Message ID | 20230518204650.14541-16-joao.m.martins@oracle.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | IOMMUFD Dirty Tracking | expand |
On Thu, May 18, 2023 at 09:46:41PM +0100, Joao Martins wrote: > VFIO has an operation where you an unmap an IOVA while returning a bitmap > with the dirty data. In reality the operation doesn't quite query the IO > pagetables that the the PTE was dirty or not, but it marks as dirty in the > bitmap anything that was mapped all in one operation. > > In IOMMUFD this equivalent can be done in two operations by querying with > GET_DIRTY_IOVA followed by UNMAP_IOVA. However, this would incur two TLB > flushes given that after clearing dirty bits IOMMU implementations require > invalidating their IOTLB, plus another invalidation needed for the UNMAP. > To allow dirty bits to be queried faster, we add a flag > (IOMMU_GET_DIRTY_IOVA_NO_CLEAR) that requests to not clear the dirty bits > from the PTE (but just reading them), under the expectation that the next > operation is the unmap. An alternative is to unmap and just perpectually > mark as dirty as that's the same behaviour as today. So here equivalent > functionally can be provided, and if real dirty info is required we > amortize the cost while querying. > > There's still a race against DMA where in theory the unmap of the IOVA > (when the guest invalidates the IOTLB via emulated iommu) would race > against the VF performing DMA on the same IOVA being invalidated which > would be marking the PTE as dirty but losing the update in the > unmap-related IOTLB flush. The way to actually prevent the race would be to > write-protect the IOPTE, then query dirty bits and flush the IOTLB in the > unmap after. However, this remains an issue that is so far theoretically > possible, but lacks an use case or whether the race is relevant in the > first place that justifies such complexity. > > Link: > https://lore.kernel.org/linux-iommu/20220502185239.GR8364@nvidia.com/ I think you should clip the explanation from the email into the commit message - eg that we are accepting to resolve this race as throwing away the DMA and it doesn't matter if it hit physical DRAM or not, the VM can't tell if we threw it away because the DMA was blocked or because we failed to copy the DRAM. Jason
diff --git a/drivers/iommu/iommufd/hw_pagetable.c b/drivers/iommu/iommufd/hw_pagetable.c index 25860aa0a1f8..bcb81eefe16c 100644 --- a/drivers/iommu/iommufd/hw_pagetable.c +++ b/drivers/iommu/iommufd/hw_pagetable.c @@ -260,7 +260,8 @@ int iommufd_hwpt_get_dirty_iova(struct iommufd_ucmd *ucmd) struct iommufd_ioas *ioas; int rc = -EOPNOTSUPP; - if ((cmd->flags || cmd->__reserved)) + if ((cmd->flags & ~(IOMMU_GET_DIRTY_IOVA_NO_CLEAR)) || + cmd->__reserved) return -EOPNOTSUPP; hwpt = iommufd_get_hwpt(ucmd, cmd->hwpt_id); diff --git a/drivers/iommu/iommufd/io_pagetable.c b/drivers/iommu/iommufd/io_pagetable.c index 01adb0f7e4d0..ef58910ec747 100644 --- a/drivers/iommu/iommufd/io_pagetable.c +++ b/drivers/iommu/iommufd/io_pagetable.c @@ -414,6 +414,7 @@ int iopt_map_user_pages(struct iommufd_ctx *ictx, struct io_pagetable *iopt, } struct iova_bitmap_fn_arg { + unsigned long flags; struct iommu_domain *domain; struct iommu_dirty_bitmap *dirty; }; @@ -426,8 +427,9 @@ static int __iommu_read_and_clear_dirty(struct iova_bitmap *bitmap, struct iommu_domain *domain = arg->domain; const struct iommu_domain_ops *ops = domain->ops; struct iommu_dirty_bitmap *dirty = arg->dirty; + unsigned long flags = arg->flags; - return ops->read_and_clear_dirty(domain, iova, length, 0, dirty); + return ops->read_and_clear_dirty(domain, iova, length, flags, dirty); } static int iommu_read_and_clear_dirty(struct iommu_domain *domain, @@ -451,11 +453,14 @@ static int iommu_read_and_clear_dirty(struct iommu_domain *domain, iommu_dirty_bitmap_init(&dirty, iter, &gather); + arg.flags = flags; arg.domain = domain; arg.dirty = &dirty; iova_bitmap_for_each(iter, &arg, __iommu_read_and_clear_dirty); - iommu_iotlb_sync(domain, &gather); + if (!(flags & IOMMU_DIRTY_NO_CLEAR)) + iommu_iotlb_sync(domain, &gather); + iova_bitmap_free(iter); return ret; diff --git a/include/uapi/linux/iommufd.h b/include/uapi/linux/iommufd.h index c256f7354867..a91bf845e679 100644 --- a/include/uapi/linux/iommufd.h +++ b/include/uapi/linux/iommufd.h @@ -427,6 +427,18 @@ struct iommufd_dirty_data { __aligned_u64 *data; }; +/** + * enum iommufd_get_dirty_iova_flags - Flags for getting dirty bits + * @IOMMU_GET_DIRTY_IOVA_NO_CLEAR: Just read the PTEs without clearing any dirty + * bits metadata. This flag can be passed in the + * expectation where the next operation is + * an unmap of the same IOVA range. + * + */ +enum iommufd_hwpt_get_dirty_iova_flags { + IOMMU_GET_DIRTY_IOVA_NO_CLEAR = 1, +}; + /** * struct iommu_hwpt_get_dirty_iova - ioctl(IOMMU_HWPT_GET_DIRTY_IOVA) * @size: sizeof(struct iommu_hwpt_get_dirty_iova)
VFIO has an operation where you an unmap an IOVA while returning a bitmap with the dirty data. In reality the operation doesn't quite query the IO pagetables that the the PTE was dirty or not, but it marks as dirty in the bitmap anything that was mapped all in one operation. In IOMMUFD this equivalent can be done in two operations by querying with GET_DIRTY_IOVA followed by UNMAP_IOVA. However, this would incur two TLB flushes given that after clearing dirty bits IOMMU implementations require invalidating their IOTLB, plus another invalidation needed for the UNMAP. To allow dirty bits to be queried faster, we add a flag (IOMMU_GET_DIRTY_IOVA_NO_CLEAR) that requests to not clear the dirty bits from the PTE (but just reading them), under the expectation that the next operation is the unmap. An alternative is to unmap and just perpectually mark as dirty as that's the same behaviour as today. So here equivalent functionally can be provided, and if real dirty info is required we amortize the cost while querying. There's still a race against DMA where in theory the unmap of the IOVA (when the guest invalidates the IOTLB via emulated iommu) would race against the VF performing DMA on the same IOVA being invalidated which would be marking the PTE as dirty but losing the update in the unmap-related IOTLB flush. The way to actually prevent the race would be to write-protect the IOPTE, then query dirty bits and flush the IOTLB in the unmap after. However, this remains an issue that is so far theoretically possible, but lacks an use case or whether the race is relevant in the first place that justifies such complexity. Link: https://lore.kernel.org/linux-iommu/20220502185239.GR8364@nvidia.com/ Signed-off-by: Joao Martins <joao.m.martins@oracle.com> --- drivers/iommu/iommufd/hw_pagetable.c | 3 ++- drivers/iommu/iommufd/io_pagetable.c | 9 +++++++-- include/uapi/linux/iommufd.h | 12 ++++++++++++ 3 files changed, 21 insertions(+), 3 deletions(-)