Received: by 2002:ab2:620c:0:b0:1ef:ffd0:ce49 with SMTP id o12csp961160lqt; Tue, 19 Mar 2024 08:48:10 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVKzyYncHxXp5M+wa+8f7mHas3vVj5XlP7b8oYPwpD9hVcYdZh2D4bCOwuI3zucgoNlDbCh2o2nI5F+QmxFnBok9YHL/LoOmKDoXu53Lg== X-Google-Smtp-Source: AGHT+IH6UOaqRNu/0S6AY9C0KmtBZg1m1jaKipvQf/6w97i9MZ2aRvhZCkiRduVt75HFQFnWdxJp X-Received: by 2002:a05:6512:3d91:b0:513:c607:7a9b with SMTP id k17-20020a0565123d9100b00513c6077a9bmr12873636lfv.41.1710863290250; Tue, 19 Mar 2024 08:48:10 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1710863290; cv=pass; d=google.com; s=arc-20160816; b=tbO+kZaAaVfLMac1GSEPzsYscyx6unieFdQCpBxg4oTMT/s3LjP4tCXfs3EdwO6qWm Nmg8vNecZ8S1bHpofPT9tIel1zhQGRWaywoJXd7sz9COSzCc5urX4QjGUlGOEPMWKYBq QVkJo2v1GZzN3L63i04yEyfalupoFzOjDDZlmOnXaiYeUZaUf9XVvxFnWNrGo7jx7fPV RzUtslGVdiZ2xT+kt5a3Jws/Z5zsVsWuobXmKe/GK6EWvt75tSrqE2m03JqFiTS46le1 2SHTTpMko6+ERa4OKDTF+J/Lxa6yPSpi02DKRwk6iofk5Zu7Bcb2x3vOzCP4hzzoZVBI wBrQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=user-agent:in-reply-to:content-disposition:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:references :message-id:subject:cc:to:from:date:dkim-signature; bh=ZHvFaO8oepOw7fVH8xnKb8FzWQkSScznOitwgsvRmYY=; fh=pH+hQ8anWrmvuXP6GncRbsmC2YXyivGNN4AGgFP8WTg=; b=twrHo2IWh0mn/11DLvKmIUqT2OuD8S+8yDEGSRu/jBNgHoC6x4LCCMWV7oFVw2/I0N 1hYPUtNxJXFMsOcfp17IiWzxJwkBXtpR1sGgSGO0bG6J7bhjdctQlrjGNdpRlsxt6wxj ig97/C8iENnPD8E0rjkNXvDDKxOdULScb5qLgi4L6Ogue5SnZFSVq9AI9IifoZ5s5190 R6zN6Y7GzRMP9Q3w/oVMwdTM+vbrAIce8GovCh7TLmxwgttNwCvLO5wXa7dIh0PaSjZR ybIWWk3/aV1rRGn8fPANi+DCC1gzuzhJOvIibrC6fks8VsOQtY2lTnZZQ66FAMRx2KEd zKmQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=VsE+Dgj7; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-107741-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-107741-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id f23-20020a50d557000000b00568c15ec111si3346272edj.525.2024.03.19.08.48.10 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 19 Mar 2024 08:48:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-107741-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=VsE+Dgj7; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-107741-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-107741-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id F189C1F22A24 for ; Tue, 19 Mar 2024 15:48:09 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 4B7B27FBAE; Tue, 19 Mar 2024 15:48:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="VsE+Dgj7" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5FF22657D3; Tue, 19 Mar 2024 15:48:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1710863282; cv=none; b=tu3JzoEpH8Rmus7298Via0HcFc8WBO6lUTS3RPqepvjcUEc8AnDDj9G44xTfySn59O2E0Pdt7Oa5j1wdOqmy8RxMa133z/AnIPbWhHqPIStvKdg4TOQPB/tuiXQFR06grCuC5/gqzgXPm7VbkiEf5ipsWkqu2Fk/mX4bAtJPN0k= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1710863282; c=relaxed/simple; bh=eHlATGPtHi4Dvca5jjoXEJntrvdbTpLgFF3K6HWMAzY=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=ndYwGMDp0HzAOTnFpzCckyNv8OewHm0DM3Cw9KaLQTqzqYZ27DEUV5CtfX4mEBZF8wutRC0Pr6D5xqpfO8AK/MQ7RsCo2gjf3MIgjOI19ZOEIdvWT2d+OBGUX5Z6Czmg8b5GflO6W7kUzHIZtfMKpD22gCucfU955m7P4PRKqdY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=VsE+Dgj7; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 11012C433F1; Tue, 19 Mar 2024 15:47:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1710863281; bh=eHlATGPtHi4Dvca5jjoXEJntrvdbTpLgFF3K6HWMAzY=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=VsE+Dgj7KK5X9edOigr2E9e0soVH+z1IP9FfEPEuF2WC5aZzxXt8QUODUToTIwdWA TSPeAV/m5dgZiwVBZy90MnQQ2RNSdiLA9yaPtSRLQQzU/AEWAjcxcwKcbbDoyGTlZK GlXC/lllWrTuWCvXbilzgE3r129QA0y2Ob7DGXN6uNylVU3NeQXDJG0X0KfRK+QUb6 aMnjD5FMNGWA6xhWtzJTEi1l6tzWDhvUgfNzAuh8dwlu7zkFCLYRQxJgBxm+aQSzgZ M+2Zsx5jNwi40c3wns11IgtOBLZK93TYDsR5ys30AHgc6wbRIscvljvw1d+riJF9Kh oCF7zuBJr3/Yw== Date: Tue, 19 Mar 2024 15:47:56 +0000 From: Will Deacon To: Robin Murphy Cc: Tyler Hicks , Jason Gunthorpe , Jerry Snitselaar , linux-arm-kernel@lists.infradead.org, iommu@lists.linux.dev, linux-kernel@vger.kernel.org, Dexuan Cui , Easwar Hariharan Subject: Re: Why is the ARM SMMU v1/v2 put into bypass mode on kexec? Message-ID: <20240319154756.GB2901@willie-the-truck> References: <120d0dec-450f-41f8-9e05-fd763e84f6dd@arm.