On 11/17/2023 9:07 PM, Yi Liu wrote:

From: Lu Baolu baolu.lu@linux.intel.com

The updates of the PTEs in the nested page table will be propagated to the hardware caches on both IOMMU (IOTLB) and devices (DevTLB/ATC).

Add a new domain op cache_invalidate_user for the userspace to flush the hardware caches for a nested domain through iommufd. No wrapper for it, as it's only supposed to be used by iommufd. Then, pass in invalidation requests in form of a user data array conatining a number of invalidation

s/conatining/containing/

data entries.

From: Liu, Yi L yi.l.liu@intel.com Sent: Monday, November 20, 2023 4:30 PM

On 2023/11/20 16:09, Tian, Kevin wrote:

...

...

From: Liu, Yi L yi.l.liu@intel.com Sent: Friday, November 17, 2023 9:07 PM

• • @req_len: Length (in bytes) of a request entry in the request array
• • @req_num: Input the number of cache invalidation requests in the

array.

...

...

• •       Output the number of requests successfully handled by kernel.
    

• • @out_driver_error_code: Report a driver speicifc error code upon

failure.

...

...

• •                     It's optional, driver has a choice to fill it or
    

• •                     not.
    

Being optional how does the user tell whether the code is filled or not?

seems like we need a flag for it. otherwise, a reserved special value is required. or is it enough to just document it that this field is available or not per the iommu_hw_info_type?

No guarantee that a reserved special value applies to all vendors.

I'll just remove the optional part. the viommu driver knows what a valid code is, if the driver fills it.

From: Nicolin Chen nicolinc@nvidia.com Sent: Tuesday, November 21, 2023 1:37 AM

On Mon, Nov 20, 2023 at 08:34:58AM +0000, Tian, Kevin wrote:

...

...

From: Liu, Yi L yi.l.liu@intel.com Sent: Monday, November 20, 2023 4:30 PM

On 2023/11/20 16:09, Tian, Kevin wrote:

...

...

From: Liu, Yi L yi.l.liu@intel.com Sent: Friday, November 17, 2023 9:07 PM

• • @req_len: Length (in bytes) of a request entry in the request array
• • @req_num: Input the number of cache invalidation requests in the

array.

...

...

• •       Output the number of requests successfully handled by
    

kernel.

...

...

...

...

• • @out_driver_error_code: Report a driver speicifc error code upon

failure.

...

...

• •                     It's optional, driver has a choice to fill it or
    

• •                     not.
    

Being optional how does the user tell whether the code is filled or not?

Well, naming it "error_code" indicates zero means no error while non-zero means something? An error return from this ioctl could also tell the user space to look up for this driver error code, if it ever cares.

probably over-thinking but I'm not sure whether zero is guaranteed to mean no error in all implementations...

...

...

seems like we need a flag for it. otherwise, a reserved special value is required. or is it enough to just document it that this field is available or not per the iommu_hw_info_type?

No guarantee that a reserved special value applies to all vendors.

I'll just remove the optional part. the viommu driver knows what a valid code is, if the driver fills it.

Hmm, remove out_driver_error_code? Do you mean by reusing ioctl error code to tell the user space what driver error code it gets?

No. I just meant to remove the last sentence "It's optional ..."

From: Nicolin Chen nicolinc@nvidia.com Sent: Tuesday, November 21, 2023 1:24 PM

On Tue, Nov 21, 2023 at 02:50:05AM +0000, Tian, Kevin wrote:

...

...

From: Nicolin Chen nicolinc@nvidia.com Sent: Tuesday, November 21, 2023 1:37 AM

On Mon, Nov 20, 2023 at 08:34:58AM +0000, Tian, Kevin wrote:

...

...

From: Liu, Yi L yi.l.liu@intel.com Sent: Monday, November 20, 2023 4:30 PM

On 2023/11/20 16:09, Tian, Kevin wrote:

...

> From: Liu, Yi L yi.l.liu@intel.com > Sent: Friday, November 17, 2023 9:07 PM > + * @req_len: Length (in bytes) of a request entry in the request

array

...

...

...

...

...

> + * @req_num: Input the number of cache invalidation requests in

the

...

...

...

...

array.

...

> + * Output the number of requests successfully handled by

kernel.

...

...

...

> + * @out_driver_error_code: Report a driver speicifc error code

upon

...

...

...

...

failure.

...

> + * It's optional, driver has a choice to fill it or > + * not.

Being optional how does the user tell whether the code is filled or

not?

...

...

Well, naming it "error_code" indicates zero means no error while non-zero means something? An error return from this ioctl could also tell the user space to look up for this driver error code, if it ever cares.

probably over-thinking but I'm not sure whether zero is guaranteed to mean no error in all implementations...

Well, you are right. Usually HW conveniently raises a flag in a register to indicate something wrong, yet it is probably unsafe to say it definitely.

this reminds me one open. What about an implementation having a hierarchical error code layout e.g. one main error register with each bit representing an error category then multiple error code registers each for one error category? In this case probably a single out_driver_error_code cannot carry that raw information.

Instead the iommu driver may need to define a customized error code convention in uapi header which is converted from the raw error information.

From this angle should we simply say that the error code definition must be included in the uapi header? If raw error information can be carried by this field then this hw can simply say that the error code format is same as the hw spec defines.

With that explicit information then the viommu can easily tell whether error code is filled or not based on its own convention.

On 2023/11/28 03:53, Nicolin Chen wrote:

On Fri, Nov 24, 2023 at 02:36:29AM +0000, Tian, Kevin wrote:

...

...

...

...

...

>>> + * @out_driver_error_code: Report a driver speicifc error code

upon

...

...

...

> failure. >>> + * It's optional, driver has a choice to fill it or >>> + * not. >> >> Being optional how does the user tell whether the code is filled or

not?

...

...

Well, naming it "error_code" indicates zero means no error while non-zero means something? An error return from this ioctl could also tell the user space to look up for this driver error code, if it ever cares.

probably over-thinking but I'm not sure whether zero is guaranteed to mean no error in all implementations...

Well, you are right. Usually HW conveniently raises a flag in a register to indicate something wrong, yet it is probably unsafe to say it definitely.

this reminds me one open. What about an implementation having a hierarchical error code layout e.g. one main error register with each bit representing an error category then multiple error code registers each for one error category? In this case probably a single out_driver_error_code cannot carry that raw information.

Hmm, good point.

...

Instead the iommu driver may need to define a customized error code convention in uapi header which is converted from the raw error information.

From this angle should we simply say that the error code definition must be included in the uapi header? If raw error information can be carried by this field then this hw can simply say that the error code format is same as the hw spec defines.

With that explicit information then the viommu can easily tell whether error code is filled or not based on its own convention.

That'd be to put this error_code field into the driver uAPI structure right?

looks to be. Then it would be convenient to reserve a code for the case of no error (either no error happened or just not used)

I also thought about making this out_driver_error_code per HW. Yet, an error can be either per array or per entry/quest. The array-related error should be reported in the array structure that is a core uAPI, v.s. the per-HW entry structure. Though we could still report an array error in the entry structure at the first entry (or indexed by "array->entry_num")?

per-entry error code seems like to be a completion code. Each entry in the array can have a corresponding code (0 for succ, others for failure). do you already have such a need?

From: Nicolin Chen nicolinc@nvidia.com Sent: Tuesday, November 28, 2023 3:53 AM

On Fri, Nov 24, 2023 at 02:36:29AM +0000, Tian, Kevin wrote:

...

...

...

...

...

> >> + * @out_driver_error_code: Report a driver speicifc error code

upon

...

...

...

> failure. > >> + * It's optional, driver has a choice to fill it or > >> + * not. > > > > Being optional how does the user tell whether the code is filled

or

...

...

not?

...

...

Well, naming it "error_code" indicates zero means no error while non-zero means something? An error return from this ioctl could also tell the user space to look up for this driver error code, if it ever cares.

probably over-thinking but I'm not sure whether zero is guaranteed to mean no error in all implementations...

Well, you are right. Usually HW conveniently raises a flag in a register to indicate something wrong, yet it is probably unsafe to say it definitely.

this reminds me one open. What about an implementation having a hierarchical error code layout e.g. one main error register with each bit representing an error category then multiple error code registers each for one error category? In this case probably a single out_driver_error_code cannot carry that raw information.

Hmm, good point.

...

Instead the iommu driver may need to define a customized error code convention in uapi header which is converted from the raw error information.

From this angle should we simply say that the error code definition must be included in the uapi header? If raw error information can be carried by this field then this hw can simply say that the error code format is same as the hw spec defines.

With that explicit information then the viommu can easily tell whether error code is filled or not based on its own convention.

That'd be to put this error_code field into the driver uAPI structure right?

I also thought about making this out_driver_error_code per HW. Yet, an error can be either per array or per entry/quest. The array-related error should be reported in the array structure that is a core uAPI, v.s. the per-HW entry structure. Though we could still report an array error in the entry structure at the first entry (or indexed by "array->entry_num")?

why would there be an array error? array is just a software entity containing actual HW invalidation cmds. If there is any error with the array itself it should be reported via ioctl errno.

Jason, how about your opinion? I didn't spot big issues except this one. Hope it can make into 6.8.

On Tue, Nov 28, 2023 at 04:51:21PM -0800, Nicolin Chen wrote:

...

...

I also thought about making this out_driver_error_code per HW. Yet, an error can be either per array or per entry/quest. The array-related error should be reported in the array structure that is a core uAPI, v.s. the per-HW entry structure. Though we could still report an array error in the entry structure at the first entry (or indexed by "array->entry_num")?

why would there be an array error? array is just a software entity containing actual HW invalidation cmds. If there is any error with the array itself it should be reported via ioctl errno.

