
[v3] x86/io-apic: fix directed EOI when using AMD-Vi interrupt remapping

Message ID 20241029110351.40531-1-roger.pau@citrix.com (mailing list archive)
State Superseded

Commit Message

Roger Pau Monne Oct. 29, 2024, 11:03 a.m. UTC
When using AMD-Vi interrupt remapping the vector field in the IO-APIC RTE is
repurposed to contain part of the offset into the remapping table.  Previous to
2ca9fbd739b8 Xen had logic so that the offset into the interrupt remapping
table would match the vector.  Such logic was mandatory for end of interrupt to
work, since the vector field (even when not containing a vector) is used by the
IO-APIC to find for which pin the EOI must be performed.

Introduce a table to store the EOI handlers when using interrupt remapping, so
that the IO-APIC driver can translate pins into EOI handlers without having to
read the IO-APIC RTE entry.  Note that to simplify the logic such table is used
unconditionally when interrupt remapping is enabled, even if strictly it would
only be required for AMD-Vi.

Reported-by: Willi Junga <xenproject@ymy.be>
Suggested-by: David Woodhouse <dwmw@amazon.co.uk>
Fixes: 2ca9fbd739b8 ('AMD IOMMU: allocate IRTE entries instead of using a static mapping')
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
---
Changes since v2:
 - Restore sentinel value.

Changes since v1:
 - s/apic_pin_eoi/io_apic_pin_eoi/.
 - Expand comment about io_apic_pin_eoi usage and layout.
 - Use uint8_t instead of unsigned int as array type.
 - Do not use a sentinel value.
---
 xen/arch/x86/io_apic.c | 56 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 55 insertions(+), 1 deletion(-)

Comments

Jan Beulich Oct. 29, 2024, 4:43 p.m. UTC | #1
On 29.10.2024 12:03, Roger Pau Monne wrote:
> When using AMD-Vi interrupt remapping the vector field in the IO-APIC RTE is
> repurposed to contain part of the offset into the remapping table.  Previous to
> 2ca9fbd739b8 Xen had logic so that the offset into the interrupt remapping
> table would match the vector.  Such logic was mandatory for end of interrupt to
> work, since the vector field (even when not containing a vector) is used by the
> IO-APIC to find for which pin the EOI must be performed.
> 
> Introduce a table to store the EOI handlers when using interrupt remapping, so
> that the IO-APIC driver can translate pins into EOI handlers without having to
> read the IO-APIC RTE entry.  Note that to simplify the logic such table is used
> unconditionally when interrupt remapping is enabled, even if strictly it would
> only be required for AMD-Vi.

In here I think you mean "handle" when you use "handler"? Plus with what you said
earlier about vector vs EOI handle, and with the code using "vector" all over the
place, their (non-)relationship could also do with clarifying (perhaps better in
a code comment in __io_apic_eoi()).

> @@ -273,6 +293,13 @@ void __ioapic_write_entry(
>      {
>          __io_apic_write(apic, 0x11 + 2 * pin, eu.w2);
>          __io_apic_write(apic, 0x10 + 2 * pin, eu.w1);
> +        /*
> +         * Called in clear_IO_APIC_pin() before io_apic_pin_eoi is allocated.
> +         * Entry will be updated once the array is allocated and there's a
> +         * write against the pin.
> +         */
> +        if ( io_apic_pin_eoi )
> +            io_apic_pin_eoi[apic][pin] = e.vector;
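Review bot: The guard `if ( io_apic_pin_eoi )` tests only the outer pointer, while the store on the next line dereferences the per-IO-APIC row `io_apic_pin_eoi[apic]`; the load and the cache update in the __io_apic_eoi() hunk use the same pattern. In the setup_IO_APIC_irqs() hunk the outer array comes from `xmalloc_array()`, which does not zero memory, and it is assigned to the global before the rows are allocated one IO-APIC at a time, so a write or EOI for an IO-APIC whose row is not yet allocated would index through an uninitialised pointer. Whether such a call can happen in that window is not visible in the quoted lines, but the invariant is cheap to enforce: allocate the outer array with `xzalloc_array()` and test `if ( io_apic_pin_eoi && io_apic_pin_eoi[apic] )`, or build the table in a local and publish the global only once every row exists. The quoted hunks are trimmed and the function bodies continue outside them, so the row initialisation and its allocation-failure check cannot be confirmed from here.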

The comment here looks a little misleading to me. clear_IO_APIC_pin() calls
here to, in particular, set the mask bit. With the mask bit the vector isn't
meaningful anyway (and indeed clear_IO_APIC_pin() sets it to zero, at which
point recording IRQ_VECTOR_UNASSIGNED might be better than the bogus vector
0x00).

> @@ -298,9 +325,17 @@ static void __io_apic_eoi(unsigned int apic, unsigned int vector, unsigned int p
>      /* Prefer the use of the EOI register if available */
>      if ( ioapic_has_eoi_reg(apic) )
>      {
> +        if ( io_apic_pin_eoi )
> +            vector = io_apic_pin_eoi[apic][pin];
> +
>          /* If vector is unknown, read it from the IO-APIC */
>          if ( vector == IRQ_VECTOR_UNASSIGNED )
> +        {
>              vector = __ioapic_read_entry(apic, pin, true).vector;

Related to my comment higher up regarding vector vs EOI handle: Here we're
doing a raw read, i.e. we don't really fetch the vector but the EOI handle
in the AMD case. Why is it that this isn't sufficient for directed EOI to
work (perhaps with the conditional adjusted)?

Then again - are we ever taking this path? Certainly not when coming from
clear_IO_APIC_pin(), hence ...

> +            if ( io_apic_pin_eoi )

... I'm unconvinced this conditional is needed.

> +                /* Update cached value so further EOI don't need to fetch it. */
> +                io_apic_pin_eoi[apic][pin] = vector;
> +        }
>  
>          *(IO_APIC_BASE(apic)+16) = vector;
>      }
> @@ -1022,8 +1057,27 @@ static void __init setup_IO_APIC_irqs(void)
>  
>      apic_printk(APIC_VERBOSE, KERN_DEBUG "init IO_APIC IRQs\n");
>  
> +    if ( iommu_intremap )
> +    {
> +        io_apic_pin_eoi = xmalloc_array(typeof(*io_apic_pin_eoi), nr_ioapics);

Nit: Strictly speaking this and ...

> +        BUG_ON(!io_apic_pin_eoi);
> +    }
> +
>      for (apic = 0; apic < nr_ioapics; apic++) {
> -        for (pin = 0; pin < nr_ioapic_entries[apic]; pin++) {
> +        const unsigned int nr_entries = nr_ioapic_entries[apic];
> +
> +        if ( iommu_intremap )
> +        {
> +            io_apic_pin_eoi[apic] = xmalloc_array(typeof(**io_apic_pin_eoi),
> +                                                  nr_entries);

... and this should be xvmalloc_array() in new code.

Also this 2nd conditional may better use io_apic_pin_eoi, such that the two
conditionals don't need keeping in sync. Note also how Andrew previously
pointed out that both conditionals aren't Misra-compliant right now.

Jan
Roger Pau Monne Oct. 29, 2024, 5:48 p.m. UTC | #2
On Tue, Oct 29, 2024 at 05:43:24PM +0100, Jan Beulich wrote:
> On 29.10.2024 12:03, Roger Pau Monne wrote:
> > When using AMD-Vi interrupt remapping the vector field in the IO-APIC RTE is
> > repurposed to contain part of the offset into the remapping table.  Previous to
> > 2ca9fbd739b8 Xen had logic so that the offset into the interrupt remapping
> > table would match the vector.  Such logic was mandatory for end of interrupt to
> > work, since the vector field (even when not containing a vector) is used by the
> > IO-APIC to find for which pin the EOI must be performed.
> > 
> > Introduce a table to store the EOI handlers when using interrupt remapping, so
> > that the IO-APIC driver can translate pins into EOI handlers without having to
> > read the IO-APIC RTE entry.  Note that to simplify the logic such table is used
> > unconditionally when interrupt remapping is enabled, even if strictly it would
> > only be required for AMD-Vi.
> 
> In here I think you mean "handle" when you use "handler"?

Indeed.

> Plus with what you said
> earlier about vector vs EOI handle, and with the code using "vector" all over the
> place, their (non-)relationship could also do with clarifying (perhaps better in
> a code comment in __io_apic_eoi()).

I've attempted to clarify the relation between vector vs EOI handle in
the first paragraph, and how that applies to AMD-Vi.  I can move
(part?) of that into the comment in __ioapic_write_entry(), maybe:

/*
 * Might be called before io_apic_pin_eoi is allocated.  Entry will be
 * updated once the array is allocated and there's a write against the
 * pin.
 *
 * Note that the vector field is only cached for raw RTE writes when
 * using IR.  In that case the vector field might have been repurposed
 * to store something different than the target vector, and hence need
 * to be cached for performing EOI.
 */

> > @@ -273,6 +293,13 @@ void __ioapic_write_entry(
> >      {
> >          __io_apic_write(apic, 0x11 + 2 * pin, eu.w2);
> >          __io_apic_write(apic, 0x10 + 2 * pin, eu.w1);
> > +        /*
> > +         * Called in clear_IO_APIC_pin() before io_apic_pin_eoi is allocated.
> > +         * Entry will be updated once the array is allocated and there's a
> > +         * write against the pin.
> > +         */
> > +        if ( io_apic_pin_eoi )
> > +            io_apic_pin_eoi[apic][pin] = e.vector;
> 
> The comment here looks a little misleading to me. clear_IO_APIC_pin() calls
> here to, in particular, set the mask bit. With the mask bit the vector isn't
> meaningful anyway (and indeed clear_IO_APIC_pin() sets it to zero, at which
> point recording IRQ_VECTOR_UNASSIGNED might be better than the bogus vector
> 0x00).

Note that clear_IO_APIC_pin() performs the call to
__ioapic_write_entry() with raw == false, at which point
__ioapic_write_entry() will call iommu_update_ire_from_apic() if IOMMU
IR is enabled.  The cached 'vector' value will be the IOMMU entry
offset for the AMD-Vi case, as the IOMMU code will perform the call to
__ioapic_write_entry() with raw == true.

What matters is that the cached value matches what's written in the
IO-APIC RTE, and the current logic ensures this.

What's the benefit of using IRQ_VECTOR_UNASSIGNED if the result is
reading the RTE and finding that vector == 0?

Looking at clear_IO_APIC_pin() - I think the function is slightly
bogus.  If entry.trigger is not set, the logic to switch the entry to
level triggered  will fetch the entry contents without requesting a
raw RTE, at which point the entry.vector field can not be used as
the EOI handle since it will contain the vector, not the IR table
offset.  I will need to make a further patch to fix this corner
case.

> > @@ -298,9 +325,17 @@ static void __io_apic_eoi(unsigned int apic, unsigned int vector, unsigned int p
> >      /* Prefer the use of the EOI register if available */
> >      if ( ioapic_has_eoi_reg(apic) )
> >      {
> > +        if ( io_apic_pin_eoi )
> > +            vector = io_apic_pin_eoi[apic][pin];
> > +
> >          /* If vector is unknown, read it from the IO-APIC */
> >          if ( vector == IRQ_VECTOR_UNASSIGNED )
> > +        {
> >              vector = __ioapic_read_entry(apic, pin, true).vector;
> 
> Related to my comment higher up regarding vector vs EOI handle: Here we're
> doing a raw read, i.e. we don't really fetch the vector but the EOI handle
> in the AMD case. Why is it that this isn't sufficient for directed EOI to
> work (perhaps with the conditional adjusted)?

It is enough, but we don't want to be doing such read for each EOI,
hence why we cache it in io_apic_pin_eoi.

> Then again - are we ever taking this path? Certainly not when coming from
> clear_IO_APIC_pin(), hence ...
> 
> > +            if ( io_apic_pin_eoi )
> 
> ... I'm unconvinced this conditional is needed.

Hm, maybe.  I can adjust, but it seems more fragile to risk a bad
dereference just to save the cost of a conditional in what should be an
uncommon path anyway.

> > +                /* Update cached value so further EOI don't need to fetch it. */
> > +                io_apic_pin_eoi[apic][pin] = vector;
> > +        }
> >  
> >          *(IO_APIC_BASE(apic)+16) = vector;
> >      }
> > @@ -1022,8 +1057,27 @@ static void __init setup_IO_APIC_irqs(void)
> >  
> >      apic_printk(APIC_VERBOSE, KERN_DEBUG "init IO_APIC IRQs\n");
> >  
> > +    if ( iommu_intremap )
> > +    {
> > +        io_apic_pin_eoi = xmalloc_array(typeof(*io_apic_pin_eoi), nr_ioapics);
> 
> Nit: Strictly speaking this and ...
> 
> > +        BUG_ON(!io_apic_pin_eoi);
> > +    }
> > +
> >      for (apic = 0; apic < nr_ioapics; apic++) {
> > -        for (pin = 0; pin < nr_ioapic_entries[apic]; pin++) {
> > +        const unsigned int nr_entries = nr_ioapic_entries[apic];
> > +
> > +        if ( iommu_intremap )
> > +        {
> > +            io_apic_pin_eoi[apic] = xmalloc_array(typeof(**io_apic_pin_eoi),
> > +                                                  nr_entries);
> 
> ... and this should be xvmalloc_array() in new code.

Sorry, didn't notice we have that now.

> Also this 2nd conditional may better use io_apic_pin_eoi, such that the two
> conditionals don't need keeping in sync. Note also how Andrew previously
> pointed out that both conditionals aren't Misra-compliant right now.

Oh, yes, completely forgot to adjust the MISRA comment from Andrew,
sorry.

Thanks, Roger.
Jan Beulich Oct. 30, 2024, 9:41 a.m. UTC | #3
On 29.10.2024 18:48, Roger Pau Monné wrote:
> On Tue, Oct 29, 2024 at 05:43:24PM +0100, Jan Beulich wrote:
>> On 29.10.2024 12:03, Roger Pau Monne wrote:
>> Plus with what you said
>> earlier about vector vs EOI handle, and with the code using "vector" all over the
>> place, their (non-)relationship could also do with clarifying (perhaps better in
>> a code comment in __io_apic_eoi()).
> 
> I've attempted to clarify the relation between vector vs EOI handle in
> the first paragraph, and how that applies to AMD-Vi.  I can move
> (part?) of that into the comment in __ioapic_write_entry(), maybe:
> 
> /*
>  * Might be called before io_apic_pin_eoi is allocated.  Entry will be
>  * updated once the array is allocated and there's a write against the
>  * pin.
>  *
>  * Note that the vector field is only cached for raw RTE writes when
>  * using IR.  In that case the vector field might have been repurposed
>  * to store something different than the target vector, and hence need
>  * to be cached for performing EOI.
>  */

Sounds okay to me, yet I'd prefer a comment in __io_apic_eoi(), where it
may want wording a little differently.

>>> @@ -273,6 +293,13 @@ void __ioapic_write_entry(
>>>      {
>>>          __io_apic_write(apic, 0x11 + 2 * pin, eu.w2);
>>>          __io_apic_write(apic, 0x10 + 2 * pin, eu.w1);
>>> +        /*
>>> +         * Called in clear_IO_APIC_pin() before io_apic_pin_eoi is allocated.
>>> +         * Entry will be updated once the array is allocated and there's a
>>> +         * write against the pin.
>>> +         */
>>> +        if ( io_apic_pin_eoi )
>>> +            io_apic_pin_eoi[apic][pin] = e.vector;
>>
>> The comment here looks a little misleading to me. clear_IO_APIC_pin() calls
>> here to, in particular, set the mask bit. With the mask bit the vector isn't
>> meaningful anyway (and indeed clear_IO_APIC_pin() sets it to zero, at which
>> point recording IRQ_VECTOR_UNASSIGNED might be better than the bogus vector
>> 0x00).
> 
> Note that clear_IO_APIC_pin() performs the call to
> __ioapic_write_entry() with raw == false, at which point
> __ioapic_write_entry() will call iommu_update_ire_from_apic() if IOMMU
> IR is enabled.  The cached 'vector' value will be the IOMMU entry
> offset for the AMD-Vi case, as the IOMMU code will perform the call to
> __ioapic_write_entry() with raw == true.
> 
> What matters is that the cached value matches what's written in the
> IO-APIC RTE, and the current logic ensures this.
> 
> What's the benefit of using IRQ_VECTOR_UNASSIGNED if the result is
> reading the RTE and finding that vector == 0?

It's not specifically the vector == 0 case alone. Shouldn't we leave
the latched vector alone when writing an RTE with the mask bit set?
Any still pending EOI (there should be none aiui) can't possibly
target the meaningless vector / index in such an RTE. Perhaps it was
wrong to suggest to overwrite (with IRQ_VECTOR_UNASSIGNED) what we
have on record.

Yet at the same time there ought to be a case where the recorded value
indeed moves back to IRQ_VECTOR_UNASSIGNED.

> Looking at clear_IO_APIC_pin() - I think the function is slightly
> bogus.  If entry.trigger is not set, the logic to switch the entry to
> level triggered  will fetch the entry contents without requesting a
> raw RTE, at which point the entry.vector field can not be used as
> the EOI handle since it will contain the vector, not the IR table
> offset.  I will need to make a further patch to fix this corner
> case.

Is there actually a reason not to pass IRQ_VECTOR_UNASSIGNED there,
to have __io_apic_eoi() determine the vector? (But of course we can
also latch entry.vector from the earlier raw read.)

>>> @@ -298,9 +325,17 @@ static void __io_apic_eoi(unsigned int apic, unsigned int vector, unsigned int p
>>>      /* Prefer the use of the EOI register if available */
>>>      if ( ioapic_has_eoi_reg(apic) )
>>>      {
>>> +        if ( io_apic_pin_eoi )
>>> +            vector = io_apic_pin_eoi[apic][pin];
>>> +
>>>          /* If vector is unknown, read it from the IO-APIC */
>>>          if ( vector == IRQ_VECTOR_UNASSIGNED )
>>> +        {
>>>              vector = __ioapic_read_entry(apic, pin, true).vector;
>>
>> Related to my comment higher up regarding vector vs EOI handle: Here we're
>> doing a raw read, i.e. we don't really fetch the vector but the EOI handle
>> in the AMD case. Why is it that this isn't sufficient for directed EOI to
>> work (perhaps with the conditional adjusted)?
> 
> It is enough, but we don't want to be doing such read for each EOI,
> hence why we cache it in io_apic_pin_eoi.

Yet then the patch is to a fair part about improving performance, when the
functionality issue could be addressed with a far less intrusive change.
Which may in particular make a difference with backporting in mind. Plus
that may want at least mentioning in the description.

>> Then again - are we ever taking this path? Certainly not when coming from
>> clear_IO_APIC_pin(), hence ...
>>
>>> +            if ( io_apic_pin_eoi )
>>
>> ... I'm unconvinced this conditional is needed.
> 
> Hm, maybe.  I can adjust but seems more fragile to trigger a
> dereference for the extra cost of a conditional in what should be a
> non-common path anyway.

Well, I was thinking of transforming the if() into ASSERT().

Jan
Roger Pau Monne Oct. 30, 2024, 10:09 a.m. UTC | #4
On Wed, Oct 30, 2024 at 10:41:40AM +0100, Jan Beulich wrote:
> On 29.10.2024 18:48, Roger Pau Monné wrote:
> > On Tue, Oct 29, 2024 at 05:43:24PM +0100, Jan Beulich wrote:
> >> On 29.10.2024 12:03, Roger Pau Monne wrote:
> >> Plus with what you said
> >> earlier about vector vs EOI handle, and with the code using "vector" all over the
> >> place, their (non-)relationship could also do with clarifying (perhaps better in
> >> a code comment in __io_apic_eoi()).
> > 
> > I've attempted to clarify the relation between vector vs EOI handle in
> > the first paragraph, and how that applies to AMD-Vi.  I can move
> > (part?) of that into the comment in __ioapic_write_entry(), maybe:
> > 
> > /*
> >  * Might be called before io_apic_pin_eoi is allocated.  Entry will be
> >  * updated once the array is allocated and there's a write against the
> >  * pin.
> >  *
> >  * Note that the vector field is only cached for raw RTE writes when
> >  * using IR.  In that case the vector field might have been repurposed
> >  * to store something different than the target vector, and hence need
> >  * to be cached for performing EOI.
> >  */
> 
> Sounds okay to me, yet I'd prefer a comment in __io_apic_eoi(), where it
> may want wording a little differently.

OK, let me try to add another comment for __io_apic_eoi() in v4 then.

> >>> @@ -273,6 +293,13 @@ void __ioapic_write_entry(
> >>>      {
> >>>          __io_apic_write(apic, 0x11 + 2 * pin, eu.w2);
> >>>          __io_apic_write(apic, 0x10 + 2 * pin, eu.w1);
> >>> +        /*
> >>> +         * Called in clear_IO_APIC_pin() before io_apic_pin_eoi is allocated.
> >>> +         * Entry will be updated once the array is allocated and there's a
> >>> +         * write against the pin.
> >>> +         */
> >>> +        if ( io_apic_pin_eoi )
> >>> +            io_apic_pin_eoi[apic][pin] = e.vector;
> >>
> >> The comment here looks a little misleading to me. clear_IO_APIC_pin() calls
> >> here to, in particular, set the mask bit. With the mask bit the vector isn't
> >> meaningful anyway (and indeed clear_IO_APIC_pin() sets it to zero, at which
> >> point recording IRQ_VECTOR_UNASSIGNED might be better than the bogus vector
> >> 0x00).
> > 
> > Note that clear_IO_APIC_pin() performs the call to
> > __ioapic_write_entry() with raw == false, at which point
> > __ioapic_write_entry() will call iommu_update_ire_from_apic() if IOMMU
> > IR is enabled.  The cached 'vector' value will be the IOMMU entry
> > offset for the AMD-Vi case, as the IOMMU code will perform the call to
> > __ioapic_write_entry() with raw == true.
> > 
> > What matters is that the cached value matches what's written in the
> > IO-APIC RTE, and the current logic ensures this.
> > 
> > What's the benefit of using IRQ_VECTOR_UNASSIGNED if the result is
> > reading the RTE and finding that vector == 0?
> 
> It's not specifically the vector == 0 case alone. Shouldn't we leave
> the latched vector alone when writing an RTE with the mask bit set?

I'm not sure what's the benefit of the extra logic to detect such
cases, just to avoid a write to the io_apic_pin_eoi matrix.

> Any still pending EOI (there should be none aiui) can't possibly
> target the meaningless vector / index in such an RTE. Perhaps it was
> wrong to suggest to overwrite (with IRQ_VECTOR_UNASSIGNED) what we
> have on record.
> 
> Yet at the same time there ought to be a case where the recorded
> indeed moves back to IRQ_VECTOR_UNASSIGNED.

The only purpose of the io_apic_pin_eoi matrix is to cache what's
currently in the RTE entry 'vector' field.  I don't think we should
attempt to add extra logic as to whether the entry is valid, or
masked.  Higher level layers should already take care of that.  The
only purpose of the logic added in this patch is to ensure the EOI is
performed using what's in the RTE vector field for the requested pin.
Anything else is out of scope IMO.

Another option, which would allow the matrix to store uint8_t
elements, would be to initialize it at allocation with the RTE vector
fields currently present, IOW: do a raw read of every RTE and set the
fetched vector field in io_apic_pin_eoi.  Would that be better for you,
as it also removes the need to ever store IRQ_VECTOR_UNASSIGNED?

> > Looking at clear_IO_APIC_pin() - I think the function is slightly
> > bogus.  If entry.trigger is not set, the logic to switch the entry to
> > level triggered  will fetch the entry contents without requesting a
> > raw RTE, at which point the entry.vector field can not be used as
> > the EOI handle since it will contain the vector, not the IR table
> > offset.  I will need to make a further patch to fix this corner
> > case.
> 
> Is there actually a reason not to pass IRQ_VECTOR_UNASSIGNED there,
> to have __io_apic_eoi() determine the vector? (But of course we can
> also latch entry.vector from the earlier raw read.)

Yes, it should pass IRQ_VECTOR_UNASSIGNED IMO.  The extra cost of
doing the RTE read is not an issue on that init-only path.

> >>> @@ -298,9 +325,17 @@ static void __io_apic_eoi(unsigned int apic, unsigned int vector, unsigned int p
> >>>      /* Prefer the use of the EOI register if available */
> >>>      if ( ioapic_has_eoi_reg(apic) )
> >>>      {
> >>> +        if ( io_apic_pin_eoi )
> >>> +            vector = io_apic_pin_eoi[apic][pin];
> >>> +
> >>>          /* If vector is unknown, read it from the IO-APIC */
> >>>          if ( vector == IRQ_VECTOR_UNASSIGNED )
> >>> +        {
> >>>              vector = __ioapic_read_entry(apic, pin, true).vector;
> >>
> >> Related to my comment higher up regarding vector vs EOI handle: Here we're
> >> doing a raw read, i.e. we don't really fetch the vector but the EOI handle
> >> in the AMD case. Why is it that this isn't sufficient for directed EOI to
> >> work (perhaps with the conditional adjusted)?
> > 
> > It is enough, but we don't want to be doing such read for each EOI,
> > hence why we cache it in io_apic_pin_eoi.
> 
> Yet then the patch is to a fair part about improving performance, when the
> functionality issue could be addressed with a far less intrusive change.

More than improving performance the patch is about not degrading it by
forcing an RTE read for each EOI.

I expect there's no such read ATM, since the vector should be provided
by irq_desc.  Adding an unconditional RTE read for each EOI would be
an unjustified performance penalty for this fix to introduce.

> Which may in particular make a difference with backporting in mind. Plus
> that may want at least mentioning in the description.
> 
> >> Then again - are we ever taking this path? Certainly not when coming from
> >> clear_IO_APIC_pin(), hence ...
> >>
> >>> +            if ( io_apic_pin_eoi )
> >>
> >> ... I'm unconvinced this conditional is needed.
> > 
> > Hm, maybe.  I can adjust but seems more fragile to trigger a
> > dereference for the extra cost of a conditional in what should be a
> > non-common path anyway.
> 
> Well, I was thinking of transforming the if() into ASSERT().

See my suggestion above about getting rid of IRQ_VECTOR_UNASSIGNED in
io_apic_pin_eoi altogether.

Thanks, Roger.
Jan Beulich Oct. 30, 2024, 10:57 a.m. UTC | #5
On 30.10.2024 11:09, Roger Pau Monné wrote:
> On Wed, Oct 30, 2024 at 10:41:40AM +0100, Jan Beulich wrote:
>> On 29.10.2024 18:48, Roger Pau Monné wrote:
>>> On Tue, Oct 29, 2024 at 05:43:24PM +0100, Jan Beulich wrote:
>>>> On 29.10.2024 12:03, Roger Pau Monne wrote:
>>>>> @@ -273,6 +293,13 @@ void __ioapic_write_entry(
>>>>>      {
>>>>>          __io_apic_write(apic, 0x11 + 2 * pin, eu.w2);
>>>>>          __io_apic_write(apic, 0x10 + 2 * pin, eu.w1);
>>>>> +        /*
>>>>> +         * Called in clear_IO_APIC_pin() before io_apic_pin_eoi is allocated.
>>>>> +         * Entry will be updated once the array is allocated and there's a
>>>>> +         * write against the pin.
>>>>> +         */
>>>>> +        if ( io_apic_pin_eoi )
>>>>> +            io_apic_pin_eoi[apic][pin] = e.vector;
>>>>
>>>> The comment here looks a little misleading to me. clear_IO_APIC_pin() calls
>>>> here to, in particular, set the mask bit. With the mask bit the vector isn't
>>>> meaningful anyway (and indeed clear_IO_APIC_pin() sets it to zero, at which
>>>> point recording IRQ_VECTOR_UNASSIGNED might be better than the bogus vector
>>>> 0x00).
>>>
>>> Note that clear_IO_APIC_pin() performs the call to
>>> __ioapic_write_entry() with raw == false, at which point
>>> __ioapic_write_entry() will call iommu_update_ire_from_apic() if IOMMU
>>> IR is enabled.  The cached 'vector' value will be the IOMMU entry
>>> offset for the AMD-Vi case, as the IOMMU code will perform the call to
>>> __ioapic_write_entry() with raw == true.
>>>
>>> What matters is that the cached value matches what's written in the
>>> IO-APIC RTE, and the current logic ensures this.
>>>
>>> What's the benefit of using IRQ_VECTOR_UNASSIGNED if the result is
>>> reading the RTE and finding that vector == 0?
>>
>> It's not specifically the vector == 0 case alone. Shouldn't we leave
>> the latched vector alone when writing an RTE with the mask bit set?
> 
> I'm not sure what's the benefit of the extra logic to detect such
> cases, just to avoid a write to the io_apic_pin_eoi matrix.

Perhaps the largely theoretical concern towards having stale data
somewhere. Yet ...

>> Any still pending EOI (there should be none aiui) can't possibly
>> target the meaningless vector / index in such an RTE. Perhaps it was
>> wrong to suggest to overwrite (with IRQ_VECTOR_UNASSIGNED) what we
>> have on record.
>>
>> Yet at the same time there ought to be a case where the recorded
>> indeed moves back to IRQ_VECTOR_UNASSIGNED.
> 
> The only purpose of the io_apic_pin_eoi matrix is to cache what's
> currently in the RTE entry 'vector' field.  I don't think we should
> attempt to add extra logic as to whether the entry is valid, or
> masked.  Higher level layers should already take care of that.  The
> only purpose of the logic added in this patch is to ensure the EOI is
> performed using what's in the RTE vector field for the requested pin.
> Anything else is out of scope IMO.
> 
> Another option, which would allow to make the matrix store uint8_t
> elements would be to initialize it at allocation with the RTE vector
> fields currently present, IOW: do a raw read of every RTE and set the
> fetched vector field in io_apic_pin_eoi.  Would that be better to you,
> as also removing the need to ever store IRQ_VECTOR_UNASSIGNED?

... yes, that may make sense (and eliminate my concern there).

I wonder whether the allocation of the array then wouldn't better be
moved earlier, to enable_IO_APIC(), such that clear_IO_APIC_pin()
already can suitably update it. In fact, since that function writes
zero[1], no extra reads would then be needed at all, and the array could
simply start out all zeroed.

Jan

[1] With the exception of RTEs saying SMI, where - for having fully
correct data on record - we may then need to update the array slot.
Roger Pau Monne Oct. 30, 2024, 12:26 p.m. UTC | #6
On Wed, Oct 30, 2024 at 11:57:39AM +0100, Jan Beulich wrote:
> On 30.10.2024 11:09, Roger Pau Monné wrote:
> > On Wed, Oct 30, 2024 at 10:41:40AM +0100, Jan Beulich wrote:
> >> On 29.10.2024 18:48, Roger Pau Monné wrote:
> >>> On Tue, Oct 29, 2024 at 05:43:24PM +0100, Jan Beulich wrote:
> >>>> On 29.10.2024 12:03, Roger Pau Monne wrote:
> >>>>> @@ -273,6 +293,13 @@ void __ioapic_write_entry(
> >>>>>      {
> >>>>>          __io_apic_write(apic, 0x11 + 2 * pin, eu.w2);
> >>>>>          __io_apic_write(apic, 0x10 + 2 * pin, eu.w1);
> >>>>> +        /*
> >>>>> +         * Called in clear_IO_APIC_pin() before io_apic_pin_eoi is allocated.
> >>>>> +         * Entry will be updated once the array is allocated and there's a
> >>>>> +         * write against the pin.
> >>>>> +         */
> >>>>> +        if ( io_apic_pin_eoi )
> >>>>> +            io_apic_pin_eoi[apic][pin] = e.vector;
> >>>>
> >>>> The comment here looks a little misleading to me. clear_IO_APIC_pin() calls
> >>>> here to, in particular, set the mask bit. With the mask bit the vector isn't
> >>>> meaningful anyway (and indeed clear_IO_APIC_pin() sets it to zero, at which
> >>>> point recording IRQ_VECTOR_UNASSIGNED might be better than the bogus vector
> >>>> 0x00).
> >>>
> >>> Note that clear_IO_APIC_pin() performs the call to
> >>> __ioapic_write_entry() with raw == false, at which point
> >>> __ioapic_write_entry() will call iommu_update_ire_from_apic() if IOMMU
> >>> IR is enabled.  The cached 'vector' value will be the IOMMU entry
> >>> offset for the AMD-Vi case, as the IOMMU code will perform the call to
> >>> __ioapic_write_entry() with raw == true.
> >>>
> >>> What matters is that the cached value matches what's written in the
> >>> IO-APIC RTE, and the current logic ensures this.
> >>>
> >>> What's the benefit of using IRQ_VECTOR_UNASSIGNED if the result is
> >>> reading the RTE and finding that vector == 0?
> >>
> >> It's not specifically the vector == 0 case alone. Shouldn't we leave
> >> the latched vector alone when writing an RTE with the mask bit set?
> > 
> > I'm not sure what's the benefit of the extra logic to detect such
> > cases, just to avoid a write to the io_apic_pin_eoi matrix.
> 
> Perhaps the largely theoretical concern towards having stale data
> somewhere. Yet ...
> 
> >> Any still pending EOI (there should be none aiui) can't possibly
> >> target the meaningless vector / index in such an RTE. Perhaps it was
> >> wrong to suggest to overwrite (with IRQ_VECTOR_UNASSIGNED) what we
> >> have on record.
> >>
> >> Yet at the same time there ought to be a case where the recorded
> >> indeed moves back to IRQ_VECTOR_UNASSIGNED.
> > 
> > The only purpose of the io_apic_pin_eoi matrix is to cache what's
> > currently in the RTE entry 'vector' field.  I don't think we should
> > attempt to add extra logic as to whether the entry is valid, or
> > masked.  Higher level layers should already take care of that.  The
> > only purpose of the logic added in this patch is to ensure the EOI is
> > performed using what's in the RTE vector field for the requested pin.
> > Anything else is out of scope IMO.
> > 
> > Another option, which would allow to make the matrix store uint8_t
> > elements would be to initialize it at allocation with the RTE vector
> > fields currently present, IOW: do a raw read of every RTE and set the
> > fetched vector field in io_apic_pin_eoi.  Would that be better to you,
> > as also removing the need to ever store IRQ_VECTOR_UNASSIGNED?
> 
> ... yes, that may make sense (and eliminate my concern there).
> 
> I wonder whether the allocation of the array then wouldn't better be
> moved earlier, to enable_IO_APIC(), such that clear_IO_APIC_pin()
> already can suitably update it. In fact, since that function writes
> zero[1], no extra reads would then be needed at all, and the array could
> simply start out all zeroed.

I agree with the suggestion to allocate and setup the io_apic_pin_eoi
matrix in enable_IO_APIC().  However, I'm not sure I follow your
suggestion about the matrix starting as all zeroes being a sane state.

I think we need to do the raw RTE reads in enable_IO_APIC() before
calling clear_IO_APIC(), otherwise clear_IO_APIC_pin() can call
__io_apic_eoi() before any __ioapic_write_entry() has been performed,
and hence the state of the RTE.vector field could possibly be out of
sync with the initial value in io_apic_pin_eoi, and the EOI not take
effect.

Thanks, Roger.
Jan Beulich Oct. 31, 2024, 8:37 a.m. UTC | #7
On 30.10.2024 13:26, Roger Pau Monné wrote:
> On Wed, Oct 30, 2024 at 11:57:39AM +0100, Jan Beulich wrote:
>> On 30.10.2024 11:09, Roger Pau Monné wrote:
>>> On Wed, Oct 30, 2024 at 10:41:40AM +0100, Jan Beulich wrote:
>>>> On 29.10.2024 18:48, Roger Pau Monné wrote:
>>>>> On Tue, Oct 29, 2024 at 05:43:24PM +0100, Jan Beulich wrote:
>>>>>> On 29.10.2024 12:03, Roger Pau Monne wrote:
>>>>>>> @@ -273,6 +293,13 @@ void __ioapic_write_entry(
>>>>>>>      {
>>>>>>>          __io_apic_write(apic, 0x11 + 2 * pin, eu.w2);
>>>>>>>          __io_apic_write(apic, 0x10 + 2 * pin, eu.w1);
>>>>>>> +        /*
>>>>>>> +         * Called in clear_IO_APIC_pin() before io_apic_pin_eoi is allocated.
>>>>>>> +         * Entry will be updated once the array is allocated and there's a
>>>>>>> +         * write against the pin.
>>>>>>> +         */
>>>>>>> +        if ( io_apic_pin_eoi )
>>>>>>> +            io_apic_pin_eoi[apic][pin] = e.vector;
>>>>>>
>>>>>> The comment here looks a little misleading to me. clear_IO_APIC_pin() calls
>>>>>> here to, in particular, set the mask bit. With the mask bit the vector isn't
>>>>>> meaningful anyway (and indeed clear_IO_APIC_pin() sets it to zero, at which
>>>>>> point recording IRQ_VECTOR_UNASSIGNED might be better than the bogus vector
>>>>>> 0x00).
>>>>>
>>>>> Note that clear_IO_APIC_pin() performs the call to
>>>>> __ioapic_write_entry() with raw == false, at which point
>>>>> __ioapic_write_entry() will call iommu_update_ire_from_apic() if IOMMU
>>>>> IR is enabled.  The cached 'vector' value will be the IOMMU entry
>>>>> offset for the AMD-Vi case, as the IOMMU code will perform the call to
>>>>> __ioapic_write_entry() with raw == true.
>>>>>
>>>>> What matters is that the cached value matches what's written in the
>>>>> IO-APIC RTE, and the current logic ensures this.
>>>>>
>>>>> What's the benefit of using IRQ_VECTOR_UNASSIGNED if the result is
>>>>> reading the RTE and finding that vector == 0?
>>>>
>>>> It's not specifically the vector == 0 case alone. Shouldn't we leave
>>>> the latched vector alone when writing an RTE with the mask bit set?
>>>
>>> I'm not sure what's the benefit of the extra logic to detect such
>>> cases, just to avoid a write to the io_apic_pin_eoi matrix.
>>
>> Perhaps the largely theoretical concern towards having stale data
>> somewhere. Yet ...
>>
>>>> Any still pending EOI (there should be none aiui) can't possibly
>>>> target the meaningless vector / index in such an RTE. Perhaps it was
>>>> wrong to suggest to overwrite (with IRQ_VECTOR_UNASSIGNED) what we
>>>> have on record.
>>>>
>>>> Yet at the same time there ought to be a case where the recorded
>>>> indeed moves back to IRQ_VECTOR_UNASSIGNED.
>>>
>>> The only purpose of the io_apic_pin_eoi matrix is to cache what's
>>> currently in the RTE entry 'vector' field.  I don't think we should
>>> attempt to add extra logic as to whether the entry is valid, or
>>> masked.  Higher level layers should already take care of that.  The
>>> only purpose of the logic added in this patch is to ensure the EOI is
>>> performed using what's in the RTE vector field for the requested pin.
>>> Anything else is out of scope IMO.
>>>
>>> Another option, which would allow to make the matrix store uint8_t
>>> elements would be to initialize it at allocation with the RTE vector
>>> fields currently present, IOW: do a raw read of every RTE and set the
>>> fetched vector field in io_apic_pin_eoi.  Would that be better to you,
>>> as also removing the need to ever store IRQ_VECTOR_UNASSIGNED?
>>
>> ... yes, that may make sense (and eliminate my concern there).
>>
>> I wonder whether the allocation of the array then wouldn't better be
>> moved earlier, to enable_IO_APIC(), such that clear_IO_APIC_pin()
>> already can suitably update it. In fact, since that function writes
>> zero[1], no extra reads would then be needed at all, and the array could
>> simply start out all zeroed.
> 
> I agree with the suggestion to allocate and setup the io_apic_pin_eoi
> matrix in enable_IO_APIC().  However, I'm not sure I follow your
> suggestion about the matrix starting as all zeroes being a sane state.
> 
> I think we need to do the raw RTE reads in enable_IO_APIC() before
> calling clear_IO_APIC(), otherwise clear_IO_APIC_pin() can call
> __io_apic_eoi() before any __ioapic_write_entry() has been performed,
> and hence the state of the RTE.vector field could possibly be out of
> sync with the initial value in io_apic_pin_eoi, and the EOI not take
> effect.

Oh, you're right of course. That's a (side) effect of wanting to always
use the cached value in __io_apic_eoi(), and hence never reading the RTE
there.

Jan

Patch

diff --git a/xen/arch/x86/io_apic.c b/xen/arch/x86/io_apic.c
index e40d2f7dbd75..64ba1c8d3da7 100644
--- a/xen/arch/x86/io_apic.c
+++ b/xen/arch/x86/io_apic.c
@@ -71,6 +71,26 @@  static int apic_pin_2_gsi_irq(int apic, int pin);
 
 static vmask_t *__read_mostly vector_map[MAX_IO_APICS];
 
+/*
+ * Store the EOI handle when using interrupt remapping.
+ *
+ * If using AMD-Vi interrupt remapping the IO-APIC redirection entry remapped
+ * format repurposes the vector field to store the offset into the Interrupt
+ * Remap table.  This causes directed EOI to longer work, as the CPU vector no
+ * longer matches the contents of the RTE vector field.  Add a translation
+ * table so that directed EOI uses the value in the RTE vector field when
+ * interrupt remapping is enabled.
+ *
+ * Note Intel VT-d Xen code still stores the CPU vector in the RTE vector field
+ * when using the remapped format, but use the translation table uniformly in
+ * order to avoid extra logic to differentiate between VT-d and AMD-Vi.
+ *
+ * The matrix is accessed as [#io-apic][#pin].  Note the field needs to handle
+ * the range [-1, 255], as -1 (IRQ_VECTOR_UNASSIGNED) is used as a sentinel to
+ * signal there's no cached value.
+ */
+static short **io_apic_pin_eoi;
+
 static void share_vector_maps(unsigned int src, unsigned int dst)
 {
     unsigned int pin;
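Review bot: The comment added above `io_apic_pin_eoi` drops a word and opens imprecisely. "This causes directed EOI to longer work" should read `This causes directed EOI to no longer work`. "Store the EOI handle" would be clearer as `Cache the IO-APIC RTE vector field used for directed EOI`, since the matrix holds the raw RTE vector field (an interrupt remap table offset on AMD-Vi) rather than a handle. As the element range is documented as [-1, 255], `int16_t` would state the width requirement more directly than `short`, though that is only a style preference.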
@@ -273,6 +293,13 @@  void __ioapic_write_entry(
     {
         __io_apic_write(apic, 0x11 + 2 * pin, eu.w2);
         __io_apic_write(apic, 0x10 + 2 * pin, eu.w1);
+        /*
+         * Called in clear_IO_APIC_pin() before io_apic_pin_eoi is allocated.
+         * Entry will be updated once the array is allocated and there's a
+         * write against the pin.
+         */
+        if ( io_apic_pin_eoi )
+            io_apic_pin_eoi[apic][pin] = e.vector;
     }
     else
         iommu_update_ire_from_apic(apic, pin, e.raw);
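Review bot: `apic` and `pin` now index heap memory in `io_apic_pin_eoi[apic][pin] = e.vector;`, and nothing visible in this hunk bounds them against the sizes the rows were allocated with. As far as the hunk shows, they were previously only used to compute a register offset, so an out-of-range value now becomes an out-of-bounds heap write of an RTE-derived byte. The callers are presumably all internal and already in range, so an assertion inside the `if ( io_apic_pin_eoi )` branch should be enough: `ASSERT(apic < nr_ioapics && pin < nr_ioapic_entries[apic]);`. The same applies to the table read and write-back in the `__io_apic_eoi()` hunk. The body of `__ioapic_write_entry()` starts and ends outside this hunk.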
@@ -298,9 +325,17 @@  static void __io_apic_eoi(unsigned int apic, unsigned int vector, unsigned int p
     /* Prefer the use of the EOI register if available */
     if ( ioapic_has_eoi_reg(apic) )
     {
+        if ( io_apic_pin_eoi )
+            vector = io_apic_pin_eoi[apic][pin];
+
         /* If vector is unknown, read it from the IO-APIC */
         if ( vector == IRQ_VECTOR_UNASSIGNED )
+        {
             vector = __ioapic_read_entry(apic, pin, true).vector;
+            if ( io_apic_pin_eoi )
+                /* Update cached value so further EOI don't need to fetch it. */
+                io_apic_pin_eoi[apic][pin] = vector;
+        }
 
         *(IO_APIC_BASE(apic)+16) = vector;
     }
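Review bot: The inner `if ( io_apic_pin_eoi )` that writes the value back has a comment plus a statement as its unbraced body, which is easy to misread once a second statement is added. I would either brace it or move the comment above the `if`. The first added `if` also silently discards the caller-supplied `vector` whenever the table exists, which deserves a one-line comment such as `/* With interrupt remapping the RTE vector field, not the CPU vector, selects the pin. */`. `__io_apic_eoi()` continues past the end of this hunk.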
@@ -1022,8 +1057,27 @@  static void __init setup_IO_APIC_irqs(void)
 
     apic_printk(APIC_VERBOSE, KERN_DEBUG "init IO_APIC IRQs\n");
 
+    if ( iommu_intremap )
+    {
+        io_apic_pin_eoi = xmalloc_array(typeof(*io_apic_pin_eoi), nr_ioapics);
+        BUG_ON(!io_apic_pin_eoi);
+    }
+
     for (apic = 0; apic < nr_ioapics; apic++) {
-        for (pin = 0; pin < nr_ioapic_entries[apic]; pin++) {
+        const unsigned int nr_entries = nr_ioapic_entries[apic];
+
+        if ( iommu_intremap )
+        {
+            io_apic_pin_eoi[apic] = xmalloc_array(typeof(**io_apic_pin_eoi),
+                                                  nr_entries);
+            BUG_ON(!io_apic_pin_eoi[apic]);
+
+            for ( pin = 0; pin < nr_entries; pin++ )
+                io_apic_pin_eoi[apic][pin] = IRQ_VECTOR_UNASSIGNED;
+        }
+
+        for ( pin = 0; pin < nr_entries; pin++ )
+        {
             /*
              * add it to the IO-APIC irq-routing table:
              */
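Review bot: `io_apic_pin_eoi` becomes non-NULL as soon as the outer `xmalloc_array()` returns, but its row pointers stay uninitialised until the loop reaches each IO-APIC. The `if ( io_apic_pin_eoi )` guards in `__ioapic_write_entry()` and `__io_apic_eoi()` would therefore let an access for a not-yet-reached IO-APIC dereference a garbage pointer. I can't tell from the hunk whether such an access can happen while this loop runs. If it cannot, a comment saying so would help; otherwise, building the whole table through a local and assigning the global last closes the window. `setup_IO_APIC_irqs()` starts before and continues after this hunk.

```c
    if ( iommu_intremap )
    {
        short **tbl = xmalloc_array(typeof(*tbl), nr_ioapics);

        BUG_ON(!tbl);
        for ( apic = 0; apic < nr_ioapics; apic++ )
        {
            tbl[apic] = xmalloc_array(typeof(**tbl), nr_ioapic_entries[apic]);
            BUG_ON(!tbl[apic]);
            for ( pin = 0; pin < nr_ioapic_entries[apic]; pin++ )
                tbl[apic][pin] = IRQ_VECTOR_UNASSIGNED;
        }
        /* Publish only once every row is allocated and initialised. */
        io_apic_pin_eoi = tbl;
    }

    for (apic = 0; apic < nr_ioapics; apic++) {
        /* … unchanged: nr_entries declaration and per-pin setup loop … */
```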