Message ID | 20220630203635.33200-2-nicolinc@nvidia.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | Simplify vfio_iommu_type1 attach/detach routine | expand |
On 2022/7/1 04:36, Nicolin Chen wrote: > Cases like VFIO wish to attach a device to an existing domain that was > not allocated specifically from the device. This raises a condition > where the IOMMU driver can fail the domain attach because the domain and > device are incompatible with each other. > > This is a soft failure that can be resolved by using a different domain. > > Provide a dedicated errno from the IOMMU driver during attach that the > reason attached failed is because of domain incompatability. EMEDIUMTYPE > is chosen because it is never used within the iommu subsystem today and > evokes a sense that the 'medium' aka the domain is incompatible. > > VFIO can use this to know attach is a soft failure and it should continue > searching. Otherwise the attach will be a hard failure and VFIO will > return the code to userspace. > > Update all drivers to return EMEDIUMTYPE in their failure paths that are > related to domain incompatability. Also remove adjacent error prints for > these soft failures, to prevent a kernel log spam, since -EMEDIUMTYPE is > clear enough to indicate an incompatability error. > > Add kdocs describing this behavior. > > Suggested-by: Jason Gunthorpe<jgg@nvidia.com> > Reviewed-by: Kevin Tian<kevin.tian@intel.com> > Signed-off-by: Nicolin Chen<nicolinc@nvidia.com> Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com> Best regards, baolu
On 2022-06-30 21:36, Nicolin Chen wrote: > Cases like VFIO wish to attach a device to an existing domain that was > not allocated specifically from the device. This raises a condition > where the IOMMU driver can fail the domain attach because the domain and > device are incompatible with each other. > > This is a soft failure that can be resolved by using a different domain. > > Provide a dedicated errno from the IOMMU driver during attach that the > reason attached failed is because of domain incompatability. EMEDIUMTYPE > is chosen because it is never used within the iommu subsystem today and > evokes a sense that the 'medium' aka the domain is incompatible. > > VFIO can use this to know attach is a soft failure and it should continue > searching. Otherwise the attach will be a hard failure and VFIO will > return the code to userspace. > > Update all drivers to return EMEDIUMTYPE in their failure paths that are > related to domain incompatability. Also remove adjacent error prints for > these soft failures, to prevent a kernel log spam, since -EMEDIUMTYPE is > clear enough to indicate an incompatability error. > > Add kdocs describing this behavior. > > Suggested-by: Jason Gunthorpe <jgg@nvidia.com> > Reviewed-by: Kevin Tian <kevin.tian@intel.com> > Signed-off-by: Nicolin Chen <nicolinc@nvidia.com> > --- [...] > diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu.c b/drivers/iommu/arm/arm-smmu/arm-smmu.c > index 2ed3594f384e..072cac5ab5a4 100644 > --- a/drivers/iommu/arm/arm-smmu/arm-smmu.c > +++ b/drivers/iommu/arm/arm-smmu/arm-smmu.c > @@ -1135,10 +1135,8 @@ static int arm_smmu_attach_dev(struct iommu_domain *domain, struct device *dev) > struct arm_smmu_device *smmu; > int ret; > > - if (!fwspec || fwspec->ops != &arm_smmu_ops) { > - dev_err(dev, "cannot attach to SMMU, is it on the same bus?\n"); > - return -ENXIO; > - } > + if (!fwspec || fwspec->ops != &arm_smmu_ops) > + return -EMEDIUMTYPE; This is the wrong check, you want the "if (smmu_domain->smmu != smmu)" condition further down. If this one fails it's effectively because the device doesn't have an IOMMU at all, and similar to patch #3 it will be removed once the core code takes over properly (I even have both those patches written now!) Thanks, Robin. > /* > * FIXME: The arch/arm DMA API code tries to attach devices to its own
On Fri, Jul 01, 2022 at 11:21:48AM +0100, Robin Murphy wrote: > > diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu.c b/drivers/iommu/arm/arm-smmu/arm-smmu.c > > index 2ed3594f384e..072cac5ab5a4 100644 > > --- a/drivers/iommu/arm/arm-smmu/arm-smmu.c > > +++ b/drivers/iommu/arm/arm-smmu/arm-smmu.c > > @@ -1135,10 +1135,8 @@ static int arm_smmu_attach_dev(struct iommu_domain *domain, struct device *dev) > > struct arm_smmu_device *smmu; > > int ret; > > > > - if (!fwspec || fwspec->ops != &arm_smmu_ops) { > > - dev_err(dev, "cannot attach to SMMU, is it on the same bus?\n"); > > - return -ENXIO; > > - } > > + if (!fwspec || fwspec->ops != &arm_smmu_ops) > > + return -EMEDIUMTYPE; > > This is the wrong check, you want the "if (smmu_domain->smmu != smmu)" > condition further down. If this one fails it's effectively because the > device doesn't have an IOMMU at all, and similar to patch #3 it will be Thanks for the review! I will fix that. The "on the same bus" is quite eye-catching. > removed once the core code takes over properly (I even have both those > patches written now!) Actually in my v1 the proposal for ops check returned -EMEDIUMTYPE also upon an ops mismatch, treating that too as an incompatibility. Do you mean that we should have fine-grained it further?
