Re: [PATCH v2] vfio: add external user support
On Thu, 2013-06-27 at 17:14 +1000, Alexey Kardashevskiy wrote: VFIO is designed to be used via ioctls on file descriptors returned by VFIO. However in some situations support for an external user is required. The first user is KVM on PPC64 (SPAPR TCE protocol) which is going to use the existing VFIO groups for exclusive access in real/virtual mode in the host kernel to avoid passing map/unmap requests to the user space which would made things pretty slow. The proposed protocol includes: 1. do normal VFIO init stuff such as opening a new container, attaching group(s) to it, setting an IOMMU driver for a container. When IOMMU is set for a container, all groups in it are considered ready to use by an external user. 2. pass a fd of the group we want to accelerate to KVM. KVM calls vfio_group_iommu_id_from_file() to verify if the group is initialized and IOMMU is set for it. The current TCE IOMMU driver marks the whole IOMMU table as busy when IOMMU is set for a container what this prevents other DMA users from allocating from it so it is safe to pass the group to the user space. 3. KVM increases the container users counter via vfio_group_add_external_user(). This prevents the VFIO group from being disposed prior to exiting KVM. 4. When KVM is finished and doing cleanup, it releases the group file and decrements the container users counter. Everything gets released. 5. KVM also keeps the group file as otherwise its fd might have been closed at the moment of KVM finish so vfio_group_del_external_user() call will not be possible. This is the wrong order in my mind. An external user has no business checking or maintaining any state of a group until it calls add_external_user(). Only after that call is successful can the user assume the filep to group relationship is static and get the iommu_id. Any use of the external user API should start with add and end with del. The vfio: Limit group opens patch is also required for the consistency. Signed-off-by: Alexey Kardashevskiy a...@ozlabs.ru --- v1-v2: added definitions to vfio.h :) Should not compile but compiled. Hm. --- drivers/vfio/vfio.c | 54 ++ include/linux/vfio.h |7 +++ 2 files changed, 61 insertions(+) diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c index c488da5..40875d2 100644 --- a/drivers/vfio/vfio.c +++ b/drivers/vfio/vfio.c @@ -1370,6 +1370,60 @@ static const struct file_operations vfio_device_fops = { }; /** + * External user API, exported by symbols to be linked dynamically. + */ + +/* Allows an external user (for example, KVM) to lock an IOMMU group */ +int vfio_group_add_external_user(struct file *filep) +{ + struct vfio_group *group = filep-private_data; + + if (filep-f_op != vfio_group_fops) + return -EINVAL; + + if (!atomic_inc_not_zero(group-container_users)) + return -EINVAL; This is the place where I was suggesting we need tests to match get_device_fd. It's not clear what the external user is holding if the group has no iommu or is not viable here. if (!group-container-iommu_driver || !vfio_group_viable(group)) { vfio_group_try_dissolve_container(group); return -EINVAL; } + + return 0; +} +EXPORT_SYMBOL_GPL(vfio_group_add_external_user); + +/* Allows an external user (for example, KVM) to unlock an IOMMU group */ +void vfio_group_del_external_user(struct file *filep) +{ + struct vfio_group *group = filep-private_data; + + if (WARN_ON(filep-f_op != vfio_group_fops)) + return; How about we make this return int so we can return 0/-EINVAL and the caller can decide the severity of the response? + + vfio_group_try_dissolve_container(group); +} +EXPORT_SYMBOL_GPL(vfio_group_del_external_user); + +/* + * Checks if a group for the specified file can be used by + * an external user and returns the IOMMU ID if external use is possible. + */ +int vfio_group_iommu_id_from_file(struct file *filep) Let's name this in a way that makes it clear that it's part of the external_user API. vfio_group_external_user_iommu_id? +{ + int ret; + struct vfio_group *group = filep-private_data; + + if (WARN_ON(filep-f_op != vfio_group_fops)) + return -EINVAL; This one probably doesn't deserve a WARN_ON either, let the caller blowup if it wants. + + if (0 == atomic_read(group-container_users) || + !group-container-iommu_driver || + !vfio_group_viable(group)) + return -EINVAL; The above test just becomes a weak test that the caller is correctly using the API since we should be enforcing these tests when the external user is added. It doesn't hurt to leave them, but it's not very convincing that the caller is the one holding anything. + ret = iommu_group_id(group-iommu_group); The 'ret' variable isn't needed.
