vfio/pci: Align huge faults to order

jira LE-3557
Rebuild_History Non-Buildable kernel-5.14.0-570.26.1.el9_6
commit-author Alex Williamson <[email protected]>
commit c1d9dac
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-5.14.0-570.26.1.el9_6/c1d9dac0.failed

The vfio-pci huge_fault handler doesn't make any attempt to insert a
mapping containing the faulting address, it only inserts mappings if the
faulting address and resulting pfn are aligned.  This works in a lot of
cases, particularly in conjunction with QEMU where DMA mappings linearly
fault the mmap.  However, there are configurations where we don't get
that linear faulting and pages are faulted on-demand.

The scenario reported in the bug below is such a case, where the physical
address width of the CPU is greater than that of the IOMMU, resulting in a
VM where guest firmware has mapped device MMIO beyond the address width of
the IOMMU.  In this configuration, the MMIO is faulted on demand and
tracing indicates that occasionally the faults generate a VM_FAULT_OOM.
Given the use case, this results in a "error: kvm run failed Bad address",
killing the VM.

The host is not under memory pressure in this test, therefore it's
suspected that VM_FAULT_OOM is actually the result of a NULL return from
__pte_offset_map_lock() in the get_locked_pte() path from insert_pfn().
This suggests a potential race inserting a pte concurrent to a pmd, and
maybe indicates some deficiency in the mm layer properly handling such a
case.

Nevertheless, Peter noted the inconsistency of vfio-pci's huge_fault
handler where our mapping granularity depends on the alignment of the
faulting address relative to the order rather than aligning the faulting
address to the order to more consistently insert huge mappings.  This
change not only uses the page tables more consistently and efficiently, but
as any fault to an aligned page results in the same mapping, the race
condition suspected in the VM_FAULT_OOM is avoided.

	Reported-by: Adolfo <[email protected]>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220057
Fixes: 09dfc8a ("vfio/pci: Fallback huge faults for unaligned pfn")
	Cc: [email protected]
	Tested-by: Adolfo <[email protected]>
Co-developed-by: Peter Xu <[email protected]>
	Signed-off-by: Peter Xu <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
	Signed-off-by: Alex Williamson <[email protected]>
(cherry picked from commit c1d9dac)
	Signed-off-by: Jonathan Maple <[email protected]>