On 01/07/2022 5:43 pm, Nicolin Chen wrote: > On Fri, Jul 01, 2022 at 11:21:48AM +0100, Robin Murphy wrote: > >>> diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu.c b/drivers/iommu/arm/arm-smmu/arm-smmu.c >>> index 2ed3594f384e..072cac5ab5a4 100644 >>> --- a/drivers/iommu/arm/arm-smmu/arm-smmu.c >>> +++ b/drivers/iommu/arm/arm-smmu/arm-smmu.c >>> @@ -1135,10 +1135,8 @@ static int arm_smmu_attach_dev(struct iommu_domain *domain, struct device *dev) >>> struct arm_smmu_device *smmu; >>> int ret; >>> >>> - if (!fwspec || fwspec->ops != &arm_smmu_ops) { >>> - dev_err(dev, "cannot attach to SMMU, is it on the same bus?\n"); >>> - return -ENXIO; >>> - } >>> + if (!fwspec || fwspec->ops != &arm_smmu_ops) >>> + return -EMEDIUMTYPE; >> >> This is the wrong check, you want the "if (smmu_domain->smmu != smmu)" >> condition further down. If this one fails it's effectively because the >> device doesn't have an IOMMU at all, and similar to patch #3 it will be > > Thanks for the review! I will fix that. The "on the same bus" is > quite eye-catching. > >> removed once the core code takes over properly (I even have both those >> patches written now!) > > Actually in my v1 the proposal for ops check returned -EMEDIUMTYPE > also upon an ops mismatch, treating that too as an incompatibility. > Do you mean that we should have fine-grained it further? On second look, I think this particular check was already entirely redundant by the time I made the fwspec conversion to it, oh well. Since it remains harmless for the time being, let's just ignore it entirely until we can confidently say goodbye to the whole lot[1]. I don't think there's any need to differentiate an instance mismatch from a driver mismatch, once the latter becomes realistically possible, mostly due to iommu_domain_alloc() also having to become device-aware to know which driver to allocate from. Thus as far as a user is concerned, if attaching a device to an existing domain fails with -EMEDIUMTYPE, allocating a new domain using the given device, and attaching to that, can be expected to succeed, regardless of why the original attempt was rejected. In fact even in the theoretical different-driver-per-bus model the same principle still holds up. Thanks, Robin. [1] https://gitlab.arm.com/linux-arm/linux-rm/-/commit/aa4accfa4a10e92daad0d51095918e8a89014393
On Fri, Jul 01, 2022 at 07:17:38PM +0100, Robin Murphy wrote: > External email: Use caution opening links or attachments > > > On 01/07/2022 5:43 pm, Nicolin Chen wrote: > > On Fri, Jul 01, 2022 at 11:21:48AM +0100, Robin Murphy wrote: > > > > > > diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu.c b/drivers/iommu/arm/arm-smmu/arm-smmu.c > > > > index 2ed3594f384e..072cac5ab5a4 100644 > > > > --- a/drivers/iommu/arm/arm-smmu/arm-smmu.c > > > > +++ b/drivers/iommu/arm/arm-smmu/arm-smmu.c > > > > @@ -1135,10 +1135,8 @@ static int arm_smmu_attach_dev(struct iommu_domain *domain, struct device *dev) > > > > struct arm_smmu_device *smmu; > > > > int ret; > > > > > > > > - if (!fwspec || fwspec->ops != &arm_smmu_ops) { > > > > - dev_err(dev, "cannot attach to SMMU, is it on the same bus?\n"); > > > > - return -ENXIO; > > > > - } > > > > + if (!fwspec || fwspec->ops != &arm_smmu_ops) > > > > + return -EMEDIUMTYPE; > > > > > > This is the wrong check, you want the "if (smmu_domain->smmu != smmu)" > > > condition further down. If this one fails it's effectively because the > > > device doesn't have an IOMMU at all, and similar to patch #3 it will be > > > > Thanks for the review! I will fix that. The "on the same bus" is > > quite eye-catching. > > > > > removed once the core code takes over properly (I even have both those > > > patches written now!) > > > > Actually in my v1 the proposal for ops check returned -EMEDIUMTYPE > > also upon an ops mismatch, treating that too as an incompatibility. > > Do you mean that we should have fine-grained it further? > > On second look, I think this particular check was already entirely > redundant by the time I made the fwspec conversion to it, oh well. Since > it remains harmless for the time being, let's just ignore it entirely > until we can confidently say goodbye to the whole lot[1]. That looks cleaner! > I don't think there's any need to differentiate an instance mismatch > from a driver mismatch, once the latter becomes realistically possible, > mostly due to iommu_domain_alloc() also having to become device-aware to > know which driver to allocate from. Thus as far as a user is concerned, > if attaching a device to an existing domain fails with -EMEDIUMTYPE, > allocating a new domain using the given device, and attaching to that, > can be expected to succeed, regardless of why the original attempt was > rejected. In fact even in the theoretical different-driver-per-bus model > the same principle still holds up. I see. Thanks for the explanation.
diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c index a56a9ad3273e..e851c3e91145 100644 --- a/drivers/iommu/amd/iommu.c +++ b/drivers/iommu/amd/iommu.c @@ -1743,7 +1743,7 @@ static int attach_device(struct device *dev, if (domain->flags & PD_IOMMUV2_MASK) { struct iommu_domain *def_domain = iommu_get_dma_domain(dev); - ret = -EINVAL; + ret = -EMEDIUMTYPE; if (def_domain->type != IOMMU_DOMAIN_IDENTITY) goto out; diff --git a/drivers/iommu/apple-dart.c b/drivers/iommu/apple-dart.c index 8af0242a90d9..e58dc310afd7 100644 --- a/drivers/iommu/apple-dart.c +++ b/drivers/iommu/apple-dart.c @@ -495,10 +495,10 @@ static int apple_dart_attach_dev(struct iommu_domain *domain, if (cfg->stream_maps[0].dart->force_bypass && domain->type != IOMMU_DOMAIN_IDENTITY) - return -EINVAL; + return -EMEDIUMTYPE; if (!cfg->stream_maps[0].dart->supports_bypass && domain->type == IOMMU_DOMAIN_IDENTITY) - return -EINVAL; + return -EMEDIUMTYPE; ret = apple_dart_finalize_domain(domain, cfg); if (ret) diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c index 88817a3376ef..5b64138f549d 100644 --- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c +++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c @@ -2420,24 +2420,15 @@ static int arm_smmu_attach_dev(struct iommu_domain *domain, struct device *dev) goto out_unlock; } } else if (smmu_domain->smmu != smmu) { - dev_err(dev, - "cannot attach to SMMU %s (upstream of %s)\n", - dev_name(smmu_domain->smmu->dev), - dev_name(smmu->dev)); - ret = -ENXIO; + ret = -EMEDIUMTYPE; goto out_unlock; } else if (smmu_domain->stage == ARM_SMMU_DOMAIN_S1 && master->ssid_bits != smmu_domain->s1_cfg.s1cdmax) { - dev_err(dev, - "cannot attach to incompatible domain (%u SSID bits != %u)\n", - smmu_domain->s1_cfg.s1cdmax, master->ssid_bits); - ret = -EINVAL; + ret = -EMEDIUMTYPE; goto out_unlock; } else if (smmu_domain->stage == ARM_SMMU_DOMAIN_S1 && smmu_domain->stall_enabled != master->stall_enabled) { - dev_err(dev, "cannot attach to stall-%s domain\n", - smmu_domain->stall_enabled ? "enabled" : "disabled"); - ret = -EINVAL; + ret = -EMEDIUMTYPE; goto out_unlock; } diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu.c b/drivers/iommu/arm/arm-smmu/arm-smmu.c index 2ed3594f384e..072cac5ab5a4 100644 --- a/drivers/iommu/arm/arm-smmu/arm-smmu.c +++ b/drivers/iommu/arm/arm-smmu/arm-smmu.c @@ -1135,10 +1135,8 @@ static int arm_smmu_attach_dev(struct iommu_domain *domain, struct device *dev) struct arm_smmu_device *smmu; int ret; - if (!fwspec || fwspec->ops != &arm_smmu_ops) { - dev_err(dev, "cannot attach to SMMU, is it on the same bus?