Re: [PATCH v2] vfio: add external user support
On 06/28/2013 01:44 AM, Alex Williamson wrote: On Thu, 2013-06-27 at 17:14 +1000, Alexey Kardashevskiy wrote: VFIO is designed to be used via ioctls on file descriptors returned by VFIO. However in some situations support for an external user is required. The first user is KVM on PPC64 (SPAPR TCE protocol) which is going to use the existing VFIO groups for exclusive access in real/virtual mode in the host kernel to avoid passing map/unmap requests to the user space which would made things pretty slow. The proposed protocol includes: 1. do normal VFIO init stuff such as opening a new container, attaching group(s) to it, setting an IOMMU driver for a container. When IOMMU is set for a container, all groups in it are considered ready to use by an external user. 2. pass a fd of the group we want to accelerate to KVM. KVM calls vfio_group_iommu_id_from_file() to verify if the group is initialized and IOMMU is set for it. The current TCE IOMMU driver marks the whole IOMMU table as busy when IOMMU is set for a container what this prevents other DMA users from allocating from it so it is safe to pass the group to the user space. 3. KVM increases the container users counter via vfio_group_add_external_user(). This prevents the VFIO group from being disposed prior to exiting KVM. 4. When KVM is finished and doing cleanup, it releases the group file and decrements the container users counter. Everything gets released. 5. KVM also keeps the group file as otherwise its fd might have been closed at the moment of KVM finish so vfio_group_del_external_user() call will not be possible. This is the wrong order in my mind. An external user has no business checking or maintaining any state of a group until it calls add_external_user(). Only after that call is successful can the user assume the filep to group relationship is static and get the iommu_id. Any use of the external user API should start with add and end with del. Yes, this is what I actually do, just wrong commit message, will fix. The vfio: Limit group opens patch is also required for the consistency. Signed-off-by: Alexey Kardashevskiy a...@ozlabs.ru --- v1-v2: added definitions to vfio.h :) Should not compile but compiled. Hm. --- drivers/vfio/vfio.c | 54 ++ include/linux/vfio.h |7 +++ 2 files changed, 61 insertions(+) diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c index c488da5..40875d2 100644 --- a/drivers/vfio/vfio.c +++ b/drivers/vfio/vfio.c @@ -1370,6 +1370,60 @@ static const struct file_operations vfio_device_fops = { }; /** + * External user API, exported by symbols to be linked dynamically. + */ + +/* Allows an external user (for example, KVM) to lock an IOMMU group */ +int vfio_group_add_external_user(struct file *filep) +{ +struct vfio_group *group = filep-private_data; + +if (filep-f_op != vfio_group_fops) +return -EINVAL; + +if (!atomic_inc_not_zero(group-container_users)) +return -EINVAL; This is the place where I was suggesting we need tests to match get_device_fd. It's not clear what the external user is holding if the group has no iommu or is not viable here. In my mind this test must include test for iommu id so I would merge it with vfio_group_iommu_id_from_file(). Till I check iommu id, I still cannot use this group so where to put check for iommu/viable does not really matter (for me). if (!group-container-iommu_driver || !vfio_group_viable(group)) { vfio_group_try_dissolve_container(group); return -EINVAL; } + +return 0; +} +EXPORT_SYMBOL_GPL(vfio_group_add_external_user); + +/* Allows an external user (for example, KVM) to unlock an IOMMU group */ +void vfio_group_del_external_user(struct file *filep) +{ +struct vfio_group *group = filep-private_data; + +if (WARN_ON(filep-f_op != vfio_group_fops)) +return; How about we make this return int so we can return 0/-EINVAL and the caller can decide the severity of the response? And what can the caller possibly do on !0? -- Alexey -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v2] vfio: add external user support
