| Message ID | 6596469d5fa1e918145fdd4e6b1a3ad67f7cde2e.1566238530.git.robin.murphy@arm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | iommu/io-pgtable: Cleanup and prep for split tables | expand |
On Mon, Aug 19, 2019 at 07:19:31PM +0100, Robin Murphy wrote: > Now that callers are free to use a given table for TTBR1 if they wish > (all they need do is shift the provided attributes when constructing > their final TCR value), the only remaining impediment is the address > validation on map/unmap. The fact that the LPAE address space split is > symmetric makes this easy to accommodate - by simplifying the current > range checks into explicit tests that address bits above IAS are all > zero, it then follows straightforwardly to add the inverse test to > allow the all-ones case as well. > > Signed-off-by: Robin Murphy <robin.murphy@arm.com> > --- > drivers/iommu/io-pgtable-arm.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c > index 09cb20671fbb..f39c50356351 100644 > --- a/drivers/iommu/io-pgtable-arm.c > +++ b/drivers/iommu/io-pgtable-arm.c > @@ -475,13 +475,13 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova, > arm_lpae_iopte *ptep = data->pgd; > int ret, lvl = ARM_LPAE_START_LVL(data); > arm_lpae_iopte prot; > + long iaext = (long)iova >> data->iop.cfg.ias; > > /* If no access, then nothing to do */ > if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE))) > return 0; > > - if (WARN_ON(iova >= (1ULL << data->iop.cfg.ias) || > - paddr >= (1ULL << data->iop.cfg.oas))) > + if (WARN_ON((iaext && ~iaext) || paddr >> data->iop.cfg.oas)) > return -ERANGE; > > prot = arm_lpae_prot_to_pte(data, iommu_prot); We'll want to cast away the sign extended bits before mapping the iova, this might be a good patch for that too as long as we are calculating the iaext. > @@ -647,8 +647,9 @@ static size_t arm_lpae_unmap(struct io_pgtable_ops *ops, unsigned long iova, > struct arm_lpae_io_pgtable *data = io_pgtable_ops_to_data(ops); > arm_lpae_iopte *ptep = data->pgd; > int lvl = ARM_LPAE_START_LVL(data); > + long iaext = (long)iova >> data->iop.cfg.ias; > > - if (WARN_ON(iova >= (1ULL << data->iop.cfg.ias))) > + if (WARN_ON(iaext && ~iaext)) > return 0; > > return __arm_lpae_unmap(data, iova, size, lvl, ptep); And here too. Jordan
On Mon, Aug 19, 2019 at 07:19:31PM +0100, Robin Murphy wrote: > Now that callers are free to use a given table for TTBR1 if they wish > (all they need do is shift the provided attributes when constructing > their final TCR value), the only remaining impediment is the address > validation on map/unmap. The fact that the LPAE address space split is > symmetric makes this easy to accommodate - by simplifying the current > range checks into explicit tests that address bits above IAS are all > zero, it then follows straightforwardly to add the inverse test to > allow the all-ones case as well. > > Signed-off-by: Robin Murphy <robin.murphy@arm.com> > --- > drivers/iommu/io-pgtable-arm.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c > index 09cb20671fbb..f39c50356351 100644 > --- a/drivers/iommu/io-pgtable-arm.c > +++ b/drivers/iommu/io-pgtable-arm.c > @@ -475,13 +475,13 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova, > arm_lpae_iopte *ptep = data->pgd; > int ret, lvl = ARM_LPAE_START_LVL(data); > arm_lpae_iopte prot; > + long iaext = (long)iova >> data->iop.cfg.ias; > > /* If no access, then nothing to do */ > if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE))) > return 0; > > - if (WARN_ON(iova >= (1ULL << data->iop.cfg.ias) || > - paddr >= (1ULL << data->iop.cfg.oas))) > + if (WARN_ON((iaext && ~iaext) || paddr >> data->iop.cfg.oas)) I had to read that '&&' twice, but I see what you're doing now :) > return -ERANGE; This doesn't seem sufficient to prevent a mixture of TTBR1 and TTBR0 addresses from being mapped in the same TTBR. Perhaps we need a quirk for TTBR1, which could then take care of setting EPDx appropriately? Will
