From: Baolu Lu baolu.lu@linux.intel.com Sent: Sunday, April 27, 2025 2:24 PM

On 4/26/25 13:57, Nicolin Chen wrote:

...

@@ -120,6 +128,13 @@ struct iommufd_viommu {

•                array->entry_num to report the number of handled requests.
  

•                The data structure of the array entry must be defined in
  

•                include/uapi/linux/iommufd.h
  

• • @vdevice_alloc: Allocate a vDEVICE object and init its driver-level

structure

...

• •             or HW procedure. Note that the core-level structure is filled
    

• •             by the iommufd core after calling this op. @virt_id carries a
    

• •             per-vIOMMU virtual ID for the driver to initialize its HW.
    

I'm wondering whether the 'per-vIOMMU virtual ID' is intended to be generic for other features that might require a vdevice. I'm also not sure where this virtual ID originates when I read it here. Could it

for PCI it's the virtual BDF in the guest PCI topology, hence provided by the VMM when calling @vdevice_alloc:

potentially come from the KVM instance? If so, how about retrieving it directly from a struct kvm pointer? My understanding is that vIOMMU in IOMMUFD acts as a handle to KVM, so perhaps we should maintain a reference to the kvm pointer within the iommufd_viommu structure?

It's OK to maintain a KVM pointer in viommu (for which I recall such discussion for confidential io), but obviously it's not the requirement in this series.

On Fri, Apr 25, 2025 at 10:57:58PM -0700, Nicolin Chen wrote:

The new type of vIOMMU for tegra241-cmdqv driver needs a driver-specific user data. So, add data_len/uptr to the iommu_viommu_alloc uAPI and pass it in via the viommu_alloc iommu op.

Reviewed-by: Jason Gunthorpe jgg@nvidia.com Signed-off-by: Nicolin Chen nicolinc@nvidia.com

Acked-by: Pranjal Shrivastava praan@google.com

---

include/uapi/linux/iommufd.h | 6 ++++++ drivers/iommu/iommufd/viommu.c | 8 +++++++- 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/iommufd.h b/include/uapi/linux/iommufd.h index f29b6c44655e..cc90299a08d9 100644 --- a/include/uapi/linux/iommufd.h +++ b/include/uapi/linux/iommufd.h @@ -965,6 +965,9 @@ enum iommu_viommu_type {

• @dev_id: The device's physical IOMMU will be used to back the virtual IOMMU
• @hwpt_id: ID of a nesting parent HWPT to associate to
• @out_viommu_id: Output virtual IOMMU ID for the allocated object

• • @data_len: Length of the type specific data
• • @__reserved: Must be 0
• • @data_uptr: User pointer to an array of driver-specific virtual IOMMU data
  • Allocate a virtual IOMMU object, representing the underlying physical IOMMU's
  • virtualization support that is a security-isolated slice of the real IOMMU HW

@@ -985,6 +988,9 @@ struct iommu_viommu_alloc { __u32 dev_id; __u32 hwpt_id; __u32 out_viommu_id;

• __u32 data_len;
• __u32 __reserved;
• __aligned_u64 data_uptr;

}; #define IOMMU_VIOMMU_ALLOC _IO(IOMMUFD_TYPE, IOMMUFD_CMD_VIOMMU_ALLOC) diff --git a/drivers/iommu/iommufd/viommu.c b/drivers/iommu/iommufd/viommu.c index fffa57063c60..a65153458a26 100644 --- a/drivers/iommu/iommufd/viommu.c +++ b/drivers/iommu/iommufd/viommu.c @@ -17,6 +17,11 @@ void iommufd_viommu_destroy(struct iommufd_object *obj) int iommufd_viommu_alloc_ioctl(struct iommufd_ucmd *ucmd) { struct iommu_viommu_alloc *cmd = ucmd->cmd;

• const struct iommu_user_data user_data = {

• .type = cmd->type,
  

• .uptr = u64_to_user_ptr(cmd->data_uptr),
  

• .len = cmd->data_len,
  

• }; struct iommufd_hwpt_paging *hwpt_paging; struct iommufd_viommu *viommu; struct iommufd_device *idev;

@@ -48,7 +53,8 @@ int iommufd_viommu_alloc_ioctl(struct iommufd_ucmd *ucmd) } viommu = ops->viommu_alloc(idev->dev, hwpt_paging->common.domain,

• 		   ucmd->ictx, cmd->type, NULL);
  

• 		   ucmd->ictx, cmd->type,
  

• 		   user_data.len ? &user_data : NULL);
  

  if (IS_ERR(viommu)) { rc = PTR_ERR(viommu); goto out_put_hwpt;

-- 2.43.0

On Fri, Apr 25, 2025 at 10:57:59PM -0700, Nicolin Chen wrote:

Similar to the iommu_copy_struct_from_user helper receiving data from the user space, add an iommu_copy_struct_to_user helper to report output data back to the user space data pointer.

Reviewed-by: Jason Gunthorpe jgg@nvidia.com Signed-off-by: Nicolin Chen nicolinc@nvidia.com

---

include/linux/iommu.h | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+)

diff --git a/include/linux/iommu.h b/include/linux/iommu.h index ba7add27e9a0..634ff647888d 100644 --- a/include/linux/iommu.h +++ b/include/linux/iommu.h @@ -562,6 +562,46 @@ iommu_copy_struct_from_full_user_array(void *kdst, size_t kdst_entry_size, return 0; } +/**

• • __iommu_copy_struct_to_user - Report iommu driver specific user space data
• • @dst_data: Pointer to a struct iommu_user_data for user space data location
• • @src_data: Pointer to an iommu driver specific user data that is defined in

• •        include/uapi/linux/iommufd.h
    

• • @data_type: The data type of the @dst_data. Must match with @src_data.type

^ Nit: Must match with @dst_data type.

• • @data_len: Length of current user data structure, i.e. sizeof(struct _src)
• • @min_len: Initial length of user data structure for backward compatibility.

• •       This should be offsetofend using the last member in the user data
    

• •       struct that was initially added to include/uapi/linux/iommufd.h
    

• */

+static inline int +__iommu_copy_struct_to_user(const struct iommu_user_data *dst_data,

• 	    void *src_data, unsigned int data_type,
  

• 	    size_t data_len, size_t min_len)
  

+{

• if (WARN_ON(!dst_data || !src_data))

• return -EINVAL;
  

• if (dst_data->type != data_type)

• return -EINVAL;
  

• if (dst_data->len < min_len || data_len < dst_data->len)

• return -EINVAL;
  

• return copy_struct_to_user(dst_data->uptr, dst_data->len, src_data,

• 		   data_len, NULL);
  

+}

+/**

• • iommu_copy_struct_to_user - Report iommu driver specific user space data
• • @user_data: Pointer to a struct iommu_user_data for user space data location
• • @ksrc: Pointer to an iommu driver specific user data that is defined in

• •    include/uapi/linux/iommufd.h
    

• • @data_type: The data type of the @ksrc. Must match with @user_data->type
• • @min_last: The last member of the data structure @ksrc points in the initial

• •        version.
    

• • Return 0 for success, otherwise -error.
• */

+#define iommu_copy_struct_to_user(user_data, ksrc, data_type, min_last) \

• __iommu_copy_struct_to_user(user_data, ksrc, data_type, sizeof(*ksrc), \

• 		    offsetofend(typeof(*ksrc), min_last))
  

/**

• struct iommu_ops - iommu ops and capabilities
• @capable: check capability

With the above nit. Reviewed-by: Pranjal Shrivastava praan@google.com

-- 2.43.0

On Mon, Apr 28, 2025 at 11:21:43AM -0700, Nicolin Chen wrote:

On Mon, Apr 28, 2025 at 05:50:28PM +0000, Pranjal Shrivastava wrote:

...

On Fri, Apr 25, 2025 at 10:57:59PM -0700, Nicolin Chen wrote:

...

Similar to the iommu_copy_struct_from_user helper receiving data from the user space, add an iommu_copy_struct_to_user helper to report output data back to the user space data pointer.

