Re: [PATCH] iommu: Implement deferred domain attachment

From: Robin Murphy
Date: Fri May 15 2020 - 15:23:17 EST

Next message: Bjorn Helgaas: "Re: [PATCH v2] x86/PCI: Mark Power Control Unit as having non-compliant BARs"
Previous message: kbuild test robot: "[tip:x86/urgent] BUILD SUCCESS a9a3ed1eff3601b63aea4fb462d8b3b92c7c1e7e"
In reply to: Joerg Roedel: "Re: [PATCH] iommu: Implement deferred domain attachment"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2020-05-15 19:26, Joerg Roedel wrote:

On Fri, May 15, 2020 at 05:28:53PM +0100, Robin Murphy wrote:

On 2020-05-15 17:14, Joerg Roedel wrote:

diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c
index ba128d1cdaee..403fda04ea98 100644
--- a/drivers/iommu/dma-iommu.c
+++ b/drivers/iommu/dma-iommu.c
@@ -362,8 +362,8 @@ static int iommu_dma_deferred_attach(struct device *dev,
return 0;
if (unlikely(ops->is_attach_deferred &&
- ops->is_attach_deferred(domain, dev)))
- return iommu_attach_device(domain, dev);
+ ops->is_attach_deferred(domain, dev)))
+ return iommu_attach_device_no_defer(domain, dev);

Wouldn't it be simpler to just invoke ops->attach_dev directly and avoid
having to formalise a public interface that nobody else should ever use
anyway?

That would omit the ops->attach_dev != NULL check and the trace-point on
device attach. Besides that, it would be a layering violation. But the
function is of course entirely internal to the iommu subsytem and is a
good canditate to be moved to a header file in drivers/iommu.

Sure, checking the pointer before calling was implied, but the tracepoint is a good argument, I'd forgotten about that :)

@@ -746,8 +747,11 @@ int iommu_group_add_device(struct iommu_group *group,
struct device *dev)

mutex_lock(&group->mutex);
list_add_tail(&device->list, &group->devices);
- if (group->domain)
- ret = __iommu_attach_device(group->domain, dev);
+ domain = group->domain;
+ if (domain && (!domain->ops->is_attach_deferred ||
+ !domain->ops->is_attach_deferred(domain, dev)))
+ ret = __iommu_attach_device(domain, dev);
+ }
mutex_unlock(&group->mutex);
if (ret)
goto err_put_group;

No, doing this in iommu_group_add_device() doesn't solve the problem.
The attach must not happen before a device driver took control of the
device and silenced any DMA initiated by the old kernel. At probe time
this isn't guaranteed.

But that's not what this is; this is (supposed to be) the exact same "don't actually perform the attach yet" logic as before, just restricting it to default domains in the one place that it actually needs to be, so as not to fundamentally bugger up iommu_attach_device() in a way that prevents it from working as expected at the correct point later.

Thinking a bit more, consider if the driver resets the device then attaches it straight to its own unmanaged domain rather than calling any DMA ops (e.g. VFIO?) - it looks like that would also be totally broken right now, and no amount of bodges in iommu-dma is going to help there.

Robin.

Next message: Bjorn Helgaas: "Re: [PATCH v2] x86/PCI: Mark Power Control Unit as having non-compliant BARs"
Previous message: kbuild test robot: "[tip:x86/urgent] BUILD SUCCESS a9a3ed1eff3601b63aea4fb462d8b3b92c7c1e7e"
In reply to: Joerg Roedel: "Re: [PATCH] iommu: Implement deferred domain attachment"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]