[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH v4 1/2] xen/arm: fix arm_iommu_map_page after f9f6b22abf1d

  • To: <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Stewart Hildebrand <stewart.hildebrand@xxxxxxx>
  • Date: Wed, 23 Jul 2025 14:13:27 -0400
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=lists.xenproject.org smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=i2P/GPA9yVyoll9LNMSxP19sd95UPOLj6PtIs+8xl1Y=; b=Hw1LoDMdce6opOlm/9JAVJk96m+tTKlbOOzMyHfVO5HbMIbGaNc5oEr6WYSzXJhukFNscvJL1EmLhJhXujSN7RINzx4q0B+1w/xxqsex889L96P060a+Tg+T8C4aBadEWc72tUiNHr0oWfDw+4x5fkUt465x1QZTFqTYKRlSPCrwJKY8v/OayXnkbKNL5wn4ogXt82ybf/dc4q5yf8dIi2m8iNkL6Wq6p1VkFJ/dpL3Lr+WYcm34a05DwAJ6OQwDpItxyAqbY583AdOPn3qgPZtVAgxNwklUeWisym+s+KCVHuU688TPnImHTBDfPd993qfIVIai8ZekCQp6yClBDQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=IfyagBXkeO6T+nNfiTHjupMAHpNR9oKM+CpIA+PiFPokrCnR2sqRuZxFzdy1c75WL2iPl0hc3y/zHPcqP+kVzInzMMoTUz/fxHcwjXAOysjKIR2j4XpZFzcSKQOGaRbMSWMvdpCcVGogBtbhg68Evx+lTgbp/sLdj2u7QVLwLEMBqFagKwZncsC8WrZa9o1RhizbNSYkP/FMdQzygg/ZzXTj2juxTzfyaeLtp5YFNhT5/VsWNfw6iyNFSdS/Bv5sP3Dlv5Cqv3TNuc5CGH69KlpGSMDoLzTyTH1y1LVfMQZvYFCCPfYJGwkiepgaQD5xYI/lJePvj58rXmxHPCbG5g==
  • Cc: Stefano Stabellini <stefano.stabellini@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, "Julien Grall" <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, "Bertrand Marquis" <bertrand.marquis@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Stewart Hildebrand <stewart.hildebrand@xxxxxxx>
  • Delivery-date: Wed, 23 Jul 2025 18:13:52 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
From: Stefano Stabellini <stefano.stabellini@xxxxxxx>

Up until f9f6b22abf1d "xen/arm: Map ITS doorbell register to IOMMU page
tables" the only caller of iommu_map on ARM was grant_table.c which has
a specific usage model and restrictions as described by the in-code
comment in arm_iommu_map_page.

f9f6b22abf1d introduced a second caller to iommu_map on ARM:
vgic_v3_its_init_virtual. This specific statement in the
f9f6b22abf1d commit message is partially wrong:

"Note that the 1:1 check in arm_iommu_map_page remains for now, as
virtual ITSes are currently only created for hwdom where the doorbell
mapping is always 1:1."

Leading to crashes any time the hardware domain is not direct-mapped
(e.g. cache coloring and non-Dom0 hardware domain):

(XEN) Xen BUG at drivers/passthrough/arm/iommu_helpers.c:47
[...]
(XEN) Xen call trace:
(XEN)    [<00000a000024c758>] arm_iommu_map_page+0x80/0x90 (PC)
(XEN)    [<00000a000024c750>] arm_iommu_map_page+0x78/0x90 (LR)
(XEN)    [<00000a0000250884>] iommu_map+0xcc/0x29c
(XEN)    [<00000a0000288024>] vgic_v3_its_init_domain+0x18c/0x1e8
(XEN)    [<00000a0000285228>] vgic-v3.c#vgic_v3_domain_init+0x168/0x21c
(XEN)    [<00000a0000281dcc>] domain_vgic_init+0x14c/0x210
(XEN)    [<00000a00002705a4>] arch_domain_create+0x150/0x1f0
(XEN)    [<00000a00002055e8>] domain_create+0x47c/0x6c0
(XEN)    [<00000a00002cf090>] create_domUs+0x7f8/0x8cc
(XEN)    [<00000a00002eb588>] start_xen+0x8f4/0x998
(XEN)    [<00000a000020018c>] head.o#primary_switched+0x4/0x10

Specifically, non-1:1 hardware domain exists with cache coloring
enabled. For that, is_domain_direct_mapped(d) is false but
domain_use_host_layout(d) is true.

