On 10/17/19 3:06 PM, Robin Murphy wrote:
> On 17/10/2019 11:55, Marek Vasut wrote:
>> On 10/17/19 9:06 AM, Geert Uytterhoeven wrote:
>>
>> [...]
>>
>>>>>>> I suppose if your intent is to use inbound windows as a poor man's
>>>>>>> IOMMU to prevent accesses to the holes, then yes you would list them
>>>>>>> out. But I think that's wrong and difficult to maintain. You'd also
>>>>>>> need to deal with reserved-memory regions too.
>>>>>>
>>>>>> What's the problem with that? The bootloader has all that information
>>>>>> and can patch the DT correctly. In fact, in my specific case, I have
>>>>>> platform which can be populated with differently sized DRAM, so the
>>>>>> holes are also dynamically calculated ; there is no one DT then, the
>>>>>> bootloader is responsible to generate the dma-ranges accordingly.
>>>>>
>>>>> The problems are it doesn't work:
>>>>>
>>>>> Your dma-mask and offset are not going to be correct.
>>>>>
>>>>> You are running out of inbound windows. Your patch does nothing to
>>>>> solve that. The solution would be merging multiple dma-ranges entries
>>>>> to a single inbound window. We'd have to do that both for dma-mask and
>>>>> inbound windows. The former would also have to figure out which
>>>>> entries apply to setting up dma-mask. I'm simply suggesting just do
>>>>> that up front and avoid any pointless splits.
>>>>
>>>> But then the PCI device can trigger a transaction to non-existent DRAM
>>>> and cause undefined behavior. Surely we do not want that ?
>>>
>>> The PCI device will trigger transactions to memory only when instructed
>>> to do so by Linux, right? Hence if Linux takes into account
>>> chosen/memory and dma-ranges, there is no problem?
>>
>> Unless of course the remote device initiates a transfer. And if the
>> controller is programmed such that accesses to the missing DRAM in the
>> holes are not filtered out by the controller, then the controller will
>> gladly let the transaction through. Do we really want to let this
>> happen ?
>
> If you've got devices making random unsolicited accesses then who's to
> say they wouldn't also hit valid windows and corrupt memory? If it's
> happening at all you've already lost.

Not necessarily. If your controller is programmed correctly with just
the ranges that are valid, then it will filter out at least the accesses
outside of valid memory. If it is programmed incorrectly, as you
suggest, then the accesses will go through, causing undefined behavior.

And note that there is such weird buggy PCI hardware. A slightly
unrelated example are some of the ath9k, which are generating spurious
MSIs even if they are in legacy PCI IRQ mode. If the controller is
configured correctly, even those buggy cards work, because it can filter
the spurious MSIs out. If not, they do not.

That's why I would prefer to configure the controller correctly, not
just hope that nothing bad will come out of misconfiguring it slightly.

> And realistically, if the address
> isn't valid then it's not going to make much difference anyway - in
> probably 99% of cases, either the transaction doesn't hit a window and
> the host bridge returns a completer abort, or it does hit a window, the
> AXI side returns DECERR or SLVERR, and the host bridge translates that
> into a completer abort. Consider also that many PCI IPs don't have
> discrete windows and just map the entirety of PCI mem space directly to
> the system PA space.

And in that 1% of cases, we are OK with failure which could have been
easily prevented if the controller was programmed correctly ? That does
not look like a good thing.

> I don't believe this is a valid argument for anything whichever way round.

-- 
Best regards,
Marek Vasut