[PATCH v4 0/5] iommu/s390: Fixes related to attach and aperture handling

From: Niklas Schnelle
Date: Tue Oct 04 2022 - 08:08:02 EST

Hi All,

This is v4 of a follow up to Matt's recent series[0] where he tackled
a race that turned out to be outside of the s390 IOMMU driver itself as
well as duplicate device attachments. After an internal discussion we came
up with what I believe is a cleaner fix. Instead of actively checking for
duplicates we instead detach from any previous domain on attach. From my
cursory reading of the code this seems to be what the Intel IOMMU driver is
doing as well.

Moreover we drop the attempt to re-attach the device to its previous IOMMU
domain on failure. This was fragile, unlikely to help and unexpected for
calling code. Thanks Jason for the suggestion.

During development of this fix we realized that we can get rid of struct
s390_domain_device entirely if we instead thread the list through the
attached struct zpci_devs. This saves us from having to allocate during
attach and gets rid of one level of indirection during IOMMU operations.

Additionally 3 more fixes have been added in v3 that weren't in v2 of this
series. One is for a potential situation where the aperture of a domain
could shrink and leave invalid translations. The next one fixes an off by
one in checking validity of an IOVA and the last one fixes a wrong value
for pgsize_bitmap.

This series is against the s390 features branch[1] which already contains
the bus_next field removal that was part of v2.

Best regards,

Changes since v3:
- Drop s390_domain from __s390_iommu_detach_device() (Jason)
- WARN_ON() mismatched domain in s390_iommu_detach_device() (Jason)
- Use __s390_iommu_detach_device() in s390_iommu_release_device() (Jason)
- Make aperture check resistant against overflow (Jason)

Changes since v2:
- The patch removing the unused bus_next field has been spun out and
already made it into the s390 feature branch on git.kernel.org
- Make __s390_iommu_detach_device() return void (Jason)
- Remove the re-attach on failure dance as it is unlikely to help
and complicates debug and recovery (Jason)
- Ignore attempts to detach from domain that is not the active one
- Add patch to fix potential shrinking of the aperture and use
reserved ranges per device instead of the aperture to respect
IOVA range restrictions (Jason)
- Add a fix for an off by one error on checking an IOVA against
the aperture
- Add a fix for wrong pgsize_bitmap

Changes since v1:
- After patch 3 we don't have to search in the devices list on detach as
we alreadz have hold of the zpci_dev (Jason)
- Add a WARN_ON() if somehow ended up detaching a device from a domain that
isn't the device's current domain.
- Removed the iteration and list delete from s390_domain_free() instead
just WARN_ON() when we're freeing without having detached
- The last two points should help catching sequencing errors much more
quickly in the future.

[0] https://lore.kernel.org/linux-iommu/20220831201236.77595-1-mjrosato@xxxxxxxxxxxxx/
[1] https://git.kernel.org/pub/scm/linux/kernel/git/s390/linux.git/

Niklas Schnelle (5):
iommu/s390: Fix duplicate domain attachments
iommu/s390: Get rid of s390_domain_device
iommu/s390: Fix potential s390_domain aperture shrinking
iommu/s390: Fix incorrect aperture check
iommu/s390: Fix incorrect pgsize_bitmap

arch/s390/include/asm/pci.h | 1 +
drivers/iommu/s390-iommu.c | 169 +++++++++++++++---------------------
2 files changed, 70 insertions(+), 100 deletions(-)