On Fri, 2013-06-28 at 08:57 +1000, Alexey Kardashevskiy wrote: On 06/28/2013 01:44 AM, Alex Williamson wrote: On Thu, 2013-06-27 at 17:14 +1000, Alexey Kardashevskiy wrote: VFIO is designed to be used via ioctls on file descriptors returned by VFIO. However in some situations support for an external user is required. The first user is KVM on PPC64 (SPAPR TCE protocol) which is going to use the existing VFIO groups for exclusive access in real/virtual mode in the host kernel to avoid passing map/unmap requests to the user space which would made things pretty slow. The proposed protocol includes: 1. do normal VFIO init stuff such as opening a new container, attaching group(s) to it, setting an IOMMU driver for a container. When IOMMU is set for a container, all groups in it are considered ready to use by an external user. 2. pass a fd of the group we want to accelerate to KVM. KVM calls vfio_group_iommu_id_from_file() to verify if the group is initialized and IOMMU is set for it. The current TCE IOMMU driver marks the whole IOMMU table as busy when IOMMU is set for a container what this prevents other DMA users from allocating from it so it is safe to pass the group to the user space. 3. KVM increases the container users counter via vfio_group_add_external_user(). This prevents the VFIO group from being disposed prior to exiting KVM. 4. When KVM is finished and doing cleanup, it releases the group file and decrements the container users counter. Everything gets released. 5. KVM also keeps the group file as otherwise its fd might have been closed at the moment of KVM finish so vfio_group_del_external_user() call will not be possible. This is the wrong order in my mind. An external user has no business checking or maintaining any state of a group until it calls add_external_user(). Only after that call is successful can the user assume the filep to group relationship is static and get the iommu_id. Any use of the external user API should start with add and end with del. Yes, this is what I actually do, just wrong commit message, will fix. The vfio: Limit group opens patch is also required for the consistency. Signed-off-by: Alexey Kardashevskiy a...@ozlabs.ru --- v1-v2: added definitions to vfio.h :) Should not compile but compiled. Hm. --- drivers/vfio/vfio.c | 54 ++ include/linux/vfio.h |7 +++ 2 files changed, 61 insertions(+) diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c index c488da5..40875d2 100644 --- a/drivers/vfio/vfio.c +++ b/drivers/vfio/vfio.c @@ -1370,6 +1370,60 @@ static const struct file_operations vfio_device_fops = { }; /** + * External user API, exported by symbols to be linked dynamically. + */ + +/* Allows an external user (for example, KVM) to lock an IOMMU group */ +int vfio_group_add_external_user(struct file *filep) +{ + struct vfio_group *group = filep-private_data; + + if (filep-f_op != vfio_group_fops) + return -EINVAL; + + if (!atomic_inc_not_zero(group-container_users)) + return -EINVAL; This is the place where I was suggesting we need tests to match get_device_fd. It's not clear what the external user is holding if the group has no iommu or is not viable here. In my mind this test must include test for iommu id so I would merge it with vfio_group_iommu_id_from_file(). I'm not sure what that means. Till I check iommu id, I still cannot use this group so where to put check for iommu/viable does not really matter (for me). The difference is that getting the group id may just be the first of several external user API interfaces. The idea of external user interface is that from add-del the group is maintained in the same state as if a device was opened. If we disassemble that so that add sets up some stuff and getting the group id does a little more, what happens if we start adding more external user API callbacks? A user of the interface shouldn't need to know the internals to know which interface allows what aspect of use. Besides, I don't want to have to worry about managing another state slightly different from that used by the device fd. if (!group-container-iommu_driver || !vfio_group_viable(group)) { vfio_group_try_dissolve_container(group); return -EINVAL; } + + return 0; +} +EXPORT_SYMBOL_GPL(vfio_group_add_external_user); + +/* Allows an external user (for example, KVM) to unlock an IOMMU group */ +void vfio_group_del_external_user(struct file *filep) +{ + struct vfio_group *group = filep-private_data; + + if (WARN_ON(filep-f_op != vfio_group_fops)) + return; How about we make this return int so we can return 0/-EINVAL and the caller can decide the severity of the response? And what can the caller possibly do on !0?
