[v6,01/11] iommu: Add dma ownership management interfaces

Message ID	20220218005521.172832-2-baolu.lu@linux.intel.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <kvm-owner@kernel.org> From: Lu Baolu <baolu.lu@linux.intel.com> To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Joerg Roedel <joro@8bytes.org>, Alex Williamson <alex.williamson@redhat.com>, Bjorn Helgaas <bhelgaas@google.com>, Jason Gunthorpe <jgg@nvidia.com>, Christoph Hellwig <hch@infradead.org>, Kevin Tian <kevin.tian@intel.com>, Ashok Raj <ashok.raj@intel.com> Cc: Will Deacon <will@kernel.org>, Robin Murphy <robin.murphy@arm.com>, Dan Williams <dan.j.williams@intel.com>, rafael@kernel.org, Diana Craciun <diana.craciun@oss.nxp.com>, Cornelia Huck <cohuck@redhat.com>, Eric Auger <eric.auger@redhat.com>, Liu Yi L <yi.l.liu@intel.com>, Jacob jun Pan <jacob.jun.pan@intel.com>, Chaitanya Kulkarni <kch@nvidia.com>, Stuart Yoder <stuyoder@gmail.com>, Laurentiu Tudor <laurentiu.tudor@nxp.com>, Thierry Reding <thierry.reding@gmail.com>, David Airlie <airlied@linux.ie>, Daniel Vetter <daniel@ffwll.ch>, Jonathan Hunter <jonathanh@nvidia.com>, Li Yang <leoyang.li@nxp.com>, Dmitry Osipenko <digetx@gmail.com>, iommu@lists.linux-foundation.org, linux-pci@vger.kernel.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Lu Baolu <baolu.lu@linux.intel.com> Subject: [PATCH v6 01/11] iommu: Add dma ownership management interfaces Date: Fri, 18 Feb 2022 08:55:11 +0800 Message-Id: <20220218005521.172832-2-baolu.lu@linux.intel.com> In-Reply-To: <20220218005521.172832-1-baolu.lu@linux.intel.com> References: <20220218005521.172832-1-baolu.lu@linux.intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	Fix BUG_ON in vfio_iommu_group_notifier() \| expand [v6,00/11] Fix BUG_ON in vfio_iommu_group_notifier() [v6,01/11] iommu: Add dma ownership management interfaces [v6,02/11] driver core: Add dma_cleanup callback in bus_type [v6,03/11] amba: Stop sharing platform_dma_configure() [v6,04/11] bus: platform,amba,fsl-mc,PCI: Add device DMA ownership management [v6,05/11] PCI: pci_stub: Set driver_managed_dma [v6,06/11] PCI: portdrv: Set driver_managed_dma [v6,07/11] vfio: Set DMA ownership for VFIO devices [v6,08/11] vfio: Remove use of vfio_group_viable() [v6,09/11] vfio: Delete the unbound_list [v6,10/11] vfio: Remove iommu group notifier [v6,11/11] iommu: Remove iommu group changes notifier

Baolu Lu Feb. 18, 2022, 12:55 a.m. UTC

Multiple devices may be placed in the same IOMMU group because they
cannot be isolated from each other. These devices must either be
entirely under kernel control or userspace control, never a mixture.

This adds dma ownership management in iommu core and exposes several
interfaces for the device drivers and the device userspace assignment
framework (i.e. VFIO), so that any conflict between user and kernel
controlled dma could be detected at the beginning.

The device driver oriented interfaces are,

	int iommu_device_use_default_domain(struct device *dev);
	void iommu_device_unuse_default_domain(struct device *dev);

By calling iommu_device_use_default_domain(), the device driver tells
the iommu layer that the device dma is handled through the kernel DMA
APIs. The iommu layer will manage the IOVA and use the default domain
for DMA address translation.

The device user-space assignment framework oriented interfaces are,

	int iommu_group_claim_dma_owner(struct iommu_group *group,
					void *owner);
	void iommu_group_release_dma_owner(struct iommu_group *group);
	bool iommu_group_dma_owner_claimed(struct iommu_group *group);

The device userspace assignment must be disallowed if the DMA owner
claiming interface returns failure.

Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
---
 include/linux/iommu.h |  31 +++++++++
 drivers/iommu/iommu.c | 158 +++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 186 insertions(+), 3 deletions(-)

Christoph Hellwig Feb. 19, 2022, 7:31 a.m. UTC | #1

The overall API and patch looks fine, but:

> + * iommu_group_dma_owner_claimed() - Query group dma ownership status
> + * @group: The group.
> + *
> + * This provides status query on a given group. It is racey and only for
> + * non-binding status reporting.

s/racey/racy/

> + */
> +bool iommu_group_dma_owner_claimed(struct iommu_group *group)
> +{
> +	unsigned int user;
> +
> +	mutex_lock(&group->mutex);
> +	user = group->owner_cnt;
> +	mutex_unlock(&group->mutex);
> +
> +	return user;
> +}
> +EXPORT_SYMBOL_GPL(iommu_group_dma_owner_claimed);

Still no no need for the lock here.

Baolu Lu Feb. 21, 2022, 4:02 a.m. UTC | #2

On 2/19/22 3:31 PM, Christoph Hellwig wrote:
> The overall API and patch looks fine, but:
> 
>> + * iommu_group_dma_owner_claimed() - Query group dma ownership status
>> + * @group: The group.
>> + *
>> + * This provides status query on a given group. It is racey and only for
>> + * non-binding status reporting.
> 
> s/racey/racy/

Yes.

> 
>> + */
>> +bool iommu_group_dma_owner_claimed(struct iommu_group *group)
>> +{
>> +	unsigned int user;
>> +
>> +	mutex_lock(&group->mutex);
>> +	user = group->owner_cnt;
>> +	mutex_unlock(&group->mutex);
>> +
>> +	return user;
>> +}
>> +EXPORT_SYMBOL_GPL(iommu_group_dma_owner_claimed);
> 
> Still no no need for the lock here.

We've discussed this before. I tend to think that is right.

We don't lose anything with this lock held and it also follows the rule
that all accesses to the internal group structure must be done with the
group->mutex held.

Best regards,
baolu

Robin Murphy Feb. 23, 2022, 6 p.m. UTC | #3

On 2022-02-18 00:55, Lu Baolu wrote:
[...]
> +/**
> + * iommu_group_claim_dma_owner() - Set DMA ownership of a group
> + * @group: The group.
> + * @owner: Caller specified pointer. Used for exclusive ownership.
> + *
> + * This is to support backward compatibility for vfio which manages
> + * the dma ownership in iommu_group level. New invocations on this
> + * interface should be prohibited.
> + */
> +int iommu_group_claim_dma_owner(struct iommu_group *group, void *owner)
> +{
> +	int ret = 0;
> +
> +	mutex_lock(&group->mutex);
> +	if (group->owner_cnt) {

To clarify the comment buried in the other thread, I really think we 
should just unconditionally flag the error here...

> +		if (group->owner != owner) {
> +			ret = -EPERM;
> +			goto unlock_out;
> +		}
> +	} else {
> +		if (group->domain && group->domain != group->default_domain) {
> +			ret = -EBUSY;
> +			goto unlock_out;
> +		}
> +
> +		group->owner = owner;
> +		if (group->domain)
> +			__iommu_detach_group(group->domain, group);
> +	}
> +
> +	group->owner_cnt++;
> +unlock_out:
> +	mutex_unlock(&group->mutex);
> +
> +	return ret;
> +}
> +EXPORT_SYMBOL_GPL(iommu_group_claim_dma_owner);
> +
> +/**
> + * iommu_group_release_dma_owner() - Release DMA ownership of a group
> + * @group: The group.
> + *
> + * Release the DMA ownership claimed by iommu_group_claim_dma_owner().
> + */
> +void iommu_group_release_dma_owner(struct iommu_group *group)
> +{
> +	mutex_lock(&group->mutex);
> +	if (WARN_ON(!group->owner_cnt || !group->owner))
> +		goto unlock_out;
> +
> +	if (--group->owner_cnt > 0)
> +		goto unlock_out;

...and equivalently just set owner_cnt directly to 0 here. I don't see a 
realistic use-case for any driver to claim the same group more than 
once, and allowing it in the API just feels like opening up various 
potential corners for things to get out of sync.

I think that's the only significant concern I have left with the series 
as a whole - you can consider my other grumbles non-blocking :)

Thanks,
Robin.

