From nobody Mon Feb 9 23:01:10 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1529378682816761.5185630968547; Mon, 18 Jun 2018 20:24:42 -0700 (PDT) Received: from localhost ([::1]:39008 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fV7G4-0004io-B4 for importer@patchew.org; Mon, 18 Jun 2018 23:24:40 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:47403) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fV5k3-0003Tx-CA for qemu-devel@nongnu.org; Mon, 18 Jun 2018 21:47:32 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fV5k1-00014c-QQ for qemu-devel@nongnu.org; Mon, 18 Jun 2018 21:47:31 -0400 Received: from mail-ot0-x241.google.com ([2607:f8b0:4003:c0f::241]:34696) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1fV5k1-000147-Jg; Mon, 18 Jun 2018 21:47:29 -0400 Received: by mail-ot0-x241.google.com with SMTP id r18-v6so20785737otk.1; Mon, 18 Jun 2018 18:47:29 -0700 (PDT) Received: from localhost (76-251-165-188.lightspeed.austtx.sbcglobal.net. [76.251.165.188]) by smtp.gmail.com with ESMTPSA id q23-v6sm10139788otd.25.2018.06.18.18.47.26 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 18 Jun 2018 18:47:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id:in-reply-to:references; bh=wb/TkEmmfEqx+fAb7J2Y8VjV15vjvUEUWE0q9bNizKA=; b=AyDHItWdGDagHlPKlG1VVhm0f3m9MxkFYHZMbdlnF8JEd8/idXfVHxQH2h2ZhM0YhF Cz2pLKgaELrA/4e2Iqmj/W3W8GHp5Ujfujj8jQn2TRUyqj6A5ZWWhOFa5poZ+NPzAIGj f9BFOCSED53iGrQ/Zr5h0jUm7knFMrxs8B4KNiUcrl1qk/WHupc++itWnGNR3a1bVfO/ cUdf7tfUnXIyMaB/jeuh3AO14ovZv9AV9pC6qFZjbLOVW5mV1ANUuMXugXLLEBfAWeEs Ru9kGtAotkOWPAPEYXVj9VerXUhWzqbLtZQCPD0w8HKxdcRd3WSdBAlBv7pT6lQFQXDV S+Ww== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :in-reply-to:references; bh=wb/TkEmmfEqx+fAb7J2Y8VjV15vjvUEUWE0q9bNizKA=; b=KbhT3Jrh+wuYsRr0vGmaLxm645+ejtNc4j4ogXUKj9IFU766o/qrL6QBE/Ca1WTlLJ 7Ewy1lF1wFeww9SrgDn7SbKqeitA59z6HXU2dxb3NtygHoo8dAXIxvaqs42tZYLSoGk2 z/G+lGfaSq03A7TlFSzx4zaIP5396EcbNxWaKkDHnhGQ8u4y52oyOxz4mnyfg4yOqhxG rwtMfH7eq1Y7Yz5InFrXL5Hqphhy74ReomBvPQV+YraRwHAewShnVwf90cI3DZ2WyjyA OHHVJ25OmjuoeJyxAng6QOI5SpA7DOYkjuLpjyt+cRmP+/P1AsGNy5TvYUFhfj1qMvlT H6rA== X-Gm-Message-State: APt69E1cdek+hri27TBCJhhnosFrRrTAc0eDDW+mAbas1rCvDOhBnj1z NsD9Lw8RZQ3tjK6kAbmDhmetfREaZeY= X-Google-Smtp-Source: ADUXVKJnUpoK6ttPii8IiO/kr8T0jx2tRO5xXl+L6KQWcwyNGKw8i5gzIp+jWd9Ww643p+Z3RC2PjA== X-Received: by 2002:a9d:1f23:: with SMTP id x32-v6mr8757556otd.201.1529372848422; Mon, 18 Jun 2018 18:47:28 -0700 (PDT) From: Michael Roth To: qemu-devel@nongnu.org Date: Mon, 18 Jun 2018 20:42:56 -0500 Message-Id: <20180619014319.28272-91-mdroth@linux.vnet.ibm.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20180619014319.28272-1-mdroth@linux.vnet.ibm.com> References: <20180619014319.28272-1-mdroth@linux.vnet.ibm.com> X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2607:f8b0:4003:c0f::241 Subject: [Qemu-devel] [PATCH 090/113] intel-iommu: add iommu lock X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: qemu-stable@nongnu.org, Peter Xu , "Michael S . Tsirkin" Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZohoMail: RDKM_2 RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Peter Xu SECURITY IMPLICATION: this patch fixes a potential race when multiple threads access the IOMMU IOTLB cache. Add a per-iommu big lock to protect IOMMU status. Currently the only thing to be protected is the IOTLB/context cache, since that can be accessed even without BQL, e.g., in IO dataplane. Note that we don't need to protect device page tables since that's fully controlled by the guest kernel. However there is still possibility that malicious drivers will program the device to not obey the rule. In that case QEMU can't really do