# Conflicts:
#	drivers/vfio/pci/vfio_pci_core.c

Author: PlaidCat

ciq/ciq_backports/kernel-5.14.0-570.26.1.el9_6/c1d9dac0.failed

@@ -0,0 +1,157 @@
+vfio/pci: Align huge faults to order
+
+jira LE-3557
+Rebuild_History Non-Buildable kernel-5.14.0-570.26.1.el9_6
+commit-author Alex Williamson <[email protected]>
+commit c1d9dac0db168198b6f63f460665256dedad9b6e
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-570.26.1.el9_6/c1d9dac0.failed
+
+The vfio-pci huge_fault handler doesn't make any attempt to insert a
+mapping containing the faulting address, it only inserts mappings if the
+faulting address and resulting pfn are aligned.  This works in a lot of
+cases, particularly in conjunction with QEMU where DMA mappings linearly
+fault the mmap.  However, there are configurations where we don't get
+that linear faulting and pages are faulted on-demand.
+
+The scenario reported in the bug below is such a case, where the physical
+address width of the CPU is greater than that of the IOMMU, resulting in a
+VM where guest firmware has mapped device MMIO beyond the address width of
+the IOMMU.  In this configuration, the MMIO is faulted on demand and
+tracing indicates that occasionally the faults generate a VM_FAULT_OOM.
+Given the use case, this results in a "error: kvm run failed Bad address",
+killing the VM.
+
+The host is not under memory pressure in this test, therefore it's
+suspected that VM_FAULT_OOM is actually the result of a NULL return from
+__pte_offset_map_lock() in the get_locked_pte() path from insert_pfn().
+This suggests a potential race inserting a pte concurrent to a pmd, and
+maybe indicates some deficiency in the mm layer properly handling such a
+case.
+
+Nevertheless, Peter noted the inconsistency of vfio-pci's huge_fault
+handler where our mapping granularity depends on the alignment of the
+faulting address relative to the order rather than aligning the faulting
+address to the order to more consistently insert huge mappings.  This
+change not only uses the page tables more consistently and efficiently, but
+as any fault to an aligned page results in the same mapping, the race
+condition suspected in the VM_FAULT_OOM is avoided.
+
+	Reported-by: Adolfo <[email protected]>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220057
+Fixes: 09dfc8a5f2ce ("vfio/pci: Fallback huge faults for unaligned pfn")
+	Cc: [email protected]
+	Tested-by: Adolfo <[email protected]>
+Co-developed-by: Peter Xu <[email protected]>
+	Signed-off-by: Peter Xu <[email protected]>
+Link: https://lore.kernel.org/r/[email protected]
+	Signed-off-by: Alex Williamson <[email protected]>
+(cherry picked from commit c1d9dac0db168198b6f63f460665256dedad9b6e)
+	Signed-off-by: Jonathan Maple <[email protected]>
+
+# Conflicts:
+#	drivers/vfio/pci/vfio_pci_core.c
+diff --cc drivers/vfio/pci/vfio_pci_core.c
+index ffda816e0119,6328c3a05bcd..000000000000
+--- a/drivers/vfio/pci/vfio_pci_core.c
++++ b/drivers/vfio/pci/vfio_pci_core.c
+@@@ -1770,49 -1646,59 +1770,63 @@@ static vm_fault_t vfio_pci_mmap_fault(s
+  {
+  	struct vm_area_struct *vma = vmf->vma;
+  	struct vfio_pci_core_device *vdev = vma->vm_private_data;
+++<<<<<<< HEAD
+ +	struct vfio_pci_mmap_vma *mmap_vma;
+ +	vm_fault_t ret = VM_FAULT_NOPAGE;
+++=======
++ 	unsigned long addr = vmf->address & ~((PAGE_SIZE << order) - 1);
++ 	unsigned long pgoff = (addr - vma->vm_start) >> PAGE_SHIFT;
++ 	unsigned long pfn = vma_to_pfn(vma) + pgoff;
++ 	vm_fault_t ret = VM_FAULT_SIGBUS;
++ 
++ 	if (order && (addr < vma->vm_start ||
++ 		      addr + (PAGE_SIZE << order) > vma->vm_end ||
++ 		      pfn & ((1 << order) - 1))) {
++ 		ret = VM_FAULT_FALLBACK;
++ 		goto out;
++ 	}
+++>>>>>>> c1d9dac0db16 (vfio/pci: Align huge faults to order)
+  
+ +	mutex_lock(&vdev->vma_lock);
+  	down_read(&vdev->memory_lock);
+  
+ -	if (vdev->pm_runtime_engaged || !__vfio_pci_memory_enabled(vdev))
+ -		goto out_unlock;
+ +	/*
+ +	 * Memory region cannot be accessed if the low power feature is engaged
+ +	 * or memory access is disabled.
+ +	 */
+ +	if (vdev->pm_runtime_engaged || !__vfio_pci_memory_enabled(vdev)) {
+ +		ret = VM_FAULT_SIGBUS;
+ +		goto up_out;
+ +	}
+  
+ -	switch (order) {
+ -	case 0:
+ -		ret = vmf_insert_pfn(vma, vmf->address, pfn);
+ -		break;
+ -#ifdef CONFIG_ARCH_SUPPORTS_PMD_PFNMAP
+ -	case PMD_ORDER:
+ -		ret = vmf_insert_pfn_pmd(vmf,
+ -					 __pfn_to_pfn_t(pfn, PFN_DEV), false);
+ -		break;
+ -#endif
+ -#ifdef CONFIG_ARCH_SUPPORTS_PUD_PFNMAP
+ -	case PUD_ORDER:
+ -		ret = vmf_insert_pfn_pud(vmf,
+ -					 __pfn_to_pfn_t(pfn, PFN_DEV), false);
+ -		break;
+ -#endif
+ -	default:
+ -		ret = VM_FAULT_FALLBACK;
+ +	/*
+ +	 * We populate the whole vma on fault, so we need to test whether
+ +	 * the vma has already been mapped, such as for concurrent faults
+ +	 * to the same vma.  io_remap_pfn_range() will trigger a BUG_ON if
+ +	 * we ask it to fill the same range again.
+ +	 */
+ +	list_for_each_entry(mmap_vma, &vdev->vma_list, vma_next) {
+ +		if (mmap_vma->vma == vma)
+ +			goto up_out;
+  	}
+  
+ -out_unlock:
+ -	up_read(&vdev->memory_lock);
+ -out:
+ -	dev_dbg_ratelimited(&vdev->pdev->dev,
+ -			   "%s(,order = %d) BAR %ld page offset 0x%lx: 0x%x\n",
+ -			    __func__, order,
+ -			    vma->vm_pgoff >>
+ -				(VFIO_PCI_OFFSET_SHIFT - PAGE_SHIFT),
+ -			    pgoff, (unsigned int)ret);
+ +	if (io_remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff,
+ +			       vma->vm_end - vma->vm_start,
+ +			       vma->vm_page_prot)) {
+ +		ret = VM_FAULT_SIGBUS;
+ +		zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start);
+ +		goto up_out;
+ +	}
+  
+ -	return ret;
+ -}
+ +	if (__vfio_pci_add_vma(vdev, vma)) {
+ +		ret = VM_FAULT_OOM;
+ +		zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start);
+ +	}
+  
+ -static vm_fault_t vfio_pci_mmap_page_fault(struct vm_fault *vmf)
+ -{
+ -	return vfio_pci_mmap_huge_fault(vmf, 0);
+ +up_out:
+ +	up_read(&vdev->memory_lock);
+ +	mutex_unlock(&vdev->vma_lock);
+ +	return ret;
+  }
+  
+  static const struct vm_operations_struct vfio_pci_mmap_ops = {
+* Unmerged path drivers/vfio/pci/vfio_pci_core.c