From: Jason Gunthorpe <jgg@nvidia.com>
To: Nicolin Chen <nicolinc@nvidia.com>
Cc: Will Deacon <will@kernel.org>,
robin.murphy@arm.com, joro@8bytes.org,
linux-arm-kernel@lists.infradead.org, iommu@lists.linux.dev,
linux-kernel@vger.kernel.org, skolothumtho@nvidia.com,
praan@google.com, xueshuai@linux.alibaba.com,
smostafa@google.com
Subject: Re: [PATCH rc v5 1/4] iommu/arm-smmu-v3: Add update_safe bits to fix STE update sequence
Date: Tue, 13 Jan 2026 16:51:12 -0400 [thread overview]
Message-ID: <20260113205112.GJ812923@nvidia.com> (raw)
In-Reply-To: <aWarF90zBqxD0Gef@Asurada-Nvidia>
On Tue, Jan 13, 2026 at 12:29:11PM -0800, Nicolin Chen wrote:
> On Tue, Jan 13, 2026 at 12:12:53PM -0400, Jason Gunthorpe wrote:
> > On Tue, Jan 13, 2026 at 03:05:52PM +0000, Will Deacon wrote:
> > > I suppose we shouldn't ever see the case that they both have S2S, but
> > > that's fine.
> >
> > If they both have S2S then it works correctly? Any S2S forces EATS to
> > follow the normal rules.
> >
> > > The spec also suggests that there's an additional illegal STE case w/
> > > split-stage ATS (EATS_S1CHK) if Config != S1+S2.
> >
> > The driver doesn't support that either..
> >
> > It is fixed by checking if new EATS is valid under old config and old
> > EATS valid under new config.
> >
> > Also to support S1CHK someday we cannot allow the hypervisor to leave
> > S1_S2 and go to S2, since the HW can't deal with that...
>
> Perhaps the safe bits should only have EATS_TRANS, excluding S1CHK:
>
> --------------------------------------------------------------------------
> + * When an STE changes EATS_TRANS, the sequencing code in the attach
> + * logic already will have the PCI cap for ATS disabled. Thus at this
> + * moment we can expect that the device will not generate ATS queries
> + * and so we don't care about the sequencing of EATS. The purpose of
> + * EATS_TRANS is to protect the system from hostile untrusted devices
> + * that issue ATS when the PCI config space is disabled. However, if
> + * EATS_TRANS is being changed, then we must have already trusted the
> + * device as the EATS_TRANS security block is being disabled.
> + *
> + * Note: now the EATS_TRANS update is moved to the first entry_set().
> + * Changing S2S and EATS might transiently result in S2S=1 and EATS=1
> + * which is a bad STE (see "5.2 Stream Table Entry"). In such a case,
> + * we can't do a hitless update. Also, STRTAB_STE_1_EATS_S1CHK should
> + * not be added to the safe bits because it relies on CFG[2:0]=0b111,
> + * to prevent another bad STE.
> */
> - safe_bits[1] |= cpu_to_le64(STRTAB_STE_1_EATS);
> + if (!((cur[2] | target[2]) & cpu_to_le64(STRTAB_STE_2_S2S)))
> + safe_bits[1] |= cpu_to_le64(
> + FIELD_PREP(STRTAB_STE_1_EATS, STRTAB_STE_1_EATS_TRANS));
> --------------------------------------------------------------------------
>
> @will, does this look good to you? I can send a v7 with this.
That is an easy way to address Will's observation, makes sense to me.
Thanks,
Jason
next prev parent reply other threads:[~2026-01-13 20:51 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-18 21:41 [PATCH rc v5 0/4] iommu/arm-smmu-v3: Fix hitless STE update in nesting cases Nicolin Chen
2025-12-18 21:41 ` [PATCH rc v5 1/4] iommu/arm-smmu-v3: Add update_safe bits to fix STE update sequence Nicolin Chen
2026-01-02 18:26 ` Mostafa Saleh
2026-01-07 21:20 ` Will Deacon
2026-01-08 0:36 ` Jason Gunthorpe
2026-01-12 15:53 ` Will Deacon
2026-01-12 16:10 ` Jason Gunthorpe
2026-01-12 18:58 ` Nicolin Chen
2026-01-13 15:05 ` Will Deacon
2026-01-13 16:12 ` Jason Gunthorpe
2026-01-13 20:29 ` Nicolin Chen
2026-01-13 20:51 ` Jason Gunthorpe [this message]
2026-01-15 13:11 ` Jason Gunthorpe
2026-01-15 16:25 ` Nicolin Chen
2026-01-15 16:29 ` Jason Gunthorpe
2026-01-15 16:34 ` Nicolin Chen
2026-01-15 17:39 ` Will Deacon
2025-12-18 21:41 ` [PATCH rc v5 2/4] iommu/arm-smmu-v3: Mark STE MEV safe when computing the " Nicolin Chen
2026-01-02 18:27 ` Mostafa Saleh
2025-12-18 21:41 ` [PATCH rc v5 3/4] iommu/arm-smmu-v3: Mark STE EATS " Nicolin Chen
2025-12-18 21:41 ` [PATCH rc v5 4/4] iommu/arm-smmu-v3-test: Add nested s1bypass/s1dssbypass coverage Nicolin Chen
2026-01-02 18:27 ` Mostafa Saleh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260113205112.GJ812923@nvidia.com \
--to=jgg@nvidia.com \
--cc=iommu@lists.linux.dev \
--cc=joro@8bytes.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nicolinc@nvidia.com \
--cc=praan@google.com \
--cc=robin.murphy@arm.com \
--cc=skolothumtho@nvidia.com \
--cc=smostafa@google.com \
--cc=will@kernel.org \
--cc=xueshuai@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox