[PATCH v7 0/4] kvm: arm64: allow the VM to select DEVICE_* and NORMAL_NC for IO memory

[PATCH v7 0/4] kvm: arm64: allow the VM to select DEVICE_* and NORMAL_NC for IO memory

[ankita]

From: Ankit Agrawal <ankita@nvidia.com>

Currently, KVM for ARM64 maps at stage 2 memory that is considered device
with DEVICE_nGnRE memory attributes; this setting overrides (per
ARM architecture [1]) any device MMIO mapping present at stage 1,
resulting in a set-up whereby a guest operating system cannot
determine device MMIO mapping memory attributes on its own but
it is always overridden by the KVM stage 2 default.

This set-up does not allow guest operating systems to select device
memory attributes independently from KVM stage-2 mappings
(refer to [1], "Combining stage 1 and stage 2 memory type attributes"),
which turns out to be an issue in that guest operating systems
(e.g. Linux) may request to map devices MMIO regions with memory
attributes that guarantee better performance (e.g. gathering
attribute - that for some devices can generate larger PCIe memory
writes TLPs) and specific operations (e.g. unaligned transactions)
such as the NormalNC memory type.

The default device stage 2 mapping was chosen in KVM for ARM64 since
it was considered safer (i.e. it would not allow guests to trigger
uncontained failures ultimately crashing the machine) but this
turned out to be asynchronous (SError) defeating the purpose.

For these reasons, relax the KVM stage 2 device memory attributes
from DEVICE_nGnRE to Normal-NC.

Generalizing to other devices may be problematic, however. E.g.
GICv2 VCPU interface, which is effectively a shared peripheral, can
allow a guest to affect another guest's interrupt distribution. Hence
limit the change to VFIO PCI as caution. This is achieved by
making the VFIO PCI core module set a flag that is tested by KVM
to activate the code. This could be extended to other devices in
the future once that is deemed safe.

[1] section D8.5 - DDI0487J_a_a-profile_architecture_reference_manual.pdf

Applied over v6.8-rc2.

History
=======
v6 -> v7
- Changed VM_VFIO_ALLOW_WC to VM_ALLOW_ANY_UNCACHED based on suggestion
  from Alex Williamson.
- Refactored stage2_set_prot_attr() based on Will's suggestion to
  reorganize the switch cases. Also updated the case to return -EINVAL
  when both KVM_PGTABLE_PROT_DEVICE and KVM_PGTABLE_PROT_NORMAL_NC set.
- Fixed nits pointed by Oliver and Catalin.

v5 -> v6
- Rebased to v6.8-rc2

v4 -> v5
- Moved the cover letter description text to patch 1/4.
- Cleaned up stage2_set_prot_attr() based on Marc Zyngier suggestions.
- Moved the mm header file changes to a separate patch.
- Rebased to v6.7-rc3.

v3 -> v4
- Moved the vfio-pci change to use the VM_VFIO_ALLOW_WC into
  separate patch.
- Added check to warn on the case NORMAL_NC and DEVICE are
  set simultaneously.
- Fixed miscellaneous nitpicks suggested in v3.

v2 -> v3
- Added a new patch (and converted to patch series) suggested by
  Catalin Marinas to ensure the code changes are restricted to
  VFIO PCI devices.
- Introduced VM_VFIO_ALLOW_WC flag for VFIO PCI to communicate
  with VMM.
- Reverted GIC mapping to DEVICE.

v1 -> v2
- Updated commit log to the one posted by
  Lorenzo Pieralisi <lpieralisi@kernel.org> (Thanks!)
- Added new flag to represent the NORMAL_NC setting. Updated
  stage2_set_prot_attr() to handle new flag.

v6 Link:
https://lore.kernel.org/all/20240207204652.22954-1-ankita@nvidia.com/

Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ankit Agrawal <ankita@nvidia.com>

Ankit Agrawal (4):
  kvm: arm64: introduce new flag for non-cacheable IO memory
  mm: introduce new flag to indicate wc safe
  kvm: arm64: set io memory s2 pte as normalnc for vfio pci device
  vfio: convey kvm that the vfio-pci device is wc safe

 arch/arm64/include/asm/kvm_pgtable.h |  2 ++
 arch/arm64/include/asm/memory.h      |  2 ++
 arch/arm64/kvm/hyp/pgtable.c         | 24 +++++++++++++++++++-----
 arch/arm64/kvm/mmu.c                 | 14 ++++++++++----
 drivers/vfio/pci/vfio_pci_core.c     |  6 +++++-
 include/linux/mm.h                   | 14 ++++++++++++++
 6 files changed, 52 insertions(+), 10 deletions(-)

-- 
2.34.1

[PATCH v7 0/4] kvm: arm64: allow the VM to select DEVICE_* and NORMAL_NC for IO memory

[ankita]

From: Ankit Agrawal <ankita@nvidia.com>

Currently, KVM for ARM64 maps at stage 2 memory that is considered device
with DEVICE_nGnRE memory attributes; this setting overrides (per
ARM architecture [1]) any device MMIO mapping present at stage 1,
resulting in a set-up whereby a guest operating system cannot
determine device MMIO mapping memory attributes on its own but
it is always overridden by the KVM stage 2 default.

This set-up does not allow guest operating systems to select device
memory attributes independently from KVM stage-2 mappings
(refer to [1], "Combining stage 1 and stage 2 memory type attributes"),
which turns out to be an issue in that guest operating systems
(e.g. Linux) may request to map devices MMIO regions with memory
attributes that guarantee better performance (e.g. gathering
attribute - that for some devices can generate larger PCIe memory
writes TLPs) and specific operations (e.g. unaligned transactions)
such as the NormalNC memory type.

The default device stage 2 mapping was chosen in KVM for ARM64 since
it was considered safer (i.e. it would not allow guests to trigger
uncontained failures ultimately crashing the machine) but this
turned out to be asynchronous (SError) defeating the purpose.

For these reasons, relax the KVM stage 2 device memory attributes
from DEVICE_nGnRE to Normal-NC.

Generalizing to other devices may be problematic, however. E.g.
GICv2 VCPU interface, which is effectively a shared peripheral, can
allow a guest to affect another guest's interrupt distribution. Hence
limit the change to VFIO PCI as caution. This is achieved by
making the VFIO PCI core module set a flag that is tested by KVM
to activate the code. This could be extended to other devices in
the future once that is deemed safe.

[1] section D8.5 - DDI0487J_a_a-profile_architecture_reference_manual.pdf

Applied over v6.8-rc2.

History
=======
v6 -> v7
- Changed VM_VFIO_ALLOW_WC to VM_ALLOW_ANY_UNCACHED based on suggestion
  from Alex Williamson.
- Refactored stage2_set_prot_attr() based on Will's suggestion to
  reorganize the switch cases. Also updated the case to return -EINVAL
  when both KVM_PGTABLE_PROT_DEVICE and KVM_PGTABLE_PROT_NORMAL_NC set.
- Fixed nits pointed by Oliver and Catalin.

v5 -> v6
- Rebased to v6.8-rc2

v4 -> v5
- Moved the cover letter description text to patch 1/4.
- Cleaned up stage2_set_prot_attr() based on Marc Zyngier suggestions.
- Moved the mm header file changes to a separate patch.
- Rebased to v6.7-rc3.

v3 -> v4
- Moved the vfio-pci change to use the VM_VFIO_ALLOW_WC into
  separate patch.
- Added check to warn on the case NORMAL_NC and DEVICE are
  set simultaneously.
- Fixed miscellaneous nitpicks suggested in v3.

v2 -> v3
- Added a new patch (and converted to patch series) suggested by
  Catalin Marinas to ensure the code changes are restricted to
  VFIO PCI devices.
- Introduced VM_VFIO_ALLOW_WC flag for VFIO PCI to communicate
  with VMM.
- Reverted GIC mapping to DEVICE.

v1 -> v2
- Updated commit log to the one posted by
  Lorenzo Pieralisi <lpieralisi@kernel.org> (Thanks!)
- Added new flag to represent the NORMAL_NC setting. Updated
  stage2_set_prot_attr() to handle new flag.

v6 Link:
https://lore.kernel.org/all/20240207204652.22954-1-ankita@nvidia.com/

Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ankit Agrawal <ankita@nvidia.com>

Ankit Agrawal (4):
  kvm: arm64: introduce new flag for non-cacheable IO memory
  mm: introduce new flag to indicate wc safe
  kvm: arm64: set io memory s2 pte as normalnc for vfio pci device
  vfio: convey kvm that the vfio-pci device is wc safe

 arch/arm64/include/asm/kvm_pgtable.h |  2 ++
 arch/arm64/include/asm/memory.h      |  2 ++
 arch/arm64/kvm/hyp/pgtable.c         | 24 +++++++++++++++++++-----
 arch/arm64/kvm/mmu.c                 | 14 ++++++++++----
 drivers/vfio/pci/vfio_pci_core.c     |  6 +++++-
 include/linux/mm.h                   | 14 ++++++++++++++
 6 files changed, 52 insertions(+), 10 deletions(-)

-- 
2.34.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v7 1/4] kvm: arm64: introduce new flag for non-cacheable IO memory

[ankita]

From: Ankit Agrawal <ankita@nvidia.com>

Currently, KVM for ARM64 maps at stage 2 memory that is considered device
(i.e. it is not RAM) with DEVICE_nGnRE memory attributes; this setting
overrides (as per the ARM architecture [1]) any device MMIO mapping
present at stage 1, resulting in a set-up whereby a guest operating
system cannot determine device MMIO mapping memory attributes on its
own but it is always overridden by the KVM stage 2 default.

This set-up does not allow guest operating systems to select device
memory attributes independently from KVM stage-2 mappings
(refer to [1], "Combining stage 1 and stage 2 memory type attributes"),
which turns out to be an issue in that guest operating systems
(e.g. Linux) may request to map devices MMIO regions with memory
attributes that guarantee better performance (e.g. gathering
attribute - that for some devices can generate larger PCIe memory
writes TLPs) and specific operations (e.g. unaligned transactions)
such as the NormalNC memory type.

The default device stage 2 mapping was chosen in KVM for ARM64 since
it was considered safer (i.e. it would not allow guests to trigger
uncontained failures ultimately crashing the machine) but this
turned out to be asynchronous (SError) defeating the purpose.

Failures containability is a property of the platform and is independent
from the memory type used for MMIO device memory mappings.

Actually, DEVICE_nGnRE memory type is even more problematic than
Normal-NC memory type in terms of faults containability in that e.g.
aborts triggered on DEVICE_nGnRE loads cannot be made, architecturally,
synchronous (i.e. that would imply that the processor should issue at
most 1 load transaction at a time - it cannot pipeline them - otherwise
the synchronous abort semantics would break the no-speculation attribute
attached to DEVICE_XXX memory).

This means that regardless of the combined stage1+stage2 mappings a
platform is safe if and only if device transactions cannot trigger
uncontained failures and that in turn relies on platform capabilities
and the device type being assigned (i.e. PCIe AER/DPC error containment
and RAS architecture[3]); therefore the default KVM device stage 2
memory attributes play no role in making device assignment safer
for a given platform (if the platform design adheres to design
guidelines outlined in [3]) and therefore can be relaxed.

For all these reasons, relax the KVM stage 2 device memory attributes
from DEVICE_nGnRE to Normal-NC.

The NormalNC was chosen over a different Normal memory type default
at stage-2 (e.g. Normal Write-through) to avoid cache allocation/snooping.

Relaxing S2 KVM device MMIO mappings to Normal-NC is not expected to
trigger any issue on guest device reclaim use cases either (i.e. device
MMIO unmap followed by a device reset) at least for PCIe devices, in that
in PCIe a device reset is architected and carried out through PCI config
space transactions that are naturally ordered with respect to MMIO
transactions according to the PCI ordering rules.

Having Normal-NC S2 default puts guests in control (thanks to
stage1+stage2 combined memory attributes rules [1]) of device MMIO
regions memory mappings, according to the rules described in [1]
and summarized here ([(S1) - stage1], [(S2) - stage 2]):

S1           |  S2           | Result
NORMAL-WB    |  NORMAL-NC    | NORMAL-NC
NORMAL-WT    |  NORMAL-NC    | NORMAL-NC
NORMAL-NC    |  NORMAL-NC    | NORMAL-NC
DEVICE<attr> |  NORMAL-NC    | DEVICE<attr>

It is worth noting that currently, to map devices MMIO space to user
space in a device pass-through use case the VFIO framework applies memory
attributes derived from pgprot_noncached() settings applied to VMAs, which
result in device-nGnRnE memory attributes for the stage-1 VMM mappings.

This means that a userspace mapping for device MMIO space carried
out with the current VFIO framework and a guest OS mapping for the same
MMIO space may result in a mismatched alias as described in [2].

Defaulting KVM device stage-2 mappings to Normal-NC attributes does not
change anything in this respect, in that the mismatched aliases would
only affect (refer to [2] for a detailed explanation) ordering between
the userspace and GuestOS mappings resulting stream of transactions
(i.e. it does not cause loss of property for either stream of
transactions on its own), which is harmless given that the userspace
and GuestOS access to the device is carried out through independent
transactions streams.

A Normal-NC flag is not present today. So add a new kvm_pgtable_prot
(KVM_PGTABLE_PROT_NORMAL_NC) flag for it, along with its
corresponding PTE value 0x5 (0b101) determined from [1].