> +
> +	/*
> +	 * The UNMANAGED domain should be detached before all USER
> +	 * owners have been released.
> +	 */
> +	if (!WARN_ON(group->domain) && group->default_domain)
> +		__iommu_attach_group(group->default_domain, group);
> +	group->owner = NULL;
> +
> +unlock_out:
> +	mutex_unlock(&group->mutex);
> +}
> +EXPORT_SYMBOL_GPL(iommu_group_release_dma_owner);
> +
> +/**
> + * iommu_group_dma_owner_claimed() - Query group dma ownership status
> + * @group: The group.
> + *
> + * This provides status query on a given group. It is racey and only for
> + * non-binding status reporting.
> + */
> +bool iommu_group_dma_owner_claimed(struct iommu_group *group)
> +{
> +	unsigned int user;
> +
> +	mutex_lock(&group->mutex);
> +	user = group->owner_cnt;
> +	mutex_unlock(&group->mutex);
> +
> +	return user;
> +}
> +EXPORT_SYMBOL_GPL(iommu_group_dma_owner_claimed);

Jason Gunthorpe Feb. 23, 2022, 6:02 p.m. UTC | #4

On Wed, Feb 23, 2022 at 06:00:06PM +0000, Robin Murphy wrote:

> ...and equivalently just set owner_cnt directly to 0 here. I don't see a
> realistic use-case for any driver to claim the same group more than once,
> and allowing it in the API just feels like opening up various potential
> corners for things to get out of sync.

I am Ok if we toss it out to get this merged, as there is no in-kernel
user right now.

Something will have to come back for iommufd, but we can look at what
is best suited then.

Thanks,
Jason

Robin Murphy Feb. 23, 2022, 6:20 p.m. UTC | #5

On 2022-02-23 18:02, Jason Gunthorpe via iommu wrote:
> On Wed, Feb 23, 2022 at 06:00:06PM +0000, Robin Murphy wrote:
> 
>> ...and equivalently just set owner_cnt directly to 0 here. I don't see a
>> realistic use-case for any driver to claim the same group more than once,
>> and allowing it in the API just feels like opening up various potential
>> corners for things to get out of sync.
> 
> I am Ok if we toss it out to get this merged, as there is no in-kernel
> user right now.
> 
> Something will have to come back for iommufd, but we can look at what
> is best suited then.

If iommufd plans to be too dumb to keep track of whether it already owns 
a given group or not, I can't see it dealing with attaching that group 
to a single domain no more than once, either ;)

Robin.

Jason Gunthorpe Feb. 23, 2022, 6:32 p.m. UTC | #6

On Wed, Feb 23, 2022 at 06:20:36PM +0000, Robin Murphy wrote:
> On 2022-02-23 18:02, Jason Gunthorpe via iommu wrote:
> > On Wed, Feb 23, 2022 at 06:00:06PM +0000, Robin Murphy wrote:
> > 
> > > ...and equivalently just set owner_cnt directly to 0 here. I don't see a
> > > realistic use-case for any driver to claim the same group more than once,
> > > and allowing it in the API just feels like opening up various potential
> > > corners for things to get out of sync.
> > 
> > I am Ok if we toss it out to get this merged, as there is no in-kernel
> > user right now.
> > 
> > Something will have to come back for iommufd, but we can look at what
> > is best suited then.
> 
> If iommufd plans to be too dumb to keep track of whether it already owns a
> given group or not, I can't see it dealing with attaching that group to a
> single domain no more than once, either ;)

Indeed, this is why I'd like to use the device API :)

Jason

Baolu Lu Feb. 24, 2022, 5:16 a.m. UTC | #7

Hi Robin and Jason,

On 2/24/22 2:02 AM, Jason Gunthorpe wrote:
> On Wed, Feb 23, 2022 at 06:00:06PM +0000, Robin Murphy wrote:
> 
>> ...and equivalently just set owner_cnt directly to 0 here. I don't see a
>> realistic use-case for any driver to claim the same group more than once,
>> and allowing it in the API just feels like opening up various potential
>> corners for things to get out of sync.
> I am Ok if we toss it out to get this merged, as there is no in-kernel
> user right now.

So we don't need the owner pointer in the API anymore, right? As we will
only allow the claiming interface to be called only once, this token is
unnecessary.