anything useful, instead the guest itself will be responsible for all uncertainties. CC: QEMU Stable Reported-by: Fam Zheng Signed-off-by: Peter Xu Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin (cherry picked from commit 1d9efa73e12ddf361ea997c2d532cc4afa6674d1) Signed-off-by: Michael Roth --- hw/i386/intel_iommu.c | 56 ++++++++++++++++++++++++++++++++++++---= ---- include/hw/i386/intel_iommu.h | 6 +++++ 2 files changed, 53 insertions(+), 9 deletions(-) diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c index be2f445758..cfcd1046e7 100644 --- a/hw/i386/intel_iommu.c +++ b/hw/i386/intel_iommu.c @@ -128,6 +128,16 @@ static uint64_t vtd_set_clear_mask_quad(IntelIOMMUStat= e *s, hwaddr addr, return new_val; } =20 +static inline void vtd_iommu_lock(IntelIOMMUState *s) +{ + qemu_mutex_lock(&s->iommu_lock); +} + +static inline void vtd_iommu_unlock(IntelIOMMUState *s) +{ + qemu_mutex_unlock(&s->iommu_lock); +} + /* GHashTable functions */ static gboolean vtd_uint64_equal(gconstpointer v1, gconstpointer v2) { @@ -172,9 +182,9 @@ static gboolean vtd_hash_remove_by_page(gpointer key, g= pointer value, } =20 /* Reset all the gen of VTDAddressSpace to zero and set the gen of - * IntelIOMMUState to 1. + * IntelIOMMUState to 1. Must be called with IOMMU lock held. */ -static void vtd_reset_context_cache(IntelIOMMUState *s) +static void vtd_reset_context_cache_locked(IntelIOMMUState *s) { VTDAddressSpace *vtd_as; VTDBus *vtd_bus; @@ -197,12 +207,20 @@ static void vtd_reset_context_cache(IntelIOMMUState *= s) s->context_cache_gen =3D 1; } =20 -static void vtd_reset_iotlb(IntelIOMMUState *s) +/* Must be called with IOMMU lock held. */ +static void vtd_reset_iotlb_locked(IntelIOMMUState *s) { assert(s->iotlb); g_hash_table_remove_all(s->iotlb); } =20 +static void vtd_reset_iotlb(IntelIOMMUState *s) +{ + vtd_iommu_lock(s); + vtd_reset_iotlb_locked(s); + vtd_iommu_unlock(s); +} + static uint64_t vtd_get_iotlb_key(uint64_t gfn, uint16_t source_id, uint32_t level) { @@ -215,6 +233,7 @@ static uint64_t vtd_get_iotlb_gfn(hwaddr addr, uint32_t= level) return (addr & vtd_slpt_level_page_mask(level)) >> VTD_PAGE_SHIFT_4K; } =20 +/* Must be called with IOMMU lock held */ static VTDIOTLBEntry *vtd_lookup_iotlb(IntelIOMMUState *s, uint16_t source= _id, hwaddr addr) { @@ -235,6 +254,7 @@ out: return entry; } =20 +/* Must be with IOMMU lock held */ static void vtd_update_iotlb(IntelIOMMUState *s, uint16_t source_id, uint16_t domain_id, hwaddr addr, uint64_t slp= te, uint8_t access_flags, uint32_t level) @@ -246,7 +266,7 @@ static void vtd_update_iotlb(IntelIOMMUState *s, uint16= _t source_id, trace_vtd_iotlb_page_update(source_id, addr, slpte, domain_id); if (g_hash_table_size(s->iotlb) >=3D VTD_IOTLB_MAX_SIZE) { trace_vtd_iotlb_reset("iotlb exceeds size limit"); - vtd_reset_iotlb(s); + vtd_reset_iotlb_locked(s); } =20 entry->gfn =3D gfn; @@ -1106,7 +1126,7 @@ static bool vtd_do_iommu_translate(VTDAddressSpace *v= td_as, PCIBus *bus, IntelIOMMUState *s =3D vtd_as->iommu_state; VTDContextEntry ce; uint8_t bus_num =3D pci_bus_num(bus); - VTDContextCacheEntry *cc_entry =3D &vtd_as->context_cache_entry; + VTDContextCacheEntry *cc_entry; uint64_t slpte, page_mask; uint32_t level; uint16_t source_id =3D vtd_make_source_id(bus_num, devfn); @@ -1123,6 +1143,10 @@ static bool vtd_do_iommu_translate(VTDAddressSpace *= vtd_as, PCIBus *bus, */ assert(!vtd_is_interrupt_addr(addr)); =20 + vtd_iommu_lock(s); + + cc_entry =3D &vtd_as->context_cache_entry; + /* Try to fetch slpte form IOTLB */ iotlb_entry =3D vtd_lookup_iotlb(s, source_id, addr); if (iotlb_entry) { @@ -1182,7 +1206,7 @@ static bool vtd_do_iommu_translate(VTDAddressSpace *v= td_as, PCIBus *bus, * IOMMU region can be swapped back. */ vtd_pt_enable_fast_path(s, source_id); - + vtd_iommu_unlock(s); return true; } =20 @@ -1203,6 +1227,7 @@ static bool vtd_do_iommu_translate(VTDAddressSpace *v= td_as, PCIBus *bus, vtd_update_iotlb(s, source_id, VTD_CONTEXT_ENTRY_DID(ce.hi), addr, slp= te, access_flags, level); out: + vtd_iommu_unlock(s); entry->iova =3D addr & page_mask; entry->translated_addr =3D vtd_get_slpte_addr(slpte, s->aw_bits) & pag= e_mask; entry->addr_mask =3D ~page_mask; @@ -1210,6 +1235,7 @@ out: return true; =20 error: + vtd_iommu_unlock(s); entry->iova =3D 0; entry->translated_addr =3D 0; entry->addr_mask =3D 0; @@ -1258,10 +1284,13 @@ static void vtd_iommu_replay_all(IntelIOMMUState *s) static void vtd_context_global_invalidate(IntelIOMMUState *s) { trace_vtd_inv_desc_cc_global(); + /* Protects context cache */ + vtd_iommu_lock(s); s->context_cache_gen++; if (s->context_cache_gen =3D=3D VTD_CONTEXT_CACHE_GEN_MAX) { - vtd_reset_context_cache(s); + vtd_reset_context_cache_locked(s); } + vtd_iommu_unlock(s); vtd_switch_address_space_all(s); /* * From VT-d spec 6.5.2.1, a global context entry invalidation @@ -1313,7 +1342,9 @@ static void vtd_context_device_invalidate(IntelIOMMUS= tate *s, if (vtd_as && ((devfn_it & mask) =3D=3D (devfn & mask))) { trace_vtd_inv_desc_cc_device(bus_n, VTD_PCI_SLOT(devfn_it), VTD_PCI_FUNC(devfn_it)); + vtd_iommu_lock(s); vtd_as->context_cache_entry.context_cache_gen =3D 0; + vtd_iommu_unlock(s); /* * Do switch address space when needed, in case if the * device passthrough bit is switched. @@ -1377,8 +1408,10 @@ static void vtd_iotlb_domain_invalidate(IntelIOMMUSt= ate *s, uint16_t domain_id) =20 trace_vtd_inv_desc_iotlb_domain(domain_id); =20 + vtd_iommu_lock(s); g_hash_table_foreach_remove(s->iotlb, vtd_hash_remove_by_domain, &domain_id); + vtd_iommu_unlock(s); =20 QLIST_FOREACH(vtd_as, &s->vtd_as_with_notifiers, next) { if (!vtd_dev_to_context_entry(s, pci_bus_num(vtd_as->bus), @@ -1426,7 +1459,9 @@ static void vtd_iotlb_page_invalidate(IntelIOMMUState= *s, uint16_t domain_id, info.domain_id =3D domain_id; info.addr =3D addr; info.mask =3D ~((1 << am) - 1); + vtd_iommu_lock(s); g_hash_table_foreach_remove(s->iotlb, vtd_hash_remove_by_page, &info); + vtd_iommu_unlock(s); vtd_iotlb_page_invalidate_notify(s, domain_id, addr, am); } =20 @@ -2922,8 +2957,10 @@ static void vtd_init(IntelIOMMUState *s) s->cap |=3D VTD_CAP_CM; } =20 - vtd_reset_context_cache(s); - vtd_reset_iotlb(s); + vtd_iommu_lock(s); + vtd_reset_context_cache_locked(s); + vtd_reset_iotlb_locked(s); + vtd_iommu_unlock(s); =20 /* Define registers with default values and bit semantics */ vtd_define_long(s, DMAR_VER_REG, 0x10UL, 0, 0); @@ -3072,6 +3109,7 @@ static void vtd_realize(DeviceState *dev, Error **err= p) } =20 QLIST_INIT(&s->vtd_as_with_notifiers); + qemu_mutex_init(&s->iommu_lock); memset(s->vtd_as_by_bus_num, 0, sizeof(s->vtd_as_by_bus_num)); memory_region_init_io(&s->csrmem, OBJECT(s), &vtd_mem_ops, s, "intel_iommu", DMAR_REG_SIZE); diff --git a/include/hw/i386/intel_iommu.h b/include/hw/i386/intel_iommu.h index 032e33bcb2..016e74bedb 100644 --- a/include/hw/i386/intel_iommu.h +++ b/include/hw/i386/intel_iommu.h @@ -300,6 +300,12 @@ struct IntelIOMMUState { OnOffAuto intr_eim; /* Toggle for EIM cabability */ bool buggy_eim; /* Force buggy EIM unless eim=3Doff */ uint8_t aw_bits; /* Host/IOVA address width (in bits) */ + + /* + * Protects IOMMU states in general. Currently it protects the + * per-IOMMU IOTLB cache, and context entry cache in VTDAddressSpace. + */ + QemuMutex iommu_lock; }; =20 /* Find the VTD Address space associated with the given bus pointer, --=20 2.11.0