Lastly, adapt the stage2 PTE property setter function
(stage2_set_prot_attr) to handle the NormalNC attribute.

[1] section D8.5.5 - DDI0487J_a_a-profile_architecture_reference_manual.pdf
[2] section B2.8 - DDI0487J_a_a-profile_architecture_reference_manual.pdf
[3] sections 1.7.7.3/1.8.5.2/appendix C - DEN0029H_SBSA_7.1.pdf

Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ankit Agrawal <ankita@nvidia.com>
---
 arch/arm64/include/asm/kvm_pgtable.h |  2 ++
 arch/arm64/include/asm/memory.h      |  2 ++
 arch/arm64/kvm/hyp/pgtable.c         | 24 +++++++++++++++++++-----
 3 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/arch/arm64/include/asm/kvm_pgtable.h b/arch/arm64/include/asm/kvm_pgtable.h
index cfdf40f734b1..19278dfe7978 100644
--- a/arch/arm64/include/asm/kvm_pgtable.h
+++ b/arch/arm64/include/asm/kvm_pgtable.h
@@ -197,6 +197,7 @@ enum kvm_pgtable_stage2_flags {
  * @KVM_PGTABLE_PROT_W:		Write permission.
  * @KVM_PGTABLE_PROT_R:		Read permission.
  * @KVM_PGTABLE_PROT_DEVICE:	Device attributes.
+ * @KVM_PGTABLE_PROT_NORMAL_NC:	Normal noncacheable attributes.
  * @KVM_PGTABLE_PROT_SW0:	Software bit 0.
  * @KVM_PGTABLE_PROT_SW1:	Software bit 1.
  * @KVM_PGTABLE_PROT_SW2:	Software bit 2.
@@ -208,6 +209,7 @@ enum kvm_pgtable_prot {
 	KVM_PGTABLE_PROT_R			= BIT(2),
 
 	KVM_PGTABLE_PROT_DEVICE			= BIT(3),
+	KVM_PGTABLE_PROT_NORMAL_NC		= BIT(4),
 
 	KVM_PGTABLE_PROT_SW0			= BIT(55),
 	KVM_PGTABLE_PROT_SW1			= BIT(56),
diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h
index d82305ab420f..449ca2ff1df6 100644
--- a/arch/arm64/include/asm/memory.h
+++ b/arch/arm64/include/asm/memory.h
@@ -173,6 +173,7 @@
  * Memory types for Stage-2 translation
  */
 #define MT_S2_NORMAL		0xf
+#define MT_S2_NORMAL_NC		0x5
 #define MT_S2_DEVICE_nGnRE	0x1
 
 /*
@@ -180,6 +181,7 @@
  * Stage-2 enforces Normal-WB and Device-nGnRE
  */
 #define MT_S2_FWB_NORMAL	6
+#define MT_S2_FWB_NORMAL_NC	5
 #define MT_S2_FWB_DEVICE_nGnRE	1
 
 #ifdef CONFIG_ARM64_4K_PAGES
diff --git a/arch/arm64/kvm/hyp/pgtable.c b/arch/arm64/kvm/hyp/pgtable.c
index c651df904fe3..e2982a8922c3 100644
--- a/arch/arm64/kvm/hyp/pgtable.c
+++ b/arch/arm64/kvm/hyp/pgtable.c
@@ -717,15 +717,29 @@ void kvm_tlb_flush_vmid_range(struct kvm_s2_mmu *mmu,
 static int stage2_set_prot_attr(struct kvm_pgtable *pgt, enum kvm_pgtable_prot prot,
 				kvm_pte_t *ptep)
 {
-	bool device = prot & KVM_PGTABLE_PROT_DEVICE;
-	kvm_pte_t attr = device ? KVM_S2_MEMATTR(pgt, DEVICE_nGnRE) :
-			    KVM_S2_MEMATTR(pgt, NORMAL);
+	kvm_pte_t attr;
 	u32 sh = KVM_PTE_LEAF_ATTR_LO_S2_SH_IS;
 
+	switch (prot & (KVM_PGTABLE_PROT_DEVICE |
+			KVM_PGTABLE_PROT_NORMAL_NC)) {
+	case KVM_PGTABLE_PROT_DEVICE | KVM_PGTABLE_PROT_NORMAL_NC:
+		return -EINVAL;
+	case KVM_PGTABLE_PROT_DEVICE:
+		if (prot & KVM_PGTABLE_PROT_X)
+			return -EINVAL;
+		attr = KVM_S2_MEMATTR(pgt, DEVICE_nGnRE);
+		break;
+	case KVM_PGTABLE_PROT_NORMAL_NC:
+		if (prot & KVM_PGTABLE_PROT_X)
+			return -EINVAL;
+		attr = KVM_S2_MEMATTR(pgt, NORMAL_NC);
+		break;
+	default:
+		attr = KVM_S2_MEMATTR(pgt, NORMAL);
+	}
+
 	if (!(prot & KVM_PGTABLE_PROT_X))
 		attr |= KVM_PTE_LEAF_ATTR_HI_S2_XN;
-	else if (device)
-		return -EINVAL;
 
 	if (prot & KVM_PGTABLE_PROT_R)
 		attr |= KVM_PTE_LEAF_ATTR_LO_S2_S2AP_R;
-- 
2.34.1

[PATCH v7 1/4] kvm: arm64: introduce new flag for non-cacheable IO memory

[ankita]

From: Ankit Agrawal <ankita@nvidia.com>

Currently, KVM for ARM64 maps at stage 2 memory that is considered device
(i.e. it is not RAM) with DEVICE_nGnRE memory attributes; this setting
overrides (as per the ARM architecture [1]) any device MMIO mapping
present at stage 1, resulting in a set-up whereby a guest operating
system cannot determine device MMIO mapping memory attributes on its
own but it is always overridden by the KVM stage 2 default.

This set-up does not allow guest operating systems to select device
memory attributes independently from KVM stage-2 mappings
(refer to [1], "Combining stage 1 and stage 2 memory type attributes"),
which turns out to be an issue in that guest operating systems
(e.g. Linux) may request to map devices MMIO regions with memory
attributes that guarantee better performance (e.g. gathering
attribute - that for some devices can generate larger PCIe memory
writes TLPs) and specific operations (e.g. unaligned transactions)
such as the NormalNC memory type.

The default device stage 2 mapping was chosen in KVM for ARM64 since
it was considered safer (i.e. it would not allow guests to trigger
uncontained failures ultimately crashing the machine) but this
turned out to be asynchronous (SError) defeating the purpose.

Failures containability is a property of the platform and is independent
from the memory type used for MMIO device memory mappings.

Actually, DEVICE_nGnRE memory type is even more problematic than
Normal-NC memory type in terms of faults containability in that e.g.
aborts triggered on DEVICE_nGnRE loads cannot be made, architecturally,
synchronous (i.e. that would imply that the processor should issue at
most 1 load transaction at a time - it cannot pipeline them - otherwise
the synchronous abort semantics would break the no-speculation attribute
attached to DEVICE_XXX memory).

This means that regardless of the combined stage1+stage2 mappings a
platform is safe if and only if device transactions cannot trigger
uncontained failures and that in turn relies on platform capabilities
and the device type being assigned (i.e. PCIe AER/DPC error containment
and RAS architecture[3]); therefore the default KVM device stage 2
memory attributes play no role in making device assignment safer
for a given platform (if the platform design adheres to design
guidelines outlined in [3]) and therefore can be relaxed.

For all these reasons, relax the KVM stage 2 device memory attributes
from DEVICE_nGnRE to Normal-NC.

The NormalNC was chosen over a different Normal memory type default
at stage-2 (e.g. Normal Write-through) to avoid cache allocation/snooping.

Relaxing S2 KVM device MMIO mappings to Normal-NC is not expected to
trigger any issue on guest device reclaim use cases either (i.e. device
MMIO unmap followed by a device reset) at least for PCIe devices, in that
in PCIe a device reset is architected and carried out through PCI config
space transactions that are naturally ordered with respect to MMIO
transactions according to the PCI ordering rules.

Having Normal-NC S2 default puts guests in control (thanks to
stage1+stage2 combined memory attributes rules [1]) of device MMIO
regions memory mappings, according to the rules described in [1]
and summarized here ([(S1) - stage1], [(S2) - stage 2]):

S1           |  S2           | Result
NORMAL-WB    |  NORMAL-NC    | NORMAL-NC
NORMAL-WT    |  NORMAL-NC    | NORMAL-NC
NORMAL-NC    |  NORMAL-NC    | NORMAL-NC
DEVICE<attr> |  NORMAL-NC    | DEVICE<attr>

It is worth noting that currently, to map devices MMIO space to user
space in a device pass-through use case the VFIO framework applies memory
attributes derived from pgprot_noncached() settings applied to VMAs, which
result in device-nGnRnE memory attributes for the stage-1 VMM mappings.

This means that a userspace mapping for device MMIO space carried
out with the current VFIO framework and a guest OS mapping for the same
MMIO space may result in a mismatched alias as described in [2].

Defaulting KVM device stage-2 mappings to Normal-NC attributes does not
change anything in this respect, in that the mismatched aliases would
only affect (refer to [2] for a detailed explanation) ordering between
the userspace and GuestOS mappings resulting stream of transactions
(i.e. it does not cause loss of property for either stream of
transactions on its own), which is harmless given that the userspace
and GuestOS access to the device is carried out through independent
transactions streams.

A Normal-NC flag is not present today. So add a new kvm_pgtable_prot
(KVM_PGTABLE_PROT_NORMAL_NC) flag for it, along with its
corresponding PTE value 0x5 (0b101) determined from [1].

Lastly, adapt the stage2 PTE property setter function
(stage2_set_prot_attr) to handle the NormalNC attribute.

[1] section D8.5.5 - DDI0487J_a_a-profile_architecture_reference_manual.pdf
[2] section B2.8 - DDI0487J_a_a-profile_architecture_reference_manual.pdf
[3] sections 1.7.7.3/1.8.5.2/appendix C - DEN0029H_SBSA_7.1.pdf

Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ankit Agrawal <ankita@nvidia.com>
---
 arch/arm64/include/asm/kvm_pgtable.h |  2 ++
 arch/arm64/include/asm/memory.h      |  2 ++
 arch/arm64/kvm/hyp/pgtable.c         | 24 +++++++++++++++++++-----
 3 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/arch/arm64/include/asm/kvm_pgtable.h b/arch/arm64/include/asm/kvm_pgtable.h
index cfdf40f734b1..19278dfe7978 100644
--- a/arch/arm64/include/asm/kvm_pgtable.h
+++ b/arch/arm64/include/asm/kvm_pgtable.h
@@ -197,6 +197,7 @@ enum kvm_pgtable_stage2_flags {
  * @KVM_PGTABLE_PROT_W:		Write permission.
  * @KVM_PGTABLE_PROT_R:		Read permission.
  * @KVM_PGTABLE_PROT_DEVICE:	Device attributes.
+ * @KVM_PGTABLE_PROT_NORMAL_NC:	Normal noncacheable attributes.
  * @KVM_PGTABLE_PROT_SW0:	Software bit 0.
  * @KVM_PGTABLE_PROT_SW1:	Software bit 1.
  * @KVM_PGTABLE_PROT_SW2:	Software bit 2.
@@ -208,6 +209,7 @@ enum kvm_pgtable_prot {
 	KVM_PGTABLE_PROT_R			= BIT(2),
 
 	KVM_PGTABLE_PROT_DEVICE			= BIT(3),
+	KVM_PGTABLE_PROT_NORMAL_NC		= BIT(4),
 
 	KVM_PGTABLE_PROT_SW0			= BIT(55),
 	KVM_PGTABLE_PROT_SW1			= BIT(56),
diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h
index d82305ab420f..449ca2ff1df6 100644
--- a/arch/arm64/include/asm/memory.h
+++ b/arch/arm64/include/asm/memory.h
@@ -173,6 +173,7 @@
  * Memory types for Stage-2 translation
  */
 #define MT_S2_NORMAL		0xf
+#define MT_S2_NORMAL_NC		0x5
 #define MT_S2_DEVICE_nGnRE	0x1
 
 /*
@@ -180,6 +181,7 @@
  * Stage-2 enforces Normal-WB and Device-nGnRE
  */
 #define MT_S2_FWB_NORMAL	6
+#define MT_S2_FWB_NORMAL_NC	5
 #define MT_S2_FWB_DEVICE_nGnRE	1
 
 #ifdef CONFIG_ARM64_4K_PAGES
diff --git a/arch/arm64/kvm/hyp/pgtable.c b/arch/arm64/kvm/hyp/pgtable.c
index c651df904fe3..e2982a8922c3 100644
--- a/arch/arm64/kvm/hyp/pgtable.c
+++ b/arch/arm64/kvm/hyp/pgtable.c
@@ -717,15 +717,29 @@ void kvm_tlb_flush_vmid_range(struct kvm_s2_mmu *mmu,
 static int stage2_set_prot_attr(struct kvm_pgtable *pgt, enum kvm_pgtable_prot prot,
 				kvm_pte_t *ptep)
 {
-	bool device = prot & KVM_PGTABLE_PROT_DEVICE;
-	kvm_pte_t attr = device ? KVM_S2_MEMATTR(pgt, DEVICE_nGnRE) :
-			    KVM_S2_MEMATTR(pgt, NORMAL);
+	kvm_pte_t attr;
 	u32 sh = KVM_PTE_LEAF_ATTR_LO_S2_SH_IS;
 
+	switch (prot & (KVM_PGTABLE_PROT_DEVICE |
+			KVM_PGTABLE_PROT_NORMAL_NC)) {
+	case KVM_PGTABLE_PROT_DEVICE | KVM_PGTABLE_PROT_NORMAL_NC:
+		return -EINVAL;
+	case KVM_PGTABLE_PROT_DEVICE:
+		if (prot & KVM_PGTABLE_PROT_X)
+			return -EINVAL;
+		attr = KVM_S2_MEMATTR(pgt, DEVICE_nGnRE);
+		break;
+	case KVM_PGTABLE_PROT_NORMAL_NC:
+		if (prot & KVM_PGTABLE_PROT_X)
+			return -EINVAL;
+		attr = KVM_S2_MEMATTR(pgt, NORMAL_NC);
+		break;
+	default:
+		attr = KVM_S2_MEMATTR(pgt, NORMAL);
+	}
+
 	if (!(prot & KVM_PGTABLE_PROT_X))
 		attr |= KVM_PTE_LEAF_ATTR_HI_S2_XN;
-	else if (device)
-		return -EINVAL;
 
 	if (prot & KVM_PGTABLE_PROT_R)
 		attr |= KVM_PTE_LEAF_ATTR_LO_S2_S2AP_R;
-- 
2.34.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v7 2/4] mm: introduce new flag to indicate wc safe

[ankita]

From: Ankit Agrawal <ankita@nvidia.com>

Generalizing S2 setting from DEVICE_nGnRE to NormalNc for non PCI
devices may be problematic. E.g. GICv2 vCPU interface, which is
effectively a shared peripheral, can allow a guest to affect another
guest's interrupt distribution. The issue may be solved by limiting
the relaxation to mappings that have a user VMA. Still there is
insufficient information and uncertainity in the behavior of
non PCI drivers.

