| blob | 4674e618797c155581e0254347edcb9a9c92a416 |
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Handle device page faults
4 *
5 * Copyright (C) 2020 ARM Ltd.
6 */
8 #include <linux/iommu.h>
9 #include <linux/list.h>
10 #include <linux/sched/mm.h>
11 #include <linux/slab.h>
12 #include <linux/workqueue.h>
16 /*
17 * Return the fault parameter of a device if it exists. Otherwise, return NULL.
18 * On a successful return, the caller takes a reference of this parameter and
19 * should put it after use by calling iopf_put_dev_fault_param().
20 */
22 {
33 }
35 /* Caller must hold a reference of the fault parameter. */
37 {
40 }
43 {
49 }
51 /* Pair with iommu_report_device_fault(). */
53 }
56 {
59 }
62 /* Non-last request of a group. Postpone until the last one. */
65 {
79 }
84 {
90 /*
91 * We always need to construct the group as we need it to abort
92 * the request at the driver if it can't be handled.
93 */
95 }
103 /* See if we have partial faults for this group */
107 /* Insert *before* the last fault */
109 }
116 }
120 {
132 /*
133 * The iommu driver for this device supports user-
134 * managed PASID table. Therefore page faults for
135 * any PASID should go through the NESTING domain
136 * attached to the device RID.
137 */
140 IOMMU_DOMAIN_NESTED);
143 }
150 }
156 }
159 {
166 };
169 }
171 /**
172 * iommu_report_device_fault() - Report fault event to device driver
173 * @dev: the device
174 * @evt: fault event data
175 *
176 * Called by IOMMU drivers when a fault is detected, typically in a threaded IRQ
177 * handler. If this function fails then ops->page_response() was called to
178 * complete evt if required.
179 *
180 * This module doesn't handle PCI PASID Stop Marker; IOMMU drivers must discard
181 * them before reporting faults. A PASID Stop Marker (LRW = 0b100) doesn't
182 * expect a response. It may be generated when disabling a PASID (issuing a
183 * PASID stop request) by some PCI devices.
184 *
185 * The PASID stop request is issued by the device driver before unbind(). Once
186 * it completes, no page request is generated for this PASID anymore and
187 * outstanding ones have been pushed to the IOMMU (as per PCIe 4.0r1.0 - 6.20.1
188 * and 10.4.1.2 - Managing PASID TLP Prefix Usage). Some PCI devices will wait
189 * for all outstanding page requests to come back with a response before
190 * completing the PASID stop request. Others do not wait for page responses, and
191 * instead issue this Stop Marker that tells us when the PASID can be
192 * reallocated.
193 *
194 * It is safe to discard the Stop Marker because it is an optimization.
195 * a. Page requests, which are posted requests, have been flushed to the IOMMU
196 * when the stop request completes.
197 * b. The IOMMU driver flushes all fault queues on unbind() before freeing the
198 * PASID.
199 *
200 * So even though the Stop Marker might be issued by the device *after* the stop
201 * request completes, outstanding faults will have been dealt with by the time
202 * the PASID is freed.
203 *
204 * Any valid page fault will be eventually routed to an iommu domain and the
205 * page fault handler installed there will get called. The users of this
206 * handling framework should guarantee that the iommu domain could only be
207 * freed after the device has stopped generating page faults (or the iommu
208 * hardware has been set to block the page faults) and the pending page faults
209 * have been flushed. In case no page fault handler is attached or no iopf params
210 * are setup, then the ops->page_response() is called to complete the evt.
211 *
212 * Returns 0 on success, or an error in case of a bad/failed iopf setup.
213 */
215 {
226 /*
227 * Something has gone wrong if a fault capable domain is attached but no
228 * iopf_param is setup
229 */
239 /* A request that is not the last does not need to be ack'd */
242 }
244 /*
245 * This is the last page fault of a group. Allocate an iopf group and
246 * pass it to domain's page fault handler. The group holds a reference
247 * count of the fault parameter. It will be released after response or
248 * error path of this function. If an error is returned, the caller
249 * will send a response to the hardware. We need to clean up before
250 * leaving, otherwise partial faults will be stuck.
