| [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
 Re: [Xen-devel] [PATCH v2 08/27] ARM: GICv3 ITS: introduce host LPI	array
 
 
Hi Andre,
On 16/03/17 11:20, Andre Przywara wrote:
 
The number of LPIs on a host can be potentially huge (millions),
although in practise will be mostly reasonable. So prematurely allocating
an array of struct irq_desc's for each LPI is not an option.
However Xen itself does not care about LPIs, as every LPI will be injected
into a guest (Dom0 for now).
Create a dense data structure (8 Bytes) for each LPI which holds just
enough information to determine the virtual IRQ number and the VCPU into
which the LPI needs to be injected.
Also to not artificially limit the number of LPIs, we create a 2-level
table for holding those structures.
This patch introduces functions to initialize these tables and to
create, lookup and destroy entries for a given LPI.
By using the naturally atomic access guarantee the native uint64_t data
type gives us, we allocate and access LPI information in a way that does
not require a lock.
Signed-off-by: Andre Przywara <andre.przywara@xxxxxxx>
---
 xen/arch/arm/gic-v3-its.c        |  90 ++++++++++++++++++-
 xen/arch/arm/gic-v3-lpi.c        | 188 +++++++++++++++++++++++++++++++++++++++
 xen/include/asm-arm/gic.h        |   5 ++
 xen/include/asm-arm/gic_v3_its.h |  11 +++
 4 files changed, 292 insertions(+), 2 deletions(-)
diff --git a/xen/arch/arm/gic-v3-its.c b/xen/arch/arm/gic-v3-its.c
index 60b15b5..ed14d95 100644
--- a/xen/arch/arm/gic-v3-its.c
+++ b/xen/arch/arm/gic-v3-its.c
@@ -148,6 +148,20 @@ static int its_send_cmd_sync(struct host_its *its, 
unsigned int cpu)
     return its_send_command(its, cmd);
 }
+static int its_send_cmd_mapti(struct host_its *its,
+                              uint32_t deviceid, uint32_t eventid,
+                              uint32_t pintid, uint16_t icid)
+{
+    uint64_t cmd[4];
+
+    cmd[0] = GITS_CMD_MAPTI | ((uint64_t)deviceid << 32);
+    cmd[1] = eventid | ((uint64_t)pintid << 32);
+    cmd[2] = icid;
+    cmd[3] = 0x00;
+
+    return its_send_command(its, cmd);
+}
+
 static int its_send_cmd_mapc(struct host_its *its, uint32_t collection_id,
                              unsigned int cpu)
 {
@@ -180,6 +194,19 @@ static int its_send_cmd_mapd(struct host_its *its, 
uint32_t deviceid,
     return its_send_command(its, cmd);
 }
+static int its_send_cmd_inv(struct host_its *its,
+                            uint32_t deviceid, uint32_t eventid)
+{
+    uint64_t cmd[4];
+
+    cmd[0] = GITS_CMD_INV | ((uint64_t)deviceid << 32);
+    cmd[1] = eventid;
+    cmd[2] = 0x00;
+    cmd[3] = 0x00;
+
+    return its_send_command(its, cmd);
+}
+
 /* Set up the (1:1) collection mapping for the given host CPU. */
 int gicv3_its_setup_collection(unsigned int cpu)
 {
@@ -462,7 +489,7 @@ int gicv3_its_init(void)
 static int remove_mapped_guest_device(struct its_devices *dev)
 {
-    int ret;
+    int ret, i;
     if ( dev->hw_its )
     {
@@ -471,11 +498,19 @@ static int remove_mapped_guest_device(struct its_devices 
*dev)
             return ret;
     }
+    /*
+     * The only error the function below would return is -ENOENT, in which
+     * case there is nothing to free here. So we just ignore it.
+     */
 
The function gicv3_free_host_lpi_block will only be used here. And to be 
fair, if you try to free something that does not exist then it is not 
really an error... 
So I would prefer to see the function to be void.
 
+    for ( i = 0; i < DIV_ROUND_UP(dev->eventids, LPI_BLOCK); i++ )
+        gicv3_free_host_lpi_block(dev->hw_its, dev->host_lpis[i]);
 
Again, without looking at the implementation of 
gicv3_free_host_lpi_block, I think the usage of the function is very 
confusing. When I read host_lpis, I expect to see one LPI per event. But 
instead it be the first LPI of a block. The lack of documentation of the 
field in its_devices does not help to understand what's going on. 
So please add some documentation and probably renaming some fields.
Lastly, you have not answered to my question: should not we discard the 
LPIs before removing the device? Or does MAPD take care for you?" 
 