Reviewed-by: Jason Gunthorpe jgg@nvidia.com Signed-off-by: Nicolin Chen nicolinc@nvidia.com

---

include/linux/iommu.h | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+)

diff --git a/include/linux/iommu.h b/include/linux/iommu.h index ba7add27e9a0..634ff647888d 100644 --- a/include/linux/iommu.h +++ b/include/linux/iommu.h @@ -562,6 +562,46 @@ iommu_copy_struct_from_full_user_array(void *kdst, size_t kdst_entry_size, return 0; } +/**

• • __iommu_copy_struct_to_user - Report iommu driver specific user space data
• • @dst_data: Pointer to a struct iommu_user_data for user space data location
• • @src_data: Pointer to an iommu driver specific user data that is defined in

• •        include/uapi/linux/iommufd.h
    

• • @data_type: The data type of the @dst_data. Must match with @src_data.type

						   ^

Nit: Must match with @dst_data type.

Oh, that's a copy-n-paste mistake. It should be:

• @data_type: The data type of the @src_data. Must match with @dst_data.type

Ack, yes that's what I meant!

Thanks! Nicolin

Thanks, Praan

On Fri, Apr 25, 2025 at 10:58:03PM -0700, Nicolin Chen wrote:

The new vCMDQ object will be added for HW to access the guest memory for a HW-accelerated virtualization feature. It needs to ensure the guest memory pages are pinned when HW accesses them and they are contiguous in physical address space.

This is very like the existing iommufd_access_pin_pages() that outputs the pinned page list for the caller to test its contiguity.

Move those code from iommufd_access_pin/unpin_pages() and related function for a pair of iopt helpers that can be shared with the vCMDQ allocator. As the vCMDQ allocator will be a user-space triggered ioctl function, WARN_ON would not be a good fit in the new iopt_unpin_pages(), thus change them to use WARN_ON_ONCE instead.

Rename check_area_prot() to align with the existing iopt_area helpers, and inline it to the header since iommufd_access_rw() still uses it.

Signed-off-by: Nicolin Chen nicolinc@nvidia.com

drivers/iommu/iommufd/io_pagetable.h | 8 ++ drivers/iommu/iommufd/iommufd_private.h | 6 ++ drivers/iommu/iommufd/device.c | 117 ++---------------------- drivers/iommu/iommufd/io_pagetable.c | 95 +++++++++++++++++++ 4 files changed, 117 insertions(+), 109 deletions(-)

diff --git a/drivers/iommu/iommufd/io_pagetable.h b/drivers/iommu/iommufd/io_pagetable.h index 10c928a9a463..4288a2b1a90f 100644 --- a/drivers/iommu/iommufd/io_pagetable.h +++ b/drivers/iommu/iommufd/io_pagetable.h @@ -114,6 +114,14 @@ static inline unsigned long iopt_area_iova_to_index(struct iopt_area *area, return iopt_area_start_byte(area, iova) / PAGE_SIZE; } +static inline bool iopt_area_check_prot(struct iopt_area *area,

• 			unsigned int flags)
  

+{

• if (flags & IOMMUFD_ACCESS_RW_WRITE)

• return area->iommu_prot & IOMMU_WRITE;
  

• return area->iommu_prot & IOMMU_READ;

+}

#define __make_iopt_iter(name) \ static inline struct iopt_##name *iopt_##name##_iter_first( \ struct io_pagetable *iopt, unsigned long start, \ diff --git a/drivers/iommu/iommufd/iommufd_private.h b/drivers/iommu/iommufd/iommufd_private.h index 8d96aa514033..79160b039bc7 100644 --- a/drivers/iommu/iommufd/iommufd_private.h +++ b/drivers/iommu/iommufd/iommufd_private.h @@ -130,6 +130,12 @@ int iopt_cut_iova(struct io_pagetable *iopt, unsigned long *iovas, void iopt_enable_large_pages(struct io_pagetable *iopt); int iopt_disable_large_pages(struct io_pagetable *iopt); +int iopt_pin_pages(struct io_pagetable *iopt, unsigned long iova,

•    unsigned long length, struct page **out_pages,
  

•    unsigned int flags);
  

+void iopt_unpin_pages(struct io_pagetable *iopt, unsigned long iova,

•       unsigned long length);
  

struct iommufd_ucmd { struct iommufd_ctx *ictx; void __user *ubuffer; diff --git a/drivers/iommu/iommufd/device.c b/drivers/iommu/iommufd/device.c index 2111bad72c72..a5c6be164254 100644 --- a/drivers/iommu/iommufd/device.c +++ b/drivers/iommu/iommufd/device.c @@ -1240,58 +1240,17 @@ void iommufd_access_notify_unmap(struct io_pagetable *iopt, unsigned long iova, void iommufd_access_unpin_pages(struct iommufd_access *access, unsigned long iova, unsigned long length) {

• struct iopt_area_contig_iter iter;
• struct io_pagetable *iopt;
• unsigned long last_iova;
• struct iopt_area *area;
• if (WARN_ON(!length) ||

•    WARN_ON(check_add_overflow(iova, length - 1, &last_iova)))
  

• return;
  

• mutex_lock(&access->ioas_lock);

• guard(mutex)(&access->ioas_lock); /*
  • The driver must be doing something wrong if it calls this before an
  • iommufd_access_attach() or after an iommufd_access_detach().
  */

• if (WARN_ON(!access->ioas_unpin)) {

• mutex_unlock(&access->ioas_lock);
  

• if (WARN_ON(!access->ioas_unpin)) return;

• }
• iopt = &access->ioas_unpin->iopt;
• down_read(&iopt->iova_rwsem);
• iopt_for_each_contig_area(&iter, area, iopt, iova, last_iova)

• iopt_area_remove_access(
  

• 	area, iopt_area_iova_to_index(area, iter.cur_iova),
  

• 	iopt_area_iova_to_index(
  

• 		area,
  

• 		min(last_iova, iopt_area_last_iova(area))));
  

• WARN_ON(!iopt_area_contig_done(&iter));
• up_read(&iopt->iova_rwsem);
• mutex_unlock(&access->ioas_lock);

• iopt_unpin_pages(&access->ioas_unpin->iopt, iova, length);

} EXPORT_SYMBOL_NS_GPL(iommufd_access_unpin_pages, "IOMMUFD"); -static bool iopt_area_contig_is_aligned(struct iopt_area_contig_iter *iter) -{

• if (iopt_area_start_byte(iter->area, iter->cur_iova) % PAGE_SIZE)

• return false;
  

• if (!iopt_area_contig_done(iter) &&

•    (iopt_area_start_byte(iter->area, iopt_area_last_iova(iter->area)) %
  

•     PAGE_SIZE) != (PAGE_SIZE - 1))
  

• return false;
  

• return true;

-}

-static bool check_area_prot(struct iopt_area *area, unsigned int flags) -{

• if (flags & IOMMUFD_ACCESS_RW_WRITE)

• return area->iommu_prot & IOMMU_WRITE;
  

• return area->iommu_prot & IOMMU_READ;

-}

/**

• iommufd_access_pin_pages() - Return a list of pages under the iova
• @access: IOAS access to act on

@@ -1315,76 +1274,16 @@ int iommufd_access_pin_pages(struct iommufd_access *access, unsigned long iova, unsigned long length, struct page **out_pages, unsigned int flags) {

• struct iopt_area_contig_iter iter;
• struct io_pagetable *iopt;
• unsigned long last_iova;
• struct iopt_area *area;
• int rc;
• /* Driver's ops don't support pin_pages */ if (IS_ENABLED(CONFIG_IOMMUFD_TEST) && WARN_ON(access->iova_alignment != PAGE_SIZE || !access->ops->unmap)) return -EINVAL;

• if (!length)

• return -EINVAL;
  

• if (check_add_overflow(iova, length - 1, &last_iova))

• return -EOVERFLOW;
  

• mutex_lock(&access->ioas_lock);
• if (!access->ioas) {

• mutex_unlock(&access->ioas_lock);
  

• guard(mutex)(&access->ioas_lock);
• if (!access->ioas) return -ENOENT;

• }
• iopt = &access->ioas->iopt;
• down_read(&iopt->iova_rwsem);
• iopt_for_each_contig_area(&iter, area, iopt, iova, last_iova) {

• unsigned long last = min(last_iova, iopt_area_last_iova(area));
  

• unsigned long last_index = iopt_area_iova_to_index(area, last);
  

• unsigned long index =
  

• 	iopt_area_iova_to_index(area, iter.cur_iova);
  

• if (area->prevent_access ||
  

•     !iopt_area_contig_is_aligned(&iter)) {
  

• 	rc = -EINVAL;
  

• 	goto err_remove;
  