Re: [PATCH v2] vfio: add external user support
On 06/28/2013 10:41 AM, Alex Williamson wrote: On Fri, 2013-06-28 at 08:57 +1000, Alexey Kardashevskiy wrote: On 06/28/2013 01:44 AM, Alex Williamson wrote: On Thu, 2013-06-27 at 17:14 +1000, Alexey Kardashevskiy wrote: VFIO is designed to be used via ioctls on file descriptors returned by VFIO. However in some situations support for an external user is required. The first user is KVM on PPC64 (SPAPR TCE protocol) which is going to use the existing VFIO groups for exclusive access in real/virtual mode in the host kernel to avoid passing map/unmap requests to the user space which would made things pretty slow. The proposed protocol includes: 1. do normal VFIO init stuff such as opening a new container, attaching group(s) to it, setting an IOMMU driver for a container. When IOMMU is set for a container, all groups in it are considered ready to use by an external user. 2. pass a fd of the group we want to accelerate to KVM. KVM calls vfio_group_iommu_id_from_file() to verify if the group is initialized and IOMMU is set for it. The current TCE IOMMU driver marks the whole IOMMU table as busy when IOMMU is set for a container what this prevents other DMA users from allocating from it so it is safe to pass the group to the user space. 3. KVM increases the container users counter via vfio_group_add_external_user(). This prevents the VFIO group from being disposed prior to exiting KVM. 4. When KVM is finished and doing cleanup, it releases the group file and decrements the container users counter. Everything gets released. 5. KVM also keeps the group file as otherwise its fd might have been closed at the moment of KVM finish so vfio_group_del_external_user() call will not be possible. This is the wrong order in my mind. An external user has no business checking or maintaining any state of a group until it calls add_external_user(). Only after that call is successful can the user assume the filep to group relationship is static and get the iommu_id. Any use of the external user API should start with add and end with del. Yes, this is what I actually do, just wrong commit message, will fix. The vfio: Limit group opens patch is also required for the consistency. Signed-off-by: Alexey Kardashevskiy a...@ozlabs.ru --- v1-v2: added definitions to vfio.h :) Should not compile but compiled. Hm. --- drivers/vfio/vfio.c | 54 ++ include/linux/vfio.h |7 +++ 2 files changed, 61 insertions(+) diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c index c488da5..40875d2 100644 --- a/drivers/vfio/vfio.c +++ b/drivers/vfio/vfio.c @@ -1370,6 +1370,60 @@ static const struct file_operations vfio_device_fops = { }; /** + * External user API, exported by symbols to be linked dynamically. + */ + +/* Allows an external user (for example, KVM) to lock an IOMMU group */ +int vfio_group_add_external_user(struct file *filep) +{ + struct vfio_group *group = filep-private_data; + + if (filep-f_op != vfio_group_fops) + return -EINVAL; + + if (!atomic_inc_not_zero(group-container_users)) + return -EINVAL; This is the place where I was suggesting we need tests to match get_device_fd. It's not clear what the external user is holding if the group has no iommu or is not viable here. In my mind this test must include test for iommu id so I would merge it with vfio_group_iommu_id_from_file(). I'm not sure what that means. Sorry. Still a mess in my head :( I'll to explain. vfio_group_add_external_user() should tell if the group is viable and has iommu (does not the latter include check for viable?). vfio_group_iommu_id_from_file() tells the group id which has to be compared by KVM with what KVM got from the userspace and KVM should reject if the group id is wrong. So there are 3 checks. KVM can continue if all three passed. Till I check iommu id, I still cannot use this group so where to put check for iommu/viable does not really matter (for me). The difference is that getting the group id may just be the first of several external user API interfaces. The idea of external user interface is that from add-del the group is maintained in the same state as if a device was opened. Good point. If we disassemble that so that add sets up some stuff and getting the group id does a little more, what happens if we start adding more external user API callbacks? A user of the interface shouldn't need to know the internals to know which interface allows what aspect of use. Besides, I don't want to have to worry about managing another state slightly different from that used by the device fd. if (!group-container-iommu_driver || !vfio_group_viable(group)) { vfio_group_try_dissolve_container(group); return -EINVAL; } + + return 0; +} +EXPORT_SYMBOL_GPL(vfio_group_add_external_user); + +/* Allows an external user (for example, KVM) to
