Received-SPF: pass (google.com: domain of linux-kernel+bounces-107741-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249;
Date: Tue, 19 Mar 2024 15:47:56 +0000
From: Will Deacon <will@kernel.org>
To: Robin Murphy <robin.murphy@arm.com>
Cc: Tyler Hicks <code@tyhicks.com>, Jason Gunthorpe <jgg@ziepe.ca>,
	Jerry Snitselaar <jsnitsel@redhat.com>,
	linux-arm-kernel@lists.infradead.org, iommu@lists.linux.dev,
	linux-kernel@vger.kernel.org, Dexuan Cui <decui@microsoft.com>,
	Easwar Hariharan <eahariha@linux.microsoft.com>
Subject: Re: Why is the ARM SMMU v1/v2 put into bypass mode on kexec?
Message-ID: <20240319154756.GB2901@willie-the-truck>
References: <ZfKsAIt8RY/JcL/V@sequoia>
 <ZfNKv70oqqwMwIeS@sequoia>
 <120d0dec-450f-41f8-9e05-fd763e84f6dd@arm.com>
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <120d0dec-450f-41f8-9e05-fd763e84f6dd@arm.com>
User-Agent: Mutt/1.10.1 (2018-07-13)

On Tue, Mar 19, 2024 at 12:57:52PM +0000, Robin Murphy wrote:
> On 2024-03-14 7:06 pm, Tyler Hicks wrote:
> > On 2024-03-14 09:55:46, Tyler Hicks wrote:
> > > Given that drivers are only optionally asked to implement the .shutdown
> > > hook, which is required to properly quiesce devices before a kexec, why
> > > is it that we put the ARM SMMU v1/v2 into bypass mode in the arm-smmu
> > > driver's own .shutdown hook?
> > > 
> > >   arm_smmu_device_shutdown() -> set SMMU_sCR0.CLIENTPD bit to 1
> > > 
> > > Driver authors often forget to even implement a .shutdown hook, which
> > > results in some hard-to-debug memory corruption issues in the kexec'ed
> > > target kernel due to pending DMA operations happening on untranslated
> > > addresses. Why not leave the SMMU in translate mode but clear the stream
> > > mapping table (or maybe even call arm_smmu_device_reset()) in the SMMU's
> > > .shutdown hook to prevent the memory corruption from happening in the
> > > first place?
> > > 
> > > Fully acknowledging that the proper fix is to quiesce the devices, I
> > > feel like resetting the SMMU and leaving it in translate mode across
> > > kexec would be more consistent with the intent behind v5.2 commit
> > > 954a03be033c ("iommu/arm-smmu: Break insecure users by disabling bypass
> > > by default"). The incoming transactions of devices, that weren't
> > > properly quiesced during a kexec, would be blocked until their drivers
> > > have a chance to reinitialize the devices in the new kernel.
> > > 
> > > I appreciate any help understanding why bypass mode is utilized here as
> > > I'm sure there are nuances that I haven't considered. Thank you!
> > 
> > I now see that Will has previously mentioned that he'd be open to such a
> > change:
> > 
> >   One thing I would be in favour of is changing the ->shutdown() code to
> >   honour disable_bypass=1 so that we put the SMMU in an aborting state
> >   instead of passthrough. Would that help at all? It would at least
> >   avoid the memory corruption on missing shutdown callback.
> > 
> >   - https://lore.kernel.org/linux-arm-kernel/20200608113852.GA3108@willie-the-truck/
> > 
> > Robin mentions the need to support kexec into a non-SMMU-aware OS. I
> > hadn't considered that bit of complexity:
> > 
> >   ... consider if the first kernel *did* leave it enabled with whatever
> >   left-over translations in place, and kexec'ed into another OS that
> >   wasn't SMMU-aware...
> > 
> >   - https://lore.kernel.org/linux-arm-kernel/e072f61a-d6cf-2e34-efd5-c1db38c5c622@arm.com/
> > 
> > Now that we're 3-4 years removed from that conversation, has anything
> > changed? Will, is there anything we'd need to watch out for if we were
> > to prototype this sort of change? For example, would it be wise to
> > disable fault interrupts when putting the SMMU in an aborting state
> > before kexec'ing?

I've grown older and wiser in those four years and no longer think that's
a good idea :) Well, older maybe, but the reality is that the code around
the driver has evolved and 'disable_bypass' is even more of a hack now
than it used to be.

> Fundamentally, we expect the SMMU to be disabled at initial boot, so per the
> intent of kexec we put it back in that state. That also seems the most
> likely expectation of anything we could kexec into, given that it is the
> natural state of an untouched SMMU after a hard reset, and thus comes out as
> the least-worst option.

Heh, that sounded too good to be true when I read it so I went and looked at
the code:

SMMUv3: arm_smmu_device_shutdown() -> clears CR0 but doesn't touch GBPA
SMMUv2: arm_smmu_device_shutdown() -> writes CLIENTPD to CR0

So it's a bit of a muddle afaict; SMMUv2 explicitly goes into bypass
whereas SMMUv3 probably does honour disable_bypass=false! Did I miss
something?

As discussed elsewhere, if we remove disable_bypass from SMMUv3, then
we should be able to be consistent here. The question is, what's the
right behaviour?

> Beyond properly quiescing and resetting the system back to a boot-time
> state, the outgoing kernel in a kexec can only really do things which affect
> itself. Sure, we *could* configure the SMMU to block all traffic and disable
> the interrupt to avoid getting stuck in a storm of faults on the way out,
> but what does that mean for the incoming kexec payload? That it can have the
> pleasure of discovering the SMMU, innocently enabling the interrupt and
> getting stuck in an unexpected storm of faults. Or perhaps just resetting
> the SMMU into a disabled state and thus still unwittingly allowing its
> memory to be corrupted by the previous kernel not supporting kexec properly.

Right, it's hard to win if DMA-active devices weren't quiesced properly
by the outgoing kernel. Either the SMMU was left in abort (leading to the
problems you list above) or the SMMU is left in bypass (leading to possible
data corruption). Which is better?

The best solution is obviously to implement those missing ->shutdown()
callbacks.

Will