Add a new flag VM_ALLOW_ANY_UNCACHED to indicate KVM that the device
is WC capable and these S2 changes can be extended to it. KVM can use
this flag to activate the code.

Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Ankit Agrawal <ankita@nvidia.com>
---
 include/linux/mm.h | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/include/linux/mm.h b/include/linux/mm.h
index f5a97dec5169..59576e56c58b 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -391,6 +391,20 @@ extern unsigned int kobjsize(const void *objp);
 # define VM_UFFD_MINOR		VM_NONE
 #endif /* CONFIG_HAVE_ARCH_USERFAULTFD_MINOR */
 
+/*
+ * This flag is used to connect VFIO to arch specific KVM code. It
+ * indicates that the memory under this VMA is safe for use with any
+ * non-cachable memory type inside KVM. Some VFIO devices, on some
+ * platforms, are thought to be unsafe and can cause machine crashes
+ * if KVM does not lock down the memory type.
+ */
+#ifdef CONFIG_64BIT
+#define VM_ALLOW_ANY_UNCACHED_BIT	39
+#define VM_ALLOW_ANY_UNCACHED		BIT(VM_ALLOW_ANY_UNCACHED_BIT)
+#else
+#define VM_ALLOW_ANY_UNCACHED		VM_NONE
+#endif
+
 /* Bits set in the VMA until the stack is in its final location */
 #define VM_STACK_INCOMPLETE_SETUP (VM_RAND_READ | VM_SEQ_READ | VM_STACK_EARLY)
 
-- 
2.34.1

[PATCH v7 2/4] mm: introduce new flag to indicate wc safe

[ankita]

From: Ankit Agrawal <ankita@nvidia.com>

Generalizing S2 setting from DEVICE_nGnRE to NormalNc for non PCI
devices may be problematic. E.g. GICv2 vCPU interface, which is
effectively a shared peripheral, can allow a guest to affect another
guest's interrupt distribution. The issue may be solved by limiting
the relaxation to mappings that have a user VMA. Still there is
insufficient information and uncertainity in the behavior of
non PCI drivers.

Add a new flag VM_ALLOW_ANY_UNCACHED to indicate KVM that the device
is WC capable and these S2 changes can be extended to it. KVM can use
this flag to activate the code.

Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Ankit Agrawal <ankita@nvidia.com>
---
 include/linux/mm.h | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/include/linux/mm.h b/include/linux/mm.h
index f5a97dec5169..59576e56c58b 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -391,6 +391,20 @@ extern unsigned int kobjsize(const void *objp);
 # define VM_UFFD_MINOR		VM_NONE
 #endif /* CONFIG_HAVE_ARCH_USERFAULTFD_MINOR */
 
+/*
+ * This flag is used to connect VFIO to arch specific KVM code. It
+ * indicates that the memory under this VMA is safe for use with any
+ * non-cachable memory type inside KVM. Some VFIO devices, on some
+ * platforms, are thought to be unsafe and can cause machine crashes
+ * if KVM does not lock down the memory type.
+ */
+#ifdef CONFIG_64BIT
+#define VM_ALLOW_ANY_UNCACHED_BIT	39
+#define VM_ALLOW_ANY_UNCACHED		BIT(VM_ALLOW_ANY_UNCACHED_BIT)
+#else
+#define VM_ALLOW_ANY_UNCACHED		VM_NONE
+#endif
+
 /* Bits set in the VMA until the stack is in its final location */
 #define VM_STACK_INCOMPLETE_SETUP (VM_RAND_READ | VM_SEQ_READ | VM_STACK_EARLY)
 
-- 
2.34.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v7 3/4] kvm: arm64: set io memory s2 pte as normalnc for vfio pci device

[ankita]

From: Ankit Agrawal <ankita@nvidia.com>

To provide VM with the ability to get device IO memory with NormalNC
property, map device MMIO in KVM for ARM64 at stage2 as NormalNC.
Having NormalNC S2 default puts guests in control (based on [1],
"Combining stage 1 and stage 2 memory type attributes") of device
MMIO regions memory mappings. The rules are summarized below:
([(S1) - stage1], [(S2) - stage 2])

S1           |  S2           | Result
NORMAL-WB    |  NORMAL-NC    | NORMAL-NC
NORMAL-WT    |  NORMAL-NC    | NORMAL-NC
NORMAL-NC    |  NORMAL-NC    | NORMAL-NC
DEVICE<attr> |  NORMAL-NC    | DEVICE<attr>

Still this cannot be generalized to non PCI devices such as GICv2.
There is insufficient information and uncertainity in the behavior
of non PCI driver. A driver must indicate support using the
new flag VM_ALLOW_ANY_UNCACHED.

Adapt KVM to make use of the flag VM_ALLOW_ANY_UNCACHED as indicator to
activate the S2 setting to NormalNc.

[1] section D8.5.5 of DDI0487J_a_a-profile_architecture_reference_manual.pdf

Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
Acked-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ankit Agrawal <ankita@nvidia.com>
---
 arch/arm64/kvm/mmu.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c
index d14504821b79..1742fdccb432 100644
--- a/arch/arm64/kvm/mmu.c
+++ b/arch/arm64/kvm/mmu.c
@@ -1381,7 +1381,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
 	int ret = 0;
 	bool write_fault, writable, force_pte = false;
 	bool exec_fault, mte_allowed;
-	bool device = false;
+	bool device = false, vfio_allow_any_uc = false;
 	unsigned long mmu_seq;
 	struct kvm *kvm = vcpu->kvm;
 	struct kvm_mmu_memory_cache *memcache = &vcpu->arch.mmu_page_cache;
@@ -1472,6 +1472,8 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
 	gfn = fault_ipa >> PAGE_SHIFT;
 	mte_allowed = kvm_vma_mte_allowed(vma);
 
+	vfio_allow_any_uc = vma->vm_flags & VM_ALLOW_ANY_UNCACHED;
+
 	/* Don't use the VMA after the unlock -- it may have vanished */
 	vma = NULL;
 
@@ -1557,10 +1559,14 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
 	if (exec_fault)
 		prot |= KVM_PGTABLE_PROT_X;
 
-	if (device)
-		prot |= KVM_PGTABLE_PROT_DEVICE;
-	else if (cpus_have_final_cap(ARM64_HAS_CACHE_DIC))
+	if (device) {
+		if (vfio_allow_any_uc)
+			prot |= KVM_PGTABLE_PROT_NORMAL_NC;
+		else
+			prot |= KVM_PGTABLE_PROT_DEVICE;
+	} else if (cpus_have_final_cap(ARM64_HAS_CACHE_DIC)) {
 		prot |= KVM_PGTABLE_PROT_X;
+	}
 
 	/*
 	 * Under the premise of getting a FSC_PERM fault, we just need to relax
-- 
2.34.1

[PATCH v7 3/4] kvm: arm64: set io memory s2 pte as normalnc for vfio pci device

[ankita]

From: Ankit Agrawal <ankita@nvidia.com>

To provide VM with the ability to get device IO memory with NormalNC
property, map device MMIO in KVM for ARM64 at stage2 as NormalNC.
Having NormalNC S2 default puts guests in control (based on [1],
"Combining stage 1 and stage 2 memory type attributes") of device
MMIO regions memory mappings. The rules are summarized below:
([(S1) - stage1], [(S2) - stage 2])

S1           |  S2           | Result
NORMAL-WB    |  NORMAL-NC    | NORMAL-NC
NORMAL-WT    |  NORMAL-NC    | NORMAL-NC
NORMAL-NC    |  NORMAL-NC    | NORMAL-NC
DEVICE<attr> |  NORMAL-NC    | DEVICE<attr>

Still this cannot be generalized to non PCI devices such as GICv2.
There is insufficient information and uncertainity in the behavior
of non PCI driver. A driver must indicate support using the
new flag VM_ALLOW_ANY_UNCACHED.

Adapt KVM to make use of the flag VM_ALLOW_ANY_UNCACHED as indicator to
activate the S2 setting to NormalNc.

[1] section D8.5.5 of DDI0487J_a_a-profile_architecture_reference_manual.pdf

Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
Acked-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ankit Agrawal <ankita@nvidia.com>
---
 arch/arm64/kvm/mmu.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c
index d14504821b79..1742fdccb432 100644
--- a/arch/arm64/kvm/mmu.c
+++ b/arch/arm64/kvm/mmu.c
@@ -1381,7 +1381,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
 	int ret = 0;
 	bool write_fault, writable, force_pte = false;
 	bool exec_fault, mte_allowed;
-	bool device = false;
+	bool device = false, vfio_allow_any_uc = false;
 	unsigned long mmu_seq;
 	struct kvm *kvm = vcpu->kvm;
 	struct kvm_mmu_memory_cache *memcache = &vcpu->arch.mmu_page_cache;
@@ -1472,6 +1472,8 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
 	gfn = fault_ipa >> PAGE_SHIFT;
 	mte_allowed = kvm_vma_mte_allowed(vma);
 
+	vfio_allow_any_uc = vma->vm_flags & VM_ALLOW_ANY_UNCACHED;
+
 	/* Don't use the VMA after the unlock -- it may have vanished */
 	vma = NULL;
 
@@ -1557,10 +1559,14 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
 	if (exec_fault)
 		prot |= KVM_PGTABLE_PROT_X;
 
-	if (device)
-		prot |= KVM_PGTABLE_PROT_DEVICE;
-	else if (cpus_have_final_cap(ARM64_HAS_CACHE_DIC))
+	if (device) {
+		if (vfio_allow_any_uc)
+			prot |= KVM_PGTABLE_PROT_NORMAL_NC;
+		else
+			prot |= KVM_PGTABLE_PROT_DEVICE;
+	} else if (cpus_have_final_cap(ARM64_HAS_CACHE_DIC)) {
 		prot |= KVM_PGTABLE_PROT_X;
+	}
 
 	/*
 	 * Under the premise of getting a FSC_PERM fault, we just need to relax
-- 
2.34.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v7 4/4] vfio: convey kvm that the vfio-pci device is wc safe

[ankita]

From: Ankit Agrawal <ankita@nvidia.com>

The code to map the MMIO in S2 as NormalNC is enabled when conveyed
that the device is WC safe using a new flag VM_ALLOW_ANY_UNCACHED.

Make vfio-pci set the VM_ALLOW_ANY_UNCACHED flag.

This could be extended to other devices in the future once that
is deemed safe.

Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
Acked-by: Jason Gunthorpe <jgg@nvidia.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ankit Agrawal <ankita@nvidia.com>
---
 drivers/vfio/pci/vfio_pci_core.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
index 1cbc990d42e0..eba2146202f9 100644
--- a/drivers/vfio/pci/vfio_pci_core.c
+++ b/drivers/vfio/pci/vfio_pci_core.c
@@ -1862,8 +1862,12 @@ int vfio_pci_core_mmap(struct vfio_device *core_vdev, struct vm_area_struct *vma
 	/*
 	 * See remap_pfn_range(), called from vfio_pci_fault() but we can't
 	 * change vm_flags within the fault handler.  Set them now.
+	 *
+	 * Set an additional flag VM_ALLOW_ANY_UNCACHED to convey kvm that
+	 * the device is wc safe.
 	 */
-	vm_flags_set(vma, VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP);
+	vm_flags_set(vma, VM_ALLOW_ANY_UNCACHED | VM_IO | VM_PFNMAP |
+			VM_DONTEXPAND | VM_DONTDUMP);
 	vma->vm_ops = &vfio_pci_mmap_ops;
 
 	return 0;
-- 
2.34.1

[PATCH v7 4/4] vfio: convey kvm that the vfio-pci device is wc safe

[ankita]

From: Ankit Agrawal <ankita@nvidia.com>

The code to map the MMIO in S2 as NormalNC is enabled when conveyed
that the device is WC safe using a new flag VM_ALLOW_ANY_UNCACHED.