+
     ret = gicv3_its_wait_commands(dev->hw_its);
     if ( ret )
         return ret;
 
I know I asked to wait the command, thank you for addressing it. But 
now, if the function fail you will end-up to leak memory. This is not 
better than failing to wait commands. 
 
     xfree(dev->itt_addr);
+    xfree(dev->host_lpis);
     xfree(dev);
     return 0;
@@ -513,6 +548,36 @@ static int compare_its_guest_devices(struct its_devices 
*dev,
 }
 /*
+ * On the host ITS @its, map @nr_events consecutive LPIs.
+ * The mapping connects a device @devid and event @eventid pair to LPI @lpi,
+ * increasing both @eventid and @lpi to cover the number of requested LPIs.
+ */
+int gicv3_its_map_host_events(struct host_its *its,
+                              uint32_t devid, uint32_t eventid, uint32_t lpi,
+                              uint32_t nr_events)
+{
+    uint32_t i;
+    int ret;
+
+    for ( i = 0; i < nr_events; i++ )
+    {
+        /* For now we map every host LPI to host CPU 0 */
+        ret = its_send_cmd_mapti(its, devid, eventid + i, lpi + i, 0);
+        if ( ret )
+            return ret;
+        ret = its_send_cmd_inv(its, devid, eventid + i);
 
So the spec allows up to 32KB event per device. As all the LPIs will be 
routed to CPU0 (e.g collection 0), it would be more efficient to do an 
INVALL. I would be happy to defer that to post Xen 4.9, but the rest 
needs to be fixed. 
Furthermore, what if the queue is full? AFAIU, you will return an error 
but it is not propagate. So Xen will think the device has been mapped 
even if it is not true. 
I think we need to have a plan here as this may likely happen if a 
device has many MSI and/or the queue is nearly full. 
 
+        if ( ret )
+            return ret;
+    }
+
+    ret = its_send_cmd_sync(its, 0);
+    if ( ret )
+        return ret;
+
+    return gicv3_its_wait_commands(its);
+}
+
+/*
  * Map a hardware device, identified by a certain host ITS and its device ID
  * to domain d, a guest ITS (identified by its doorbell address) and device ID.
  * Also provide the number of events (MSIs) needed for that device.
@@ -528,7 +593,7 @@ int gicv3_its_map_guest_device(struct domain *d,
     struct host_its *hw_its;
     struct its_devices *dev = NULL, *temp;
     struct rb_node **new = &d->arch.vgic.its_devices.rb_node, *parent = NULL;
-    int ret = -ENOENT;
+    int ret = -ENOENT, i;
 
Again, i should be unsigned.
 
     hw_its = gicv3_its_find_by_doorbell(host_doorbell);
     if ( !hw_its )
@@ -574,6 +639,11 @@ int gicv3_its_map_guest_device(struct domain *d,
     if ( !dev )
         goto out_unlock;
+    dev->host_lpis = xzalloc_array(uint32_t,
+                                   DIV_ROUND_UP(nr_events, LPI_BLOCK));
 
Rather than having DIV_ROUND_UP spread everywhere. Would not be easier 
to round_up nr_events once for all? 
 
+    if ( !dev->host_lpis )
+        goto out_unlock;
+
     ret = its_send_cmd_mapd(hw_its, host_devid, fls(nr_events - 1) - 1,
                             virt_to_maddr(itt_addr), true);
     if ( ret )
@@ -591,10 +661,26 @@ int gicv3_its_map_guest_device(struct domain *d,
     spin_unlock(&d->arch.vgic.its_devices_lock);
+    /*
+     * Map all host LPIs within this device already. We can't afford to queue
+     * any host ITS commands later on during the guest's runtime.
+     */
+    for ( i = 0; i < DIV_ROUND_UP(nr_events, LPI_BLOCK); i++ )
+    {
+        ret = gicv3_allocate_host_lpi_block(hw_its, d, host_devid,
+                                            i * LPI_BLOCK);
+        if ( ret < 0 )
+            goto out;
 
This sounds quite wrong to me. If you fail to allocate a block, you will 
end-up with half of the device configured. However, you are freeing the 
memory but not reverting the ITS command. This is going to end up very 
badly. 
Please be really careful with the error path. Most of them are not 
correct and I don't want to end up dealing with security issue later on. 
 
+
+        dev->host_lpis[i] = ret;
 
Hmmm... as I said on the previous version you should not use the return 
for both error code and LPIs. LPIs are encoded on 32-bit, sooner or 
later there will be a clash between the error and the LPI. 
 