User array reading is a software operation, but kernel array reading is a hardware operation that can raise an error when the memory location to the array is incorrect or so.

Well, we shouldn't get into a situation like that.. By the time the HW got the address it should be valid.

With that being said, I think errno (-EIO) could do the job, as you suggested too.

Do we have any idea what HW failures can be generated by the commands this will execture? IIRC I don't remember seeing any smmu specific codes related to invalid invalidation? Everything is a valid input?

Can vt-d fail single commands? What about AMD?

...

Jason, how about your opinion? I didn't spot big issues except this one. Hope it can make into 6.8.

Yes, lets try

Jason

On Tue, Nov 28, 2023 at 05:09:07PM -0800, Nicolin Chen wrote:

...

...

With that being said, I think errno (-EIO) could do the job, as you suggested too.

Do we have any idea what HW failures can be generated by the commands this will execture? IIRC I don't remember seeing any smmu specific codes related to invalid invalidation? Everything is a valid input?

"7.1 Command queue errors" has the info.

Hmm CERROR_ATC_INV_SYNC needs to be forwarded to the guest somehow

Jason

On Wed, Nov 29, 2023 at 02:07:58PM -0800, Nicolin Chen wrote:

On Wed, Nov 29, 2023 at 03:58:04PM -0400, Jason Gunthorpe wrote:

...

On Tue, Nov 28, 2023 at 05:09:07PM -0800, Nicolin Chen wrote:

...

...

...

With that being said, I think errno (-EIO) could do the job, as you suggested too.

Do we have any idea what HW failures can be generated by the commands this will execture? IIRC I don't remember seeing any smmu specific codes related to invalid invalidation? Everything is a valid input?

"7.1 Command queue errors" has the info.

Hmm CERROR_ATC_INV_SYNC needs to be forwarded to the guest somehow

Oh, for sure. That's typically triggered with an asynchronous timeout from the eventq, so we'd need the io page fault series as you previously remarked. Though I also wonder if an invalid vSID that doesn't link to a pSID should be CERROR_ATC_INV_SYNC also v.s. CERROR_ILL.

Yes, something like that make sense

Presumably sync becomes emulated and turns into something generated when the ioctl returns. So userspace would have to read the event FD before returning to be correct?

Maybe the kernel can somehow return a flag to indicate the event fd has data in it?

If yes then all errors would flow through the event fd?

Would Intel be basically the same too?

Jason

On Thu, Nov 30, 2023 at 12:41:20PM -0800, Nicolin Chen wrote:

...

So userspace would have to read the event FD before returning to be correct?

Maybe the kernel can somehow return a flag to indicate the event fd has data in it?

If yes then all errors would flow through the event fd?

I think it'd be nicer to return an immediate error to stop guest CMDQ to raise a fault there accordingly, similar to returning a -EIO for a bad STE in your SMMU part-3 series.

If the "return a flag" is an errno of the ioctl, it could work by reading from a separate memory that belongs to the event fd. Yet, in this case, an eventfd signal (assuming there is one to trigger VMM's fault handler) becomes unnecessary, since the invalidation ioctl is already handling it?

My concern is how does all this fit together and do we push the right things to the right places in the right order when an error occurs.

I did not study the spec carefully to see what exactly is supposed to happen here, and I don't see things in Linux that make me think it particularly cares..

ie Linux doesn't seem like it will know that an async event was even triggered while processing the sync to generate an EIO. It looks like it just gets ETIMEDOUT? Presumably we should be checking the event queue to detect a pushed error?

It is worth understanding if the spec has language that requires certain order so we can try to follow it.

Jason

On Thu, Nov 30, 2023 at 08:29:34PM -0800, Nicolin Chen wrote:

On Thu, Nov 30, 2023 at 08:45:23PM -0400, Jason Gunthorpe wrote:

...

On Thu, Nov 30, 2023 at 12:41:20PM -0800, Nicolin Chen wrote:

...

...

So userspace would have to read the event FD before returning to be correct?

Maybe the kernel can somehow return a flag to indicate the event fd has data in it?

If yes then all errors would flow through the event fd?

I think it'd be nicer to return an immediate error to stop guest CMDQ to raise a fault there accordingly, similar to returning a -EIO for a bad STE in your SMMU part-3 series.

If the "return a flag" is an errno of the ioctl, it could work by reading from a separate memory that belongs to the event fd. Yet, in this case, an eventfd signal (assuming there is one to trigger VMM's fault handler) becomes unnecessary, since the invalidation ioctl is already handling it?

My concern is how does all this fit together and do we push the right things to the right places in the right order when an error occurs.

I did not study the spec carefully to see what exactly is supposed to happen here, and I don't see things in Linux that make me think it particularly cares..

ie Linux doesn't seem like it will know that an async event was even triggered while processing the sync to generate an EIO. It looks like it just gets ETIMEDOUT? Presumably we should be checking the event queue to detect a pushed error?

It is worth understanding if the spec has language that requires certain order so we can try to follow it.

Oh, I replied one misinformation previously. Actually eventq doesn't report a CERROR. The global error interrupt does.

7.1 has that sequence: 1) CMDQ stops 2) Log current index to the CONS register 3) Log error code to the CONS register 4) Set bit-0 "CMDQ error" of GERROR register to rise an irq.

Which triggers some async mechanism that seems to restart the command queue and convert the error into a printk.

It seems there is not a simple way to realize this error back to userspace since we can't block the global command queue and we proceed to complete commands that the real HW would not have completed.

To actually emulate this the gerror handler would have to capture all the necessary registers, return them back to the thread doing invalidate_user and all of that would have to return back to userspace to go into the virtual version of all the same registers.

Yes, it can be synchronous it seems, but we don't have any infrastructure in the driver to do this.

Given this is pretty niche maybe we just don't support error forwarding and simply ensure it could be added to the uapi later?

Jason

On Fri, Dec 01, 2023 at 11:58:07AM -0800, Nicolin Chen wrote:

...

It seems there is not a simple way to realize this error back to userspace since we can't block the global command queue and we proceed to complete commands that the real HW would not have completed.

To actually emulate this the gerror handler would have to capture all the necessary registers, return them back to the thread doing invalidate_user and all of that would have to return back to userspace to go into the virtual version of all the same registers.

Yes, it can be synchronous it seems, but we don't have any infrastructure in the driver to do this.

Given this is pretty niche maybe we just don't support error forwarding and simply ensure it could be added to the uapi later?

If arm_smmu_cmdq_issue_cmdlist in arm_smmu_cache_invalidate_user fails with ETIMEOUT, we polls the CONS register to get the error code. This can cover CERROR_ABT and CERROR_ATC_INV.

Why is timeout linked to these two? Or rather, it doesn't have to be linked like that. Any gerror is effectively synchronous because it halts the queue and allows SW time to inspect which command failed and record the gerror flags. So each and every command can get an error indication.

Restarting the queue is done by putting sync in there to effectively nop the failed command and we hope for the best and let it rip.

As you remarked that we can't block the global CMDQ, so we have to let a real CERROR_ILL go. Yet, we can make sure commands to be fully sanitized before being issued, as we should immediately reject faulty commands anyway, for errors such as unsupported op codes, unzero-ed reserved fields, and unlinked vSIDs. This can at least largely reduce the probability of a real CERROR_ILL.

I'm more a little more concerend with ATC_INV as a malfunctioning device can trigger this..

So, combining these two, we can still have a basic synchronous way by returning an errno to the invalidate ioctl? I see Kevin replied something similar too.

It isn't enough information, you don't know which gerror bits to set and you don't know what cons index to stick to indicate the error triggering command with just a simple errno.

It does need to return a bunch of data to get it all right.

Though again, there is no driver infrastructure to do all this and it doesn't seem that important so maybe we can just ensure there is a future extension possiblity and have userspace understand an errno means to generate CERROR_ILL on the last command in the batch?

Jason

On Fri, Dec 01, 2023 at 02:12:28PM -0800, Nicolin Chen wrote:

...

Why is timeout linked to these two? Or rather, it doesn't have to be linked like that. Any gerror is effectively synchronous because it halts the queue and allows SW time to inspect which command failed and record the gerror flags. So each and every command can get an error indication.

Restarting the queue is done by putting sync in there to effectively nop the failed command and we hope for the best and let it rip.

I see that SMMU driver only restarts the queue when dealing with CERROR_ILL. So only CERROR_ABT or CERROR_ATC_INV would result in -ETIMEOUT.

I'm not sure that is the best thing to do. ABT is basically the machine caught fire, so sure there is no recovery for that.

But ATC_INV could be recovered and should ideally be canceled then forwarded to the VM.

...

...

As you remarked that we can't block the global CMDQ, so we have to let a real CERROR_ILL go. Yet, we can make sure commands to be fully sanitized before being issued, as we should immediately reject faulty commands anyway, for errors such as unsupported op codes, unzero-ed reserved fields, and unlinked vSIDs. This can at least largely reduce the probability of a real CERROR_ILL.

I'm more a little more concerend with ATC_INV as a malfunctioning device can trigger this..

How about making sure that the invalidate handler always issues one CMD_ATC_INV at a time, so each arm_smmu_cmdq_issue_cmdlist() call has a chance to timeout? Then, we can simply know which one in the user array fails.

That sounds slow

...

...

So, combining these two, we can still have a basic synchronous way by returning an errno to the invalidate ioctl? I see Kevin replied something similar too.

It isn't enough information, you don't know which gerror bits to set and you don't know what cons index to stick to indicate the error triggering command with just a simple errno.

It does need to return a bunch of data to get it all right.