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <120d0dec-450f-41f8-9e05-fd763e84f6dd@arm.com> User-Agent: Mutt/1.10.1 (2018-07-13) On Tue, Mar 19, 2024 at 12:57:52PM +0000, Robin Murphy wrote: > On 2024-03-14 7:06 pm, Tyler Hicks wrote: > > On 2024-03-14 09:55:46, Tyler Hicks wrote: > > > Given that drivers are only optionally asked to implement the .shutdown > > > hook, which is required to properly quiesce devices before a kexec, why > > > is it that we put the ARM SMMU v1/v2 into bypass mode in the arm-smmu > > > driver's own .shutdown hook? > > > > > > arm_smmu_device_shutdown() -> set SMMU_sCR0.CLIENTPD bit to 1 > > > > > > Driver authors often forget to even implement a .shutdown hook, which > > > results in some hard-to-debug memory corruption issues in the kexec'ed > > > target kernel due to pending DMA operations happening on untranslated > > > addresses. Why not leave the SMMU in translate mode but clear the stream > > > mapping table (or maybe even call arm_smmu_device_reset()) in the SMMU's > > > .shutdown hook to prevent the memory corruption from happening in the > > > first place? > > > > > > Fully acknowledging that the proper fix is to quiesce the devices, I > > > feel like resetting the SMMU and leaving it in translate mode across > > > kexec would be more consistent with the intent behind v5.2 commit > > > 954a03be033c ("iommu/arm-smmu: Break insecure users by disabling bypass > > > by default"). The incoming transactions of devices, that weren't > > > properly quiesced during a kexec, would be blocked until their drivers > > > have a chance to reinitialize the devices in the new kernel. > > > > > > I appreciate any help understanding why bypass mode is utilized here as > > > I'm sure there are nuances that I haven't considered. Thank you! > > > > I now see that Will has previously mentioned that he'd be open to such a > > change: > > > > One thing I would be in favour of is changing the ->shutdown() code to > > honour disable_bypass=1 so that we put the SMMU in an aborting state > > instead of passthrough. Would that help at all? It would at least > > avoid the memory corruption on missing shutdown callback. > > > > - https://lore.kernel.org/linux-arm-kernel/20200608113852.GA3108@willie-the-truck/ > > > > Robin mentions the need to support kexec into a non-SMMU-aware OS. I > > hadn't considered that bit of complexity: > > > > ... consider if the first kernel *did* leave it enabled with whatever > > left-over translations in place, and kexec'ed into another OS that > > wasn't SMMU-aware... > > > > - https://lore.kernel.org/linux-arm-kernel/e072f61a-d6cf-2e34-efd5-c1db38c5c622@arm.com/ > > > > Now that we're 3-4 years removed from that conversation, has anything > > changed? Will, is there anything we'd need to watch out for if we were > > to prototype this sort of change? For example, would it be wise to > > disable fault interrupts when putting the SMMU in an aborting state > > before kexec'ing? I've grown older and wiser in those four years and no longer think that's a good idea :) Well, older maybe, but the reality is that the code around the driver has evolved and 'disable_bypass' is even more of a hack now than it used to be. > Fundamentally, we expect the SMMU to be disabled at initial boot, so per the > intent of kexec we put it back in that state. That also seems the most > likely expectation of anything we could kexec into, given that it is the > natural state of an untouched SMMU after a hard reset, and thus comes out as > the least-worst option. Heh, that sounded too good to be true when I read it so I went and looked at the code: SMMUv3: arm_smmu_device_shutdown() -> clears CR0 but doesn't touch GBPA SMMUv2: arm_smmu_device_shutdown() -> writes CLIENTPD to CR0 So it's a bit of a muddle afaict; SMMUv2 explicitly goes into bypass whereas SMMUv3 probably does honour disable_bypass=false! Did I miss something? As discussed elsewhere, if we remove disable_bypass from SMMUv3, then we should be able to be consistent here. The question is, what's the right behaviour? > Beyond properly quiescing and resetting the system back to a boot-time > state, the outgoing kernel in a kexec can only really do things which affect > itself. Sure, we *could* configure the SMMU to block all traffic and disable > the interrupt to avoid getting stuck in a storm of faults on the way out, > but what does that mean for the incoming kexec payload? That it can have the > pleasure of discovering the SMMU, innocently enabling the interrupt and > getting stuck in an unexpected storm of faults. Or perhaps just resetting > the SMMU into a disabled state and thus still unwittingly allowing its > memory to be corrupted by the previous kernel not supporting kexec properly. Right, it's hard to win if DMA-active devices weren't quiesced properly by the outgoing kernel. Either the SMMU was left in abort (leading to the problems you list above) or the SMMU is left in bypass (leading to possible data corruption). Which is better? The best solution is obviously to implement those missing ->shutdown() callbacks. Will