Best regards,
baolu

Baolu Lu Feb. 24, 2022, 5:21 a.m. UTC | #8

On 2/24/22 2:00 AM, Robin Murphy wrote:
> On 2022-02-18 00:55, Lu Baolu wrote:
> [...]
>> +/**
>> + * iommu_group_claim_dma_owner() - Set DMA ownership of a group
>> + * @group: The group.
>> + * @owner: Caller specified pointer. Used for exclusive ownership.
>> + *
>> + * This is to support backward compatibility for vfio which manages
>> + * the dma ownership in iommu_group level. New invocations on this
>> + * interface should be prohibited.
>> + */
>> +int iommu_group_claim_dma_owner(struct iommu_group *group, void *owner)
>> +{
>> +    int ret = 0;
>> +
>> +    mutex_lock(&group->mutex);
>> +    if (group->owner_cnt) {
> 
> To clarify the comment buried in the other thread, I really think we 
> should just unconditionally flag the error here...
> 
>> +        if (group->owner != owner) {
>> +            ret = -EPERM;
>> +            goto unlock_out;
>> +        }
>> +    } else {
>> +        if (group->domain && group->domain != group->default_domain) {
>> +            ret = -EBUSY;
>> +            goto unlock_out;
>> +        }
>> +
>> +        group->owner = owner;
>> +        if (group->domain)
>> +            __iommu_detach_group(group->domain, group);
>> +    }
>> +
>> +    group->owner_cnt++;
>> +unlock_out:
>> +    mutex_unlock(&group->mutex);
>> +
>> +    return ret;
>> +}
>> +EXPORT_SYMBOL_GPL(iommu_group_claim_dma_owner);
>> +
>> +/**
>> + * iommu_group_release_dma_owner() - Release DMA ownership of a group
>> + * @group: The group.
>> + *
>> + * Release the DMA ownership claimed by iommu_group_claim_dma_owner().
>> + */
>> +void iommu_group_release_dma_owner(struct iommu_group *group)
>> +{
>> +    mutex_lock(&group->mutex);
>> +    if (WARN_ON(!group->owner_cnt || !group->owner))
>> +        goto unlock_out;
>> +
>> +    if (--group->owner_cnt > 0)
>> +        goto unlock_out;
> 
> ...and equivalently just set owner_cnt directly to 0 here. I don't see a 
> realistic use-case for any driver to claim the same group more than 
> once, and allowing it in the API just feels like opening up various 
> potential corners for things to get out of sync.

Yeah! Both make sense to me. I will also drop the owner token in the API
as it's unnecessary anymore after the change.

> I think that's the only significant concern I have left with the series 
> as a whole - you can consider my other grumbles non-blocking :)

Thank you and very appreciated for your time!

Best regards,
baolu

Baolu Lu Feb. 24, 2022, 5:29 a.m. UTC | #9

On 2/24/22 1:16 PM, Lu Baolu wrote:
> Hi Robin and Jason,
> 
> On 2/24/22 2:02 AM, Jason Gunthorpe wrote:
>> On Wed, Feb 23, 2022 at 06:00:06PM +0000, Robin Murphy wrote:
>>
>>> ...and equivalently just set owner_cnt directly to 0 here. I don't see a
>>> realistic use-case for any driver to claim the same group more than 
>>> once,
>>> and allowing it in the API just feels like opening up various potential
>>> corners for things to get out of sync.
>> I am Ok if we toss it out to get this merged, as there is no in-kernel
>> user right now.
> 
> So we don't need the owner pointer in the API anymore, right?

Oh, NO.

The owner token represents that the group has been claimed for user
space access. And the default domain auto-attach policy will be changed
accordingly.

So we still need this. Sorry for the noise.

Best regards,
baolu

Robin Murphy Feb. 24, 2022, 8:58 a.m. UTC | #10

On 2022-02-24 05:29, Lu Baolu wrote:
> On 2/24/22 1:16 PM, Lu Baolu wrote:
>> Hi Robin and Jason,
>>
>> On 2/24/22 2:02 AM, Jason Gunthorpe wrote:
>>> On Wed, Feb 23, 2022 at 06:00:06PM +0000, Robin Murphy wrote:
>>>
>>>> ...and equivalently just set owner_cnt directly to 0 here. I don't 
>>>> see a
>>>> realistic use-case for any driver to claim the same group more than 
>>>> once,
>>>> and allowing it in the API just feels like opening up various potential
>>>> corners for things to get out of sync.
>>> I am Ok if we toss it out to get this merged, as there is no in-kernel
>>> user right now.
>>
>> So we don't need the owner pointer in the API anymore, right?
> 
> Oh, NO.
> 
> The owner token represents that the group has been claimed for user
> space access. And the default domain auto-attach policy will be changed
> accordingly.
> 
> So we still need this. Sorry for the noise.

Exactly. In fact we could almost go the other way, and rename owner_cnt 
to dma_api_users and make it mutually exclusive with owner being set, 
but that's really just cosmetic. It's understandable enough as-is that 
owner_cnt > 0 with owner == NULL represents implicit DMA API ownership.

Cheers,
Robin.

[v6,01/11] iommu: Add dma ownership management interfaces

Commit Message

Comments

Patch