• }
  

• if (!check_area_prot(area, flags)) {
  

• 	rc = -EPERM;
  

• 	goto err_remove;
  

• }
  

• rc = iopt_area_add_access(area, index, last_index, out_pages,
  

• 			  flags);
  

• if (rc)
  

• 	goto err_remove;
  

• out_pages += last_index - index + 1;
  

• }
• if (!iopt_area_contig_done(&iter)) {

• rc = -ENOENT;
  

• goto err_remove;
  

• }
• up_read(&iopt->iova_rwsem);
• mutex_unlock(&access->ioas_lock);
• return 0;

-err_remove:

• if (iova < iter.cur_iova) {

• last_iova = iter.cur_iova - 1;
  

• iopt_for_each_contig_area(&iter, area, iopt, iova, last_iova)
  

• 	iopt_area_remove_access(
  

• 		area,
  

• 		iopt_area_iova_to_index(area, iter.cur_iova),
  

• 		iopt_area_iova_to_index(
  

• 			area, min(last_iova,
  

• 				  iopt_area_last_iova(area))));
  

• }
• up_read(&iopt->iova_rwsem);
• mutex_unlock(&access->ioas_lock);
• return rc;

• return iopt_pin_pages(&access->ioas->iopt, iova, length, out_pages,

• 	      flags);
  

} EXPORT_SYMBOL_NS_GPL(iommufd_access_pin_pages, "IOMMUFD"); @@ -1431,7 +1330,7 @@ int iommufd_access_rw(struct iommufd_access *access, unsigned long iova, goto err_out; }

• if (!check_area_prot(area, flags)) {
  

• if (!iopt_area_check_prot(area, flags)) {
  rc = -EPERM;
  goto err_out;
  

  }

diff --git a/drivers/iommu/iommufd/io_pagetable.c b/drivers/iommu/iommufd/io_pagetable.c index 8a790e597e12..160eec49af1b 100644 --- a/drivers/iommu/iommufd/io_pagetable.c +++ b/drivers/iommu/iommufd/io_pagetable.c @@ -1472,3 +1472,98 @@ int iopt_table_enforce_dev_resv_regions(struct io_pagetable *iopt, up_write(&iopt->iova_rwsem); return rc; }

+static bool iopt_area_contig_is_aligned(struct iopt_area_contig_iter *iter) +{

• if (iopt_area_start_byte(iter->area, iter->cur_iova) % PAGE_SIZE)

• return false;
  

• if (!iopt_area_contig_done(iter) &&

•    (iopt_area_start_byte(iter->area, iopt_area_last_iova(iter->area)) %
  

•     PAGE_SIZE) != (PAGE_SIZE - 1))
  

• return false;
  

• return true;

+}

+int iopt_pin_pages(struct io_pagetable *iopt, unsigned long iova,

•    unsigned long length, struct page **out_pages,
  

•    unsigned int flags)
  

+{

• struct iopt_area_contig_iter iter;
• unsigned long last_iova;
• struct iopt_area *area;
• int rc;
• if (!length)

• return -EINVAL;
  

• if (check_add_overflow(iova, length - 1, &last_iova))

• return -EOVERFLOW;
  

• down_read(&iopt->iova_rwsem);
• iopt_for_each_contig_area(&iter, area, iopt, iova, last_iova) {

• unsigned long last = min(last_iova, iopt_area_last_iova(area));
  

• unsigned long last_index = iopt_area_iova_to_index(area, last);
  

• unsigned long index =
  

• 	iopt_area_iova_to_index(area, iter.cur_iova);
  

• if (area->prevent_access ||
  

Nit: Shouldn't we return -EBUSY or something if (area->prevent_access == 1) ? IIUC, this just means that an unmap attempt is in progress, hence avoid accessing the area.

•     !iopt_area_contig_is_aligned(&iter)) {
  

• 	rc = -EINVAL;
  

• 	goto err_remove;
  

• }
  

• if (!iopt_area_check_prot(area, flags)) {
  

• 	rc = -EPERM;
  

• 	goto err_remove;
  

• }
  

• rc = iopt_area_add_access(area, index, last_index, out_pages,
  

• 			  flags);
  

• if (rc)
  

• 	goto err_remove;
  

• out_pages += last_index - index + 1;
  

• }
• if (!iopt_area_contig_done(&iter)) {

• rc = -ENOENT;
  

• goto err_remove;
  

• }
• up_read(&iopt->iova_rwsem);
• return 0;

+err_remove:

• if (iova < iter.cur_iova) {

• last_iova = iter.cur_iova - 1;
  

• iopt_for_each_contig_area(&iter, area, iopt, iova, last_iova)
  

• 	iopt_area_remove_access(
  

• 		area,
  

• 		iopt_area_iova_to_index(area, iter.cur_iova),
  

• 		iopt_area_iova_to_index(
  

• 			area, min(last_iova,
  

• 				  iopt_area_last_iova(area))));
  

• }
• up_read(&iopt->iova_rwsem);
• return rc;

+}

+void iopt_unpin_pages(struct io_pagetable *iopt, unsigned long iova,

•       unsigned long length)
  

+{

• struct iopt_area_contig_iter iter;
• unsigned long last_iova;
• struct iopt_area *area;
• if (WARN_ON_ONCE(!length) ||

•    WARN_ON_ONCE(check_add_overflow(iova, length - 1, &last_iova)))
  

• return;
  

• down_read(&iopt->iova_rwsem);
• iopt_for_each_contig_area(&iter, area, iopt, iova, last_iova)

• iopt_area_remove_access(
  

• 	area, iopt_area_iova_to_index(area, iter.cur_iova),
  

• 	iopt_area_iova_to_index(
  

• 		area,
  

• 		min(last_iova, iopt_area_last_iova(area))));
  

• WARN_ON_ONCE(!iopt_area_contig_done(&iter));
• up_read(&iopt->iova_rwsem);

+}

2.43.0

On 4/26/25 13:58, Nicolin Chen wrote:

Add a new IOMMUFD_OBJ_VCMDQ with an iommufd_vcmdq structure, representing a command queue type of physical HW passed to a user space VM. This vCMDQ object, is a subset of vIOMMU resources of a physical IOMMU's, such as:

• NVIDIA's virtual command queue
• AMD vIOMMU's command buffer

Inroduce a struct iommufd_vcmdq and its allocator iommufd_vcmdq_alloc(). Also add a pair of viommu ops for iommufd to forward user space ioctls to IOMMU drivers.

Signed-off-by: Nicolin Chennicolinc@nvidia.com

Reviewed-by: Lu Baolu baolu.lu@linux.intel.com

with a small nit below ...

---

include/linux/iommufd.h | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+)

diff --git a/include/linux/iommufd.h b/include/linux/iommufd.h index ef0d3c4765cf..e91381aaec5a 100644 --- a/include/linux/iommufd.h +++ b/include/linux/iommufd.h @@ -37,6 +37,7 @@ enum iommufd_object_type { IOMMUFD_OBJ_VIOMMU, IOMMUFD_OBJ_VDEVICE, IOMMUFD_OBJ_VEVENTQ,

• IOMMUFD_OBJ_VCMDQ, #ifdef CONFIG_IOMMUFD_TEST IOMMUFD_OBJ_SELFTEST, #endif

@@ -112,6 +113,14 @@ struct iommufd_vdevice { u64 id; /* per-vIOMMU virtual ID */ }; +struct iommufd_vcmdq {

• struct iommufd_object obj;
• struct iommufd_ctx *ictx;
• struct iommufd_viommu *viommu;
• dma_addr_t addr;

It's better to add a comment to state that @addr is a guest physical address. Or not?

• size_t length;

+};

Thanks, baolu

On Fri, Apr 25, 2025 at 10:58:04PM -0700, Nicolin Chen wrote:

Add a new IOMMUFD_OBJ_VCMDQ with an iommufd_vcmdq structure, representing a command queue type of physical HW passed to a user space VM. This vCMDQ object, is a subset of vIOMMU resources of a physical IOMMU's, such as:

• NVIDIA's virtual command queue
• AMD vIOMMU's command buffer

Inroduce a struct iommufd_vcmdq and its allocator iommufd_vcmdq_alloc(). Also add a pair of viommu ops for iommufd to forward user space ioctls to IOMMU drivers.