+    }
+
     return 0;
 out_unlock:
     spin_unlock(&d->arch.vgic.its_devices_lock);
+
+out:
     if ( dev )
         xfree(dev->host_lpis);
     xfree(itt_addr);
diff --git a/xen/arch/arm/gic-v3-lpi.c b/xen/arch/arm/gic-v3-lpi.c
index 51d7425..59d3ba4 100644
--- a/xen/arch/arm/gic-v3-lpi.c
+++ b/xen/arch/arm/gic-v3-lpi.c
@@ -20,24 +20,44 @@
 #include <xen/lib.h>
 #include <xen/mm.h>
+#include <xen/sched.h>
+#include <asm/atomic.h>
+#include <asm/domain.h>
 #include <asm/gic.h>
 #include <asm/gic_v3_defs.h>
 #include <asm/gic_v3_its.h>
 #include <asm/io.h>
 #include <asm/page.h>
+/* LPIs on the host always go to a guest, so no struct irq_desc for them. */
+union host_lpi {
+    uint64_t data;
+    struct {
+        uint32_t virt_lpi;
+        uint16_t dom_id;
+        uint16_t vcpu_id;
+    };
+};
+
 #define LPI_PROPTABLE_NEEDS_FLUSHING    (1U << 0)
 /* Global state */
 static struct {
     /* The global LPI property table, shared by all redistributors. */
     uint8_t *lpi_property;
     /*
+     * A two-level table to lookup LPIs firing on the host and look up the
+     * domain and virtual LPI number to inject.
+     */
+    union host_lpi **host_lpis;
+    /*
      * Number of physical LPIs the host supports. This is a property of
      * the GIC hardware. We depart from the habit of naming these things
      * "physical" in Xen, as the GICv3/4 spec uses the term "physical LPI"
      * in a different context to differentiate them from "virtual LPIs".
      */
     unsigned long int nr_host_lpis;
+    /* Protects allocation and deallocation of host LPIs, but not the access */
+    spinlock_t host_lpis_lock;
     unsigned int flags;
 } lpi_data;
@@ -50,6 +70,19 @@ struct lpi_redist_data {
 static DEFINE_PER_CPU(struct lpi_redist_data, lpi_redist);
 #define MAX_PHYS_LPIS   (lpi_data.nr_host_lpis - LPI_OFFSET)
+#define HOST_LPIS_PER_PAGE      (PAGE_SIZE / sizeof(union host_lpi))
+
+static union host_lpi *gic_get_host_lpi(uint32_t plpi)
+{
+    if ( !is_lpi(plpi) || plpi >= MAX_PHYS_LPIS + LPI_OFFSET )
+        return NULL;
+
+    plpi -= LPI_OFFSET;
+    if ( !lpi_data.host_lpis[plpi / HOST_LPIS_PER_PAGE] )
+        return NULL;
+
+    return &lpi_data.host_lpis[plpi / HOST_LPIS_PER_PAGE][plpi % 
HOST_LPIS_PER_PAGE];
+}
 /* Stores this redistributor's physical address and ID in a per-CPU variable */
 void gicv3_set_redist_address(paddr_t address, unsigned int redist_id)
@@ -204,15 +237,170 @@ int gicv3_lpi_init_rdist(void __iomem * rdist_base)
 static unsigned int max_lpi_bits = CONFIG_MAX_PHYS_LPI_BITS;
 integer_param("max_lpi_bits", max_lpi_bits);
+/*
+ * Allocate the 2nd level array for host LPIs. This one holds pointers
+ * to the page with the actual "union host_lpi" entries. Our LPI limit
+ * avoids excessive memory usage.
+ */
 int gicv3_lpi_init_host_lpis(unsigned int hw_lpi_bits)
 {
+    int nr_lpi_ptrs;
 
unsigned int please.
 
+
+    /* We rely on the data structure being atomically accessible. */
+    BUILD_BUG_ON(sizeof(union host_lpi) > sizeof(unsigned long));
+
     lpi_data.nr_host_lpis = BIT_ULL(min(hw_lpi_bits, max_lpi_bits));
+    spin_lock_init(&lpi_data.host_lpis_lock);
+
+    nr_lpi_ptrs = MAX_PHYS_LPIS / (PAGE_SIZE / sizeof(union host_lpi));
+    lpi_data.host_lpis = xzalloc_array(union host_lpi *, nr_lpi_ptrs);
+    if ( !lpi_data.host_lpis )
+        return -ENOMEM;
+
     printk("GICv3: using at most %ld LPIs on the host.\n", MAX_PHYS_LPIS);
     return 0;
 }
+/* Must be called with host_lpis_lock held. */
 
Again, this is a call for adding an ASSERT in the function.
 