The array structure returns req_num to indicate the index. This works, even if the command consumption stops in the middle:

• @req_num: Input the number of cache invalidation requests in the array.

•       Output the number of requests successfully handled by kernel.
  
  

So we only need an error code of CERROR_ABT/ILL/ATC_INV.

Yes

Or am I missing some point here?

It sounds Ok, we just have to understand what userspace should be doing and how much of this the kernel should implement.

It seems to me that the error code should return the gerror and the req_num should indicate the halted cons. The vmm should relay both into the virtual registers.

Jason

On Tue, Dec 05, 2023 at 09:33:30AM -0800, Nicolin Chen wrote:

On Mon, Dec 04, 2023 at 10:48:50AM -0400, Jason Gunthorpe wrote:

...

...

Or am I missing some point here?

It sounds Ok, we just have to understand what userspace should be doing and how much of this the kernel should implement.

It seems to me that the error code should return the gerror and the req_num should indicate the halted cons. The vmm should relay both into the virtual registers.

I see your concern. I will take a closer look and see if we can add to the initial version of arm_smmu_cache_invalidate_user(). Otherwise, we can add later.

Btw, VT-d seems to want the error_code and reports in the VT-d specific invalidate entry structure, as Kevin and Yi had that discussion in the other side of the thread.

It could be fine to shift it into the driver data blob. It isn't really generic in the end.

Jason

On Fri, Dec 01, 2023 at 11:51:26AM +0800, Yi Liu wrote:

On 2023/11/29 08:57, Jason Gunthorpe wrote:

...

On Tue, Nov 28, 2023 at 04:51:21PM -0800, Nicolin Chen wrote:

...

...

...

I also thought about making this out_driver_error_code per HW. Yet, an error can be either per array or per entry/quest. The array-related error should be reported in the array structure that is a core uAPI, v.s. the per-HW entry structure. Though we could still report an array error in the entry structure at the first entry (or indexed by "array->entry_num")?

why would there be an array error? array is just a software entity containing actual HW invalidation cmds. If there is any error with the array itself it should be reported via ioctl errno.

User array reading is a software operation, but kernel array reading is a hardware operation that can raise an error when the memory location to the array is incorrect or so.

Well, we shouldn't get into a situation like that.. By the time the HW got the address it should be valid.

...

With that being said, I think errno (-EIO) could do the job, as you suggested too.

Do we have any idea what HW failures can be generated by the commands this will execture? IIRC I don't remember seeing any smmu specific codes related to invalid invalidation? Everything is a valid input?

Can vt-d fail single commands? What about AMD?

Intel VT-d side, after each invalidation request, there is a wait descriptor which either provide an interrupt or an address for the hw to notify software the request before the wait descriptor has been completed. While, if there is error happened on the invalidation request, a flag (IQE, ICE, ITE) would be set in the Fault Status Register, and some detailed information would be recorded in the Invalidation Queue Error Record Register. So an invalidation request may be failed with some error reported. If no error, will return completion via the wait descriptor. Is this what you mean by "fail a single command"?

I see the current VT-d series marking those as "REVISIT". How will it report an error to the user space from those register?

Are they global status registers so that it might be difficult to direct the error to the nested domain for an event fd?

Nic

On 2023/12/1 13:19, Tian, Kevin wrote:

...

From: Nicolin Chen nicolinc@nvidia.com Sent: Friday, December 1, 2023 12:50 PM

On Fri, Dec 01, 2023 at 11:51:26AM +0800, Yi Liu wrote:

...

On 2023/11/29 08:57, Jason Gunthorpe wrote:

...

On Tue, Nov 28, 2023 at 04:51:21PM -0800, Nicolin Chen wrote:

...

...

> I also thought about making this out_driver_error_code per HW. > Yet, an error can be either per array or per entry/quest. The > array-related error should be reported in the array structure > that is a core uAPI, v.s. the per-HW entry structure. Though > we could still report an array error in the entry structure > at the first entry (or indexed by "array->entry_num")? >

why would there be an array error? array is just a software entity containing actual HW invalidation cmds. If there is any error with the array itself it should be reported via ioctl errno.

User array reading is a software operation, but kernel array reading is a hardware operation that can raise an error when the memory location to the array is incorrect or so.

Well, we shouldn't get into a situation like that.. By the time the HW got the address it should be valid.

...

With that being said, I think errno (-EIO) could do the job, as you suggested too.

Do we have any idea what HW failures can be generated by the

commands

...

...

this will execture? IIRC I don't remember seeing any smmu specific codes related to invalid invalidation? Everything is a valid input?

Can vt-d fail single commands? What about AMD?

Intel VT-d side, after each invalidation request, there is a wait descriptor which either provide an interrupt or an address for the hw to notify software the request before the wait descriptor has been completed. While, if there is error happened on the invalidation request, a flag (IQE, ICE, ITE) would be set in the Fault Status Register, and some detailed information would be recorded in the Invalidation Queue Error Record Register. So an invalidation request may be failed with some error reported. If no error, will return completion via the wait descriptor. Is this what you mean by "fail a single command"?

I see the current VT-d series marking those as "REVISIT". How will it report an error to the user space from those register?

Are they global status registers so that it might be difficult to direct the error to the nested domain for an event fd?

They are global registers but invalidation queue is also the global resource. intel-iommu driver polls the status register after queueing new invalidation descriptors. The submission is serialized.

If the error is related to a descriptor itself (e.g. format issue) then the head register points to the problematic descriptor so software can direct it to the related domain.

If the error is related to device tlb invalidation (e.g. timeout) there is no way to associate the error with a specific descriptor by current spec. But intel-iommu driver batches descriptors per domain so we can still direct the error to the nested domain.

But I don't see the need of doing it via eventfd.

The poll semantics in intel-iommu driver is essentially a sync model. vt-d spec does allow software to optionally enable notification upon those errors but it's not used so far.

With that I still prefer to having driver-specific error code defined in the entry. If ARM is an event-driven model then we can define that field at least in vtd specific data structure.

btw given vtd doesn't use native format in uAPI it doesn't make sense to forward descriptor formatting errors back to userspace. Those, if happen, are driver's own problem. intel-iommu driver should verify the uAPI structure and return -EINVAL or proper errno to userspace purely in software.

With that Yi please just define error codes for device tlb related errors for vtd.

hmmm, this sounds like customized error code. is it? So far, VT-d spec has two errors (ICE and ITE). ITE is valuable to let userspace know. For ICE, looks like no much value. Intel iommu driver should be responsible to submit a valid device-tlb invalidation to device. is it?

On 2023/12/1 15:10, Tian, Kevin wrote:

...

From: Liu, Yi L yi.l.liu@intel.com Sent: Friday, December 1, 2023 3:05 PM

On 2023/12/1 13:19, Tian, Kevin wrote:

...

...

From: Nicolin Chen nicolinc@nvidia.com Sent: Friday, December 1, 2023 12:50 PM

On Fri, Dec 01, 2023 at 11:51:26AM +0800, Yi Liu wrote:

...

On 2023/11/29 08:57, Jason Gunthorpe wrote:

...

On Tue, Nov 28, 2023 at 04:51:21PM -0800, Nicolin Chen wrote: >>> I also thought about making this out_driver_error_code per HW. >>> Yet, an error can be either per array or per entry/quest. The >>> array-related error should be reported in the array structure >>> that is a core uAPI, v.s. the per-HW entry structure. Though >>> we could still report an array error in the entry structure >>> at the first entry (or indexed by "array->entry_num")? >>> >> >> why would there be an array error? array is just a software >> entity containing actual HW invalidation cmds. If there is >> any error with the array itself it should be reported via >> ioctl errno. > > User array reading is a software operation, but kernel array > reading is a hardware operation that can raise an error when > the memory location to the array is incorrect or so.

Well, we shouldn't get into a situation like that.. By the time the HW got the address it should be valid.

> With that being said, I think errno (-EIO) could do the job, > as you suggested too.

Do we have any idea what HW failures can be generated by the

commands

...

...

this will execture? IIRC I don't remember seeing any smmu specific codes related to invalid invalidation? Everything is a valid input?

Can vt-d fail single commands? What about AMD?

Intel VT-d side, after each invalidation request, there is a wait descriptor which either provide an interrupt or an address for the hw to notify software the request before the wait descriptor has been completed. While, if there is error happened on the invalidation request, a flag (IQE, ICE, ITE) would be set in the Fault Status Register, and some detailed information would be recorded in the Invalidation Queue Error Record Register. So an invalidation request may be failed with some

error

...

...

...

reported. If no error, will return completion via the wait descriptor. Is this what you mean by "fail a single command"?

I see the current VT-d series marking those as "REVISIT". How will it report an error to the user space from those register?

Are they global status registers so that it might be difficult to direct the error to the nested domain for an event fd?

They are global registers but invalidation queue is also the global resource. intel-iommu driver polls the status register after queueing new invalidation descriptors. The submission is serialized.

If the error is related to a descriptor itself (e.g. format issue) then the head register points to the problematic descriptor so software can direct it to the related domain.

If the error is related to device tlb invalidation (e.g. timeout) there is no way to associate the error with a specific descriptor by current spec. But intel-iommu driver batches descriptors per domain so we can still direct the error to the nested domain.

But I don't see the need of doing it via eventfd.

The poll semantics in intel-iommu driver is essentially a sync model. vt-d spec does allow software to optionally enable notification upon those errors but it's not used so far.

With that I still prefer to having driver-specific error code defined in the entry. If ARM is an event-driven model then we can define that field at least in vtd specific data structure.

btw given vtd doesn't use native format in uAPI it doesn't make sense to forward descriptor formatting errors back to userspace. Those, if happen, are driver's own problem. intel-iommu driver should verify the uAPI structure and return -EINVAL or proper errno to userspace purely in software.