Signed-off-by: Nicolin Chen nicolinc@nvidia.com

Reviewed-by: Pranjal Shrivastava praan@google.com

---

include/linux/iommufd.h | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+)

diff --git a/include/linux/iommufd.h b/include/linux/iommufd.h index ef0d3c4765cf..e91381aaec5a 100644 --- a/include/linux/iommufd.h +++ b/include/linux/iommufd.h @@ -37,6 +37,7 @@ enum iommufd_object_type { IOMMUFD_OBJ_VIOMMU, IOMMUFD_OBJ_VDEVICE, IOMMUFD_OBJ_VEVENTQ,

• IOMMUFD_OBJ_VCMDQ,

#ifdef CONFIG_IOMMUFD_TEST IOMMUFD_OBJ_SELFTEST, #endif @@ -112,6 +113,14 @@ struct iommufd_vdevice { u64 id; /* per-vIOMMU virtual ID */ }; +struct iommufd_vcmdq {

• struct iommufd_object obj;
• struct iommufd_ctx *ictx;
• struct iommufd_viommu *viommu;
• dma_addr_t addr;
• size_t length;

+};

/**

• struct iommufd_viommu_ops - vIOMMU specific operations
• @destroy: Clean up all driver-specific parts of an iommufd_viommu. The memory

@@ -135,6 +144,13 @@ struct iommufd_vdevice {

• @vdevice_destroy: Clean up all driver-specific parts of an iommufd_vdevice.

•               The memory of the vDEVICE will be free-ed by iommufd core
  

•               after calling this op
  

• • @vcmdq_alloc: Allocate a @type of iommufd_vcmdq as a user space command queue

• •           for a @viommu. @index carries the logical vcmdq ID (for a multi-
    

• •           queue case); @addr carries the guest physical base address of
    

• •           the queue memory; @length carries the size of the queue memory
    

• • @vcmdq_destroy: Clean up all driver-specific parts of an iommufd_vcmdq. The

• •             memory of the iommufd_vcmdq will be free-ed by iommufd core
    

• •             after calling this op
    

  */

struct iommufd_viommu_ops { void (*destroy)(struct iommufd_viommu *viommu); @@ -147,6 +163,10 @@ struct iommufd_viommu_ops { struct device *dev, u64 virt_id); void (*vdevice_destroy)(struct iommufd_vdevice *vdev);

• struct iommufd_vcmdq *(*vcmdq_alloc)(struct iommufd_viommu *viommu,

• 			     unsigned int type, u32 index,
  

• 			     dma_addr_t addr, size_t length);
  

• void (*vcmdq_destroy)(struct iommufd_vcmdq *vcmdq);

}; #if IS_ENABLED(CONFIG_IOMMUFD) @@ -286,6 +306,21 @@ static inline int iommufd_viommu_report_event(struct iommufd_viommu *viommu, ret; \ }) +#define iommufd_vcmdq_alloc(viommu, drv_struct, member) \

• ({ \

• drv_struct *ret;                                               \
  

• 							       \
  

• static_assert(__same_type(struct iommufd_viommu, *viommu));    \
  

• static_assert(__same_type(struct iommufd_vcmdq,                \
  

• 			  ((drv_struct *)NULL)->member));      \
  

• static_assert(offsetof(drv_struct, member.obj) == 0);          \
  

• ret = (drv_struct *)_iommufd_object_alloc(                     \
  

• 	viommu->ictx, sizeof(drv_struct), IOMMUFD_OBJ_VCMDQ);  \
  

• if (!IS_ERR(ret))                                              \
  

• 	ret->member.viommu = viommu;                           \
  

• ret;                                                           \
  

• })

/* Helper for IOMMU driver to destroy structures created by allocators above */ #define iommufd_struct_destroy(ictx, drv_struct, member) \ ({ \ -- 2.43.0

On 4/26/25 13:58, Nicolin Chen wrote:

diff --git a/drivers/iommu/iommufd/viommu.c b/drivers/iommu/iommufd/viommu.c index a65153458a26..02a111710ffe 100644 --- a/drivers/iommu/iommufd/viommu.c +++ b/drivers/iommu/iommufd/viommu.c @@ -170,3 +170,97 @@ int iommufd_vdevice_alloc_ioctl(struct iommufd_ucmd *ucmd) iommufd_put_object(ucmd->ictx, &viommu->obj); return rc; }

+void iommufd_vcmdq_destroy(struct iommufd_object *obj) +{

• struct iommufd_vcmdq *vcmdq =

• container_of(obj, struct iommufd_vcmdq, obj);
  

• struct iommufd_viommu *viommu = vcmdq->viommu;
• if (viommu->ops->vcmdq_destroy)

• viommu->ops->vcmdq_destroy(vcmdq);
  

• iopt_unpin_pages(&viommu->hwpt->ioas->iopt, vcmdq->addr, vcmdq->length);
• refcount_dec(&viommu->obj.users);

+}

+int iommufd_vcmdq_alloc_ioctl(struct iommufd_ucmd *ucmd) +{

• struct iommu_vcmdq_alloc *cmd = ucmd->cmd;
• struct iommufd_viommu *viommu;
• struct iommufd_vcmdq *vcmdq;
• struct page **pages;
• int max_npages, i;
• dma_addr_t end;
• int rc;
• if (cmd->flags || cmd->type == IOMMU_VCMDQ_TYPE_DEFAULT)

I don't follow the check of 'cmd->type == IOMMU_VCMDQ_TYPE_DEFAULT' here. My understanding is that it states that "other values of type are not supported". If so, shouldn't it be,

if (cmd->flags || cmd->type != IOMMU_VCMDQ_TYPE_DEFAULT)

?

• return -EOPNOTSUPP;
  

• if (!cmd->addr || !cmd->length)

• return -EINVAL;
  

• if (check_add_overflow(cmd->addr, cmd->length - 1, &end))

• return -EOVERFLOW;
  

Thanks, baolu

On Mon, Apr 28, 2025 at 05:42:27PM +0530, Vasant Hegde wrote:

...

+/**

• • struct iommu_vcmdq_alloc - ioctl(IOMMU_VCMDQ_ALLOC)
• • @size: sizeof(struct iommu_vcmdq_alloc)
• • @flags: Must be 0
• • @viommu_id: Virtual IOMMU ID to associate the virtual command queue with
• • @type: One of enum iommu_vcmdq_type
• • @index: The logical index to the virtual command queue per virtual IOMMU, for

• •     a multi-queue model
    

• • @out_vcmdq_id: The ID of the new virtual command queue
• • @addr: Base address of the queue memory in the guest physical address space

Sorry. I didn't get this part.

So here `addr` is command queue base address like

• NVIDIA's virtual command queue
• AMD vIOMMU's command buffer

.. and it will allocate vcmdq for each buffer type. Is that the correct understanding?

Yes. For AMD "vIOMMU", it needs a new type for iommufd vIOMMU: IOMMU_VIOMMU_TYPE_AMD_VIOMMU,

For AMD "vIOMMU" command buffer, it needs a new type too: IOMMU_VCMDQ_TYPE_AMD_VIOMMU, /* Kdoc it to be Command Buffer */

Then, use IOMMUFD_CMD_VIOMMU_ALLOC ioctl to allocate an vIOMMU obj, and use IOMMUFD_CMD_VCMDQ_ALLOC ioctl(s) to allocate vCMDQ objs.

In case of AMD vIOMMU, buffer base address is programmed in different register (ex: MMIO Offset 0008h Command Buffer Base Address Register) and buffer enable/disable is done via different register (ex: MMIO Offset 0018h IOMMU Control Register). And we need to communicate both to hypervisor. Not sure this API can accommodate this as addr seems to be mandatory.

NVIDIA's CMDQV has all three of them too. What we do here is to let VMM trap the buffer base address (in guest physical address space) and forward it to kernel using this @addr. Then, kernel will translate this @addr to host physical address space, and program the physical address and size to the register.

[1] https://www.amd.com/content/dam/amd/en/documents/processor-tech-docs/specifi...

Thanks for the doc. So, AMD has:

Command Buffer Base Address Register [MMIO Offset 0008h] "used to program the system physical base address and size of the command buffer. The command buffer occupies contiguous physical memory starting at the programmed base address, up to the programmed size." Command Buffer Head Pointer Register [MMIO Offset 2000h] Command Buffer Tail Pointer Register [MMIO Offset 2008h]

IIUIC, AMD should do the same: VMM traps VM's Command Buffer Base Address register when the guest kernel allocates a command buffer by programming the VM's Command Buffer Base Address register, to capture the guest PA and size. Then, VMM allocates a vCMDQ object (for this command buffer) forwarding its buffer address and size via @addr and @length to the host kernel. Then, the kernel should translate the guest PA to host PA to program the HW.