Make vfio-pci set the VM_ALLOW_ANY_UNCACHED flag.

This could be extended to other devices in the future once that
is deemed safe.

Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
Acked-by: Jason Gunthorpe <jgg@nvidia.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ankit Agrawal <ankita@nvidia.com>
---
 drivers/vfio/pci/vfio_pci_core.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
index 1cbc990d42e0..eba2146202f9 100644
--- a/drivers/vfio/pci/vfio_pci_core.c
+++ b/drivers/vfio/pci/vfio_pci_core.c
@@ -1862,8 +1862,12 @@ int vfio_pci_core_mmap(struct vfio_device *core_vdev, struct vm_area_struct *vma
 	/*
 	 * See remap_pfn_range(), called from vfio_pci_fault() but we can't
 	 * change vm_flags within the fault handler.  Set them now.
+	 *
+	 * Set an additional flag VM_ALLOW_ANY_UNCACHED to convey kvm that
+	 * the device is wc safe.
 	 */
-	vm_flags_set(vma, VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP);
+	vm_flags_set(vma, VM_ALLOW_ANY_UNCACHED | VM_IO | VM_PFNMAP |
+			VM_DONTEXPAND | VM_DONTDUMP);
 	vma->vm_ops = &vfio_pci_mmap_ops;
 
 	return 0;
-- 
2.34.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH v7 0/4] kvm: arm64: allow the VM to select DEVICE_* and NORMAL_NC for IO memory

[David Hildenbrand]

On 11.02.24 18:47, ankita@nvidia.com wrote:
> From: Ankit Agrawal <ankita@nvidia.com>
> 

Hi,

> Currently, KVM for ARM64 maps at stage 2 memory that is considered device
> with DEVICE_nGnRE memory attributes; this setting overrides (per
> ARM architecture [1]) any device MMIO mapping present at stage 1,
> resulting in a set-up whereby a guest operating system cannot
> determine device MMIO mapping memory attributes on its own but
> it is always overridden by the KVM stage 2 default.
> 
> This set-up does not allow guest operating systems to select device
> memory attributes independently from KVM stage-2 mappings
> (refer to [1], "Combining stage 1 and stage 2 memory type attributes"),
> which turns out to be an issue in that guest operating systems
> (e.g. Linux) may request to map devices MMIO regions with memory
> attributes that guarantee better performance (e.g. gathering
> attribute - that for some devices can generate larger PCIe memory
> writes TLPs) and specific operations (e.g. unaligned transactions)
> such as the NormalNC memory type.
> 
> The default device stage 2 mapping was chosen in KVM for ARM64 since
> it was considered safer (i.e. it would not allow guests to trigger
> uncontained failures ultimately crashing the machine) but this
> turned out to be asynchronous (SError) defeating the purpose.
> 
> For these reasons, relax the KVM stage 2 device memory attributes
> from DEVICE_nGnRE to Normal-NC.
> 
> Generalizing to other devices may be problematic, however. E.g.
> GICv2 VCPU interface, which is effectively a shared peripheral, can
> allow a guest to affect another guest's interrupt distribution. Hence
> limit the change to VFIO PCI as caution. This is achieved by
> making the VFIO PCI core module set a flag that is tested by KVM
> to activate the code. This could be extended to other devices in
> the future once that is deemed safe.

I still have to digest some of the stuff I learned about this issue, 
please bear with me :)

(1) PCI BARs might contain mixtures of RAM and MMIO, the exact 
locations/semantics within a BAR are only really known to the actual 
device driver.

We must not unconditionally map PFNs "the wrong way", because it can 
have undesired side effects. Side effects might include 
read-speculation, that can be very problematic with MMIO regions.

The safe way (for the host) is DEVICE_nGnRE. But that is actually 
problematic for performance (where we want WC?) and unaligned accesses 
(where we want NC?).

We can trigger both cases right now inside VMs, where we want the device 
driver to actually make the decision.


(2) For a VM, that device driver lives inside the VM, for DPDK and 
friends, it lives in user space. They have this information.

We only focus here on optimizing (fixing?) the mapping for VMs, DPDK is 
out of the picture. So we want to allow the VM to achieve a WC/NC 
mapping by using a relaxed (NC) mapping in stage-1. Whatever is set in 
stage-2 wins.


(3) vfio knows whether using WC (and NC?) could be problematic, and must 
forbid it, if that is the case. There are cases where we could otherwise 
cause harm (bring down the host?). We must keep mapping the memory as 
DEVICE_nGnRE when in doubt.


Now, what the new mmap() flag does is tell the world "using the wrong 
mapping type cannot bring down the host", and KVM uses that to use a 
different mapping type (NC) in stage-1 as setup by vfio in the user 
space page tables.

I was trying to find ways of avoiding a mmap() flag and was hoping that 
we could just use a PTE bit that does not have semantics in VM_PFNMAP 
mappings. Unfortunately, arm64 does not support uffd-wp, which I had in 
mind, so it's not that easy.


Further, I was wondering if there would be a way to let DPDK similarly 
benefit, because it looks like we are happily ignoring that (I was told 
they apply some hacks to work around that).


In essence, user space knows how it will consume that memory: QEMU wants 
to mmap() it only to get it into stage-1 and not access it via the user 
page tables. DPDK wants to mmap() it to actually access it from user space.


So I am curious, is the following problematic, and why:

(a) User space tells VFIO which parts of a BAR it would like to have 
mapped differently. For QEMU, this would mean, requesting a NC mapping 
for the whole BAR. For DPDK, it could mean requesting different types 
for parts of a BAR.

(b) VFIO decides if it is safe to use a relaxed mapping. If in doubt, it 
falls back to existing (legacy) handling -- DEVICE_nGnRE.

(c) KVM simply uses the existing mapping type instead of diverging from 
the one in the user space mapping.


That would mean, that we would map NC already in QEMU. I wonder if that 
could be a problem with read speculation, even if QEMU never really 
accesses that mmap'ed region.

Something like that would of course require user space changes. Handling 
it without such changes (ignoring DPDK of course) would require some 
information exchange between KVM and vfio, like the mmap flag proposed.

-- 
Cheers,

David / dhildenb

Re: [PATCH v7 0/4] kvm: arm64: allow the VM to select DEVICE_* and NORMAL_NC for IO memory

[David Hildenbrand]

On 11.02.24 18:47, ankita@nvidia.com wrote:
> From: Ankit Agrawal <ankita@nvidia.com>
> 

Hi,

> Currently, KVM for ARM64 maps at stage 2 memory that is considered device
> with DEVICE_nGnRE memory attributes; this setting overrides (per
> ARM architecture [1]) any device MMIO mapping present at stage 1,
> resulting in a set-up whereby a guest operating system cannot
> determine device MMIO mapping memory attributes on its own but
> it is always overridden by the KVM stage 2 default.
> 
> This set-up does not allow guest operating systems to select device
> memory attributes independently from KVM stage-2 mappings
> (refer to [1], "Combining stage 1 and stage 2 memory type attributes"),
> which turns out to be an issue in that guest operating systems
> (e.g. Linux) may request to map devices MMIO regions with memory
> attributes that guarantee better performance (e.g. gathering
> attribute - that for some devices can generate larger PCIe memory
> writes TLPs) and specific operations (e.g. unaligned transactions)
> such as the NormalNC memory type.
> 
> The default device stage 2 mapping was chosen in KVM for ARM64 since
> it was considered safer (i.e. it would not allow guests to trigger
> uncontained failures ultimately crashing the machine) but this
> turned out to be asynchronous (SError) defeating the purpose.
> 
> For these reasons, relax the KVM stage 2 device memory attributes
> from DEVICE_nGnRE to Normal-NC.
> 
> Generalizing to other devices may be problematic, however. E.g.
> GICv2 VCPU interface, which is effectively a shared peripheral, can
> allow a guest to affect another guest's interrupt distribution. Hence
> limit the change to VFIO PCI as caution. This is achieved by
> making the VFIO PCI core module set a flag that is tested by KVM
> to activate the code. This could be extended to other devices in
> the future once that is deemed safe.

I still have to digest some of the stuff I learned about this issue, 
please bear with me :)

(1) PCI BARs might contain mixtures of RAM and MMIO, the exact 
locations/semantics within a BAR are only really known to the actual 
device driver.

We must not unconditionally map PFNs "the wrong way", because it can 
have undesired side effects. Side effects might include 
read-speculation, that can be very problematic with MMIO regions.

The safe way (for the host) is DEVICE_nGnRE. But that is actually 
problematic for performance (where we want WC?) and unaligned accesses 
(where we want NC?).

We can trigger both cases right now inside VMs, where we want the device 
driver to actually make the decision.


(2) For a VM, that device driver lives inside the VM, for DPDK and 
friends, it lives in user space. They have this information.

We only focus here on optimizing (fixing?) the mapping for VMs, DPDK is 
out of the picture. So we want to allow the VM to achieve a WC/NC 
mapping by using a relaxed (NC) mapping in stage-1. Whatever is set in 
stage-2 wins.


(3) vfio knows whether using WC (and NC?) could be problematic, and must 
forbid it, if that is the case. There are cases where we could otherwise 
cause harm (bring down the host?). We must keep mapping the memory as 
DEVICE_nGnRE when in doubt.


Now, what the new mmap() flag does is tell the world "using the wrong 
mapping type cannot bring down the host", and KVM uses that to use a 
different mapping type (NC) in stage-1 as setup by vfio in the user 
space page tables.

I was trying to find ways of avoiding a mmap() flag and was hoping that 
we could just use a PTE bit that does not have semantics in VM_PFNMAP 
mappings. Unfortunately, arm64 does not support uffd-wp, which I had in 
mind, so it's not that easy.


Further, I was wondering if there would be a way to let DPDK similarly 
benefit, because it looks like we are happily ignoring that (I was told 
they apply some hacks to work around that).


In essence, user space knows how it will consume that memory: QEMU wants 
to mmap() it only to get it into stage-1 and not access it via the user 
page tables. DPDK wants to mmap() it to actually access it from user space.


So I am curious, is the following problematic, and why:

(a) User space tells VFIO which parts of a BAR it would like to have 
mapped differently. For QEMU, this would mean, requesting a NC mapping 
for the whole BAR. For DPDK, it could mean requesting different types 
for parts of a BAR.

(b) VFIO decides if it is safe to use a relaxed mapping. If in doubt, it 
falls back to existing (legacy) handling -- DEVICE_nGnRE.

(c) KVM simply uses the existing mapping type instead of diverging from 
the one in the user space mapping.


That would mean, that we would map NC already in QEMU. I wonder if that 
could be a problem with read speculation, even if QEMU never really 
accesses that mmap'ed region.

Something like that would of course require user space changes. Handling 
it without such changes (ignoring DPDK of course) would require some 
information exchange between KVM and vfio, like the mmap flag proposed.

-- 
Cheers,

David / dhildenb


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH v7 0/4] kvm: arm64: allow the VM to select DEVICE_* and NORMAL_NC for IO memory

[Jason Gunthorpe]

On Mon, Feb 12, 2024 at 11:26:12AM +0100, David Hildenbrand wrote:

> I still have to digest some of the stuff I learned about this issue, please
> bear with me :)
> 
> (1) PCI BARs might contain mixtures of RAM and MMIO, the exact
> locations/semantics within a BAR are only really known to the actual device
> driver.

Nit: Not RAM and MMIO but different kinds of MMIO that have different
access patterns. The conclusion is correct.

> We must not unconditionally map PFNs "the wrong way", because it can have
> undesired side effects. Side effects might include read-speculation, that
> can be very problematic with MMIO regions.

It is worse that some hand wavey "side effect". If you map memory with
NORMAL_NC (ie for write combining) then writel() doesn't work
correctly at all.

The memory must be mapped according to which kernel APIs the actual
driver in the VM will use. writel() vs __iowrite64_copy().

> We can trigger both cases right now inside VMs, where we want the device
> driver to actually make the decision.

Yes
 
> (2) For a VM, that device driver lives inside the VM, for DPDK and friends,
> it lives in user space. They have this information.

Yes
 
> We only focus here on optimizing (fixing?) the mapping for VMs, DPDK is out
> of the picture.

DPDK will be solved through some VFIO ioctl, we know how to do it,
just nobody has cared enough to do it.

> So we want to allow the VM to achieve a WC/NC mapping by using a
> relaxed (NC) mapping in stage-1. Whatever is set in stage-2 wins.

Yes
 
> 
> (3) vfio knows whether using WC (and NC?) could be problematic, and must
> forbid it, if that is the case. There are cases where we could otherwise
> cause harm (bring down the host?). We must keep mapping the memory as
> DEVICE_nGnRE when in doubt.

Yes, there is an unspecific fear that on ARM platforms using NORMAL_NC
in the wrong way can trigger a catastrophic error and kill the
host. There is no way to know if the platform has this bug, so the
agreement was to be conservative and only allow it for vfio-pci, based
on some specific details of how PCI has to be implemented and ARM
guidance on PCI integration..

> Now, what the new mmap() flag does is tell the world "using the wrong
> mapping type cannot bring down the host", and KVM uses that to use a
> different mapping type (NC) in stage-1 as setup by vfio in the user space
> page tables.

