On Fri, Nov 04, 2022 at 08:32:30AM +0000, Tian, Kevin wrote:
From: Jason Gunthorpe jgg@nvidia.com Sent: Wednesday, October 26, 2022 2:12 AM
+int iommufd_ioas_allow_iovas(struct iommufd_ucmd *ucmd) +{
- struct iommu_ioas_allow_iovas *cmd = ucmd->cmd;
- struct rb_root_cached allowed_iova = RB_ROOT_CACHED;
- struct interval_tree_node *node;
- struct iommufd_ioas *ioas;
- struct io_pagetable *iopt;
- int rc = 0;
- ioas = iommufd_get_ioas(ucmd, cmd->ioas_id);
- if (IS_ERR(ioas))
return PTR_ERR(ioas);
- iopt = &ioas->iopt;
Missed the check of __reserved field
Done
+int iommufd_ioas_copy(struct iommufd_ucmd *ucmd) +{
- struct iommu_ioas_copy *cmd = ucmd->cmd;
- struct iommufd_ioas *src_ioas;
- struct iommufd_ioas *dst_ioas;
- unsigned int flags = 0;
- LIST_HEAD(pages_list);
- unsigned long iova;
- int rc;
- if ((cmd->flags &
~(IOMMU_IOAS_MAP_FIXED_IOVA |
IOMMU_IOAS_MAP_WRITEABLE |
IOMMU_IOAS_MAP_READABLE)))
return -EOPNOTSUPP;
- if (cmd->length >= ULONG_MAX)
return -EOVERFLOW;
and overflow on cmd->dest_iova/src_iova
Yep
- src_ioas = iommufd_get_ioas(ucmd, cmd->src_ioas_id);
- if (IS_ERR(src_ioas))
return PTR_ERR(src_ioas);
- rc = iopt_get_pages(&src_ioas->iopt, cmd->src_iova, cmd->length,
&pages_list);
- iommufd_put_object(&src_ioas->obj);
- if (rc)
goto out_pages;
direct return given iopt_get_pages() already called iopt_free_pages_list() upon error.
Ok
+int iommufd_ioas_unmap(struct iommufd_ucmd *ucmd) +{
- struct iommu_ioas_unmap *cmd = ucmd->cmd;
- struct iommufd_ioas *ioas;
- unsigned long unmapped = 0;
- int rc;
- ioas = iommufd_get_ioas(ucmd, cmd->ioas_id);
- if (IS_ERR(ioas))
return PTR_ERR(ioas);
- if (cmd->iova == 0 && cmd->length == U64_MAX) {
rc = iopt_unmap_all(&ioas->iopt, &unmapped);
if (rc)
goto out_put;
- } else {
if (cmd->iova >= ULONG_MAX || cmd->length >=
ULONG_MAX) {
rc = -EOVERFLOW;
goto out_put;
}
Above check can be moved before iommufd_get_ioas().
They have to be after this:
if (cmd->iova == 0 && cmd->length == U64_MAX) {
Or it will false trigger
+static int iommufd_option(struct iommufd_ucmd *ucmd) +{
- struct iommu_option *cmd = ucmd->cmd;
- int rc;
lack of __reserved check
Done
static struct iommufd_ioctl_op iommufd_ioctl_ops[] = { IOCTL_OP(IOMMU_DESTROY, iommufd_destroy, struct iommu_destroy, id),
- IOCTL_OP(IOMMU_IOAS_ALLOC, iommufd_ioas_alloc_ioctl,
struct iommu_ioas_alloc, out_ioas_id),
- IOCTL_OP(IOMMU_IOAS_ALLOW_IOVAS, iommufd_ioas_allow_iovas,
struct iommu_ioas_allow_iovas, allowed_iovas),
- IOCTL_OP(IOMMU_IOAS_COPY, iommufd_ioas_copy, struct
iommu_ioas_copy,
src_iova),
- IOCTL_OP(IOMMU_IOAS_IOVA_RANGES, iommufd_ioas_iova_ranges,
struct iommu_ioas_iova_ranges, out_iova_alignment),
- IOCTL_OP(IOMMU_IOAS_MAP, iommufd_ioas_map, struct
iommu_ioas_map,
__reserved),
- IOCTL_OP(IOMMU_IOAS_UNMAP, iommufd_ioas_unmap, struct
iommu_ioas_unmap,
length),
- IOCTL_OP(IOMMU_OPTION, iommufd_option, struct iommu_option,
val64),
};
Just personal preference - it reads better to me if the above order (and the enum definition in iommufd.h) can be same as how those commands are defined/explained in iommufd.h.
I prefer "keep sorted" for these kinds of lists, it is much easier to maintain in the long run
- Query an IOAS for ranges of allowed IOVAs. Mapping IOVA outside these
ranges
- is not allowed. out_num_iovas will be set to the total number of iovas
and
- the out_valid_iovas[] will be filled in as space permits.
out_num_iovas and out_valid_iovas[] are stale.
Done
- The allowed ranges are dependent on the HW path the DMA operation
takes, and
- can change during the lifetime of the IOAS. A fresh empty IOAS will have a
- full range, and each attached device will narrow the ranges based on that
- devices HW restrictions. Detatching a device can widen the ranges.
devices -> device's
Ok
+/**
- struct iommu_ioas_allow_iovas - ioctl(IOMMU_IOAS_ALLOW_IOVAS)
- @size: sizeof(struct iommu_ioas_allow_iovas)
- @ioas_id: IOAS ID to allow IOVAs from
missed num_iovas and __reserved
Hurm. how do I get make W=1 to cover the header files?
- @allowed_iovas: Pointer to array of struct iommu_iova_range
- Ensure a range of IOVAs are always available for allocation. If this call
- succeeds then IOMMU_IOAS_IOVA_RANGES will never return a list of
IOVA ranges
- that are narrower than the ranges provided here. This call will fail if
- IOMMU_IOAS_IOVA_RANGES is currently narrower than the given ranges.
- When an IOAS is first created the IOVA_RANGES will be maximally sized,
and as
- devices are attached the IOVA will narrow based on the device
restrictions.
- When an allowed range is specified any narrowing will be refused, ie
device
- attachment can fail if the device requires limiting within the allowed
range.
- Automatic IOVA allocation is also impacted by this call. MAP will only
- allocate within the allowed IOVAs if they are present.
According to iopt_check_iova() FIXED_IOVA can specify an iova which is not in allowed list but in the list of reported IOVA_RANGES. Is it correct or make more sense to have FIXED_IOVA also under guard of the allowed list (if violating then fail the map call)?
The concept was the allow list only really impacts domain attachment. When a user uses FIXED they have to know what they are doing. There is not a good reason to deny the user to use any IOVA that is not restricted by the reserved list.
- @length: Number of bytes to unmap, and return back the bytes
unmapped
- Unmap an IOVA range. The iova/length must be a superset of a
previously
- mapped range used with IOMMU_IOAS_PAGETABLE_MAP or COPY.
remove 'PAGETABLE'
Done
+/**
- enum iommufd_option
- @IOMMU_OPTION_RLIMIT_MODE:
- Change how RLIMIT_MEMLOCK accounting works. The caller must have
privilege
- to invoke this. Value 0 (default) is user based accouting, 1 uses process
- based accounting. Global option, object_id must be 0
- @IOMMU_OPTION_HUGE_PAGES:
- Value 1 (default) allows contiguous pages to be combined when
generating
- iommu mappings. Value 0 disables combining, everything is mapped to
- PAGE_SIZE. This can be useful for benchmarking. This is a per-IOAS
- option, the object_id must be the IOAS ID.
What about HWPT ID? Is there value of supporting HWPT's with different mapping size attached to the same IOAS?
This is a global IOAS flag, it just makes everything use PAGE_SIZE. It is really only interesting for debugging and benchmarking. The test suite and syzkaller have both made use of this to improve coverage.
+/**
- @size: sizeof(struct iommu_option)
- @option_id: One of enum iommufd_option
- @op: One of enum iommufd_option_ops
- @__reserved: Must be 0
- @object_id: ID of the object if required
- @val64: Option value to set or value returned on get
- Change a simple option value. This multiplexor allows controlling a
options
- on objects. IOMMU_OPTION_OP_SET will load an option and
IOMMU_OPTION_OP_GET
- will return the current value.
- */
This is quite generic. Does it imply that future device capability reporting can be also implemented based on this cmd, i.e. have OP_GET on a device object?
I don't view this as a way to do capabilities. I think we will have a capability ioctl as well. This is really for something that can be get & set.
Thanks, Jason