Re: [PATCH v2] vfio: add external user support
On Fri, 2013-06-28 at 11:38 +1000, Alexey Kardashevskiy wrote: On 06/28/2013 10:41 AM, Alex Williamson wrote: On Fri, 2013-06-28 at 08:57 +1000, Alexey Kardashevskiy wrote: On 06/28/2013 01:44 AM, Alex Williamson wrote: On Thu, 2013-06-27 at 17:14 +1000, Alexey Kardashevskiy wrote: VFIO is designed to be used via ioctls on file descriptors returned by VFIO. However in some situations support for an external user is required. The first user is KVM on PPC64 (SPAPR TCE protocol) which is going to use the existing VFIO groups for exclusive access in real/virtual mode in the host kernel to avoid passing map/unmap requests to the user space which would made things pretty slow. The proposed protocol includes: 1. do normal VFIO init stuff such as opening a new container, attaching group(s) to it, setting an IOMMU driver for a container. When IOMMU is set for a container, all groups in it are considered ready to use by an external user. 2. pass a fd of the group we want to accelerate to KVM. KVM calls vfio_group_iommu_id_from_file() to verify if the group is initialized and IOMMU is set for it. The current TCE IOMMU driver marks the whole IOMMU table as busy when IOMMU is set for a container what this prevents other DMA users from allocating from it so it is safe to pass the group to the user space. 3. KVM increases the container users counter via vfio_group_add_external_user(). This prevents the VFIO group from being disposed prior to exiting KVM. 4. When KVM is finished and doing cleanup, it releases the group file and decrements the container users counter. Everything gets released. 5. KVM also keeps the group file as otherwise its fd might have been closed at the moment of KVM finish so vfio_group_del_external_user() call will not be possible. This is the wrong order in my mind. An external user has no business checking or maintaining any state of a group until it calls add_external_user(). Only after that call is successful can the user assume the filep to group relationship is static and get the iommu_id. Any use of the external user API should start with add and end with del. Yes, this is what I actually do, just wrong commit message, will fix. The vfio: Limit group opens patch is also required for the consistency. Signed-off-by: Alexey Kardashevskiy a...@ozlabs.ru --- v1-v2: added definitions to vfio.h :) Should not compile but compiled. Hm. --- drivers/vfio/vfio.c | 54 ++ include/linux/vfio.h |7 +++ 2 files changed, 61 insertions(+) diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c index c488da5..40875d2 100644 --- a/drivers/vfio/vfio.c +++ b/drivers/vfio/vfio.c @@ -1370,6 +1370,60 @@ static const struct file_operations vfio_device_fops = { }; /** + * External user API, exported by symbols to be linked dynamically. + */ + +/* Allows an external user (for example, KVM) to lock an IOMMU group */ +int vfio_group_add_external_user(struct file *filep) +{ +struct vfio_group *group = filep-private_data; + +if (filep-f_op != vfio_group_fops) +return -EINVAL; + +if (!atomic_inc_not_zero(group-container_users)) +return -EINVAL; This is the place where I was suggesting we need tests to match get_device_fd. It's not clear what the external user is holding if the group has no iommu or is not viable here. In my mind this test must include test for iommu id so I would merge it with vfio_group_iommu_id_from_file(). I'm not sure what that means. Sorry. Still a mess in my head :( I'll to explain. vfio_group_add_external_user() should tell if the group is viable and has iommu Agreed (does not the latter include check for viable?). Mostly paranoia vfio_group_iommu_id_from_file() tells the group id which has to be compared by KVM with what KVM got from the userspace and KVM should reject if the group id is wrong. So there are 3 checks. KVM can continue if all three passed. That's KVM's business, but what does it prove for userspace to give KVM both a vfio group file descriptor and a group id? It seems redundant since the group id from vfio needs to take precedence. More paranoia? Till I check iommu id, I still cannot use this group so where to put check for iommu/viable does not really matter (for me). The difference is that getting the group id may just be the first of several external user API interfaces. The idea of external user interface is that from add-del the group is maintained in the same state as if a device was opened. Good point. If we disassemble that so that add sets up some stuff and getting the group id does a little more, what happens if we start adding more external user API callbacks? A user of the interface shouldn't need to know the
Re: [PATCH v2] vfio: add external user support