The inverse meaning, we assume VMAs with the flag can bring down the
host, but yes.

> I was trying to find ways of avoiding a mmap() flag and was hoping that we
> could just use a PTE bit that does not have semantics in VM_PFNMAP mappings.
> Unfortunately, arm64 does not support uffd-wp, which I had in mind, so it's
> not that easy.

Seems like a waste of a valuable PTE bit to me.

> Further, I was wondering if there would be a way to let DPDK similarly
> benefit, because it looks like we are happily ignoring that (I was told they
> apply some hacks to work around that).

dpdk doesn't need the VMA bit, we know how to solve it with vfio
ioctls, it is very straightforward. dpdk just does a ioctl & mmap and
VFIO will create a vma with pgprote_writecombine(). Completely
trivial, the only nasty bit is fitting this into the VFIO uAPI.

> (a) User space tells VFIO which parts of a BAR it would like to have mapped
> differently. For QEMU, this would mean, requesting a NC mapping for the
> whole BAR. For DPDK, it could mean requesting different types for parts of a
> BAR.

We don't want to have have the memory mapped as NC in qemu. As I said
above if it is mapped NC then writel() doesn't work. We can't have
conflicting mappings that go toward NC when the right answer is
DEVICE. 

writel() on NC will malfunction.

__iowrite64_copy() on DEVICE will be functionally correct but slower.

The S2 mapping that KVM creates is special because it doesn't actually
map it once the VM kernel gets started. The VM kernel always supplies
a S1 table that sets the correct type.

So if qemu has DEVICE, the S2 has NC and the VM's S1 has DEVICE then
the mapping is realiably made to be DEVICE. The hidden S2 doesn't
cause a problem.

> That would mean, that we would map NC already in QEMU. I wonder if that
> could be a problem with read speculation, even if QEMU never really accesses
> that mmap'ed region.

Also correct.

Further, qemu may need to do emulation for MMIO in various cases and
the qemu logic for this requires a DEVICE mapping or the emulation
will malfunction.

Using NC in qemu is off the table.

Jason

Re: [PATCH v7 0/4] kvm: arm64: allow the VM to select DEVICE_* and NORMAL_NC for IO memory

[Jason Gunthorpe]

On Mon, Feb 12, 2024 at 11:26:12AM +0100, David Hildenbrand wrote:

> I still have to digest some of the stuff I learned about this issue, please
> bear with me :)
> 
> (1) PCI BARs might contain mixtures of RAM and MMIO, the exact
> locations/semantics within a BAR are only really known to the actual device
> driver.

Nit: Not RAM and MMIO but different kinds of MMIO that have different
access patterns. The conclusion is correct.

> We must not unconditionally map PFNs "the wrong way", because it can have
> undesired side effects. Side effects might include read-speculation, that
> can be very problematic with MMIO regions.

It is worse that some hand wavey "side effect". If you map memory with
NORMAL_NC (ie for write combining) then writel() doesn't work
correctly at all.

The memory must be mapped according to which kernel APIs the actual
driver in the VM will use. writel() vs __iowrite64_copy().

> We can trigger both cases right now inside VMs, where we want the device
> driver to actually make the decision.

Yes
 
> (2) For a VM, that device driver lives inside the VM, for DPDK and friends,
> it lives in user space. They have this information.

Yes
 
> We only focus here on optimizing (fixing?) the mapping for VMs, DPDK is out
> of the picture.

DPDK will be solved through some VFIO ioctl, we know how to do it,
just nobody has cared enough to do it.

> So we want to allow the VM to achieve a WC/NC mapping by using a
> relaxed (NC) mapping in stage-1. Whatever is set in stage-2 wins.

Yes
 
> 
> (3) vfio knows whether using WC (and NC?) could be problematic, and must
> forbid it, if that is the case. There are cases where we could otherwise
> cause harm (bring down the host?). We must keep mapping the memory as
> DEVICE_nGnRE when in doubt.

Yes, there is an unspecific fear that on ARM platforms using NORMAL_NC
in the wrong way can trigger a catastrophic error and kill the
host. There is no way to know if the platform has this bug, so the
agreement was to be conservative and only allow it for vfio-pci, based
on some specific details of how PCI has to be implemented and ARM
guidance on PCI integration..

> Now, what the new mmap() flag does is tell the world "using the wrong
> mapping type cannot bring down the host", and KVM uses that to use a
> different mapping type (NC) in stage-1 as setup by vfio in the user space
> page tables.

The inverse meaning, we assume VMAs with the flag can bring down the
host, but yes.

> I was trying to find ways of avoiding a mmap() flag and was hoping that we
> could just use a PTE bit that does not have semantics in VM_PFNMAP mappings.
> Unfortunately, arm64 does not support uffd-wp, which I had in mind, so it's
> not that easy.

Seems like a waste of a valuable PTE bit to me.

> Further, I was wondering if there would be a way to let DPDK similarly
> benefit, because it looks like we are happily ignoring that (I was told they
> apply some hacks to work around that).

dpdk doesn't need the VMA bit, we know how to solve it with vfio
ioctls, it is very straightforward. dpdk just does a ioctl & mmap and
VFIO will create a vma with pgprote_writecombine(). Completely
trivial, the only nasty bit is fitting this into the VFIO uAPI.

> (a) User space tells VFIO which parts of a BAR it would like to have mapped
> differently. For QEMU, this would mean, requesting a NC mapping for the
> whole BAR. For DPDK, it could mean requesting different types for parts of a
> BAR.

We don't want to have have the memory mapped as NC in qemu. As I said
above if it is mapped NC then writel() doesn't work. We can't have
conflicting mappings that go toward NC when the right answer is
DEVICE. 

writel() on NC will malfunction.

__iowrite64_copy() on DEVICE will be functionally correct but slower.

The S2 mapping that KVM creates is special because it doesn't actually
map it once the VM kernel gets started. The VM kernel always supplies
a S1 table that sets the correct type.

So if qemu has DEVICE, the S2 has NC and the VM's S1 has DEVICE then
the mapping is realiably made to be DEVICE. The hidden S2 doesn't
cause a problem.

> That would mean, that we would map NC already in QEMU. I wonder if that
> could be a problem with read speculation, even if QEMU never really accesses
> that mmap'ed region.

Also correct.

Further, qemu may need to do emulation for MMIO in various cases and
the qemu logic for this requires a DEVICE mapping or the emulation
will malfunction.

Using NC in qemu is off the table.

Jason

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH v7 0/4] kvm: arm64: allow the VM to select DEVICE_* and NORMAL_NC for IO memory

[David Hildenbrand]

Hi Jason,

Thanks for all the details (some might be valuable to document in more 
detail, but I'm not that experienced with all of the mapping types on 
arm64, so it might "just be me").

> It is worse that some hand wavey "side effect". If you map memory with
> NORMAL_NC (ie for write combining) then writel() doesn't work
> correctly at all.
> 
> The memory must be mapped according to which kernel APIs the actual
> driver in the VM will use. writel() vs __iowrite64_copy().
> 
>> We can trigger both cases right now inside VMs, where we want the device
>> driver to actually make the decision.
> 
> Yes
>   
>> (2) For a VM, that device driver lives inside the VM, for DPDK and friends,
>> it lives in user space. They have this information.
> 
> Yes
>   
>> We only focus here on optimizing (fixing?) the mapping for VMs, DPDK is out
>> of the picture.
> 
> DPDK will be solved through some VFIO ioctl, we know how to do it,
> just nobody has cared enough to do it.

Good!

> 
>> So we want to allow the VM to achieve a WC/NC mapping by using a
>> relaxed (NC) mapping in stage-1. Whatever is set in stage-2 wins.
> 
> Yes
>   
>>
>> (3) vfio knows whether using WC (and NC?) could be problematic, and must
>> forbid it, if that is the case. There are cases where we could otherwise
>> cause harm (bring down the host?). We must keep mapping the memory as
>> DEVICE_nGnRE when in doubt.
> 
> Yes, there is an unspecific fear that on ARM platforms using NORMAL_NC
> in the wrong way can trigger a catastrophic error and kill the
> host. There is no way to know if the platform has this bug, so the
> agreement was to be conservative and only allow it for vfio-pci, based
> on some specific details of how PCI has to be implemented and ARM
> guidance on PCI integration..
> 
>> Now, what the new mmap() flag does is tell the world "using the wrong
>> mapping type cannot bring down the host", and KVM uses that to use a
>> different mapping type (NC) in stage-1 as setup by vfio in the user space
>> page tables.
> 
> The inverse meaning, we assume VMAs with the flag can bring down the
> host, but yes.

Got it, will have a closer look at the patch soon.

> 
>> I was trying to find ways of avoiding a mmap() flag and was hoping that we
>> could just use a PTE bit that does not have semantics in VM_PFNMAP mappings.
>> Unfortunately, arm64 does not support uffd-wp, which I had in mind, so it's
>> not that easy.
> 
> Seems like a waste of a valuable PTE bit to me.

It would rather have been "it's already unused there, so let's reuse 
it". But there was no such low-hanging gruit.

> 
>> Further, I was wondering if there would be a way to let DPDK similarly
>> benefit, because it looks like we are happily ignoring that (I was told they
>> apply some hacks to work around that).
> 
> dpdk doesn't need the VMA bit, we know how to solve it with vfio
> ioctls, it is very straightforward. dpdk just does a ioctl & mmap and
> VFIO will create a vma with pgprote_writecombine(). Completely
> trivial, the only nasty bit is fitting this into the VFIO uAPI.

That's what I thought.

> 
>> (a) User space tells VFIO which parts of a BAR it would like to have mapped
>> differently. For QEMU, this would mean, requesting a NC mapping for the
>> whole BAR. For DPDK, it could mean requesting different types for parts of a
>> BAR.
> 
> We don't want to have have the memory mapped as NC in qemu. As I said
> above if it is mapped NC then writel() doesn't work. We can't have
> conflicting mappings that go toward NC when the right answer is
> DEVICE.

I was wondering who would trigger that, but as I read below it could be 
MMIO emulation.

> 
> writel() on NC will malfunction.
> 
> __iowrite64_copy() on DEVICE will be functionally correct but slower.
> 
> The S2 mapping that KVM creates is special because it doesn't actually
> map it once the VM kernel gets started. The VM kernel always supplies
> a S1 table that sets the correct type.
> 
> So if qemu has DEVICE, the S2 has NC and the VM's S1 has DEVICE then
> the mapping is realiably made to be DEVICE. The hidden S2 doesn't
> cause a problem.
> 
>> That would mean, that we would map NC already in QEMU. I wonder if that
>> could be a problem with read speculation, even if QEMU never really accesses
>> that mmap'ed region.
> 
> Also correct.
> 
> Further, qemu may need to do emulation for MMIO in various cases and
> the qemu logic for this requires a DEVICE mapping or the emulation
> will malfunction.
> 
> Using NC in qemu is off the table.

Good, thanks for the details, all makes sense to me.

-- 
Cheers,

David / dhildenb

Re: [PATCH v7 0/4] kvm: arm64: allow the VM to select DEVICE_* and NORMAL_NC for IO memory

[David Hildenbrand]

Hi Jason,

Thanks for all the details (some might be valuable to document in more 
detail, but I'm not that experienced with all of the mapping types on 
arm64, so it might "just be me").

> It is worse that some hand wavey "side effect". If you map memory with
> NORMAL_NC (ie for write combining) then writel() doesn't work
> correctly at all.
> 
> The memory must be mapped according to which kernel APIs the actual
> driver in the VM will use. writel() vs __iowrite64_copy().
> 
>> We can trigger both cases right now inside VMs, where we want the device
>> driver to actually make the decision.
> 
> Yes
>   
>> (2) For a VM, that device driver lives inside the VM, for DPDK and friends,
>> it lives in user space. They have this information.
> 
> Yes
>   
>> We only focus here on optimizing (fixing?) the mapping for VMs, DPDK is out
>> of the picture.
> 
> DPDK will be solved through some VFIO ioctl, we know how to do it,
> just nobody has cared enough to do it.

Good!

> 
>> So we want to allow the VM to achieve a WC/NC mapping by using a
>> relaxed (NC) mapping in stage-1. Whatever is set in stage-2 wins.
> 
> Yes
>   
>>
>> (3) vfio knows whether using WC (and NC?) could be problematic, and must
>> forbid it, if that is the case. There are cases where we could otherwise
>> cause harm (bring down the host?). We must keep mapping the memory as
>> DEVICE_nGnRE when in doubt.
> 
> Yes, there is an unspecific fear that on ARM platforms using NORMAL_NC
> in the wrong way can trigger a catastrophic error and kill the
> host. There is no way to know if the platform has this bug, so the
> agreement was to be conservative and only allow it for vfio-pci, based
> on some specific details of how PCI has to be implemented and ARM
> guidance on PCI integration..
> 
>> Now, what the new mmap() flag does is tell the world "using the wrong
>> mapping type cannot bring down the host", and KVM uses that to use a
>> different mapping type (NC) in stage-1 as setup by vfio in the user space
>> page tables.
> 
> The inverse meaning, we assume VMAs with the flag can bring down the
> host, but yes.

Got it, will have a closer look at the patch soon.

> 
>> I was trying to find ways of avoiding a mmap() flag and was hoping that we
>> could just use a PTE bit that does not have semantics in VM_PFNMAP mappings.
>> Unfortunately, arm64 does not support uffd-wp, which I had in mind, so it's
>> not that easy.
> 
> Seems like a waste of a valuable PTE bit to me.

