Re: [PATCH v4 18/24] iommu/arm-smmu-v3: Introduce master->ats_broken flag

[Jason Gunthorpe <jgg@nvidia.com>]

On Mon, Jun 01, 2026 at 10:44:36PM -0700, Nicolin Chen wrote:
> On Mon, Jun 01, 2026 at 09:15:47PM -0300, Jason Gunthorpe wrote:
> > On Mon, Jun 01, 2026 at 01:41:26PM -0700, Nicolin Chen wrote:
> > > On Mon, Jun 01, 2026 at 09:32:31AM -0300, Jason Gunthorpe wrote:
> > > > On Fri, May 29, 2026 at 06:27:40PM -0700, Nicolin Chen wrote:
> > > > > On Tue, May 19, 2026 at 09:06:58AM -0300, Jason Gunthorpe wrote:
> > > > > > On Mon, May 18, 2026 at 08:39:01PM -0700, Nicolin Chen wrote:
> > > > > So I've tried INV_TYPE_ATS_BROKEN: during per-domain invalidation,
> > > > > each batch is built from domain->invs so it can carry the "invs";
> > > > > if the batch times out, we can immediately mutate its ATS entries.
> > > > > 
> > > > > But I realized a limitation. E.g., if a device attaches to two SVA
> > > > > domains on two SSIDs. An invalidation timing out on one of the SVA
> > > > > domains could mark INV_TYPE_ATS_BROKEN in its own invs, but not in
> > > > > the other SVA domain's invs?
> > > > 
> > > > You'd have to mark all the S1's sharing the STE.
> > > 
> > > That would be a bit convoluted as we would have to go through all
> > > other domains' invs arrays.
> > 
> > Ok, that is certainly an annoying problem.
> > 
> > I don't have a better idea than storing the master unfortunately
> > 
> > But I think the locking for that is going to be tricky, I'm not sure it does
> > actually fully work..
> 
> Yes, there can be a race that sets STE.EATS back while per-master
> flag is set, which would skip the ATC_INV in commit(), so no more
> ATC_INV timeout that resets STE.EATS=0. To close it, we can force 
> STE.EATS=0 at the end of commit() when state->ats_enabled and the
> per-master flag are both set, which is only possible in a race.

I don't see any of these options as appealing. We have to maintain a
few key invariants, and I think it cannot be done without a way to
find all the domains that are using the STE.

One way or another you have to be using the invs list rw locks to
synchronize the EATS state changes.

It is okayish to be sloppy when turning EATS off, but when turning it
back on we do need to cycle through every invs list and toggle its
lock to ensure that the invalidations are synchronized before
EATS=enable happens.

Given you must have a way to go from STE -> master -> all invs lists
I'm not sure either option really makes such a large difference.

If so then adjusting the invs to disable the ATS is pretty simple, run
over the xarray and set them all off. Yes you could find the master
through a SID lookup with some locking adjustment.
> 
> (1) Per-invs marker: INV_TYPE_ATS_BROKEN + master_domains
>     disable_ats() in the timeout path walks master->master_domains
>     and flips matching ATS invs entries to the BROKEN type.
> 
>   + invs walker is free (one case label in the existing type switch).
>   + No lock or pointer deref in the invs walker.
>   + No master pointer stored in invs; no lifetime concern.
> 
>   - disable_ats() walks every (master, domain) and marks each invs
>     set; the list needs locking usable from atomic.

This doesn't seem so bad

> (2) Per-master flag + streams_lock
>     invs walker resolves SID -> master via streams_lock and reads
>     master->ats_broken.
> 
>   + Single source of truth on the master.
>   + disable_ats() is one WRITE_ONCE.
>   + atc_inv_master early-skips via one READ_ONCE.
>   + attach gates ats_enabled on the flag; a concurrent quarantine
>     race can be closed by a short post-attach re-check in commit()
>   + No master pointer in invs; no lifetime concern.
> 
>   - invs walker pays streams_lock + rb_find(SID) per ATS entry on
>     every invalidation. Measurable on ATS-heavy workloads.

Doesn't consider how to enable

> (3) Per-master flag + inv->master pointer (v4)
>     invs entry carries a master pointer; the invs walker reads
>     cur->master->ats_broken directly.
> 
>   + invs walker is one READ_ONCE through a cached pointer.
>   + disable_ats is one WRITE_ONCE.
>   + atc_inv_master early-skip via one READ_ONCE.
>   + attach gate + post-attach re-check, same as (2).
> 
>   - invs holds a master ptr, so release_device must synchronize_rcu()
>     before freeing the master to drain walkers under rcu_read_lock().
>     We dropped this from v4 for that reason.

synchronize_rcu is not right because you have to have gone through the
rwlock so there can be no readers.

Jason