With that Yi please just define error codes for device tlb related errors for vtd.

hmmm, this sounds like customized error code. is it? So far, VT-d

yes. there is no need to replicate hardware registers/bits if most of them are irrelevant to userspace.

...

spec has two errors (ICE and ITE). ITE is valuable to let userspace know. For ICE, looks like no much value. Intel iommu driver should be responsible to submit a valid device-tlb invalidation to device.

it's an invalid completion message from the device which could be caused by various reasons (not exactly due to the invalidation request by iommu driver). so it still makes sense to forward.

ok. so we may need to define a field to forward the detailed info to user as well. This data is error-code specific. @Nic, are we aligned that the error_code field and error data reporting should be moved to the driver-specific part since it is different between vendors?

On Fri, Nov 17, 2023 at 05:07:13AM -0800, Yi Liu wrote:

+/**

• • struct iommu_hwpt_invalidate - ioctl(IOMMU_HWPT_INVALIDATE)
• • @size: sizeof(struct iommu_hwpt_invalidate)
• • @hwpt_id: HWPT ID of a nested HWPT for cache invalidation
• • @reqs_uptr: User pointer to an array having @req_num of cache invalidation

• •         requests. The request entries in the array are of fixed width
    

• •         @req_len, and contain a user data structure for invalidation
    

• •         request specific to the given hardware page table.
    

• • @req_type: One of enum iommu_hwpt_data_type, defining the data type of all

• •        the entries in the invalidation request array. It should suit
    

• •        with the data_type passed per the allocation of the hwpt pointed
    

• •        by @hwpt_id.
    

• • @req_len: Length (in bytes) of a request entry in the request array
• • @req_num: Input the number of cache invalidation requests in the array.

• •       Output the number of requests successfully handled by kernel.
    

• • @out_driver_error_code: Report a driver speicifc error code upon failure.

• •                     It's optional, driver has a choice to fill it or
    

• •                     not.
    

"specific"

Jason

From: Jason Gunthorpe jgg@nvidia.com Sent: Monday, December 11, 2023 9:22 PM

On Mon, Dec 11, 2023 at 03:53:40PM +0800, Yi Liu wrote:

...

...

...

From that thread Jason mentioned to make the invalidation format part of domain allocation. If that is the direction to go then there won't be multiple invalidation formats per hwpt. The user should create multiple hwpt's per invalidation format (though mixing formats in one virtual platform is very unlikely)?

I think we could do either, but I have a vauge cleanness preference that the enums are just different? That would follow a pretty typical pattern for a structure tag to reflect the content of the structure.

Is this still following the direction to make the invalidation format part of domain allocation?

I think you should make it seperate

Sure. I'll add a separate enum for cache invalidation format. Just to see if it is good to pass down the invalidation format in the hwpt alloc path? So iommu driver can check if the invalidation format can be used for the hwpt to be allocated.

Regards, Yi Liu

From: Jason Gunthorpe jgg@nvidia.com Sent: Tuesday, December 12, 2023 10:40 PM

On Tue, Dec 12, 2023 at 01:45:16PM +0000, Liu, Yi L wrote:

...

...

From: Jason Gunthorpe jgg@nvidia.com Sent: Monday, December 11, 2023 9:22 PM

On Mon, Dec 11, 2023 at 03:53:40PM +0800, Yi Liu wrote:

...

...

...

From that thread Jason mentioned to make the invalidation format part of domain allocation. If that is the direction to go then there won't be multiple invalidation formats per hwpt. The user should create multiple hwpt's per invalidation format (though mixing formats in one virtual platform is very unlikely)?

I think we could do either, but I have a vauge cleanness preference that the enums are just different? That would follow a pretty typical pattern for a structure tag to reflect the content of the structure.

Is this still following the direction to make the invalidation format part of domain allocation?

I think you should make it seperate

Sure. I'll add a separate enum for cache invalidation format. Just to see if it is good to pass down the invalidation format in the hwpt alloc path? So iommu driver can check if the invalidation format can be used for the hwpt to be allocated.

I would skip it in the invalidation. If necessary drivers can push a 0 length invalidation to do 'try and fail' discovery of supported types.

I think you mean keep passing the req_type in cache invalidation path instead of the way I proposed. For the 'try and fail' discovery, we should allow a zero-length array, is it? If the req_type is supported by the iommu driver, then return successful, otherwise fail the ioctl. Is it?

Regards, Yi Liu

From: Liu, Yi L yi.l.liu@intel.com Sent: Friday, November 17, 2023 9:07 PM

+/**

• • __iommu_copy_struct_from_user_array - Copy iommu driver specific

__iommu_copy_entry_from_user_array?

From: Nicolin Chen nicolinc@nvidia.com Sent: Tuesday, November 21, 2023 1:25 AM

On Mon, Nov 20, 2023 at 08:17:47AM +0000, Tian, Kevin wrote:

...

...

From: Liu, Yi L yi.l.liu@intel.com Sent: Friday, November 17, 2023 9:07 PM

+/**

• • __iommu_copy_struct_from_user_array - Copy iommu driver specific

__iommu_copy_entry_from_user_array?

I think "struct" and "entry" are interchangeable. Yet, aligning with the {__}iommu_copy_struct_from_user seems to be nicer?

ok

On 2023/12/7 02:16, Jason Gunthorpe wrote:

On Fri, Nov 17, 2023 at 05:07:15AM -0800, Yi Liu wrote:

...

+static int +mock_domain_cache_invalidate_user(struct iommu_domain *domain,

• 		  struct iommu_user_data_array *array,
  

• 		  u32 *error_code)
  

+{

• struct mock_iommu_domain_nested *mock_nested =

• container_of(domain, struct mock_iommu_domain_nested, domain);
  

• struct iommu_hwpt_invalidate_selftest inv;
• int rc = 0;
• int i, j;
• if (domain->type != IOMMU_DOMAIN_NESTED)

• return -EINVAL;
  

The core code already checked this, and it is only present on domain_nested_ops so it is checked twice already..

would drop it. thanks.

On 2023/12/11 10:29, Tian, Kevin wrote:

...

From: Jason Gunthorpe jgg@nvidia.com Sent: Saturday, December 9, 2023 9:47 AM

What is in a Nested domain: Intel: A single IO page table refereed to by a PASID entry Each vDomain-ID,PASID allocates a unique nesting domain AMD: A GCR3 table pointer Nesting domains are created for every unique GCR3 pointer. vDomain-ID can possibly refer to multiple Nesting domains :( ARM: A CD table pointer Nesting domains are created for every unique CD table top pointer.

this AMD/ARM difference is not very clear to me.

How could a vDomain-ID refer to multiple GCR3 pointers? Wouldn't it lead to cache tag conflict when a same PASID entry in multiple GCR3 tables points to different I/O page tables?

Perhaps due to only one DomainID in the DTE table indexed by BDF? Actually, the vDomainID will not be used to tag cache, the host DomainId would be used instead. @Jason?

On 12/11/2023 8:05 PM, Jason Gunthorpe wrote:

On Mon, Dec 11, 2023 at 08:36:46PM +0800, Yi Liu wrote:

...

On 2023/12/11 10:29, Tian, Kevin wrote:

...

...

From: Jason Gunthorpe jgg@nvidia.com Sent: Saturday, December 9, 2023 9:47 AM

What is in a Nested domain: Intel: A single IO page table refereed to by a PASID entry Each vDomain-ID,PASID allocates a unique nesting domain AMD: A GCR3 table pointer Nesting domains are created for every unique GCR3 pointer. vDomain-ID can possibly refer to multiple Nesting domains :( ARM: A CD table pointer Nesting domains are created for every unique CD table top pointer.

this AMD/ARM difference is not very clear to me.

How could a vDomain-ID refer to multiple GCR3 pointers? Wouldn't it lead to cache tag conflict when a same PASID entry in multiple GCR3 tables points to different I/O page tables?

Perhaps due to only one DomainID in the DTE table indexed by BDF? Actually, the vDomainID will not be used to tag cache, the host DomainId would be used instead. @Jason?

The DomainID comes from the DTE table which is indexed by the RID, and the DTE entry points to the GCR3 table. So the VM certainly can setup a DTE table with multiple entires having the same vDomainID but pointing to different GCR3's. So the VMM has to do *something* with this.

Most likely this is not a useful thing to do. However what should the VMM do when it sees this? Block a random DTE or push the duplication down to real HW would be my options. I'd probably try to do the latter just on the basis of better emulation.

Jason

For AMD, the hardware uses host DomainID (hDomainId) and PASID to tag the IOMMU TLB.

The VM can setup vDomainID independently from device (RID) and hDomainID. The vDomainId->hDomainId mapping would be managed by the host IOMMU driver (since this is also needed by the HW when enabling the HW-vIOMMU support a.k.a virtual function).

Currently, the AMD IOMMU driver allocates a DomainId per IOMMU group. One issue with this is when we have nested translation where we could end up with multiple devices (RIDs) sharing same PASID and the same hDomainID.

For example:

- Host view Device1 (RID 1) w/ hDomainId 1 Device2 (RID 2) w/ hDomainId 1 - Guest view Pass-through Device1 (vRID 3) w/ vDomainID A + PASID 0 Pass-through Device2 (vRID 4) w/ vDomainID B + PASID 0

We should be able to workaround this by changing the way we assign hDomainId to be per-device for VFIO pass-through devices although sharing the same v1 (stage-2) page table. This would look like.