It would rather have been "it's already unused there, so let's reuse 
it". But there was no such low-hanging gruit.

> 
>> Further, I was wondering if there would be a way to let DPDK similarly
>> benefit, because it looks like we are happily ignoring that (I was told they
>> apply some hacks to work around that).
> 
> dpdk doesn't need the VMA bit, we know how to solve it with vfio
> ioctls, it is very straightforward. dpdk just does a ioctl & mmap and
> VFIO will create a vma with pgprote_writecombine(). Completely
> trivial, the only nasty bit is fitting this into the VFIO uAPI.

That's what I thought.

> 
>> (a) User space tells VFIO which parts of a BAR it would like to have mapped
>> differently. For QEMU, this would mean, requesting a NC mapping for the
>> whole BAR. For DPDK, it could mean requesting different types for parts of a
>> BAR.
> 
> We don't want to have have the memory mapped as NC in qemu. As I said
> above if it is mapped NC then writel() doesn't work. We can't have
> conflicting mappings that go toward NC when the right answer is
> DEVICE.

I was wondering who would trigger that, but as I read below it could be 
MMIO emulation.

> 
> writel() on NC will malfunction.
> 
> __iowrite64_copy() on DEVICE will be functionally correct but slower.
> 
> The S2 mapping that KVM creates is special because it doesn't actually
> map it once the VM kernel gets started. The VM kernel always supplies
> a S1 table that sets the correct type.
> 
> So if qemu has DEVICE, the S2 has NC and the VM's S1 has DEVICE then
> the mapping is realiably made to be DEVICE. The hidden S2 doesn't
> cause a problem.
> 
>> That would mean, that we would map NC already in QEMU. I wonder if that
>> could be a problem with read speculation, even if QEMU never really accesses
>> that mmap'ed region.
> 
> Also correct.
> 
> Further, qemu may need to do emulation for MMIO in various cases and
> the qemu logic for this requires a DEVICE mapping or the emulation
> will malfunction.
> 
> Using NC in qemu is off the table.

Good, thanks for the details, all makes sense to me.

-- 
Cheers,

David / dhildenb


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH v7 2/4] mm: introduce new flag to indicate wc safe

[David Hildenbrand]

On 11.02.24 18:47, ankita@nvidia.com wrote:
> From: Ankit Agrawal <ankita@nvidia.com>
> 
> Generalizing S2 setting from DEVICE_nGnRE to NormalNc for non PCI
> devices may be problematic. E.g. GICv2 vCPU interface, which is
> effectively a shared peripheral, can allow a guest to affect another
> guest's interrupt distribution. The issue may be solved by limiting
> the relaxation to mappings that have a user VMA. Still there is
> insufficient information and uncertainity in the behavior of

s/uncertainity/uncertainty/

> non PCI drivers.
> 
> Add a new flag VM_ALLOW_ANY_UNCACHED to indicate KVM that the device
> is WC capable and these S2 changes can be extended to it. KVM can use
> this flag to activate the code.
> 

MM people will stumble only over this commit at some point, looking for 
details. It might make sense to add a bit more details on the underlying 
problem (user space tables vs. stage-1 vs. stage-2) and why we want to 
have a different mapping in user space compared to stage-1.

Then, describe that the VMA flag was found to be the simplest and 
cleanest way to communicate this information from VFIO to KVM.

> Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
> Signed-off-by: Ankit Agrawal <ankita@nvidia.com>
> ---
>   include/linux/mm.h | 14 ++++++++++++++
>   1 file changed, 14 insertions(+)
> 
> diff --git a/include/linux/mm.h b/include/linux/mm.h
> index f5a97dec5169..59576e56c58b 100644
> --- a/include/linux/mm.h
> +++ b/include/linux/mm.h
> @@ -391,6 +391,20 @@ extern unsigned int kobjsize(const void *objp);
>   # define VM_UFFD_MINOR		VM_NONE
>   #endif /* CONFIG_HAVE_ARCH_USERFAULTFD_MINOR */
>   
> +/*
> + * This flag is used to connect VFIO to arch specific KVM code. It
> + * indicates that the memory under this VMA is safe for use with any
> + * non-cachable memory type inside KVM. Some VFIO devices, on some
> + * platforms, are thought to be unsafe and can cause machine crashes
> + * if KVM does not lock down the memory type.
> + */
> +#ifdef CONFIG_64BIT
> +#define VM_ALLOW_ANY_UNCACHED_BIT	39
> +#define VM_ALLOW_ANY_UNCACHED		BIT(VM_ALLOW_ANY_UNCACHED_BIT)
> +#else
> +#define VM_ALLOW_ANY_UNCACHED		VM_NONE
> +#endif
> +
>   /* Bits set in the VMA until the stack is in its final location */
>   #define VM_STACK_INCOMPLETE_SETUP (VM_RAND_READ | VM_SEQ_READ | VM_STACK_EARLY)
>   

It's not perfect (very VFIO <-> KVM specific right now, VMA flags feel a 
bit wrong), but it certainly easier and cleaner than any alternatives I 
could think of.

Acked-by: David Hildenbrand <david@redhat.com>

-- 
Cheers,

David / dhildenb

Re: [PATCH v7 2/4] mm: introduce new flag to indicate wc safe

[David Hildenbrand]

On 11.02.24 18:47, ankita@nvidia.com wrote:
> From: Ankit Agrawal <ankita@nvidia.com>
> 
> Generalizing S2 setting from DEVICE_nGnRE to NormalNc for non PCI
> devices may be problematic. E.g. GICv2 vCPU interface, which is
> effectively a shared peripheral, can allow a guest to affect another
> guest's interrupt distribution. The issue may be solved by limiting
> the relaxation to mappings that have a user VMA. Still there is
> insufficient information and uncertainity in the behavior of

s/uncertainity/uncertainty/

> non PCI drivers.
> 
> Add a new flag VM_ALLOW_ANY_UNCACHED to indicate KVM that the device
> is WC capable and these S2 changes can be extended to it. KVM can use
> this flag to activate the code.
> 

MM people will stumble only over this commit at some point, looking for 
details. It might make sense to add a bit more details on the underlying 
problem (user space tables vs. stage-1 vs. stage-2) and why we want to 
have a different mapping in user space compared to stage-1.

Then, describe that the VMA flag was found to be the simplest and 
cleanest way to communicate this information from VFIO to KVM.

> Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
> Signed-off-by: Ankit Agrawal <ankita@nvidia.com>
> ---
>   include/linux/mm.h | 14 ++++++++++++++
>   1 file changed, 14 insertions(+)
> 
> diff --git a/include/linux/mm.h b/include/linux/mm.h
> index f5a97dec5169..59576e56c58b 100644
> --- a/include/linux/mm.h
> +++ b/include/linux/mm.h
> @@ -391,6 +391,20 @@ extern unsigned int kobjsize(const void *objp);
>   # define VM_UFFD_MINOR		VM_NONE
>   #endif /* CONFIG_HAVE_ARCH_USERFAULTFD_MINOR */
>   
> +/*
> + * This flag is used to connect VFIO to arch specific KVM code. It
> + * indicates that the memory under this VMA is safe for use with any
> + * non-cachable memory type inside KVM. Some VFIO devices, on some
> + * platforms, are thought to be unsafe and can cause machine crashes
> + * if KVM does not lock down the memory type.
> + */
> +#ifdef CONFIG_64BIT
> +#define VM_ALLOW_ANY_UNCACHED_BIT	39
> +#define VM_ALLOW_ANY_UNCACHED		BIT(VM_ALLOW_ANY_UNCACHED_BIT)
> +#else
> +#define VM_ALLOW_ANY_UNCACHED		VM_NONE
> +#endif
> +
>   /* Bits set in the VMA until the stack is in its final location */
>   #define VM_STACK_INCOMPLETE_SETUP (VM_RAND_READ | VM_SEQ_READ | VM_STACK_EARLY)
>   

It's not perfect (very VFIO <-> KVM specific right now, VMA flags feel a 
bit wrong), but it certainly easier and cleaner than any alternatives I 
could think of.

Acked-by: David Hildenbrand <david@redhat.com>

-- 
Cheers,

David / dhildenb


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH v7 4/4] vfio: convey kvm that the vfio-pci device is wc safe

[David Hildenbrand]

On 11.02.24 18:47, ankita@nvidia.com wrote:
> From: Ankit Agrawal <ankita@nvidia.com>
> 
> The code to map the MMIO in S2 as NormalNC is enabled when conveyed
> that the device is WC safe using a new flag VM_ALLOW_ANY_UNCACHED.
> 
> Make vfio-pci set the VM_ALLOW_ANY_UNCACHED flag.
> 
> This could be extended to other devices in the future once that
> is deemed safe.

Maybe add some more details how one could make a decision whether it 
would be safe (either here or in patch #2).

> 
> Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
> Acked-by: Jason Gunthorpe <jgg@nvidia.com>
> Acked-by: Catalin Marinas <catalin.marinas@arm.com>
> Signed-off-by: Ankit Agrawal <ankita@nvidia.com>
> ---
>   drivers/vfio/pci/vfio_pci_core.c | 6 +++++-
>   1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
> index 1cbc990d42e0..eba2146202f9 100644
> --- a/drivers/vfio/pci/vfio_pci_core.c
> +++ b/drivers/vfio/pci/vfio_pci_core.c
> @@ -1862,8 +1862,12 @@ int vfio_pci_core_mmap(struct vfio_device *core_vdev, struct vm_area_struct *vma
>   	/*
>   	 * See remap_pfn_range(), called from vfio_pci_fault() but we can't
>   	 * change vm_flags within the fault handler.  Set them now.
> +	 *
> +	 * Set an additional flag VM_ALLOW_ANY_UNCACHED to convey kvm that
> +	 * the device is wc safe.
>   	 */
> -	vm_flags_set(vma, VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP);
> +	vm_flags_set(vma, VM_ALLOW_ANY_UNCACHED | VM_IO | VM_PFNMAP |
> +			VM_DONTEXPAND | VM_DONTDUMP);
>   	vma->vm_ops = &vfio_pci_mmap_ops;
>   
>   	return 0;

Reviewed-by: David Hildenbrand <david@redhat.com>

-- 
Cheers,

David / dhildenb

Re: [PATCH v7 4/4] vfio: convey kvm that the vfio-pci device is wc safe

[David Hildenbrand]

On 11.02.24 18:47, ankita@nvidia.com wrote:
> From: Ankit Agrawal <ankita@nvidia.com>
> 
> The code to map the MMIO in S2 as NormalNC is enabled when conveyed
> that the device is WC safe using a new flag VM_ALLOW_ANY_UNCACHED.
> 
> Make vfio-pci set the VM_ALLOW_ANY_UNCACHED flag.
> 
> This could be extended to other devices in the future once that
> is deemed safe.

Maybe add some more details how one could make a decision whether it 
would be safe (either here or in patch #2).

> 
> Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
> Acked-by: Jason Gunthorpe <jgg@nvidia.com>
> Acked-by: Catalin Marinas <catalin.marinas@arm.com>
> Signed-off-by: Ankit Agrawal <ankita@nvidia.com>
> ---
>   drivers/vfio/pci/vfio_pci_core.c | 6 +++++-
>   1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
> index 1cbc990d42e0..eba2146202f9 100644
> --- a/drivers/vfio/pci/vfio_pci_core.c
> +++ b/drivers/vfio/pci/vfio_pci_core.c
> @@ -1862,8 +1862,12 @@ int vfio_pci_core_mmap(struct vfio_device *core_vdev, struct vm_area_struct *vma
>   	/*
>   	 * See remap_pfn_range(), called from vfio_pci_fault() but we can't
>   	 * change vm_flags within the fault handler.  Set them now.
> +	 *
> +	 * Set an additional flag VM_ALLOW_ANY_UNCACHED to convey kvm that
> +	 * the device is wc safe.
>   	 */
> -	vm_flags_set(vma, VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP);
> +	vm_flags_set(vma, VM_ALLOW_ANY_UNCACHED | VM_IO | VM_PFNMAP |
> +			VM_DONTEXPAND | VM_DONTDUMP);
>   	vma->vm_ops = &vfio_pci_mmap_ops;
>   
>   	return 0;

Reviewed-by: David Hildenbrand <david@redhat.com>

-- 
Cheers,

David / dhildenb


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH v7 4/4] vfio: convey kvm that the vfio-pci device is wc safe

[Alex Williamson]

On Sun, 11 Feb 2024 23:17:05 +0530
<ankita@nvidia.com> wrote:

> From: Ankit Agrawal <ankita@nvidia.com>
> 
> The code to map the MMIO in S2 as NormalNC is enabled when conveyed
> that the device is WC safe using a new flag VM_ALLOW_ANY_UNCACHED.
> 
> Make vfio-pci set the VM_ALLOW_ANY_UNCACHED flag.
> 
> This could be extended to other devices in the future once that
> is deemed safe.
> 
> Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
> Acked-by: Jason Gunthorpe <jgg@nvidia.com>
> Acked-by: Catalin Marinas <catalin.marinas@arm.com>
> Signed-off-by: Ankit Agrawal <ankita@nvidia.com>
> ---
>  drivers/vfio/pci/vfio_pci_core.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
> index 1cbc990d42e0..eba2146202f9 100644
> --- a/drivers/vfio/pci/vfio_pci_core.c
> +++ b/drivers/vfio/pci/vfio_pci_core.c
> @@ -1862,8 +1862,12 @@ int vfio_pci_core_mmap(struct vfio_device *core_vdev, struct vm_area_struct *vma
>  	/*
>  	 * See remap_pfn_range(), called from vfio_pci_fault() but we can't
>  	 * change vm_flags within the fault handler.  Set them now.
> +	 *
> +	 * Set an additional flag VM_ALLOW_ANY_UNCACHED to convey kvm that
> +	 * the device is wc safe.
>  	 */

That's a pretty superficial comment.  Check that this is accurate, but
maybe something like:

	The VM_ALLOW_ANY_UNCACHED flag is implemented for ARM64,
	allowing stage 2 device mapping attributes to use Normal-NC
	rather than DEVICE_nGnRE, which allows guest mappings
	supporting combining attributes (WC).  This attribute has
	potential risks with the GICv2 VCPU interface, but is expected
	to be safe for vfio-pci use cases.