We can see that the Head/Tail registers are in a different MMIO page (offset by two 4K pages), which is very like NVIDIA CMDQV that allows VMM to mmap that MMIO page of the Head/Tail registers for guest OS to directly control the HW (i.e. VMM doesn't trap these two registers.

When guest OS wants to issue a new command, the guest kernel can just fill the guest command buffer at the entry that the Head register points to, and program the Tail register (backed by an mmap'd MMIO page), then the HW will read the programmed physical address from the entry (Head) till the entry (Tail) in the guest command buffer.

...

@@ -170,3 +170,97 @@ int iommufd_vdevice_alloc_ioctl(struct iommufd_ucmd *ucmd) iommufd_put_object(ucmd->ictx, &viommu->obj); return rc; }

+void iommufd_vcmdq_destroy(struct iommufd_object *obj) +{

I didn't understood destroy flow in general. Can you please help me to understand:

VMM is expected to track all buffers and call this interface? OR iommufd will take care of it? What happens if VM crashes ?

In a normal routine, VMM gets a vCMDQ object ID for each vCMDQ object it allocated. So, it should track all the IDs and release them when VM shuts down.

The iommufd core does track all the objects that belong to an iommufd context (ictx), and automatically release them. But, it can't resolve certain dependency on other FD, e.g. vEVENTQ and FAULT QUEUE would return another FD that user space listens to and must be closed properly to destroy the QUEUE object.

...

• /* The underlying physical pages must be pinned in the IOAS */
• rc = iopt_pin_pages(&viommu->hwpt->ioas->iopt, cmd->addr, cmd->length,

• 	    pages, 0);
  

Why do we need this? is it not pinned already as part of vfio binding?

I think this could be clearer: /* * The underlying physical pages must be pinned to prevent them from * being unmapped (via IOMMUFD_CMD_IOAS_UNMAP) during the life cycle * of the vCMDQ object. */

Thanks Nicolin

On Fri, Apr 25, 2025 at 10:58:05PM -0700, Nicolin Chen wrote:

Introduce a new IOMMUFD_CMD_VCMDQ_ALLOC ioctl for user space to allocate a vCMDQ for a vIOMMU object. Simply increase the refcount of the vIOMMU.

Signed-off-by: Nicolin Chen nicolinc@nvidia.com

drivers/iommu/iommufd/iommufd_private.h | 2 + include/uapi/linux/iommufd.h | 41 +++++++++++ drivers/iommu/iommufd/main.c | 6 ++ drivers/iommu/iommufd/viommu.c | 94 +++++++++++++++++++++++++ 4 files changed, 143 insertions(+)

diff --git a/drivers/iommu/iommufd/iommufd_private.h b/drivers/iommu/iommufd/iommufd_private.h index 79160b039bc7..b974c207ae8a 100644 --- a/drivers/iommu/iommufd/iommufd_private.h +++ b/drivers/iommu/iommufd/iommufd_private.h @@ -611,6 +611,8 @@ int iommufd_viommu_alloc_ioctl(struct iommufd_ucmd *ucmd); void iommufd_viommu_destroy(struct iommufd_object *obj); int iommufd_vdevice_alloc_ioctl(struct iommufd_ucmd *ucmd); void iommufd_vdevice_destroy(struct iommufd_object *obj); +int iommufd_vcmdq_alloc_ioctl(struct iommufd_ucmd *ucmd); +void iommufd_vcmdq_destroy(struct iommufd_object *obj); #ifdef CONFIG_IOMMUFD_TEST int iommufd_test(struct iommufd_ucmd *ucmd); diff --git a/include/uapi/linux/iommufd.h b/include/uapi/linux/iommufd.h index cc90299a08d9..06a763fda47f 100644 --- a/include/uapi/linux/iommufd.h +++ b/include/uapi/linux/iommufd.h @@ -56,6 +56,7 @@ enum { IOMMUFD_CMD_VDEVICE_ALLOC = 0x91, IOMMUFD_CMD_IOAS_CHANGE_PROCESS = 0x92, IOMMUFD_CMD_VEVENTQ_ALLOC = 0x93,

• IOMMUFD_CMD_VCMDQ_ALLOC = 0x94,

}; /** @@ -1147,4 +1148,44 @@ struct iommu_veventq_alloc { __u32 __reserved; }; #define IOMMU_VEVENTQ_ALLOC _IO(IOMMUFD_TYPE, IOMMUFD_CMD_VEVENTQ_ALLOC)

+/**

• • enum iommu_vcmdq_type - Virtual Command Queue Type
• • @IOMMU_VCMDQ_TYPE_DEFAULT: Reserved for future use
• */

+enum iommu_vcmdq_type {

• IOMMU_VCMDQ_TYPE_DEFAULT = 0,

+};

+/**

• • struct iommu_vcmdq_alloc - ioctl(IOMMU_VCMDQ_ALLOC)
• • @size: sizeof(struct iommu_vcmdq_alloc)
• • @flags: Must be 0
• • @viommu_id: Virtual IOMMU ID to associate the virtual command queue with
• • @type: One of enum iommu_vcmdq_type
• • @index: The logical index to the virtual command queue per virtual IOMMU, for

• •     a multi-queue model
    

• • @out_vcmdq_id: The ID of the new virtual command queue
• • @addr: Base address of the queue memory in the guest physical address space
• • @length: Length of the queue memory in the guest physical address space
• • Allocate a virtual command queue object for a vIOMMU-specific HW-accelerated
• • feature that can access a guest queue memory described by @addr and @length.
• • It's suggested for VMM to back the queue memory using a single huge page with
• • a proper alignment for its contiguity in the host physical address space. The
• • call will fail, if the queue memory is not contiguous in the physical address
• • space. Upon success, its underlying physical pages will be pinned to prevent
• • VMM from unmapping them in the IOAS, until the virtual CMDQ gets destroyed.
• */

+struct iommu_vcmdq_alloc {

• __u32 size;
• __u32 flags;
• __u32 viommu_id;
• __u32 type;
• __u32 index;
• __u32 out_vcmdq_id;
• __aligned_u64 addr;
• __aligned_u64 length;

+}; +#define IOMMU_VCMDQ_ALLOC _IO(IOMMUFD_TYPE, IOMMUFD_CMD_VCMDQ_ALLOC) #endif diff --git a/drivers/iommu/iommufd/main.c b/drivers/iommu/iommufd/main.c index 2b9ee9b4a424..ac51d5cfaa61 100644 --- a/drivers/iommu/iommufd/main.c +++ b/drivers/iommu/iommufd/main.c @@ -303,6 +303,7 @@ union ucmd_buffer { struct iommu_ioas_map map; struct iommu_ioas_unmap unmap; struct iommu_option option;

• struct iommu_vcmdq_alloc vcmdq; struct iommu_vdevice_alloc vdev; struct iommu_veventq_alloc veventq; struct iommu_vfio_ioas vfio_ioas;

@@ -358,6 +359,8 @@ static const struct iommufd_ioctl_op iommufd_ioctl_ops[] = { IOCTL_OP(IOMMU_IOAS_UNMAP, iommufd_ioas_unmap, struct iommu_ioas_unmap, length), IOCTL_OP(IOMMU_OPTION, iommufd_option, struct iommu_option, val64),

• IOCTL_OP(IOMMU_VCMDQ_ALLOC, iommufd_vcmdq_alloc_ioctl,

•  struct iommu_vcmdq_alloc, length),
  

  IOCTL_OP(IOMMU_VDEVICE_ALLOC, iommufd_vdevice_alloc_ioctl, struct iommu_vdevice_alloc, virt_id), IOCTL_OP(IOMMU_VEVENTQ_ALLOC, iommufd_veventq_alloc,

@@ -501,6 +504,9 @@ static const struct iommufd_object_ops iommufd_object_ops[] = { [IOMMUFD_OBJ_IOAS] = { .destroy = iommufd_ioas_destroy, },