- Host view Device1 (RID 1) w/ hDomainId 1 Device2 (RID 2) w/ hDomainId 2 - Guest view Pass-through Device1 (vRID 3) w/ vDomainID A + PASID 0 Pass-through Device2 (vRID 4) w/ vDomainID B + PASID 0

This should avoid the IOMMU TLB conflict. However, the invalidation would need to be done for both DomainId 1 and 2 when updating the v1 (stage-2) page table.

Thanks, Suravee

On 2023/12/9 09:47, Jason Gunthorpe wrote:

On Fri, Nov 17, 2023 at 05:07:11AM -0800, Yi Liu wrote:

...

Take Intel VT-d as an example, the stage-1 translation table is I/O page table. As the below diagram shows, guest I/O page table pointer in GPA (guest physical address) is passed to host and be used to perform the stage-1 address translation. Along with it, modifications to present mappings in the guest I/O page table should be followed with an IOTLB invalidation.

I've been looking at what the three HW's need for invalidation, it is a bit messy.. Here is my thinking. Please let me know if I got it right

What is the starting point of the guest memory walks: Intel: Single Scalable Mode PASID table entry indexed by a RID & PASID AMD: GCR3 table (a table of PASIDs) indexed by RID ARM: CD table (a table of PASIDs) indexed by RID

What key does the physical HW use for invalidation: Intel: Domain-ID (stored in hypervisor, per PASID), PASID AMD: Domain-ID (stored in hypervisor, per RID), PASID ARM: VMID (stored in hypervisor, per RID), ASID (stored in guest)

Why key does the VM use for invalidation: Intel: vDomain-ID (per PASID), PASID AMD: vDomain-ID (per RID), PASID ARM: ASID

What is in a Nested domain: Intel: A single IO page table refereed to by a PASID entry Each vDomain-ID,PASID allocates a unique nesting domain AMD: A GCR3 table pointer Nesting domains are created for every unique GCR3 pointer. vDomain-ID can possibly refer to multiple Nesting domains :(

Per section '2.2.6.3 Guest CR3 Table' in below spec, DTE has domainID, and it points to a guest CR3 Table (it should be a set of guest CRs3) which is indexed by PASID. So it looks like the PASID is per-DommainID. HW should use domainID+PASID to tag the cache, otherwise there would be cache conflict...

https://www.amd.com/content/dam/amd/en/documents/processor-tech-docs/specifi...

ARM: A CD table pointer Nesting domains are created for every unique CD table top pointer.

How does the hypervisor compute it's cache tag: Intel: Each time a nesting domain is attached to a (RID,PASID) the hypervisor driver will try to find a (DID,PASID) that is already used by this domain, or allocate a new DID. AMD: When creating the Nesting Domain the vDomain-ID should be passed in. The hypervisor driver will allocate a unique pDomain-ID for each vDomain-ID (hand wave). Several Nesting Domains will share the same p/vDomain-ID. ARM: The VMID is uniquely assigned to the Nesting Parent when it is allocated, in some configurations it has to be shared with KVM's VMID so allocating the Nesting Parent will require a KVM FD.

Will ATC be forwarded or synthesized: Intel: The (vDomain-ID,PASID) is a unique nesting domain so the hypervisor knows exactly which RIDs this nesting domain is linked to and can generate an ATC invalidation. Plan is to supress/discard the ATC invalidations from the VM and generate them in the hypervisor. AMD: (vDomain-ID,PASID) is ambiguous, it can refer to multiple GCR3 tables. We know which maximal set of RIDs it represents, but not the actual set. I expect AMD will forward the ATC invalidation to avoid over invalidation. ARM: ASID is ambiguous. We have no idea which Nesting Domain/CD table the ASID is contained in. ARM must forward the ATC invalidation from the guest.

What iommufd object should receive the IOTLB invalidation command list: Intel: The Nesting domain. The command list has to be broken up per (vDomain-ID,PASID) and that batch delivered to the single nesting domain. Kernel ignores vDomain-ID/PASID and just invalidates whatever the nesting domain is actually attached to

this is what we are doing in current series[1]. is it? Guest needs to issue invalidation request with vDomain-ID and PASID (if it is enabled), and affected pages for sure. But in hypervisor side, use vDomainID and PASID info to figure out the target HWPT, then invoke a cache invalidation on the HWPT with the invalidation range is enough. Kernel can figure out what device/pasid this HWPT has been attached and invalidate the caches.

[1] https://lore.kernel.org/linux-iommu/20231117131816.24359-1-yi.l.liu@intel.co...

AMD: Any Nesting Domain in the vDomain-ID group. The command list has to be broken up per (vDomain-ID). Kernel replaces vDomain-ID with pDomain-ID from the nesting domain and executes the invalidation. ARM: The Nesting Parent domain. Kernel forces the VMID from the Nesting Parent and executes the invalidation.

In all cases the VM issues an ATC invalidation with (vRID, PASID) as the tag. The VMM must translate vRID -> dev_id -> pRID

For a pure SW flow the vRID can be mapped to the dev_id and the ATC invalidation delivered to the device object (eg IOMMUFD_DEV_INVALIDATE)

Finally, we have the HW driven invalidation DMA queues that can be directly assigned to the guest. AMD and SMMUv3+vCMDQ support this. In this case the HW is directly processing invalidation commands without a hypervisor trap.

To make this work the iommu needs to be programmed with: AMD: A vDomain-ID -> pDomain-ID table A vRID -> pRID table This is all bound to some "virtual function" ARM: A vRID -> pRID table The vCMDQ is bound to a VM_ID, so to the Nesting Parent

For AMD, as above, I suggest the vDomain-ID be passed when creating the nesting domain.

The AMD "virtual function".. It is probably best to create a new iommufd object for this and it can be passed in to a few places

The vRID->pRID table should be some mostly common IOMMUFD_DEV_ASSIGN_VIRTUAL_ID. AMD will need to pass in the virtual function ID and ARM will need to pass in the Nesting Parent ID.

For the HW path some function will create the command queue and DMA/mmap it. Taking in the virtual function/nesting parent as the handle to associate it with.

For a SW path: AMD: All invalidations can be delivered to the virtual function and the kernel can use the vDomainID/vRID tables to translate them fully ARM: All invalidations can be delivered to the nesting parent

In many ways the nesting parent/virtual function are very similar things. Perhaps ARM should also create a virtual function object which is just welded to the nesting parent for API consistency.

So.. In short.. Invalidation is a PITA. The idea is the same but annoying little details interfere with actually having a compltely common API here. IMHO the uAPI in this series is fine. It will support Intel invalidation and non-ATC invalidation on AMD/ARM. It should be setup to allow that the target domain object can be any HWPT.

This HWPT is still nested domain. Is it? But it can represent a guest I/O page table (VT-d), guest CD table (ARM), guest CR3 Table (AMD, it seems to be a set of guest CR3 table pointers). May ARM and AMD guys keep me honest here.

The Intel guest I/O page table case may be the simplest as userspace only needs to provide the HWPT ID and the affected ranges for invalidating. As mentioned above, kernel will find out the attached device/pasid and invalidating cache with the device/pasid. For ARM and AMD case, extra information is needed. Am I getting you correct?

ARM will be able to do IOTLB invalidation using this API.

IOMMUFD_DEV_INVALIDATE should be introduced with the same design as HWPT invalidate. This would be used for AMD/ARM's ATC invalidation (and just force the stream ID, userspace must direct the vRID to the correct dev_id).

Then in yet another series we can tackle the entire "virtual function" vRID/pRID translation stuff when the mmapable queue thing is introduced.

Thus next steps:

• Respin this and lets focus on Intel only (this will be tough for the holidays, but if it is available I will try)

I've respinned the iommufd cache invalidation part with the change to report error_code/error_data per invalidation entry. yet still busy on making Intel VTd part to report the error_code. Besides, I didn't see other respin needed for Intel VT-d invalidation. If I missed thing, please do let me know.:)

• Get an ARM patch that just does IOTLB invalidation and add it to my part 3
• Start working on IOMMUFD_DEV_INVALIDATE along with an ARM implementation of it
• Reorganize the AMD RFC broadly along these lines and lets see it freshened up in the next months as well. I would like to see the AMD support structured to implement the SW paths in first steps and later add in the "virtual function" acceleration stuff. The latter is going to be complex.

Jason

On Mon, Dec 11, 2023 at 09:20:41AM -0400, Jason Gunthorpe wrote:

On Mon, Dec 11, 2023 at 08:35:09PM +0800, Yi Liu wrote:

...

...

So.. In short.. Invalidation is a PITA. The idea is the same but annoying little details interfere with actually having a compltely common API here. IMHO the uAPI in this series is fine. It will support Intel invalidation and non-ATC invalidation on AMD/ARM. It should be setup to allow that the target domain object can be any HWPT.

This HWPT is still nested domain. Is it? But it can represent a guest I/O page table (VT-d), guest CD table (ARM), guest CR3 Table (AMD, it seems to be a set of guest CR3 table pointers). May ARM and AMD guys keep me honest here.

I was thinking ARM would not want to use a nested domain because really the invalidation is global to the entire nesting parent.

But, there is an issue with that - the nesting parent could be attached to multiple iommu instances but we only want to invalidate a single instance.

I am still not sure about attaching an S2 domain to multiple SMMUs. An S2 domain is created per SMMU, and we have such a rejection in arm_smmu_attach_dev(): } else if (smmu_domain->smmu != smmu) ret = -EINVAL;

I understand that it would be probably ideal to share the S2 iopt among the SMMUs. But in the driver the objects (domain) holding a shared S2 iopt must be different to allocate their own VMIDs, right?

Thanks Nicolin

On 12/9/2023 8:47 AM, Jason Gunthorpe wrote:

On Fri, Nov 17, 2023 at 05:07:11AM -0800, Yi Liu wrote:

...