+static int find_unused_host_lpi(int start, uint32_t *index)
 
start should probably be unsigned.
 
+{
+    int chunk;
 
Ditto.
 
+    uint32_t i = *index;
+
+    for ( chunk = start; chunk < MAX_PHYS_LPIS / HOST_LPIS_PER_PAGE; chunk++ )
+    {
+        /* If we hit an unallocated chunk, use entry 0 in that one. */
+        if ( !lpi_data.host_lpis[chunk] )
+        {
+            *index = 0;
+            return chunk;
+        }
+
+        /* Find an unallocated entry in this chunk. */
+        for ( ; i < HOST_LPIS_PER_PAGE; i += LPI_BLOCK )
+        {
+            if ( lpi_data.host_lpis[chunk][i].dom_id == INVALID_DOMID )
+            {
+                *index = i;
+                return chunk;
+            }
+        }
+        i = 0;
+    }
+
+    return -1;
+}
+
+/*
+ * Allocate a block of 32 LPIs on the given host ITS for device "devid",
+ * starting with "eventid". Put them into the respective ITT by issuing a
+ * MAPTI command for each of them.
+ */
+int gicv3_allocate_host_lpi_block(struct host_its *its, struct domain *d,
+                                  uint32_t host_devid, uint32_t eventid)
 
Again, most of the parameters here is just for calling back ITS and the 
caller should all in hand. So I would much prefer to avoid a call chain 
ITS -> LPI -> ITS and make the LPI code ITS agnostic. 
Furthermore, the return value is both used to return an error and the 
LPI. Given that an LPI is encoded on 32-bit, sooner or later there will 
be a clash with between the error and the LPI. So it would be wise to 
dissociate the error code and the LPIs. 
The prototype of this function would like:
int gicv3_allocate_host_lpi_block(struct domain *domain, uint32_t 
*first_lpi); 
 
+{
+    static uint32_t next_lpi = 0;
+    uint32_t lpi, lpi_idx = next_lpi % HOST_LPIS_PER_PAGE;
+    int chunk;
+    int i;
+
+    spin_lock(&lpi_data.host_lpis_lock);
+    chunk = find_unused_host_lpi(next_lpi / HOST_LPIS_PER_PAGE, &lpi_idx);
+
+    if ( chunk == - 1 )          /* rescan for a hole from the beginning */
+    {
+        lpi_idx = 0;
+        chunk = find_unused_host_lpi(0, &lpi_idx);
+        if ( chunk == -1 )
+        {
+            spin_unlock(&lpi_data.host_lpis_lock);
+            return -ENOSPC;
+        }
 
The algo does not seem to have changed since the previous version. 
Looking at it again, my understanding is you will always try to allocate 
forward. So if the current chunk is full, you will allocate the next one 
rather than looking whether a previous chunk has space available. This 
will result to allocate more memory than necessary. 
Similarly unused chunk could be freed to save memory.
To be clear, I am asking for confirmation, documentation, and listing as 
an improvement. 
 
+    }
+
+    /* If we hit an unallocated chunk, we initialize it and use entry 0. */
+    if ( !lpi_data.host_lpis[chunk] )
+    {
+        union host_lpi *new_chunk;
+
+        new_chunk = alloc_xenheap_pages(0, 0);
 
As said on the previous version, please use alloc_xenheap_page as you 
only allocate one page. 
Also, when NUMA support will be added we may want to take into account 
the node associated to the device saving us some time when reading the 
memory. You don't need to handle that now, but a TODO would be quite 
helpful. 
 
+        if ( !new_chunk )
+        {
+            spin_unlock(&lpi_data.host_lpis_lock);
+            return -ENOMEM;
+        }
+
+        for ( i = 0; i < HOST_LPIS_PER_PAGE; i += LPI_BLOCK )
+            new_chunk[i].dom_id = INVALID_DOMID;
+
+        lpi_data.host_lpis[chunk] = new_chunk;
+        lpi_idx = 0;
+    }
+
+    lpi = chunk * HOST_LPIS_PER_PAGE + lpi_idx;
+
+    for ( i = 0; i < LPI_BLOCK; i++ )
+    {
+        union host_lpi hlpi;
+
+        /*
+         * Mark this host LPI as belonging to the domain, but don't assign
+         * any virtual LPI or a VCPU yet.
+         */
+        hlpi.virt_lpi = INVALID_LPI;
+        hlpi.dom_id = d->domain_id;
+        hlpi.vcpu_id = INVALID_DOMID;
 
Again, please don't mix vcpu and domain. If INVALID_VCPUID does not 
exist then it might be worth adding one. 
 