251 */
258 /*
259 * On success iopf_handler must call iopf_group_response() and
260 * iopf_free_group()
261 */
267 err_abort:
273 else
278 err_bad_iopf:
283 }
286 /**
287 * iopf_queue_flush_dev - Ensure that all queued faults have been processed
288 * @dev: the endpoint whose faults need to be flushed.
289 *
290 * The IOMMU driver calls this before releasing a PASID, to ensure that all
291 * pending faults for this PASID have been handled, and won't hit the address
292 * space of the next process that uses this PASID. The driver must make sure
293 * that no new fault is added to the queue. In particular it must flush its
294 * low-level queue before calling this function.
295 *
296 * Return: 0 on success and <0 on error.
297 */
299 {
302 /*
303 * It's a driver bug to be here after iopf_queue_remove_device().
304 * Therefore, it's safe to dereference the fault parameter without
305 * holding the lock.
306 */
314 }
317 /**
318 * iopf_group_response - Respond a group of page faults
319 * @group: the group of faults with the same group id
320 * @status: the response code
321 */
324 {
333 };
335 /* Only send response if there is a fault report pending */
340 }
342 }
345 /**
346 * iopf_queue_discard_partial - Remove all pending partial fault
347 * @queue: the queue whose partial faults need to be discarded
348 *
349 * When the hardware queue overflows, last page faults in a group may have been
350 * lost and the IOMMU driver calls this to discard all partial faults. The
351 * driver shouldn't be adding new faults to this queue concurrently.
352 *
353 * Return: 0 on success and <0 on error.
354 */
356 {
367 list) {
370 }
372 }
375 }
378 /**
379 * iopf_queue_add_device - Add producer to the fault queue
380 * @queue: IOPF queue
381 * @dev: device to add
382 *
383 * Return: 0 on success and <0 on error.
384 */
386 {
401 }
407 }
419 done_unlock:
424 }
427 /**
428 * iopf_queue_remove_device - Remove producer from fault queue
429 * @queue: IOPF queue
430 * @dev: device to remove
431 *
432 * Removing a device from an iopf_queue. It's recommended to follow these
433 * steps when removing a device:
434 *
435 * - Disable new PRI reception: Turn off PRI generation in the IOMMU hardware
436 * and flush any hardware page request queues. This should be done before
437 * calling into this helper.
438 * - Acknowledge all outstanding PRQs to the device: Respond to all outstanding
439 * page requests with IOMMU_PAGE_RESP_INVALID, indicating the device should
440 * not retry. This helper function handles this.
441 * - Disable PRI on the device: After calling this helper, the caller could
442 * then disable PRI on the device.
443 *
444 * Calling iopf_queue_remove_device() essentially disassociates the device.
445 * The fault_param might still exist, but iommu_page_response() will do
446 * nothing. The device fault parameter reference count has been properly
447 * passed from iommu_report_device_fault() to the fault handling work, and
448 * will eventually be released after iommu_page_response().
449 */
451 {
477 };
481 }
486 /* dec the ref owned by iopf_queue_add_device() */
489 unlock:
492 }
495 /**
496 * iopf_queue_alloc - Allocate and initialize a fault queue
497 * @name: a unique string identifying the queue (for workqueue)
498 *
499 * Return: the queue on success and NULL on error.
500 */
502 {
509 /*
510 * The WQ is unordered because the low-level handler enqueues faults by
511 * group. PRI requests within a group have to be ordered, but once
512 * that's dealt with, the high-level function can handle groups out of
513 * order.
514 */
519 }
525 }
528 /**
529 * iopf_queue_free - Free IOPF queue
530 * @queue: queue to free
531 *
532 * Counterpart to iopf_queue_alloc(). The driver must not be queuing faults or
533 * adding/removing devices on this queue anymore.
534 */
536 {
547 }