Take Intel VT-d as an example, the stage-1 translation table is I/O page table. As the below diagram shows, guest I/O page table pointer in GPA (guest physical address) is passed to host and be used to perform the stage-1 address translation. Along with it, modifications to present mappings in the guest I/O page table should be followed with an IOTLB invalidation.

I've been looking at what the three HW's need for invalidation, it is a bit messy.. Here is my thinking. Please let me know if I got it right

What is the starting point of the guest memory walks: Intel: Single Scalable Mode PASID table entry indexed by a RID & PASID AMD: GCR3 table (a table of PASIDs) indexed by RID

GCR3 table is indexed by PASID. Device Table (DTE) is indexted by DeviceID (RID)

... Will ATC be forwarded or synthesized: Intel: The (vDomain-ID,PASID) is a unique nesting domain so the hypervisor knows exactly which RIDs this nesting domain is linked to and can generate an ATC invalidation. Plan is to supress/discard the ATC invalidations from the VM and generate them in the hypervisor. AMD: (vDomain-ID,PASID) is ambiguous, it can refer to multiple GCR3 tables. We know which maximal set of RIDs it represents, but not the actual set. I expect AMD will forward the ATC invalidation to avoid over invalidation.

Not sure I understand your description here.

For the AMD IOMMU INVALIDE_IOMMU_PAGES (i.e. invalidate the IOMMU TLB), the hypervisor needs to map gDomainId->hDomainId and issue the command on behalf of the VM along with the PASID and GVA (or GVA range) provided by the guest.

For the AMD IOMMU INVALIDE_IOTLB_PAGES (i.e. invalidate the ATC on the device), the hypervisor needs to map gDeviceId->hDeviceId and issue the command on behalf of the VM along with the PASID and GVA (or GVA range) provided by the guest.

ARM: ASID is ambiguous. We have no idea which Nesting Domain/CD table the ASID is contained in. ARM must forward the ATC invalidation from the guest.

What iommufd object should receive the IOTLB invalidation command list: Intel: The Nesting domain. The command list has to be broken up per (vDomain-ID,PASID) and that batch delivered to the single nesting domain. Kernel ignores vDomain-ID/PASID and just invalidates whatever the nesting domain is actually attached to AMD: Any Nesting Domain in the vDomain-ID group. The command list has to be broken up per (vDomain-ID). Kernel replaces vDomain-ID with pDomain-ID from the nesting domain and executes the invalidation. ARM: The Nesting Parent domain. Kernel forces the VMID from the Nesting Parent and executes the invalidation.

In all cases the VM issues an ATC invalidation with (vRID, PASID) as the tag. The VMM must translate vRID -> dev_id -> pRID

For a pure SW flow the vRID can be mapped to the dev_id and the ATC invalidation delivered to the device object (eg IOMMUFD_DEV_INVALIDATE)

Finally, we have the HW driven invalidation DMA queues that can be directly assigned to the guest. AMD and SMMUv3+vCMDQ support this. In this case the HW is directly processing invalidation commands without a hypervisor trap.

To make this work the iommu needs to be programmed with: AMD: A vDomain-ID -> pDomain-ID table A vRID -> pRID table This is all bound to some "virtual function"

By "virtual function", I assume you are referring to the AMD vIOMMU instance in the guest?

ARM: A vRID -> pRID table The vCMDQ is bound to a VM_ID, so to the Nesting Parent

For AMD, as above, I suggest the vDomain-ID be passed when creating the nesting domain

Sure, we can do this part.

The AMD "virtual function".. It is probably best to create a new iommufd object for this and it can be passed in to a few places

Something like IOMMUFD_OBJ_VIOMMU? Then operation would include something like: * Init * Destroy * ...

The vRID->pRID table should be some mostly common IOMMUFD_DEV_ASSIGN_VIRTUAL_ID. AMD will need to pass in the virtual function ID and ARM will need to pass in the Nesting Parent ID.

Ok.

... Thus next steps:

• Respin this and lets focus on Intel only (this will be tough for the holidays, but if it is available I will try)
• Get an ARM patch that just does IOTLB invalidation and add it to my part 3
• Start working on IOMMUFD_DEV_INVALIDATE along with an ARM implementation of it
• Reorganize the AMD RFC broadly along these lines and lets see it freshened up in the next months as well. I would like to see the AMD support structured to implement the SW paths in first steps and later add in the "virtual function" acceleration stuff. The latter is going to be complex.

Working on refining the part 1 to add HW info reporting and nested translation (minus the invalidation stuff). Should be sending out soon.

Suravee

On Fri, Dec 08, 2023 at 09:47:26PM -0400, Jason Gunthorpe wrote:

What is in a Nested domain: ARM: A CD table pointer Nesting domains are created for every unique CD table top pointer.

I think we basically implemented in a way of syncing STE, i,e, vSTE.Config must be "S1 Translate" besides a CD table pointer, and a nested domain is freed when vSTE.Config=BYPASS even if a CD table pointer is present, right?

To make this work the iommu needs to be programmed with: AMD: A vDomain-ID -> pDomain-ID table A vRID -> pRID table This is all bound to some "virtual function" ARM: A vRID -> pRID table The vCMDQ is bound to a VM_ID, so to the Nesting Parent

VCMDQ also has something called "virtual interface" that holds a VMID and a list of CMDQ queues, which might be a bit similar to AMD's "virtual function".

For AMD, as above, I suggest the vDomain-ID be passed when creating the nesting domain.

The AMD "virtual function".. It is probably best to create a new iommufd object for this and it can be passed in to a few places

The vRID->pRID table should be some mostly common IOMMUFD_DEV_ASSIGN_VIRTUAL_ID. AMD will need to pass in the virtual function ID and ARM will need to pass in the Nesting Parent ID.

It sounds like our previous IOMMUFD_SET/UNSET_IDEV_DATA. I'm wondering if we need to make it exclusive to the ID assigning? Maybe set_idev_data could be reused for other potential cases?

If we do implement an IOMMUFD_DEV_ASSIGN_VIRTUAL_ID, do we need an IOMMUFD_DEV_RESIGN_VIRTUAL_ID? (or better word than resign).

Could the structure just look like this? struct iommu_dev_assign_virtual_id { __u32 size; __u32 dev_id; __u32 id_type; __u32 id; };

In many ways the nesting parent/virtual function are very similar things. Perhaps ARM should also create a virtual function object which is just welded to the nesting parent for API consistency.

A virtual function that holds an S2 domain/iopt + a VMID? If this is for VCMDQ, the VMCDQ extension driver has that kinda object holding an S2 domain: I implemented as the extension function at the end of arm_smmu_finalise_s2() previously.

So.. In short.. Invalidation is a PITA. The idea is the same but annoying little details interfere with actually having a compltely common API here. IMHO the uAPI in this series is fine. It will support Intel invalidation and non-ATC invalidation on AMD/ARM. It should be setup to allow that the target domain object can be any HWPT.

ARM will be able to do IOTLB invalidation using this API.

IOMMUFD_DEV_INVALIDATE should be introduced with the same design as HWPT invalidate. This would be used for AMD/ARM's ATC invalidation (and just force the stream ID, userspace must direct the vRID to the correct dev_id).

SMMU's CD invalidations could fall into this category too.

Then in yet another series we can tackle the entire "virtual function" vRID/pRID translation stuff when the mmapable queue thing is introduced.

VCMDQ is also a mmapable queue. I feel that there could be more common stuff between "virtual function" and "virtual interface", I'll need to take a look at AMD's stuff though.

I previously drafted something to test it out with iommufd. Basically it needs the pairing of vRID/pRID in attach_dev() and another ioctl to mmap/config user queue(s): +struct iommu_hwpt_cache_config_tegra241_vcmdq { + __u32 vcmdq_id; // queue id + __u32 vcmdq_log2size; // queue size + __aligned_u64 vcmdq_base; // queue guest PA +};

Thus next steps:

• Get an ARM patch that just does IOTLB invalidation and add it to my part 3
• Start working on IOMMUFD_DEV_INVALIDATE along with an ARM implementation of it.

I will work on these two, presumably including the new IOMMUFD_DEV_ASSIGN_VIRTUAL_ID or so.

Thanks Nicolin

On Mon, Dec 11, 2023 at 05:57:38PM -0400, Jason Gunthorpe wrote:

On Mon, Dec 11, 2023 at 01:27:49PM -0800, Nicolin Chen wrote:

...

On Fri, Dec 08, 2023 at 09:47:26PM -0400, Jason Gunthorpe wrote:

...

What is in a Nested domain: ARM: A CD table pointer Nesting domains are created for every unique CD table top pointer.

I think we basically implemented in a way of syncing STE, i,e, vSTE.Config must be "S1 Translate" besides a CD table pointer, and a nested domain is freed when vSTE.Config=BYPASS even if a CD table pointer is present, right?

Yes, but you can also de-duplicate the nested domains based on the CD table pointer. It is not as critical for ARM as others, but may still be worth doing.

Ah right! Should do that.

...

If we do implement an IOMMUFD_DEV_ASSIGN_VIRTUAL_ID, do we need an IOMMUFD_DEV_RESIGN_VIRTUAL_ID? (or better word than resign).

I don't think so.. The vRID is basically fixed, if it needs to be changed then the device can be destroyed (or assign can just change it)

OK. Will insert the cleanup piece to the unbind()/destroy().

...

Could the structure just look like this? struct iommu_dev_assign_virtual_id { __u32 size; __u32 dev_id; __u32 id_type; __u32 id; };

It needs to take in the viommu_id also, and I'd make the id 64 bits just for good luck.

What is viommu_id required for in this context? I thought we already know which SMMU instance to issue commands via dev_id?

...

...