• [IOMMUFD_OBJ_VCMDQ] = {

• .destroy = iommufd_vcmdq_destroy,
  

• }, [IOMMUFD_OBJ_VDEVICE] = { .destroy = iommufd_vdevice_destroy, },

When do we expect the VMM to use this ioctl? While it's spawning a new VM? IIUC, one vintf can have multiple lvcmdqs and looking at the series it looks like the vcmdq_alloc allocates a single lvcmdq. Is the plan to dedicate one lvcmdq to per VM? Which means VMs can share a vintf? Or do we plan to trap access to trap the access everytime the VM accesses an lvcmdq base register?

diff --git a/drivers/iommu/iommufd/viommu.c b/drivers/iommu/iommufd/viommu.c index a65153458a26..02a111710ffe 100644 --- a/drivers/iommu/iommufd/viommu.c +++ b/drivers/iommu/iommufd/viommu.c @@ -170,3 +170,97 @@ int iommufd_vdevice_alloc_ioctl(struct iommufd_ucmd *ucmd) iommufd_put_object(ucmd->ictx, &viommu->obj); return rc; }

+void iommufd_vcmdq_destroy(struct iommufd_object *obj) +{

• struct iommufd_vcmdq *vcmdq =

• container_of(obj, struct iommufd_vcmdq, obj);
  

• struct iommufd_viommu *viommu = vcmdq->viommu;
• if (viommu->ops->vcmdq_destroy)

• viommu->ops->vcmdq_destroy(vcmdq);
  

• iopt_unpin_pages(&viommu->hwpt->ioas->iopt, vcmdq->addr, vcmdq->length);
• refcount_dec(&viommu->obj.users);

+}

+int iommufd_vcmdq_alloc_ioctl(struct iommufd_ucmd *ucmd) +{

• struct iommu_vcmdq_alloc *cmd = ucmd->cmd;
• struct iommufd_viommu *viommu;
• struct iommufd_vcmdq *vcmdq;
• struct page **pages;
• int max_npages, i;
• dma_addr_t end;
• int rc;
• if (cmd->flags || cmd->type == IOMMU_VCMDQ_TYPE_DEFAULT)

• return -EOPNOTSUPP;
  

The cmd->type check is a little confusing here, I think we could re-order the series and add this check when we have the CMDQV type. Alternatively, we could keep this in place and add the driver-specific vcmdq_alloc op calls when it's added/available for Tegra CMDQV while stubbing out the rest of this function accordingly.

• if (!cmd->addr || !cmd->length)

• return -EINVAL;
  

• if (check_add_overflow(cmd->addr, cmd->length - 1, &end))

• return -EOVERFLOW;
  

• max_npages = DIV_ROUND_UP(cmd->length, PAGE_SIZE);
• pages = kcalloc(max_npages, sizeof(*pages), GFP_KERNEL);
• if (!pages)

• return -ENOMEM;
  

• viommu = iommufd_get_viommu(ucmd, cmd->viommu_id);
• if (IS_ERR(viommu)) {

• rc = PTR_ERR(viommu);
  

• goto out_free;
  

• }
• if (!viommu->ops || !viommu->ops->vcmdq_alloc) {

• rc = -EOPNOTSUPP;
  

• goto out_put_viommu;
  

• }
• /* Quick test on the base address */
• if (!iommu_iova_to_phys(viommu->hwpt->common.domain, cmd->addr)) {

• rc = -ENXIO;
  

• goto out_put_viommu;
  

• }
• /* The underlying physical pages must be pinned in the IOAS */
• rc = iopt_pin_pages(&viommu->hwpt->ioas->iopt, cmd->addr, cmd->length,

• 	    pages, 0);
  

• if (rc)

• goto out_put_viommu;
  

• /* Validate if the underlying physical pages are contiguous */
• for (i = 1; i < max_npages && pages[i]; i++) {

• if (page_to_pfn(pages[i]) == page_to_pfn(pages[i - 1]) + 1)
  

• 	continue;
  

• rc = -EFAULT;
  

• goto out_unpin;
  

• }
• vcmdq = viommu->ops->vcmdq_alloc(viommu, cmd->type, cmd->index,

• 			 cmd->addr, cmd->length);
  

• if (IS_ERR(vcmdq)) {

• rc = PTR_ERR(vcmdq);
  

• goto out_unpin;
  

• }
• vcmdq->viommu = viommu;
• refcount_inc(&viommu->obj.users);
• vcmdq->addr = cmd->addr;
• vcmdq->ictx = ucmd->ictx;
• vcmdq->length = cmd->length;
• cmd->out_vcmdq_id = vcmdq->obj.id;
• rc = iommufd_ucmd_respond(ucmd, sizeof(*cmd));
• if (rc)

• iommufd_object_abort_and_destroy(ucmd->ictx, &vcmdq->obj);
  

• else

• iommufd_object_finalize(ucmd->ictx, &vcmdq->obj);
  

• goto out_put_viommu;

+out_unpin:

• iopt_unpin_pages(&viommu->hwpt->ioas->iopt, cmd->addr, cmd->length);

+out_put_viommu:

• iommufd_put_object(ucmd->ictx, &viommu->obj);

+out_free:

• kfree(pages);
• return rc;

+}

2.43.0

On Mon, Apr 28, 2025 at 03:44:08PM -0700, Nicolin Chen wrote:

On Mon, Apr 28, 2025 at 09:34:05PM +0000, Pranjal Shrivastava wrote:

...

On Fri, Apr 25, 2025 at 10:58:05PM -0700, Nicolin Chen wrote:

...

@@ -501,6 +504,9 @@ static const struct iommufd_object_ops iommufd_object_ops[] = { [IOMMUFD_OBJ_IOAS] = { .destroy = iommufd_ioas_destroy, },

• [IOMMUFD_OBJ_VCMDQ] = {

• .destroy = iommufd_vcmdq_destroy,
  

• }, [IOMMUFD_OBJ_VDEVICE] = { .destroy = iommufd_vdevice_destroy, },

When do we expect the VMM to use this ioctl? While it's spawning a new VM?

When guest OS clears the VCMDQ's base address register, or when guest OS reboots or shuts down.

Ack. So, basically any write to VCMDQ_BASE is trapped?

...

IIUC, one vintf can have multiple lvcmdqs and looking at the series it looks like the vcmdq_alloc allocates a single lvcmdq. Is the plan to dedicate one lvcmdq to per VM? Which means VMs can share a vintf?

VINTF is a vSMMU instance per SMMU. Each VINTF can have multiple LVCMDQs. Each vCMDQ is allocated per IOMMUFD_CMD_VCMDQ_ALLOC. In other word, VM can issue multiple IOMMUFD_CMD_VCMDQ_ALLOC calls for each VTINF/vSMMU.

Ack. I'm just wondering why would a single VM want more than one vCMDQ per vSMMU?

...

Or do we plan to trap access to trap the access everytime the VM accesses an lvcmdq base register?

Yes. That's the only place the VMM can trap. All other register accesses are going to the HW directly without trappings.

Got it.

...

...

diff --git a/drivers/iommu/iommufd/viommu.c b/drivers/iommu/iommufd/viommu.c index a65153458a26..02a111710ffe 100644 --- a/drivers/iommu/iommufd/viommu.c +++ b/drivers/iommu/iommufd/viommu.c @@ -170,3 +170,97 @@ int iommufd_vdevice_alloc_ioctl(struct iommufd_ucmd *ucmd) iommufd_put_object(ucmd->ictx, &viommu->obj); return rc; }

+void iommufd_vcmdq_destroy(struct iommufd_object *obj) +{

• struct iommufd_vcmdq *vcmdq =

• container_of(obj, struct iommufd_vcmdq, obj);
  

• struct iommufd_viommu *viommu = vcmdq->viommu;
• if (viommu->ops->vcmdq_destroy)

• viommu->ops->vcmdq_destroy(vcmdq);
  

• iopt_unpin_pages(&viommu->hwpt->ioas->iopt, vcmdq->addr, vcmdq->length);
• refcount_dec(&viommu->obj.users);

+}

+int iommufd_vcmdq_alloc_ioctl(struct iommufd_ucmd *ucmd) +{

• struct iommu_vcmdq_alloc *cmd = ucmd->cmd;
• struct iommufd_viommu *viommu;
• struct iommufd_vcmdq *vcmdq;
• struct page **pages;
• int max_npages, i;
• dma_addr_t end;
• int rc;
• if (cmd->flags || cmd->type == IOMMU_VCMDQ_TYPE_DEFAULT)

• return -EOPNOTSUPP;
  

The cmd->type check is a little confusing here, I think we could re-order the series and add this check when we have the CMDQV type.