+        write_u64_atomic(&lpi_data.host_lpis[chunk][lpi_idx + i].data,
+                         hlpi.data);
+
+        /*
+         * Enable this host LPI, so we don't have to do this during the
+         * guest's runtime.
+         */
+        lpi_data.lpi_property[lpi + i] |= LPI_PROP_ENABLED;
+    }
+
+    /*
+     * We have allocated and initialized the host LPI entries, so it's safe
+     * to drop the lock now. Access to the structures can be done concurrently
+     * as it involves only an atomic uint64_t access.
+     */
+    spin_unlock(&lpi_data.host_lpis_lock);
+
+    if ( lpi_data.flags & LPI_PROPTABLE_NEEDS_FLUSHING )
+        clean_and_invalidate_dcache_va_range(&lpi_data.lpi_property[lpi],
+                                             LPI_BLOCK);
+
+    gicv3_its_map_host_events(its, host_devid, eventid, lpi + LPI_OFFSET,
+                              LPI_BLOCK);
 
See my comment at the top of the function.
 
+
+    next_lpi = lpi + LPI_BLOCK;
 
Newline here please.
 
+    return lpi + LPI_OFFSET;
+}
+
+int gicv3_free_host_lpi_block(struct host_its *its, uint32_t lpi)
+{
+    union host_lpi *hlpi, empty_lpi = { .dom_id = INVALID_DOMID };
+    int i;
+
+    hlpi = gic_get_host_lpi(lpi);
+    if ( !hlpi )
+        return -ENOENT;
+
+    spin_lock(&lpi_data.host_lpis_lock);
+
+    for ( i = 0; i < LPI_BLOCK; i++ )
+        write_u64_atomic(&hlpi[i].data, empty_lpi.data);
+
+    /* TODO: Call a function in gic-v3-its.c to send DISCARDs */
 
It is quite worrying to see a TODO in a code that is supposed to be 
merged really soon. 
I think this should be done by the caller and not here. You also need to 
disable the interrupts which has not been done here. 
 
+
+    spin_unlock(&lpi_data.host_lpis_lock);
+
+    return 0;
+}
+
 /*
  * Local variables:
  * mode: C
diff --git a/xen/include/asm-arm/gic.h b/xen/include/asm-arm/gic.h
index 12bd155..7825575 100644
--- a/xen/include/asm-arm/gic.h
+++ b/xen/include/asm-arm/gic.h
@@ -220,7 +220,12 @@ enum gic_version {
     GIC_V3,
 };
+#define INVALID_LPI     0
 #define LPI_OFFSET      8192
 
Again, newline here please.
 
+static inline bool is_lpi(unsigned int irq)
+{
+    return irq >= LPI_OFFSET;
+}
 
Again, I think both INVALID_LPI and is_lpi should be moved in irq.h.
 
 extern enum gic_version gic_hw_version(void);
diff --git a/xen/include/asm-arm/gic_v3_its.h b/xen/include/asm-arm/gic_v3_its.h
index 3421ea0..2387972 100644
--- a/xen/include/asm-arm/gic_v3_its.h
+++ b/xen/include/asm-arm/gic_v3_its.h
@@ -106,6 +106,11 @@
 #define HOST_ITS_FLUSH_CMD_QUEUE        (1U << 0)
 #define HOST_ITS_USES_PTA               (1U << 1)
+#define INVALID_DOMID ((uint16_t)~0)
 
Again, rather than defining your own invalid domid, it would be better 
to use the one defined in xen.h (see DOMID_INVALID). 
 
+
+/* We allocate LPIs on the hosts in chunks of 32 to reduce handling overhead. 
*/
+#define LPI_BLOCK                       32
+
 /* data structure for each hardware ITS */
 struct host_its {
     struct list_head entry;
@@ -151,6 +156,12 @@ int gicv3_its_map_guest_device(struct domain *d,
                                paddr_t host_doorbell, uint32_t host_devid,
                                paddr_t guest_doorbell, uint32_t guest_devid,
                                uint32_t nr_events, bool valid);
+int gicv3_its_map_host_events(struct host_its *its,
+                              uint32_t host_devid, uint32_t eventid,
+                              uint32_t lpi, uint32_t nrevents);
+int gicv3_allocate_host_lpi_block(struct host_its *its, struct domain *d,
+                                  uint32_t host_devid, uint32_t eventid);
+int gicv3_free_host_lpi_block(struct host_its *its, uint32_t lpi);
 #else
 
Cheers,
--
Julien Grall
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
 
 |