IOMMUFD_DEV_INVALIDATE should be introduced with the same design as HWPT invalidate. This would be used for AMD/ARM's ATC invalidation (and just force the stream ID, userspace must direct the vRID to the correct dev_id).

SMMU's CD invalidations could fall into this category too.

Do we need a different iommu API for this ioctl? We currently have the cache_invalidate_user as a domain op. The new device op will be an iommu op?

And should we rename the "cache_invalidate_user"? Would VT-d still uses it for device cache?

...

I previously drafted something to test it out with iommufd. Basically it needs the pairing of vRID/pRID in attach_dev() and another ioctl to mmap/config user queue(s): +struct iommu_hwpt_cache_config_tegra241_vcmdq {

•   __u32 vcmdq_id;			// queue id
  

•   __u32 vcmdq_log2size;		// queue size
  

•   __aligned_u64 vcmdq_base;	// queue guest PA
  

+};

vRID/pRID pairing should come from IOMMUFD_DEV_ASSIGN_VIRTUAL_ID. When a HWPT is allocated it would be connected to the viommu_id and then it would all be bundled together in the HW somehow

Since we were talking about sharing stage-2 domain, the HWPT to the stage-2 domain will be shared among the vIOMMU/pIOMMU instances too? I think I am not quite getting the viommu_id part yet. From the other side of this thread, viommu object is created per vIOMMU instance and each one actually tied to a pIOMMU by nature?

Thanks Nicolin

On Tue, Dec 12, 2023 at 10:44:21AM -0400, Jason Gunthorpe wrote:

On Mon, Dec 11, 2023 at 11:30:00PM -0800, Nicolin Chen wrote:

...

...

...

Could the structure just look like this? struct iommu_dev_assign_virtual_id { __u32 size; __u32 dev_id; __u32 id_type; __u32 id; };

It needs to take in the viommu_id also, and I'd make the id 64 bits just for good luck.

What is viommu_id required for in this context? I thought we already know which SMMU instance to issue commands via dev_id?

The viommu_id would be the container that holds the xarray that maps the vRID to pRID

Logically we could have multiple mappings per iommufd as we could have multiple iommu instances working here.

I see. This is the object to hold a shared stage-2 HWPT/domain then.

// iommufd_private.h

enum iommufd_object_type { ... + IOMMUFD_OBJ_VIOMMU, ... };

+struct iommufd_viommu { + struct iommufd_object obj; + struct iommufd_hwpt_paging *hwpt; + struct xarray devices; +};

struct iommufd_hwpt_paging hwpt { ... + struct list_head viommu_list; ... };

struct iommufd_group { ... + struct iommufd_viommu *viommu; // should we attach to viommu instead of hwpt? ... };

Question to finalize how we maps vRID-pRID in the xarray: how should IOMMUFD_DEV_INVALIDATE work? The ioctl structure has a dev_id and a list of commands that belongs to the device. So, it forwards the struct device pointer to the driver along with the commands. Then, doesn't the driver already know the pRID from the dev pointer without looking up a vRID-pRID table?

// uapi/linux/iommufd.h

struct iommu_hwpt_alloc { ... + __u32 viommu_id; };

+enum iommu_dev_virtual_id_type { + IOMMU_DEV_VIRTUAL_ID_TYPE_AMD_VIOMMU_DID, // not sure how this fits the xarray in viommu obj. + IOMMU_DEV_VIRTUAL_ID_TYPE_AMD_VIOMMU_RID, + IOMMU_DEV_VIRTUAL_ID_TYPE_ARM_SMMU_SID, +}; + +struct iommu_dev_assign_virtual_id { + __u32 size; + __u32 dev_id; + __u32 viommu_id; + __u32 id_type; + __aligned_u64 id; +};

Then, I think that we also need an iommu_viommu_alloc structure and ioctl to allocate an object, and that VMM should know if it needs to allocate multiple viommu objects -- this probably needs the hw_info ioctl to return a piommu_id so VMM gets the list of piommus from the attached devices?

Another question, introducing the viommu obj complicates things a lot. Do we want it to come with iommu_dev_assign_virtual_id, or maybe put in a later series? We could stage the xarray in the iommu_hwpt_paging struct for now, so a single-IOMMU system could still work with that.

...

...

...

...

IOMMUFD_DEV_INVALIDATE should be introduced with the same design as HWPT invalidate. This would be used for AMD/ARM's ATC invalidation (and just force the stream ID, userspace must direct the vRID to the correct dev_id).

SMMU's CD invalidations could fall into this category too.

Do we need a different iommu API for this ioctl? We currently have the cache_invalidate_user as a domain op. The new device op will be an iommu op?

Yes

OK. FWIW, I think either VMM or iommufd core knows which nested HWPT the device is attached to. If we ever wanted to keep it in the domain op list, we could still do that by passing in extra domain pointer to the driver.

...

And should we rename the "cache_invalidate_user"? Would VT-d still uses it for device cache?

I think vt-d will not implement it

Then should we "s/cache_invalidate_user/iotlb_sync_user"?

Thanks Nicolin

On Tue, Dec 12, 2023 at 03:21:00PM -0400, Jason Gunthorpe wrote:

On Tue, Dec 12, 2023 at 11:13:37AM -0800, Nicolin Chen wrote:

...

On Tue, Dec 12, 2023 at 10:44:21AM -0400, Jason Gunthorpe wrote:

...

On Mon, Dec 11, 2023 at 11:30:00PM -0800, Nicolin Chen wrote:

...

...

...

Could the structure just look like this? struct iommu_dev_assign_virtual_id { __u32 size; __u32 dev_id; __u32 id_type; __u32 id; };

It needs to take in the viommu_id also, and I'd make the id 64 bits just for good luck.

What is viommu_id required for in this context? I thought we already know which SMMU instance to issue commands via dev_id?

The viommu_id would be the container that holds the xarray that maps the vRID to pRID

Logically we could have multiple mappings per iommufd as we could have multiple iommu instances working here.

I see. This is the object to hold a shared stage-2 HWPT/domain then.

It could be done like that, yes. I wasn't thinking about linking the stage two so tightly but perhaps? If we can avoid putting the hwpt here that might be more general.

...

// iommufd_private.h

enum iommufd_object_type { ...

• IOMMUFD_OBJ_VIOMMU, ...

};

+struct iommufd_viommu {

• struct iommufd_object obj;
• struct iommufd_hwpt_paging *hwpt;
• struct xarray devices;

+};

struct iommufd_hwpt_paging hwpt { ...

• struct list_head viommu_list; ...

};

I'd probably first try to go backwards and link the hwpt to the viommu.

I think a VM should have only one hwpt_paging object while one or more viommu objects, so we could do only viommu->hwpt_paging and hwpt_paging->viommu_list. How to go backwards?

...

struct iommufd_group { ...

• struct iommufd_viommu *viommu; // should we attach to viommu instead of hwpt? ...

};

No. Attach is a statement of translation so you still attach to the HWPT.

OK. It's probably not necessary since we know which piommu the device is behind. And we only need to link viommu and piommu, right?

...

Question to finalize how we maps vRID-pRID in the xarray: how should IOMMUFD_DEV_INVALIDATE work? The ioctl structure has a dev_id and a list of commands that belongs to the device. So, it forwards the struct device pointer to the driver along with the commands. Then, doesn't the driver already know the pRID from the dev pointer without looking up a vRID-pRID table?

The first version of DEV_INVALIDATE should have no xarray. The invalidate commands are stripped of the SID and executed on the given dev_id period. VMM splits up the invalidate command list.

Yes. This makes sense to me. VMM knows which device to issue an IOMMUFD_DEV_INVALIDATE from the vSID/vRID in the commands.

The second version maybe we have the xarray, or maybe we just push the xarray to the eventual viommu series.

I think that I still don't get the purpose of the xarray here. It was needed previously because a cache invalidate per hwpt doesn't know which device. Now IOMMUFD_DEV_INVALIDATE knows.

Maybe it's related to that narrative "logically we could have multiple mappings per iommufd" that you mentioned above. Mind elaborating a bit?

In my mind, viommu is allocated by VMM per piommu, by detecting the piommu_id via hw_info. In that case, viommu can only have one unique device list. If IOMMUFD_DEV_INVALIDATE passes in the dev_id, we don't really need a mapping of vRID-pRID in a multi- viommu case either? In another word, VMM already has a mapping from vRID to dev_id, so it could call the DEV_INVALIDATE ioctl in the first place?

Thanks Nicolin

On Wed, Dec 13, 2023 at 08:40:55AM -0400, Jason Gunthorpe wrote:

On Tue, Dec 12, 2023 at 12:05:41PM -0800, Nicolin Chen wrote:

...

...

...

// iommufd_private.h

enum iommufd_object_type { ...

• IOMMUFD_OBJ_VIOMMU, ...

};

+struct iommufd_viommu {

• struct iommufd_object obj;
• struct iommufd_hwpt_paging *hwpt;
• struct xarray devices;

+};

struct iommufd_hwpt_paging hwpt { ...

• struct list_head viommu_list; ...

};

I'd probably first try to go backwards and link the hwpt to the viommu.

I think a VM should have only one hwpt_paging object while one or more viommu objects, so we could do only viommu->hwpt_paging and hwpt_paging->viommu_list. How to go backwards?

That is probably how things would work but I don't know if it makes sense to enforce it in the kernel logic..

Point the S2 to a list of viommu objects it is linked to

Hmm, isn't that hwpt_paging->viommu_list already?

...

...

The second version maybe we have the xarray, or maybe we just push the xarray to the eventual viommu series.

I think that I still don't get the purpose of the xarray here. It was needed previously because a cache invalidate per hwpt doesn't know which device. Now IOMMUFD_DEV_INVALIDATE knows.