This is the patch that introduces the IOMMU_VCMDQ_TYPE_DEFAULT. So, it's natural we check it here. The thing is that we have to introduce something to fill the enum iommu_vcmdq_type, so that it wouldn't be empty.

An unsupported DEFAULT type is what we have for vIOMMU/vEVENTQ also.

A driver patch should define its own type along with the driver patch. And it's what this series does. I think it's pretty clear?

Alright. Agreed.

...

Alternatively, we could keep this in place and

[..]

...

add the driver-specific vcmdq_alloc op calls when it's added/available for Tegra CMDQV while stubbing out the rest of this function accordingly.

Why?

The vcmdq_alloc op is already introduced in the prior patch. It is cleaner to keep all core code in one patch. And then another tegra patch to add driver type and its support.

Alright.

Thanks Nicolin

Thanks, Praan

On 4/26/25 13:58, Nicolin Chen wrote:

For vIOMMU passing through HW resources to user space (VMs), add an mmap infrastructure to map a region of hardware MMIO pages.

Maintain an mt_mmap per ictx for validations. To allow IOMMU drivers to add and delete mmappable regions to/from the mt_mmap, add a pair of new helpers: iommufd_ctx_alloc_mmap() and iommufd_ctx_free_mmap().

I am wondering why the dma_buf mechanism isn't used here, considering that this also involves an export and import pattern.

Signed-off-by: Nicolin Chen nicolinc@nvidia.com

drivers/iommu/iommufd/iommufd_private.h | 8 +++++ include/linux/iommufd.h | 15 ++++++++++ drivers/iommu/iommufd/driver.c | 39 +++++++++++++++++++++++++ drivers/iommu/iommufd/main.c | 39 +++++++++++++++++++++++++ 4 files changed, 101 insertions(+)

diff --git a/drivers/iommu/iommufd/iommufd_private.h b/drivers/iommu/iommufd/iommufd_private.h index b974c207ae8a..db5b62ec4abb 100644 --- a/drivers/iommu/iommufd/iommufd_private.h +++ b/drivers/iommu/iommufd/iommufd_private.h @@ -7,6 +7,7 @@ #include <linux/iommu.h> #include <linux/iommufd.h> #include <linux/iova_bitmap.h> +#include <linux/maple_tree.h> #include <linux/rwsem.h> #include <linux/uaccess.h> #include <linux/xarray.h> @@ -44,6 +45,7 @@ struct iommufd_ctx { struct xarray groups; wait_queue_head_t destroy_wait; struct rw_semaphore ioas_creation_lock;

• struct maple_tree mt_mmap;

struct mutex sw_msi_lock; struct list_head sw_msi_list; @@ -55,6 +57,12 @@ struct iommufd_ctx { struct iommufd_ioas *vfio_ioas; }; +/* Entry for iommufd_ctx::mt_mmap */ +struct iommufd_mmap {

• unsigned long pfn_start;
• unsigned long pfn_end;

+};

This structure is introduced to represent a mappable/mapped region, right? It would be better to add comments specifying whether the start and end are inclusive or exclusive.

• /*
  • The IOVA to PFN map. The map automatically copies the PFNs into multiple
  • domains and permits sharing of PFNs between io_pagetable instances. This

diff --git a/include/linux/iommufd.h b/include/linux/iommufd.h index 5dff154e8ce1..d63e2d91be0d 100644 --- a/include/linux/iommufd.h +++ b/include/linux/iommufd.h @@ -236,6 +236,9 @@ int iommufd_object_depend(struct iommufd_object *obj_dependent, struct iommufd_object *obj_depended); void iommufd_object_undepend(struct iommufd_object *obj_dependent, struct iommufd_object *obj_depended); +int iommufd_ctx_alloc_mmap(struct iommufd_ctx *ictx, phys_addr_t base,

• 	   size_t size, unsigned long *immap_id);
  

+void iommufd_ctx_free_mmap(struct iommufd_ctx *ictx, unsigned long immap_id); struct device *iommufd_viommu_find_dev(struct iommufd_viommu *viommu, unsigned long vdev_id); int iommufd_viommu_get_vdev_id(struct iommufd_viommu *viommu, @@ -262,11 +265,23 @@ static inline int iommufd_object_depend(struct iommufd_object *obj_dependent, return -EOPNOTSUPP; } +static inline int iommufd_ctx_alloc_mmap(struct iommufd_ctx *ictx,

• 			 phys_addr_t base, size_t size,
  

• 			 unsigned long *immap_id)
  

+{

• return -EOPNOTSUPP;

+}

• static inline void iommufd_object_undepend(struct iommufd_object *obj_dependent, struct iommufd_object *obj_depended) { }

+static inline void iommufd_ctx_free_mmap(struct iommufd_ctx *ictx,

• 			 unsigned long immap_id)
  

+{ +}

• static inline struct device * iommufd_viommu_find_dev(struct iommufd_viommu *viommu, unsigned long vdev_id) {

diff --git a/drivers/iommu/iommufd/driver.c b/drivers/iommu/iommufd/driver.c index fb7f8fe40f95..c55336c580dc 100644 --- a/drivers/iommu/iommufd/driver.c +++ b/drivers/iommu/iommufd/driver.c @@ -78,6 +78,45 @@ void iommufd_object_undepend(struct iommufd_object *obj_dependent, } EXPORT_SYMBOL_NS_GPL(iommufd_object_undepend, "IOMMUFD"); +/* Driver should report the output @immap_id to user space for mmap() syscall */ +int iommufd_ctx_alloc_mmap(struct iommufd_ctx *ictx, phys_addr_t base,

• 	   size_t size, unsigned long *immap_id)
  

+{

• struct iommufd_mmap *immap;
• int rc;
• if (WARN_ON_ONCE(!immap_id))

• return -EINVAL;
  

• if (base & ~PAGE_MASK)

• return -EINVAL;
  

Is it equal to PAGE_ALIGNED()?

• if (!size || size & ~PAGE_MASK)

• return -EINVAL;
  

• immap = kzalloc(sizeof(*immap), GFP_KERNEL);
• if (!immap)

• return -ENOMEM;
  

• immap->pfn_start = base >> PAGE_SHIFT;
• immap->pfn_end = immap->pfn_start + (size >> PAGE_SHIFT) - 1;
• rc = mtree_alloc_range(&ictx->mt_mmap, immap_id, immap, sizeof(immap),

• 	       0, LONG_MAX >> PAGE_SHIFT, GFP_KERNEL);
  

• if (rc < 0) {

• kfree(immap);
  

• return rc;
  

• }
• /* mmap() syscall will right-shift the immap_id to vma->vm_pgoff */
• *immap_id <<= PAGE_SHIFT;
• return 0;

+} +EXPORT_SYMBOL_NS_GPL(iommufd_ctx_alloc_mmap, "IOMMUFD");

+void iommufd_ctx_free_mmap(struct iommufd_ctx *ictx, unsigned long immap_id) +{

• kfree(mtree_erase(&ictx->mt_mmap, immap_id >> PAGE_SHIFT));

MMIO lifecycle question: what happens if a region is removed from the maple tree (and is therefore no longer mappable), but is still mapped and in use by userspace?

+} +EXPORT_SYMBOL_NS_GPL(iommufd_ctx_free_mmap, "IOMMUFD");

• /* Caller should xa_lock(&viommu->vdevs) to protect the return value */ struct device *iommufd_viommu_find_dev(struct iommufd_viommu *viommu, unsigned long vdev_id)

Thanks, baolu

On Fri, Apr 25, 2025 at 10:58:08PM -0700, Nicolin Chen wrote:

For vIOMMU passing through HW resources to user space (VMs), add an mmap infrastructure to map a region of hardware MMIO pages.

Maintain an mt_mmap per ictx for validations. To allow IOMMU drivers to add and delete mmappable regions to/from the mt_mmap, add a pair of new helpers: iommufd_ctx_alloc_mmap() and iommufd_ctx_free_mmap().

Signed-off-by: Nicolin Chen nicolinc@nvidia.com

drivers/iommu/iommufd/iommufd_private.h | 8 +++++ include/linux/iommufd.h | 15 ++++++++++ drivers/iommu/iommufd/driver.c | 39 +++++++++++++++++++++++++ drivers/iommu/iommufd/main.c | 39 +++++++++++++++++++++++++ 4 files changed, 101 insertions(+)

diff --git a/drivers/iommu/iommufd/iommufd_private.h b/drivers/iommu/iommufd/iommufd_private.h index b974c207ae8a..db5b62ec4abb 100644 --- a/drivers/iommu/iommufd/iommufd_private.h +++ b/drivers/iommu/iommufd/iommufd_private.h @@ -7,6 +7,7 @@ #include <linux/iommu.h> #include <linux/iommufd.h> #include <linux/iova_bitmap.h> +#include <linux/maple_tree.h> #include <linux/rwsem.h> #include <linux/uaccess.h> #include <linux/xarray.h> @@ -44,6 +45,7 @@ struct iommufd_ctx { struct xarray groups; wait_queue_head_t destroy_wait; struct rw_semaphore ioas_creation_lock;

• struct maple_tree mt_mmap;

struct mutex sw_msi_lock; struct list_head sw_msi_list; @@ -55,6 +57,12 @@ struct iommufd_ctx { struct iommufd_ioas *vfio_ioas; }; +/* Entry for iommufd_ctx::mt_mmap */ +struct iommufd_mmap {

• unsigned long pfn_start;
• unsigned long pfn_end;

+};

/*

• The IOVA to PFN map. The map automatically copies the PFNs into multiple
• domains and permits sharing of PFNs between io_pagetable instances. This

diff --git a/include/linux/iommufd.h b/include/linux/iommufd.h index 5dff154e8ce1..d63e2d91be0d 100644 --- a/include/linux/iommufd.h +++ b/include/linux/iommufd.h @@ -236,6 +236,9 @@ int iommufd_object_depend(struct iommufd_object *obj_dependent, struct iommufd_object *obj_depended); void iommufd_object_undepend(struct iommufd_object *obj_dependent, struct iommufd_object *obj_depended); +int iommufd_ctx_alloc_mmap(struct iommufd_ctx *ictx, phys_addr_t base,

• 	   size_t size, unsigned long *immap_id);
  

+void iommufd_ctx_free_mmap(struct iommufd_ctx *ictx, unsigned long immap_id); struct device *iommufd_viommu_find_dev(struct iommufd_viommu *viommu, unsigned long vdev_id); int iommufd_viommu_get_vdev_id(struct iommufd_viommu *viommu, @@ -262,11 +265,23 @@ static inline int iommufd_object_depend(struct iommufd_object *obj_dependent, return -EOPNOTSUPP; } +static inline int iommufd_ctx_alloc_mmap(struct iommufd_ctx *ictx,

• 			 phys_addr_t base, size_t size,
  

• 			 unsigned long *immap_id)
  

+{

• return -EOPNOTSUPP;

+}

static inline void iommufd_object_undepend(struct iommufd_object *obj_dependent, struct iommufd_object *obj_depended) { } +static inline void iommufd_ctx_free_mmap(struct iommufd_ctx *ictx,

• 			 unsigned long immap_id)
  

+{ +}

static inline struct device * iommufd_viommu_find_dev(struct iommufd_viommu *viommu, unsigned long vdev_id) { diff --git a/drivers/iommu/iommufd/driver.c b/drivers/iommu/iommufd/driver.c index fb7f8fe40f95..c55336c580dc 100644 --- a/drivers/iommu/iommufd/driver.c +++ b/drivers/iommu/iommufd/driver.c @@ -78,6 +78,45 @@ void iommufd_object_undepend(struct iommufd_object *obj_dependent, } EXPORT_SYMBOL_NS_GPL(iommufd_object_undepend, "IOMMUFD"); +/* Driver should report the output @immap_id to user space for mmap() syscall */ +int iommufd_ctx_alloc_mmap(struct iommufd_ctx *ictx, phys_addr_t base,

• 	   size_t size, unsigned long *immap_id)
  

+{

• struct iommufd_mmap *immap;
• int rc;
• if (WARN_ON_ONCE(!immap_id))

• return -EINVAL;
  

• if (base & ~PAGE_MASK)

• return -EINVAL;
  

• if (!size || size & ~PAGE_MASK)

• return -EINVAL;
  

• immap = kzalloc(sizeof(*immap), GFP_KERNEL);
• if (!immap)

• return -ENOMEM;
  

• immap->pfn_start = base >> PAGE_SHIFT;
• immap->pfn_end = immap->pfn_start + (size >> PAGE_SHIFT) - 1;
• rc = mtree_alloc_range(&ictx->mt_mmap, immap_id, immap, sizeof(immap),

I believe this should be sizeof(*immap) ?

• 	       0, LONG_MAX >> PAGE_SHIFT, GFP_KERNEL);
  

• if (rc < 0) {

• kfree(immap);
  

• return rc;
  

• }
• /* mmap() syscall will right-shift the immap_id to vma->vm_pgoff */
• *immap_id <<= PAGE_SHIFT;
• return 0;

+} +EXPORT_SYMBOL_NS_GPL(iommufd_ctx_alloc_mmap, "IOMMUFD");

+void iommufd_ctx_free_mmap(struct iommufd_ctx *ictx, unsigned long immap_id) +{

• kfree(mtree_erase(&ictx->mt_mmap, immap_id >> PAGE_SHIFT));

+} +EXPORT_SYMBOL_NS_GPL(iommufd_ctx_free_mmap, "IOMMUFD");

/* Caller should xa_lock(&viommu->vdevs) to protect the return value */ struct device *iommufd_viommu_find_dev(struct iommufd_viommu *viommu, unsigned long vdev_id) diff --git a/drivers/iommu/iommufd/main.c b/drivers/iommu/iommufd/main.c index ac51d5cfaa61..4b46ea47164d 100644 --- a/drivers/iommu/iommufd/main.c +++ b/drivers/iommu/iommufd/main.c @@ -213,6 +213,7 @@ static int iommufd_fops_open(struct inode *inode, struct file *filp) xa_init_flags(&ictx->objects, XA_FLAGS_ALLOC1 | XA_FLAGS_ACCOUNT); xa_init(&ictx->groups); ictx->file = filp;

• mt_init_flags(&ictx->mt_mmap, MT_FLAGS_ALLOC_RANGE); init_waitqueue_head(&ictx->destroy_wait); mutex_init(&ictx->sw_msi_lock); INIT_LIST_HEAD(&ictx->sw_msi_list);

@@ -410,11 +411,49 @@ static long iommufd_fops_ioctl(struct file *filp, unsigned int cmd, return ret; } +/*

• • Kernel driver must first do iommufd_ctx_alloc_mmap() to register an mmappable
• • MMIO region to the iommufd core to receive an "immap_id". Then, driver should
• • report to user space this immap_id and the size of the registered MMIO region
• • for @vm_pgoff and @size of an mmap() call, via an IOMMU_VIOMMU_ALLOC ioctl in
• • the output fields of its driver-type data structure.
• • Note the @size is allowed to be smaller than the registered size as a partial
• • mmap starting from the registered base address.
• */

+static int iommufd_fops_mmap(struct file *filp, struct vm_area_struct *vma) +{

• struct iommufd_ctx *ictx = filp->private_data;
• size_t size = vma->vm_end - vma->vm_start;
• struct iommufd_mmap *immap;
• if (size & ~PAGE_MASK)

• return -EINVAL;
  

• if (!(vma->vm_flags & VM_SHARED))

• return -EINVAL;
  

• if (vma->vm_flags & VM_EXEC)

• return -EPERM;
  

• /* vm_pgoff carries an index (immap_id) to an mtree entry (immap) */
• immap = mtree_load(&ictx->mt_mmap, vma->vm_pgoff);
• if (!immap)

• return -ENXIO;
  

• if (size >> PAGE_SHIFT > immap->pfn_end - immap->pfn_start + 1)

• return -ENXIO;
  

• vma->vm_pgoff = 0;
• vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
• vm_flags_set(vma, VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP | VM_IO);
• return remap_pfn_range(vma, vma->vm_start, immap->pfn_start, size,

• 	       vma->vm_page_prot);
  

+}

static const struct file_operations iommufd_fops = { .owner = THIS_MODULE, .open = iommufd_fops_open, .release = iommufd_fops_release, .unlocked_ioctl = iommufd_fops_ioctl,

• .mmap = iommufd_fops_mmap,

}; /**