Change the is_domain_direct_mapped(d) checks in arm_iommu_map_page and
arm_iommu_unmap_page into domain_use_host_layout(d) checks.

Move the in-code comment specific to the grant table to grant-table.c
and adjust to be architecture-neutral.

Fixes: f9f6b22abf1d ("xen/arm: Map ITS doorbell register to IOMMU page tables")
Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxx>
Signed-off-by: Stewart Hildebrand <stewart.hildebrand@xxxxxxx>
---
v3->v4:
* adjust comment to be architecture-neutral

v2->v3:
* split change into 2 patches
* 12-character commit IDs
* change both arm_iommu_map_page and arm_iommu_unmap_page
* s/IPA/GFN/ in comment
---
 xen/common/grant_table.c                    |  5 +++++
 xen/drivers/passthrough/arm/iommu_helpers.c | 16 ++--------------
 2 files changed, 7 insertions(+), 14 deletions(-)

diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index cf131c43a1f1..1b7f63a448a7 100644
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -1274,6 +1274,11 @@ map_grant_ref(
         }
 
         /*
+         * Grant mappings can be used for DMA requests. The dev_bus_addr
+         * returned by the hypercall is the MFN (not the GFN). For device
+         * protected by an IOMMU, Xen needs to add a 1:1 mapping in the domain
+         * p2m to allow DMA request to work.
+         *
          * We're not translated, so we know that dfns and mfns are
          * the same things, so the IOMMU entry is always 1-to-1.
          */
diff --git a/xen/drivers/passthrough/arm/iommu_helpers.c 
b/xen/drivers/passthrough/arm/iommu_helpers.c
index 5cb198748193..bdb271584b0d 100644
--- a/xen/drivers/passthrough/arm/iommu_helpers.c
+++ b/xen/drivers/passthrough/arm/iommu_helpers.c
@@ -36,15 +36,7 @@ int __must_check arm_iommu_map_page(struct domain *d, dfn_t 
dfn, mfn_t mfn,
 {
     p2m_type_t t;
 
-    /*
-     * Grant mappings can be used for DMA requests. The dev_bus_addr
-     * returned by the hypercall is the MFN (not the IPA). For device
-     * protected by an IOMMU, Xen needs to add a 1:1 mapping in the domain
-     * p2m to allow DMA request to work.
-     * This is only valid when the domain is directed mapped. Hence this
-     * function should only be used by gnttab code with gfn == mfn == dfn.
-     */
-    BUG_ON(!is_domain_direct_mapped(d));
+    BUG_ON(!domain_use_host_layout(d));
     BUG_ON(mfn_x(mfn) != dfn_x(dfn));
 
     /* We only support readable and writable flags */
@@ -66,11 +58,7 @@ int __must_check arm_iommu_unmap_page(struct domain *d, 
dfn_t dfn,
                                       unsigned int order,
                                       unsigned int *flush_flags)
 {
-    /*
-     * This function should only be used by gnttab code when the domain
-     * is direct mapped (i.e. gfn == mfn == dfn).
-     */
-    if ( !is_domain_direct_mapped(d) )
+    if ( !domain_use_host_layout(d) )
         return -EINVAL;
 
     return guest_physmap_remove_page(d, _gfn(dfn_x(dfn)), _mfn(dfn_x(dfn)),

base-commit: 5c798ac8854af3528a78ca5a622c9ea68399809b
-- 
2.50.1

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.