On 19/08/2019 23:34, Jordan Crouse wrote: > On Mon, Aug 19, 2019 at 07:19:31PM +0100, Robin Murphy wrote: >> Now that callers are free to use a given table for TTBR1 if they wish >> (all they need do is shift the provided attributes when constructing >> their final TCR value), the only remaining impediment is the address >> validation on map/unmap. The fact that the LPAE address space split is >> symmetric makes this easy to accommodate - by simplifying the current >> range checks into explicit tests that address bits above IAS are all >> zero, it then follows straightforwardly to add the inverse test to >> allow the all-ones case as well. >> >> Signed-off-by: Robin Murphy <robin.murphy@arm.com> >> --- >> drivers/iommu/io-pgtable-arm.c | 7 ++++--- >> 1 file changed, 4 insertions(+), 3 deletions(-) >> >> diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c >> index 09cb20671fbb..f39c50356351 100644 >> --- a/drivers/iommu/io-pgtable-arm.c >> +++ b/drivers/iommu/io-pgtable-arm.c >> @@ -475,13 +475,13 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova, >> arm_lpae_iopte *ptep = data->pgd; >> int ret, lvl = ARM_LPAE_START_LVL(data); >> arm_lpae_iopte prot; >> + long iaext = (long)iova >> data->iop.cfg.ias; >> >> /* If no access, then nothing to do */ >> if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE))) >> return 0; >> >> - if (WARN_ON(iova >= (1ULL << data->iop.cfg.ias) || >> - paddr >= (1ULL << data->iop.cfg.oas))) >> + if (WARN_ON((iaext && ~iaext) || paddr >> data->iop.cfg.oas)) >> return -ERANGE; >> >> prot = arm_lpae_prot_to_pte(data, iommu_prot); > > We'll want to cast away the sign extended bits before mapping the iova, this > might be a good patch for that too as long as we are calculating the iaext. Ah good point, I'd forgotten that ARM_LPAE_LVL_IDX() doesn't actually cap to IAS if the top level is smaller than bits_per_level (I suppose we *could* make it do so for purity, but that's bound to hurt efficiency far more than just zeroing out the offending bits here). Thanks, Robin. > >> @@ -647,8 +647,9 @@ static size_t arm_lpae_unmap(struct io_pgtable_ops *ops, unsigned long iova, >> struct arm_lpae_io_pgtable *data = io_pgtable_ops_to_data(ops); >> arm_lpae_iopte *ptep = data->pgd; >> int lvl = ARM_LPAE_START_LVL(data); >> + long iaext = (long)iova >> data->iop.cfg.ias; >> >> - if (WARN_ON(iova >= (1ULL << data->iop.cfg.ias))) >> + if (WARN_ON(iaext && ~iaext)) >> return 0; >> >> return __arm_lpae_unmap(data, iova, size, lvl, ptep); > > And here too. > > Jordan >
On 20/08/2019 11:30, Will Deacon wrote: > On Mon, Aug 19, 2019 at 07:19:31PM +0100, Robin Murphy wrote: >> Now that callers are free to use a given table for TTBR1 if they wish >> (all they need do is shift the provided attributes when constructing >> their final TCR value), the only remaining impediment is the address >> validation on map/unmap. The fact that the LPAE address space split is >> symmetric makes this easy to accommodate - by simplifying the current >> range checks into explicit tests that address bits above IAS are all >> zero, it then follows straightforwardly to add the inverse test to >> allow the all-ones case as well. >> >> Signed-off-by: Robin Murphy <robin.murphy@arm.com> >> --- >> drivers/iommu/io-pgtable-arm.c | 7 ++++--- >> 1 file changed, 4 insertions(+), 3 deletions(-) >> >> diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c >> index 09cb20671fbb..f39c50356351 100644 >> --- a/drivers/iommu/io-pgtable-arm.c >> +++ b/drivers/iommu/io-pgtable-arm.c >> @@ -475,13 +475,13 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova, >> arm_lpae_iopte *ptep = data->pgd; >> int ret, lvl = ARM_LPAE_START_LVL(data); >> arm_lpae_iopte prot; >> + long iaext = (long)iova >> data->iop.cfg.ias; >> >> /* If no access, then nothing to do */ >> if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE))) >> return 0; >> >> - if (WARN_ON(iova >= (1ULL << data->iop.cfg.ias) || >> - paddr >= (1ULL << data->iop.cfg.oas))) >> + if (WARN_ON((iaext && ~iaext) || paddr >> data->iop.cfg.oas)) > > I had to read that '&&' twice, but I see what you're doing now :) > >> return -ERANGE; > > This doesn't seem sufficient to prevent a mixture of TTBR1 and TTBR0 > addresses from being mapped in the same TTBR. Perhaps we need a quirk for > TTBR1, which could then take care of setting EPDx appropriately? Right, that's the one downside of going for the minimalist "io-pgtable doesn't even have to know" approach. On reflection, though, in that paradigm it should probably be the caller's responsibility to convert TTBR1 addresses to preserve the "as if TTBR0" illusion anyway :/ The advantage of not having a quirk is that it allows split address spaces to fit more closely with the aux_domain idea, i.e. we could allocate and initialise a domain without having to assume, or even care, whether it will end up attached as a primary or aux domain. It *might* even be potentially useful to have a domain attached to TTBR0 of one device's context and TTBR1 of another's at the same time, although that's pretty niche. Robin.
