't be configured, which I think it's not what we want. One option would be to allow mp_register_gsi() to be called multiple times, and update the IO-APIC pin configuration as long as the pin is not unmasked. That would propagate each dom0 RTE update to the underlying IO-APIC. However such approach relies on dom0 configuring all possible IO-APIC pins, even if no device on dom0 is using them, I think it's not a very reliable option. Another option would be to modify the toolstack to setup the GSI itself using the PHYSDEVOP_setup_gsi hypercall. As said in a previous email, since we only care about PCI device passthrough the legacy INTx should always be level triggered and low polarity. > I am not familiar with vioapic.c but to give you an idea of what I was > thinking: > > > diff --git a/xen/arch/x86/hvm/vioapic.c b/xen/arch/x86/hvm/vioapic.c > index 4e40d3609a..16d56fe851 100644 > --- a/xen/arch/x86/hvm/vioapic.c > +++ b/xen/arch/x86/hvm/vioapic.c > @@ -189,14 +189,6 @@ static int vioapic_hwdom_map_gsi(unsigned int gsi, unsigned int trig, > return ret; > } > > - ret = allocate_and_map_gsi_pirq(currd, pirq, &pirq); > - if ( ret ) > - { > - gprintk(XENLOG_WARNING, "vioapic: error mapping GSI %u: %d\n", > - gsi, ret); > - return ret; > - } > - > pcidevs_lock(); > ret = pt_irq_create_bind(currd, &pt_irq_bind); > if ( ret ) > @@ -287,6 +279,17 @@ static void vioapic_write_redirent( > hvm_dpci_eoi(d, gsi); > } > > + if ( is_hardware_domain(d) ) > + { > + int pirq = gsi, ret; > + ret = allocate_and_map_gsi_pirq(currd, pirq, &pirq); > + if ( ret ) > + { > + gprintk(XENLOG_WARNING, "vioapic: error mapping GSI %u: %d\n", > + gsi, ret); > + return ret; > + } > + } > if ( is_hardware_domain(d) && unmasked ) > { > /* As said above, such approach relies on dom0 writing to the IO-APIC RTE of likely each IO-APIC pin, which is IMO not quite reliable. In there are two different issues here that need to be fixed for PVH dom0: - Fix the XEN_DOMCTL_irq_permission pirq_access_permitted() call to succeed for a PVH dom0, even if dom0 is not using the GSI itself. - Configure IO-APIC pins for PCI interrupts even if dom0 is not using the IO-APIC pin itself. First one needs to be fixed internally in Xen, second one will require the toolstack to issue an extra hypercall in order to ensure the IO-APIC pin is properly configured. Thanks, Roger.