\n"); - return -ENXIO; - } + if (!fwspec || fwspec->ops != &arm_smmu_ops) + return -EMEDIUMTYPE; /* * FIXME: The arch/arm DMA API code tries to attach devices to its own diff --git a/drivers/iommu/arm/arm-smmu/qcom_iommu.c b/drivers/iommu/arm/arm-smmu/qcom_iommu.c index 4c077c38fbd6..8372f985c14a 100644 --- a/drivers/iommu/arm/arm-smmu/qcom_iommu.c +++ b/drivers/iommu/arm/arm-smmu/qcom_iommu.c @@ -381,13 +381,8 @@ static int qcom_iommu_attach_dev(struct iommu_domain *domain, struct device *dev * Sanity check the domain. We don't support domains across * different IOMMUs. */ - if (qcom_domain->iommu != qcom_iommu) { - dev_err(dev, "cannot attach to IOMMU %s while already " - "attached to domain on IOMMU %s\n", - dev_name(qcom_domain->iommu->dev), - dev_name(qcom_iommu->dev)); - return -EINVAL; - } + if (qcom_domain->iommu != qcom_iommu) + return -EMEDIUMTYPE; return 0; } diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c index 44016594831d..db5fb799e350 100644 --- a/drivers/iommu/intel/iommu.c +++ b/drivers/iommu/intel/iommu.c @@ -4323,19 +4323,15 @@ static int prepare_domain_attach_device(struct iommu_domain *domain, return -ENODEV; if (dmar_domain->force_snooping && !ecap_sc_support(iommu->ecap)) - return -EOPNOTSUPP; + return -EMEDIUMTYPE; /* check if this iommu agaw is sufficient for max mapped address */ addr_width = agaw_to_width(iommu->agaw); if (addr_width > cap_mgaw(iommu->cap)) addr_width = cap_mgaw(iommu->cap); - if (dmar_domain->max_addr > (1LL << addr_width)) { - dev_err(dev, "%s: iommu width (%d) is not " - "sufficient for the mapped address (%llx)\n", - __func__, addr_width, dmar_domain->max_addr); - return -EFAULT; - } + if (dmar_domain->max_addr > (1LL << addr_width)) + return -EMEDIUMTYPE; dmar_domain->gaw = addr_width; /* diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c index cdc86c39954e..15e7a2914b5a 100644 --- a/drivers/iommu/iommu.c +++ b/drivers/iommu/iommu.c @@ -1972,6 +1972,20 @@ static int __iommu_attach_device(struct iommu_domain *domain, return ret; } +/** + * iommu_attach_device - Attach a device to an IOMMU domain + * @domain: IOMMU domain to attach + * @dev: Device that will be attached + * + * Returns 0 on success and error code on failure + * + * Specifically, -EMEDIUMTYPE is returned as a soft failure if the domain and + * the device are incompatible in some way. This indicates that a caller should + * try another existing IOMMU domain or allocate a new one. And note that it's + * recommended to keep kernel print free when reporting -EMEDIUMTYPE error, as + * this function can be called to test compatibility with domains that will fail + * the test, which will result in a kernel log spam. + */ int iommu_attach_device(struct iommu_domain *domain, struct device *dev) { struct iommu_group *group; @@ -2098,6 +2112,20 @@ static int __iommu_attach_group(struct iommu_domain *domain, return ret; } +/** + * iommu_attach_group - Attach an IOMMU group to an IOMMU domain + * @domain: IOMMU domain to attach + * @group: IOMMU group that will be attached + * + * Returns 0 on success and error code on failure + * + * Specifically, -EMEDIUMTYPE is returned as a soft failure if the domain and + * the device are incompatible in some way. This indicates that a caller should + * try another existing IOMMU domain or allocate a new one. And note that it's + * recommended to keep kernel print free when reporting -EMEDIUMTYPE error, as + * this function can be called to test compatibility with domains that will fail + * the test, which will result in a kernel log spam. + */ int iommu_attach_group(struct iommu_domain *domain, struct iommu_group *group) { int ret; diff --git a/drivers/iommu/ipmmu-vmsa.c b/drivers/iommu/ipmmu-vmsa.c index 1d42084d0276..0103480648cb 100644 --- a/drivers/iommu/ipmmu-vmsa.c +++ b/drivers/iommu/ipmmu-vmsa.c @@ -628,9 +628,7 @@ static int ipmmu_attach_device(struct iommu_domain *io_domain, * Something is wrong, we can't attach two devices using * different IOMMUs to the same domain. */ - dev_err(dev, "Can't attach IPMMU %s to domain on IPMMU %s\n", - dev_name(mmu->dev), dev_name(domain->mmu->dev)); - ret = -EINVAL; + ret = -EMEDIUMTYPE; } else dev_info(dev, "Reusing IPMMU context %u\n", domain->context_id); diff --git a/drivers/iommu/omap-iommu.c b/drivers/iommu/omap-iommu.c index d9cf2820c02e..6bc8925726bf 100644 --- a/drivers/iommu/omap-iommu.c +++ b/drivers/iommu/omap-iommu.c @@ -1471,8 +1471,7 @@ omap_iommu_attach_dev(struct iommu_domain *domain, struct device *dev) /* only a single client device can be attached to a domain */ if (omap_domain->dev) { - dev_err(dev, "iommu domain is already attached\n"); - ret = -EBUSY; + ret = -EMEDIUMTYPE; goto out; } diff --git a/drivers/iommu/s390-iommu.c b/drivers/iommu/s390-iommu.c index c898bcbbce11..ddcb78b284bb 100644 --- a/drivers/iommu/s390-iommu.c +++ b/drivers/iommu/s390-iommu.c @@ -127,7 +127,7 @@ static int s390_iommu_attach_device(struct iommu_domain *domain, /* Allow only devices with identical DMA range limits */ } else if (domain->geometry.aperture_start != zdev->start_dma || domain->geometry.aperture_end != zdev->end_dma) { - rc = -EINVAL; + rc = -EMEDIUMTYPE; spin_unlock_irqrestore(&s390_domain->list_lock, flags); goto out_restore; } diff --git a/drivers/iommu/sprd-iommu.c b/drivers/iommu/sprd-iommu.c index bd409bab6286..f6ae230ca1cd 100644 --- a/drivers/iommu/sprd-iommu.c +++ b/drivers/iommu/sprd-iommu.c @@ -237,10 +237,8 @@ static int sprd_iommu_attach_device(struct iommu_domain *domain, struct sprd_iommu_domain *dom = to_sprd_domain(domain); size_t pgt_size = sprd_iommu_pgt_size(domain); - if (dom->sdev) { - pr_err("There's already a device attached to this domain.\n"); - return -EINVAL; - } + if (dom->sdev) + return -EMEDIUMTYPE; dom->pgt_va = dma_alloc_coherent(sdev->dev, pgt_size, &dom->pgt_pa, GFP_KERNEL); if (!dom->pgt_va) diff --git a/drivers/iommu/tegra-gart.c b/drivers/iommu/tegra-gart.c index a6700a40a6f8..011c33e6ae31 100644 --- a/drivers/iommu/tegra-gart.c +++ b/drivers/iommu/tegra-gart.c @@ -112,7 +112,7 @@ static int gart_iommu_attach_dev(struct iommu_domain *domain, spin_lock(&gart->dom_lock); if (gart->active_domain && gart->active_domain != domain) { - ret = -EBUSY; + ret = -EMEDIUMTYPE; } else if (dev_iommu_priv_get(dev) != domain) { dev_iommu_priv_set(dev, domain); gart->active_domain = domain; diff --git a/drivers/iommu/virtio-iommu.c b/drivers/iommu/virtio-iommu.c index 25be4b822aa0..a41a62dccb4d 100644 --- a/drivers/iommu/virtio-iommu.c +++ b/drivers/iommu/virtio-iommu.c @@ -733,8 +733,7 @@ static int viommu_attach_dev(struct iommu_domain *domain, struct device *dev) */ ret = viommu_domain_finalise(vdev, domain); } else if (vdomain->viommu != vdev->viommu) { - dev_err(dev, "cannot attach to foreign vIOMMU\n"); - ret = -EXDEV; + ret = -EMEDIUMTYPE; } mutex_unlock(&vdomain->mutex);