On 06/28/2013 12:37 PM, Alex Williamson wrote: On Fri, 2013-06-28 at 11:38 +1000, Alexey Kardashevskiy wrote: On 06/28/2013 10:41 AM, Alex Williamson wrote: On Fri, 2013-06-28 at 08:57 +1000, Alexey Kardashevskiy wrote: On 06/28/2013 01:44 AM, Alex Williamson wrote: On Thu, 2013-06-27 at 17:14 +1000, Alexey Kardashevskiy wrote: VFIO is designed to be used via ioctls on file descriptors returned by VFIO. However in some situations support for an external user is required. The first user is KVM on PPC64 (SPAPR TCE protocol) which is going to use the existing VFIO groups for exclusive access in real/virtual mode in the host kernel to avoid passing map/unmap requests to the user space which would made things pretty slow. The proposed protocol includes: 1. do normal VFIO init stuff such as opening a new container, attaching group(s) to it, setting an IOMMU driver for a container. When IOMMU is set for a container, all groups in it are considered ready to use by an external user. 2. pass a fd of the group we want to accelerate to KVM. KVM calls vfio_group_iommu_id_from_file() to verify if the group is initialized and IOMMU is set for it. The current TCE IOMMU driver marks the whole IOMMU table as busy when IOMMU is set for a container what this prevents other DMA users from allocating from it so it is safe to pass the group to the user space. 3. KVM increases the container users counter via vfio_group_add_external_user(). This prevents the VFIO group from being disposed prior to exiting KVM. 4. When KVM is finished and doing cleanup, it releases the group file and decrements the container users counter. Everything gets released. 5. KVM also keeps the group file as otherwise its fd might have been closed at the moment of KVM finish so vfio_group_del_external_user() call will not be possible. This is the wrong order in my mind. An external user has no business checking or maintaining any state of a group until it calls add_external_user(). Only after that call is successful can the user assume the filep to group relationship is static and get the iommu_id. Any use of the external user API should start with add and end with del. Yes, this is what I actually do, just wrong commit message, will fix. The vfio: Limit group opens patch is also required for the consistency. Signed-off-by: Alexey Kardashevskiy a...@ozlabs.ru --- v1-v2: added definitions to vfio.h :) Should not compile but compiled. Hm. --- drivers/vfio/vfio.c | 54 ++ include/linux/vfio.h |7 +++ 2 files changed, 61 insertions(+) diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c index c488da5..40875d2 100644 --- a/drivers/vfio/vfio.c +++ b/drivers/vfio/vfio.c @@ -1370,6 +1370,60 @@ static const struct file_operations vfio_device_fops = { }; /** + * External user API, exported by symbols to be linked dynamically. + */ + +/* Allows an external user (for example, KVM) to lock an IOMMU group */ +int vfio_group_add_external_user(struct file *filep) +{ +struct vfio_group *group = filep-private_data; + +if (filep-f_op != vfio_group_fops) +return -EINVAL; + +if (!atomic_inc_not_zero(group-container_users)) +return -EINVAL; This is the place where I was suggesting we need tests to match get_device_fd. It's not clear what the external user is holding if the group has no iommu or is not viable here. In my mind this test must include test for iommu id so I would merge it with vfio_group_iommu_id_from_file(). I'm not sure what that means. Sorry. Still a mess in my head :( I'll to explain. vfio_group_add_external_user() should tell if the group is viable and has iommu Agreed (does not the latter include check for viable?). Mostly paranoia vfio_group_iommu_id_from_file() tells the group id which has to be compared by KVM with what KVM got from the userspace and KVM should reject if the group id is wrong. So there are 3 checks. KVM can continue if all three passed. That's KVM's business, but what does it prove for userspace to give KVM both a vfio group file descriptor and a group id? It seems redundant since the group id from vfio needs to take precedence. More paranoia? Yep, that's her :) Without this check, the user space is allowed to mix up PHB ID (liobn) and IOMMU group. It has the right to do so and it should not break anything but nice to check, no? Till I check iommu id, I still cannot use this group so where to put check for iommu/viable does not really matter (for me). The difference is that getting the group id may just be the first of several external user API interfaces. The idea of external user interface is that from add-del the group is maintained in the same state as if a device was opened. Good point. If we disassemble that so that add sets up some stuff and getting the group id does a