On Tue, Aug 20, 2019 at 03:51:45PM +0100, Robin Murphy wrote: > On 20/08/2019 11:30, Will Deacon wrote: > > On Mon, Aug 19, 2019 at 07:19:31PM +0100, Robin Murphy wrote: > > > Now that callers are free to use a given table for TTBR1 if they wish > > > (all they need do is shift the provided attributes when constructing > > > their final TCR value), the only remaining impediment is the address > > > validation on map/unmap. The fact that the LPAE address space split is > > > symmetric makes this easy to accommodate - by simplifying the current > > > range checks into explicit tests that address bits above IAS are all > > > zero, it then follows straightforwardly to add the inverse test to > > > allow the all-ones case as well. > > > > > > Signed-off-by: Robin Murphy <robin.murphy@arm.com> > > > --- > > > drivers/iommu/io-pgtable-arm.c | 7 ++++--- > > > 1 file changed, 4 insertions(+), 3 deletions(-) > > > > > > diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c > > > index 09cb20671fbb..f39c50356351 100644 > > > --- a/drivers/iommu/io-pgtable-arm.c > > > +++ b/drivers/iommu/io-pgtable-arm.c > > > @@ -475,13 +475,13 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova, > > > arm_lpae_iopte *ptep = data->pgd; > > > int ret, lvl = ARM_LPAE_START_LVL(data); > > > arm_lpae_iopte prot; > > > + long iaext = (long)iova >> data->iop.cfg.ias; > > > /* If no access, then nothing to do */ > > > if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE))) > > > return 0; > > > - if (WARN_ON(iova >= (1ULL << data->iop.cfg.ias) || > > > - paddr >= (1ULL << data->iop.cfg.oas))) > > > + if (WARN_ON((iaext && ~iaext) || paddr >> data->iop.cfg.oas)) > > > > I had to read that '&&' twice, but I see what you're doing now :) > > > > > return -ERANGE; > > > > This doesn't seem sufficient to prevent a mixture of TTBR1 and TTBR0 > > addresses from being mapped in the same TTBR. Perhaps we need a quirk for > > TTBR1, which could then take care of setting EPDx appropriately? > > Right, that's the one downside of going for the minimalist "io-pgtable > doesn't even have to know" approach. On reflection, though, in that paradigm > it should probably be the caller's responsibility to convert TTBR1 addresses > to preserve the "as if TTBR0" illusion anyway :/ Right, and I'd rather not push stuff into the caller for the common case. It's not exactly onerous to support this in io-pgtable. It's also why I'd still like to keep the EPDx in there, because the callers that care can rewrite the stuff, but at least we provided a default. > The advantage of not having a quirk is that it allows split address spaces > to fit more closely with the aux_domain idea, i.e. we could allocate and > initialise a domain without having to assume, or even care, whether it will > end up attached as a primary or aux domain. It *might* even be potentially > useful to have a domain attached to TTBR0 of one device's context and TTBR1 > of another's at the same time, although that's pretty niche. That sounds pretty theoretical to me at the moment. Will
diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c index 09cb20671fbb..f39c50356351 100644 --- a/drivers/iommu/io-pgtable-arm.c +++ b/drivers/iommu/io-pgtable-arm.c @@ -475,13 +475,13 @@ static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova, arm_lpae_iopte *ptep = data->pgd; int ret, lvl = ARM_LPAE_START_LVL(data); arm_lpae_iopte prot; + long iaext = (long)iova >> data->iop.cfg.ias; /* If no access, then nothing to do */ if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE))) return 0; - if (WARN_ON(iova >= (1ULL << data->iop.cfg.ias) || - paddr >= (1ULL << data->iop.cfg.oas))) + if (WARN_ON((iaext && ~iaext) || paddr >> data->iop.cfg.oas)) return -ERANGE; prot = arm_lpae_prot_to_pte(data, iommu_prot); @@ -647,8 +647,9 @@ static size_t arm_lpae_unmap(struct io_pgtable_ops *ops, unsigned long iova, struct arm_lpae_io_pgtable *data = io_pgtable_ops_to_data(ops); arm_lpae_iopte *ptep = data->pgd; int lvl = ARM_LPAE_START_LVL(data); + long iaext = (long)iova >> data->iop.cfg.ias; - if (WARN_ON(iova >= (1ULL << data->iop.cfg.ias))) + if (WARN_ON(iaext && ~iaext)) return 0; return __arm_lpae_unmap(data, iova, size, lvl, ptep);
Now that callers are free to use a given table for TTBR1 if they wish (all they need do is shift the provided attributes when constructing their final TCR value), the only remaining impediment is the address validation on map/unmap. The fact that the LPAE address space split is symmetric makes this easy to accommodate - by simplifying the current range checks into explicit tests that address bits above IAS are all zero, it then follows straightforwardly to add the inverse test to allow the all-ones case as well. Signed-off-by: Robin Murphy <robin.murphy@arm.com> --- drivers/iommu/io-pgtable-arm.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)