And specifically, I think these other devices that may be problematic
as described in the cover letter is a warning against use for
vfio-platform, is that correct?

Thanks,
Alex

> -	vm_flags_set(vma, VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP);
> +	vm_flags_set(vma, VM_ALLOW_ANY_UNCACHED | VM_IO | VM_PFNMAP |
> +			VM_DONTEXPAND | VM_DONTDUMP);
>  	vma->vm_ops = &vfio_pci_mmap_ops;
>  
>  	return 0;

Re: [PATCH v7 4/4] vfio: convey kvm that the vfio-pci device is wc safe

[Alex Williamson]

On Sun, 11 Feb 2024 23:17:05 +0530
<ankita@nvidia.com> wrote:

> From: Ankit Agrawal <ankita@nvidia.com>
> 
> The code to map the MMIO in S2 as NormalNC is enabled when conveyed
> that the device is WC safe using a new flag VM_ALLOW_ANY_UNCACHED.
> 
> Make vfio-pci set the VM_ALLOW_ANY_UNCACHED flag.
> 
> This could be extended to other devices in the future once that
> is deemed safe.
> 
> Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
> Acked-by: Jason Gunthorpe <jgg@nvidia.com>
> Acked-by: Catalin Marinas <catalin.marinas@arm.com>
> Signed-off-by: Ankit Agrawal <ankita@nvidia.com>
> ---
>  drivers/vfio/pci/vfio_pci_core.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
> index 1cbc990d42e0..eba2146202f9 100644
> --- a/drivers/vfio/pci/vfio_pci_core.c
> +++ b/drivers/vfio/pci/vfio_pci_core.c
> @@ -1862,8 +1862,12 @@ int vfio_pci_core_mmap(struct vfio_device *core_vdev, struct vm_area_struct *vma
>  	/*
>  	 * See remap_pfn_range(), called from vfio_pci_fault() but we can't
>  	 * change vm_flags within the fault handler.  Set them now.
> +	 *
> +	 * Set an additional flag VM_ALLOW_ANY_UNCACHED to convey kvm that
> +	 * the device is wc safe.
>  	 */

That's a pretty superficial comment.  Check that this is accurate, but
maybe something like:

	The VM_ALLOW_ANY_UNCACHED flag is implemented for ARM64,
	allowing stage 2 device mapping attributes to use Normal-NC
	rather than DEVICE_nGnRE, which allows guest mappings
	supporting combining attributes (WC).  This attribute has
	potential risks with the GICv2 VCPU interface, but is expected
	to be safe for vfio-pci use cases.

And specifically, I think these other devices that may be problematic
as described in the cover letter is a warning against use for
vfio-platform, is that correct?

Thanks,
Alex

> -	vm_flags_set(vma, VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP);
> +	vm_flags_set(vma, VM_ALLOW_ANY_UNCACHED | VM_IO | VM_PFNMAP |
> +			VM_DONTEXPAND | VM_DONTDUMP);
>  	vma->vm_ops = &vfio_pci_mmap_ops;
>  
>  	return 0;


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH v7 4/4] vfio: convey kvm that the vfio-pci device is wc safe

[Jason Gunthorpe]

On Mon, Feb 12, 2024 at 10:05:02AM -0700, Alex Williamson wrote:

> > --- a/drivers/vfio/pci/vfio_pci_core.c
> > +++ b/drivers/vfio/pci/vfio_pci_core.c
> > @@ -1862,8 +1862,12 @@ int vfio_pci_core_mmap(struct vfio_device *core_vdev, struct vm_area_struct *vma
> >  	/*
> >  	 * See remap_pfn_range(), called from vfio_pci_fault() but we can't
> >  	 * change vm_flags within the fault handler.  Set them now.
> > +	 *
> > +	 * Set an additional flag VM_ALLOW_ANY_UNCACHED to convey kvm that
> > +	 * the device is wc safe.
> >  	 */
> 
> That's a pretty superficial comment.  Check that this is accurate, but
> maybe something like:
> 
> 	The VM_ALLOW_ANY_UNCACHED flag is implemented for ARM64,
> 	allowing stage 2 device mapping attributes to use Normal-NC
               ^^^^ 

> 	rather than DEVICE_nGnRE, which allows guest mappings
> 	supporting combining attributes (WC).  This attribute has
> 	potential risks with the GICv2 VCPU interface, but is expected
> 	to be safe for vfio-pci use cases.

Sure, if you want to elaborate more

  The VM_ALLOW_ANY_UNCACHED flag is implemented for ARM64,
  allowing KVM stage 2 device mapping attributes to use Normal-NC
  rather than DEVICE_nGnRE, which allows guest mappings
  supporting combining attributes (WC). ARM does not architecturally
  guarentee this is safe, and indeed some MMIO regions like the GICv2
  VCPU interface can trigger uncontained faults if Normal-NC is used.

  Even worse we expect there are platforms where even DEVICE_nGnRE can
  allow uncontained faults in conercases. Unfortunately existing ARM
  IP requires platform integration to take responsibility to prevent
  this.

  To safely use VFIO in KVM the platform must guarantee full safety
  in the guest where no action taken against a MMIO mapping can
  trigger an uncontainer failure. We belive that most VFIO PCI
  platforms support this for both mapping types, at least in common
  flows, based on some expectations of how PCI IP is integrated. This
  can be enabled more broadly, for instance into vfio-platform
  drivers, but only after the platform vendor completes auditing for
  safety.
 
> And specifically, I think these other devices that may be problematic
> as described in the cover letter is a warning against use for
> vfio-platform, is that correct?

Maybe more like "we have a general consensus that vfio-pci is likely
safe due to how PCI IP is typically integrated, but it is much less
obvious for other VFIO bus types. As there is no known WC user for
vfio-platform drivers be conservative and do not enable it."

Jason

Re: [PATCH v7 4/4] vfio: convey kvm that the vfio-pci device is wc safe

[Jason Gunthorpe]

On Mon, Feb 12, 2024 at 10:05:02AM -0700, Alex Williamson wrote:

> > --- a/drivers/vfio/pci/vfio_pci_core.c
> > +++ b/drivers/vfio/pci/vfio_pci_core.c
> > @@ -1862,8 +1862,12 @@ int vfio_pci_core_mmap(struct vfio_device *core_vdev, struct vm_area_struct *vma
> >  	/*
> >  	 * See remap_pfn_range(), called from vfio_pci_fault() but we can't
> >  	 * change vm_flags within the fault handler.  Set them now.
> > +	 *
> > +	 * Set an additional flag VM_ALLOW_ANY_UNCACHED to convey kvm that
> > +	 * the device is wc safe.
> >  	 */
> 
> That's a pretty superficial comment.  Check that this is accurate, but
> maybe something like:
> 
> 	The VM_ALLOW_ANY_UNCACHED flag is implemented for ARM64,
> 	allowing stage 2 device mapping attributes to use Normal-NC
               ^^^^ 

> 	rather than DEVICE_nGnRE, which allows guest mappings
> 	supporting combining attributes (WC).  This attribute has
> 	potential risks with the GICv2 VCPU interface, but is expected
> 	to be safe for vfio-pci use cases.

Sure, if you want to elaborate more

  The VM_ALLOW_ANY_UNCACHED flag is implemented for ARM64,
  allowing KVM stage 2 device mapping attributes to use Normal-NC
  rather than DEVICE_nGnRE, which allows guest mappings
  supporting combining attributes (WC). ARM does not architecturally
  guarentee this is safe, and indeed some MMIO regions like the GICv2
  VCPU interface can trigger uncontained faults if Normal-NC is used.

  Even worse we expect there are platforms where even DEVICE_nGnRE can
  allow uncontained faults in conercases. Unfortunately existing ARM
  IP requires platform integration to take responsibility to prevent
  this.

  To safely use VFIO in KVM the platform must guarantee full safety
  in the guest where no action taken against a MMIO mapping can
  trigger an uncontainer failure. We belive that most VFIO PCI
  platforms support this for both mapping types, at least in common
  flows, based on some expectations of how PCI IP is integrated. This
  can be enabled more broadly, for instance into vfio-platform
  drivers, but only after the platform vendor completes auditing for
  safety.
 
> And specifically, I think these other devices that may be problematic
> as described in the cover letter is a warning against use for
> vfio-platform, is that correct?

Maybe more like "we have a general consensus that vfio-pci is likely
safe due to how PCI IP is typically integrated, but it is much less
obvious for other VFIO bus types. As there is no known WC user for
vfio-platform drivers be conservative and do not enable it."

Jason

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH v7 4/4] vfio: convey kvm that the vfio-pci device is wc safe

[Alex Williamson]

On Mon, 12 Feb 2024 13:20:01 -0400
Jason Gunthorpe <jgg@nvidia.com> wrote:

> On Mon, Feb 12, 2024 at 10:05:02AM -0700, Alex Williamson wrote:
> 
> > > --- a/drivers/vfio/pci/vfio_pci_core.c
> > > +++ b/drivers/vfio/pci/vfio_pci_core.c
> > > @@ -1862,8 +1862,12 @@ int vfio_pci_core_mmap(struct vfio_device *core_vdev, struct vm_area_struct *vma
> > >  	/*
> > >  	 * See remap_pfn_range(), called from vfio_pci_fault() but we can't
> > >  	 * change vm_flags within the fault handler.  Set them now.
> > > +	 *
> > > +	 * Set an additional flag VM_ALLOW_ANY_UNCACHED to convey kvm that
> > > +	 * the device is wc safe.
> > >  	 */  
> > 
> > That's a pretty superficial comment.  Check that this is accurate, but
> > maybe something like:
> > 
> > 	The VM_ALLOW_ANY_UNCACHED flag is implemented for ARM64,
> > 	allowing stage 2 device mapping attributes to use Normal-NC  
>                ^^^^ 
> 
> > 	rather than DEVICE_nGnRE, which allows guest mappings
> > 	supporting combining attributes (WC).  This attribute has
> > 	potential risks with the GICv2 VCPU interface, but is expected
> > 	to be safe for vfio-pci use cases.  
> 
> Sure, if you want to elaborate more
> 
>   The VM_ALLOW_ANY_UNCACHED flag is implemented for ARM64,
>   allowing KVM stage 2 device mapping attributes to use Normal-NC
>   rather than DEVICE_nGnRE, which allows guest mappings
>   supporting combining attributes (WC). ARM does not architecturally
>   guarentee this is safe, and indeed some MMIO regions like the GICv2
>   VCPU interface can trigger uncontained faults if Normal-NC is used.
> 
>   Even worse we expect there are platforms where even DEVICE_nGnRE can
>   allow uncontained faults in conercases. Unfortunately existing ARM
                                ^^^^^^^^^^

*corner cases


>   IP requires platform integration to take responsibility to prevent
>   this.
> 
>   To safely use VFIO in KVM the platform must guarantee full safety
>   in the guest where no action taken against a MMIO mapping can
>   trigger an uncontainer failure. We belive that most VFIO PCI
>   platforms support this for both mapping types, at least in common
>   flows, based on some expectations of how PCI IP is integrated. This
>   can be enabled more broadly, for instance into vfio-platform
>   drivers, but only after the platform vendor completes auditing for
>   safety.

I like it, please incorporate into the next version.
  
> > And specifically, I think these other devices that may be problematic
> > as described in the cover letter is a warning against use for
> > vfio-platform, is that correct?  
> 
> Maybe more like "we have a general consensus that vfio-pci is likely
> safe due to how PCI IP is typically integrated, but it is much less
> obvious for other VFIO bus types. As there is no known WC user for
> vfio-platform drivers be conservative and do not enable it."

Ok.  Thanks for the clarification.