Maybe it's related to that narrative "logically we could have multiple mappings per iommufd" that you mentioned above. Mind elaborating a bit?

In my mind, viommu is allocated by VMM per piommu, by detecting the piommu_id via hw_info. In that case, viommu can only have one unique device list. If IOMMUFD_DEV_INVALIDATE passes in the dev_id, we don't really need a mapping of vRID-pRID in a multi- viommu case either? In another word, VMM already has a mapping from vRID to dev_id, so it could call the DEV_INVALIDATE ioctl in the first place?

The xarray exists to optimize the invalidation flow.

For SW you can imagine issuing an invalidation against the viommu itself and *all* commands, be they ASID or ATC invalidations can be processed in one shot. The xarray allows converting the vSID to pSID to process ATC invalidations, and the viommu object forces a single VMID to handle the ATC invalidations. If we want to do this, I don't know.

I drafted some patches with IOMMUFD_DEV_INVALIDATE yesterday, and realized the same problem that you pointed out here: how VMM should handle a group of commands interlaced with ASID and ATC commands. If VMM dispatches commands into two groups, the executions of the commands will be in a different order than what the guest kernel issued in. This might be bitter if there is an error occurring in the middle of command executions, in which case some later invalidations are done successfully but the CONS index would have to stop at a command prior.

And even if there are only ATC invalidations in a guest queue, there's no guarantee that all commands are for the same dev_id, i.e. ATC invalidations themselves would be dispatched into more groups and separate IOMMUFD_DEV_INVALIDATE calls.

With the xarray, perhaps we could provide a viommu_id in data structure of the current iommu_hwpt_invalidate, i.e. reshaping the existing invalidate uAPI per viommu, so it can be reused by ATC invalidations too instead of adding IOMMUFD_DEV_INVALIDATE? Then we wouldn't have the out-of-order execution problem above.

For HW, the xarray holds the vSID to pSID mapping that must be programmed into the HW operating the dedicated invalidation queue.

Ah, right! VCMDQ at least needs that.

Thanks Nicolin

On 2023/12/17 19:21, Joel Granados wrote:

Hey Yi

I have been working with https://github.com/yiliu1765/qemu/tree/zhenzhong/wip/iommufd_nesting_rfcv1

good to know about it.

and have some questions regarding one of the commits in that series. I however cannot find it in lore.kernel.org. Can you please direct me to where the rfc was posted? If it has not been posted yet, do you have an alternate place for discussion?

the qemu series has not been posted yet as kernel side is still changing. It still needs some time to be ready for public review. Zhenzhong Duan is going to post it when it's ready. If you have questions to discuss, you can post your questions to Zhenzhong and me first. I guess it may be fine to cc Alex Williamson, Eric Auger, Nicolin Chen, Cédric Le Goater, Kevin Tian, Jason Gunthorpe and qemu mail list as this is discussion something that is going to be posted in public.

Best

On Fri, Nov 17, 2023 at 05:07:11AM -0800, Yi Liu wrote:

...

Nested translation is a hardware feature that is supported by many modern IOMMU hardwares. It has two stages (stage-1, stage-2) address translation to get access to the physical address. stage-1 translation table is owned by userspace (e.g. by a guest OS), while stage-2 is owned by kernel. Changes to stage-1 translation table should be followed by an IOTLB invalidation.

Take Intel VT-d as an example, the stage-1 translation table is I/O page table. As the below diagram shows, guest I/O page table pointer in GPA (guest physical address) is passed to host and be used to perform the stage-1 address translation. Along with it, modifications to present mappings in the guest I/O page table should be followed with an IOTLB invalidation.

 .-------------.  .---------------------------.
 |   vIOMMU    |  | Guest I/O page table      |
 |             |  '---------------------------'
 .----------------/
 | PASID Entry |--- PASID cache flush --+
 '-------------'                        |
 |             |                        V
 |             |           I/O page table pointer in GPA
 '-------------'

Guest ------| Shadow |---------------------------|-------- v v v Host .-------------. .------------------------. | pIOMMU | | FS for GIOVA->GPA | | | '------------------------' .----------------/ | | PASID Entry | V (Nested xlate) '----------------.----------------------------------. | | | SS for GPA->HPA, unmanaged domain| | | '----------------------------------' '-------------' Where:

• FS = First stage page tables
• SS = Second stage page tables

<Intel VT-d Nested translation>

This series adds the cache invalidation path for the userspace to invalidate cache after modifying the stage-1 page table. This is based on the first part of nesting [1]

Complete code can be found in [2], QEMU could can be found in [3].

At last, this is a team work together with Nicolin Chen, Lu Baolu. Thanks them for the help. ^_^. Look forward to your feedbacks.

[1] https://lore.kernel.org/linux-iommu/20231026044216.64964-1-yi.l.liu@intel.co... - merged [2] https://github.com/yiliu1765/iommufd/tree/iommufd_nesting [3] https://github.com/yiliu1765/qemu/tree/zhenzhong/wip/iommufd_nesting_rfcv1

Change log:

v6:

• No much change, just rebase on top of 6.7-rc1 as part 1/2 is merged

v5: https://lore.kernel.org/linux-iommu/20231020092426.13907-1-yi.l.liu@intel.co...

• Split the iommufd nesting series into two parts of alloc_user and invalidation (Jason)
• Split IOMMUFD_OBJ_HW_PAGETABLE to IOMMUFD_OBJ_HWPT_PAGING/_NESTED, and do the same with the structures/alloc()/abort()/destroy(). Reworked the selftest accordingly too. (Jason)
• Move hwpt/data_type into struct iommu_user_data from standalone op arguments. (Jason)
• Rename hwpt_type to be data_type, the HWPT_TYPE to be HWPT_ALLOC_DATA, _TYPE_DEFAULT to be _ALLOC_DATA_NONE (Jason, Kevin)
• Rename iommu_copy_user_data() to iommu_copy_struct_from_user() (Kevin)
• Add macro to the iommu_copy_struct_from_user() to calculate min_size (Jason)
• Fix two bugs spotted by ZhaoYan

v4: https://lore.kernel.org/linux-iommu/20230921075138.124099-1-yi.l.liu@intel.c...

• Separate HWPT alloc/destroy/abort functions between user-managed HWPTs and kernel-managed HWPTs
• Rework invalidate uAPI to be a multi-request array-based design
• Add a struct iommu_user_data_array and a helper for driver to sanitize and copy the entry data from user space invalidation array
• Add a patch fixing TEST_LENGTH() in selftest program
• Drop IOMMU_RESV_IOVA_RANGES patches
• Update kdoc and inline comments
• Drop the code to add IOMMU_RESV_SW_MSI to kernel-managed HWPT in nested translation, this does not change the rule that resv regions should only be added to the kernel-managed HWPT. The IOMMU_RESV_SW_MSI stuff will be added in later series as it is needed only by SMMU so far.

v3: https://lore.kernel.org/linux-iommu/20230724110406.107212-1-yi.l.liu@intel.c...

• Add new uAPI things in alphabetical order
• Pass in "enum iommu_hwpt_type hwpt_type" to op->domain_alloc_user for sanity, replacing the previous op->domain_alloc_user_data_len solution
• Return ERR_PTR from domain_alloc_user instead of NULL
• Only add IOMMU_RESV_SW_MSI to kernel-managed HWPT in nested translation (Kevin)
• Add IOMMU_RESV_IOVA_RANGES to report resv iova ranges to userspace hence userspace is able to exclude the ranges in the stage-1 HWPT (e.g. guest I/O page table). (Kevin)
• Add selftest coverage for the new IOMMU_RESV_IOVA_RANGES ioctl
• Minor changes per Kevin's inputs

v2: https://lore.kernel.org/linux-iommu/20230511143844.22693-1-yi.l.liu@intel.co...

• Add union iommu_domain_user_data to include all user data structures to avoid passing void * in kernel APIs.
• Add iommu op to return user data length for user domain allocation
• Rename struct iommu_hwpt_alloc::data_type to be hwpt_type
• Store the invalidation data length in iommu_domain_ops::cache_invalidate_user_data_len
• Convert cache_invalidate_user op to be int instead of void
• Remove @data_type in struct iommu_hwpt_invalidate
• Remove out_hwpt_type_bitmap in struct iommu_hw_info hence drop patch 08 of v1

v1: https://lore.kernel.org/linux-iommu/20230309080910.607396-1-yi.l.liu@intel.c...

Thanks, Yi Liu

Lu Baolu (1): iommu: Add cache_invalidate_user op

Nicolin Chen (4): iommu: Add iommu_copy_struct_from_user_array helper iommufd/selftest: Add mock_domain_cache_invalidate_user support iommufd/selftest: Add IOMMU_TEST_OP_MD_CHECK_IOTLB test op iommufd/selftest: Add coverage for IOMMU_HWPT_INVALIDATE ioctl

Yi Liu (1): iommufd: Add IOMMU_HWPT_INVALIDATE

drivers/iommu/iommufd/hw_pagetable.c | 35 ++++++++ drivers/iommu/iommufd/iommufd_private.h | 9 ++ drivers/iommu/iommufd/iommufd_test.h | 22 +++++ drivers/iommu/iommufd/main.c | 3 + drivers/iommu/iommufd/selftest.c | 69 +++++++++++++++ include/linux/iommu.h | 84 +++++++++++++++++++ include/uapi/linux/iommufd.h | 35 ++++++++ tools/testing/selftests/iommu/iommufd.c | 75 +++++++++++++++++ tools/testing/selftests/iommu/iommufd_utils.h | 63 ++++++++++++++ 9 files changed, 395 insertions(+)

-- 2.34.1