Alex

Re: [PATCH v7 4/4] vfio: convey kvm that the vfio-pci device is wc safe

[Alex Williamson]

On Mon, 12 Feb 2024 13:20:01 -0400
Jason Gunthorpe <jgg@nvidia.com> wrote:

> On Mon, Feb 12, 2024 at 10:05:02AM -0700, Alex Williamson wrote:
> 
> > > --- a/drivers/vfio/pci/vfio_pci_core.c
> > > +++ b/drivers/vfio/pci/vfio_pci_core.c
> > > @@ -1862,8 +1862,12 @@ int vfio_pci_core_mmap(struct vfio_device *core_vdev, struct vm_area_struct *vma
> > >  	/*
> > >  	 * See remap_pfn_range(), called from vfio_pci_fault() but we can't
> > >  	 * change vm_flags within the fault handler.  Set them now.
> > > +	 *
> > > +	 * Set an additional flag VM_ALLOW_ANY_UNCACHED to convey kvm that
> > > +	 * the device is wc safe.
> > >  	 */  
> > 
> > That's a pretty superficial comment.  Check that this is accurate, but
> > maybe something like:
> > 
> > 	The VM_ALLOW_ANY_UNCACHED flag is implemented for ARM64,
> > 	allowing stage 2 device mapping attributes to use Normal-NC  
>                ^^^^ 
> 
> > 	rather than DEVICE_nGnRE, which allows guest mappings
> > 	supporting combining attributes (WC).  This attribute has
> > 	potential risks with the GICv2 VCPU interface, but is expected
> > 	to be safe for vfio-pci use cases.  
> 
> Sure, if you want to elaborate more
> 
>   The VM_ALLOW_ANY_UNCACHED flag is implemented for ARM64,
>   allowing KVM stage 2 device mapping attributes to use Normal-NC
>   rather than DEVICE_nGnRE, which allows guest mappings
>   supporting combining attributes (WC). ARM does not architecturally
>   guarentee this is safe, and indeed some MMIO regions like the GICv2
>   VCPU interface can trigger uncontained faults if Normal-NC is used.
> 
>   Even worse we expect there are platforms where even DEVICE_nGnRE can
>   allow uncontained faults in conercases. Unfortunately existing ARM
                                ^^^^^^^^^^

*corner cases


>   IP requires platform integration to take responsibility to prevent
>   this.
> 
>   To safely use VFIO in KVM the platform must guarantee full safety
>   in the guest where no action taken against a MMIO mapping can
>   trigger an uncontainer failure. We belive that most VFIO PCI
>   platforms support this for both mapping types, at least in common
>   flows, based on some expectations of how PCI IP is integrated. This
>   can be enabled more broadly, for instance into vfio-platform
>   drivers, but only after the platform vendor completes auditing for
>   safety.

I like it, please incorporate into the next version.
  
> > And specifically, I think these other devices that may be problematic
> > as described in the cover letter is a warning against use for
> > vfio-platform, is that correct?  
> 
> Maybe more like "we have a general consensus that vfio-pci is likely
> safe due to how PCI IP is typically integrated, but it is much less
> obvious for other VFIO bus types. As there is no known WC user for
> vfio-platform drivers be conservative and do not enable it."

Ok.  Thanks for the clarification.

Alex


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH v7 0/4] kvm: arm64: allow the VM to select DEVICE_* and NORMAL_NC for IO memory

[Oliver Upton]

On Sun, Feb 11, 2024 at 11:17:01PM +0530, ankita@nvidia.com wrote:
> From: Ankit Agrawal <ankita@nvidia.com>
> 
> Currently, KVM for ARM64 maps at stage 2 memory that is considered device
> with DEVICE_nGnRE memory attributes; this setting overrides (per
> ARM architecture [1]) any device MMIO mapping present at stage 1,
> resulting in a set-up whereby a guest operating system cannot
> determine device MMIO mapping memory attributes on its own but
> it is always overridden by the KVM stage 2 default.
> 
> This set-up does not allow guest operating systems to select device
> memory attributes independently from KVM stage-2 mappings
> (refer to [1], "Combining stage 1 and stage 2 memory type attributes"),
> which turns out to be an issue in that guest operating systems
> (e.g. Linux) may request to map devices MMIO regions with memory
> attributes that guarantee better performance (e.g. gathering
> attribute - that for some devices can generate larger PCIe memory
> writes TLPs) and specific operations (e.g. unaligned transactions)
> such as the NormalNC memory type.
> 
> The default device stage 2 mapping was chosen in KVM for ARM64 since
> it was considered safer (i.e. it would not allow guests to trigger
> uncontained failures ultimately crashing the machine) but this
> turned out to be asynchronous (SError) defeating the purpose.
> 
> For these reasons, relax the KVM stage 2 device memory attributes
> from DEVICE_nGnRE to Normal-NC.

Hi Ankit,

Thanks for being responsive in respinning the series according to the
feedback. I think we're pretty close here, but it'd be good to address
the comment / changelog feedback as well.

Can you respin this once more? Hopefully we can get this stuff soaking
in -next thereafter.

-- 
Thanks,
Oliver

Re: [PATCH v7 0/4] kvm: arm64: allow the VM to select DEVICE_* and NORMAL_NC for IO memory

[Oliver Upton]

On Sun, Feb 11, 2024 at 11:17:01PM +0530, ankita@nvidia.com wrote:
> From: Ankit Agrawal <ankita@nvidia.com>
> 
> Currently, KVM for ARM64 maps at stage 2 memory that is considered device
> with DEVICE_nGnRE memory attributes; this setting overrides (per
> ARM architecture [1]) any device MMIO mapping present at stage 1,
> resulting in a set-up whereby a guest operating system cannot
> determine device MMIO mapping memory attributes on its own but
> it is always overridden by the KVM stage 2 default.
> 
> This set-up does not allow guest operating systems to select device
> memory attributes independently from KVM stage-2 mappings
> (refer to [1], "Combining stage 1 and stage 2 memory type attributes"),
> which turns out to be an issue in that guest operating systems
> (e.g. Linux) may request to map devices MMIO regions with memory
> attributes that guarantee better performance (e.g. gathering
> attribute - that for some devices can generate larger PCIe memory
> writes TLPs) and specific operations (e.g. unaligned transactions)
> such as the NormalNC memory type.
> 
> The default device stage 2 mapping was chosen in KVM for ARM64 since
> it was considered safer (i.e. it would not allow guests to trigger
> uncontained failures ultimately crashing the machine) but this
> turned out to be asynchronous (SError) defeating the purpose.
> 
> For these reasons, relax the KVM stage 2 device memory attributes
> from DEVICE_nGnRE to Normal-NC.

Hi Ankit,

Thanks for being responsive in respinning the series according to the
feedback. I think we're pretty close here, but it'd be good to address
the comment / changelog feedback as well.

Can you respin this once more? Hopefully we can get this stuff soaking
in -next thereafter.

-- 
Thanks,
Oliver

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH v7 4/4] vfio: convey kvm that the vfio-pci device is wc safe

[Ankit Agrawal]

>>   IP requires platform integration to take responsibility to prevent
>>   this.
>>
>>   To safely use VFIO in KVM the platform must guarantee full safety
>>   in the guest where no action taken against a MMIO mapping can
>>   trigger an uncontainer failure. We belive that most VFIO PCI
>>   platforms support this for both mapping types, at least in common
>>   flows, based on some expectations of how PCI IP is integrated. This
>>   can be enabled more broadly, for instance into vfio-platform
>>   drivers, but only after the platform vendor completes auditing for
>>   safety.
>
> I like it, please incorporate into the next version.

Yes, will fix the typos and add it.

Re: [PATCH v7 4/4] vfio: convey kvm that the vfio-pci device is wc safe

[Ankit Agrawal]

>>   IP requires platform integration to take responsibility to prevent
>>   this.
>>
>>   To safely use VFIO in KVM the platform must guarantee full safety
>>   in the guest where no action taken against a MMIO mapping can
>>   trigger an uncontainer failure. We belive that most VFIO PCI
>>   platforms support this for both mapping types, at least in common
>>   flows, based on some expectations of how PCI IP is integrated. This
>>   can be enabled more broadly, for instance into vfio-platform
>>   drivers, but only after the platform vendor completes auditing for
>>   safety.
>
> I like it, please incorporate into the next version.

Yes, will fix the typos and add it.

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH v7 0/4] kvm: arm64: allow the VM to select DEVICE_* and NORMAL_NC for IO memory

[Ankit Agrawal]

>>
>> The default device stage 2 mapping was chosen in KVM for ARM64 since
>> it was considered safer (i.e. it would not allow guests to trigger
>> uncontained failures ultimately crashing the machine) but this
>> turned out to be asynchronous (SError) defeating the purpose.
>>
>> For these reasons, relax the KVM stage 2 device memory attributes
>> from DEVICE_nGnRE to Normal-NC.
>
> Hi Ankit,
>
> Thanks for being responsive in respinning the series according to the
> feedback. I think we're pretty close here, but it'd be good to address
> the comment / changelog feedback as well.
>
> Can you respin this once more? Hopefully we can get this stuff soaking
> in -next thereafter.

Hi Oliver, yes I am planning to refresh it in the next few days after
incorporating the comments.

Re: [PATCH v7 0/4] kvm: arm64: allow the VM to select DEVICE_* and NORMAL_NC for IO memory

[Ankit Agrawal]

>>
>> The default device stage 2 mapping was chosen in KVM for ARM64 since
>> it was considered safer (i.e. it would not allow guests to trigger
>> uncontained failures ultimately crashing the machine) but this
>> turned out to be asynchronous (SError) defeating the purpose.
>>
>> For these reasons, relax the KVM stage 2 device memory attributes
>> from DEVICE_nGnRE to Normal-NC.
>
> Hi Ankit,
>
> Thanks for being responsive in respinning the series according to the
> feedback. I think we're pretty close here, but it'd be good to address
> the comment / changelog feedback as well.
>
> Can you respin this once more? Hopefully we can get this stuff soaking
> in -next thereafter.

Hi Oliver, yes I am planning to refresh it in the next few days after
incorporating the comments.
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH v7 2/4] mm: introduce new flag to indicate wc safe

[Ankit Agrawal]

>> insufficient information and uncertainity in the behavior of
>
> s/uncertainity/uncertainty/

Ack.

>> non PCI drivers.
>>
>> Add a new flag VM_ALLOW_ANY_UNCACHED to indicate KVM that the device
>> is WC capable and these S2 changes can be extended to it. KVM can use
>> this flag to activate the code.
>>
>
> MM people will stumble only over this commit at some point, looking for
> details. It might make sense to add a bit more details on the underlying
> problem (user space tables vs. stage-1 vs. stage-2) and why we want to
> have a different mapping in user space compared to stage-1.
>
> Then, describe that the VMA flag was found to be the simplest and
> cleanest way to communicate this information from VFIO to KVM.

Okay, I'll work on the commit message and describe in more details in
the next version.

>> +/*
>> + * This flag is used to connect VFIO to arch specific KVM code. It
>> + * indicates that the memory under this VMA is safe for use with any
>> + * non-cachable memory type inside KVM. Some VFIO devices, on some
>> + * platforms, are thought to be unsafe and can cause machine crashes
>> + * if KVM does not lock down the memory type.
>> + */
>> +#ifdef CONFIG_64BIT
>> +#define VM_ALLOW_ANY_UNCACHED_BIT    39
>> +#define VM_ALLOW_ANY_UNCACHED                BIT(VM_ALLOW_ANY_UNCACHED_BIT)
>> +#else
>> +#define VM_ALLOW_ANY_UNCACHED                VM_NONE
>> +#endif
>> +
>>   /* Bits set in the VMA until the stack is in its final location */
>>   #define VM_STACK_INCOMPLETE_SETUP (VM_RAND_READ | VM_SEQ_READ | VM_STACK_EARLY)
>>
>
> It's not perfect (very VFIO <-> KVM specific right now, VMA flags feel a
> bit wrong), but it certainly easier and cleaner than any alternatives I
> could think of.
>
> Acked-by: David Hildenbrand <david@redhat.com>

Thanks! FWIW, it was found the cleanest way to restrict the changes to vfio-pci.

Re: [PATCH v7 2/4] mm: introduce new flag to indicate wc safe

[Ankit Agrawal]

>> insufficient information and uncertainity in the behavior of
>
> s/uncertainity/uncertainty/

Ack.

>> non PCI drivers.
>>
>> Add a new flag VM_ALLOW_ANY_UNCACHED to indicate KVM that the device
>> is WC capable and these S2 changes can be extended to it. KVM can use
>> this flag to activate the code.
>>
>
> MM people will stumble only over this commit at some point, looking for
> details. It might make sense to add a bit more details on the underlying
> problem (user space tables vs. stage-1 vs. stage-2) and why we want to
> have a different mapping in user space compared to stage-1.
>
> Then, describe that the VMA flag was found to be the simplest and
> cleanest way to communicate this information from VFIO to KVM.

Okay, I'll work on the commit message and describe in more details in
the next version.

>> +/*
>> + * This flag is used to connect VFIO to arch specific KVM code. It
>> + * indicates that the memory under this VMA is safe for use with any
>> + * non-cachable memory type inside KVM. Some VFIO devices, on some
>> + * platforms, are thought to be unsafe and can cause machine crashes
>> + * if KVM does not lock down the memory type.
>> + */
>> +#ifdef CONFIG_64BIT
>> +#define VM_ALLOW_ANY_UNCACHED_BIT    39
>> +#define VM_ALLOW_ANY_UNCACHED                BIT(VM_ALLOW_ANY_UNCACHED_BIT)
>> +#else
>> +#define VM_ALLOW_ANY_UNCACHED                VM_NONE
>> +#endif
>> +
>>   /* Bits set in the VMA until the stack is in its final location */
>>   #define VM_STACK_INCOMPLETE_SETUP (VM_RAND_READ | VM_SEQ_READ | VM_STACK_EARLY)
>>
>
> It's not perfect (very VFIO <-> KVM specific right now, VMA flags feel a
> bit wrong), but it certainly easier and cleaner than any alternatives I
> could think of.
>
> Acked-by: David Hildenbrand <david@redhat.com>

Thanks! FWIW, it was found the cleanest way to restrict the changes to vfio-pci.
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel