diff mbox series

[v3,8/8] vfio/pci: Add the support for PCI D3cold state

Message ID 20220425092615.10133-9-abhsahu@nvidia.com
State New
Headers show
Series vfio/pci: power management changes | expand

Commit Message

Abhishek Sahu April 25, 2022, 9:26 a.m. UTC
Currently, if the runtime power management is enabled for vfio pci
based device in the guest OS, then guest OS will do the register
write for PCI_PM_CTRL register. This write request will be handled in
vfio_pm_config_write() where it will do the actual register write
of PCI_PM_CTRL register. With this, the maximum D3hot state can be
achieved for low power. If we can use the runtime PM framework,
then we can achieve the D3cold state which will help in saving
maximum power.

1. Since D3cold state can't be achieved by writing PCI standard
   PM config registers, so this patch adds a new feature in the
   existing VFIO_DEVICE_FEATURE IOCTL. This IOCTL can be used
   to change the PCI device from D3hot to D3cold state and
   then D3cold to D0 state. The device feature uses low power term
   instead of D3cold so that if other vfio driver wants to implement
   low power support, then the same IOCTL can be used.

2. The hypervisors can implement virtual ACPI methods. For
   example, in guest linux OS if PCI device ACPI node has _PR3 and _PR0
   power resources with _ON/_OFF method, then guest linux OS makes the
   _OFF call during D3cold transition and then _ON during D0 transition.
   The hypervisor can tap these virtual ACPI calls and then do the D3cold
   related IOCTL in the vfio driver.

3. The vfio driver uses runtime PM framework to achieve the
   D3cold state. For the D3cold transition, decrement the usage count and
   for the D0 transition, increment the usage count.

4. For D3cold, the device current power state should be D3hot.
   Then during runtime suspend, the pci_platform_power_transition() is
   required for D3cold state. If the D3cold state is not supported, then
   the device will still be in D3hot state. But with the runtime PM, the
   root port can now also go into suspended state.

5. For most of the systems, the D3cold is supported at the root
   port level. So, when root port will transition to D3cold state, then
   the vfio PCI device will go from D3hot to D3cold state during its
   runtime suspend. If root port does not support D3cold, then the root
   will go into D3hot state.

6. The runtime suspend callback can now happen for 2 cases: there
   are no users of vfio device and the case where user has initiated
   D3cold. The 'platform_pm_engaged' flag can help to distinguish
   between these 2 cases.

7. In D3cold, all kind of BAR related access needs to be disabled
   like D3hot. Additionally, the config space will also be disabled in
   D3cold state. To prevent access of config space in D3cold state, do
   increment the runtime PM usage count before doing any config space
   access.

8. If user has engaged low power entry through IOCTL, then user should
   do low power exit first. The user can issue config access or IOCTL
   after low power entry. We can add an explicit error check but since
   we are already waking-up device, so IOCTL and config access can be
   fulfilled. But 'power_state_d3' won't be cleared without issuing
   low power exit so all BAR related access will still return error till
   user do low power exit.

9. Since multiple layers are involved, so following is the high level
   code flow for D3cold entry and exit.

D3cold entry:

a. User put the PCI device into D3hot by writing into standard config
   register (vfio_pm_config_write() -> vfio_lock_and_set_power_state() ->
   vfio_pci_set_power_state()). The device power state will be D3hot and
   power_state_d3 will be true.
b. Set vfio_device_feature_power_management::low_power_state =
   VFIO_DEVICE_LOW_POWER_STATE_ENTER and call VFIO_DEVICE_FEATURE IOCTL.
c. Inside vfio_device_fops_unl_ioctl(), pm_runtime_resume_and_get()
   will be called first which will make the usage count as 2 and then
   vfio_pci_core_ioctl_feature() will be invoked.
d. vfio_pci_core_feature_pm() will be called and it will go inside
   VFIO_DEVICE_LOW_POWER_STATE_ENTER switch case. platform_pm_engaged will
   be true and pm_runtime_put_noidle() will decrement the usage count
   to 1.
e. Inside vfio_device_fops_unl_ioctl() while returning the
   pm_runtime_put() will make the usage count to 0 and the runtime PM
   framework will engage the runtime suspend entry.
f. pci_pm_runtime_suspend() will be called and invokes driver runtime
   suspend callback.
g. vfio_pci_core_runtime_suspend() will change the power state to D0
   and do the INTx mask related handling.
h. pci_pm_runtime_suspend() will take care of saving the PCI state and
   all power management handling for D3cold.

D3cold exit:

a. Set vfio_device_feature_power_management::low_power_state =
   VFIO_DEVICE_LOW_POWER_STATE_EXIT and call VFIO_DEVICE_FEATURE IOCTL.
b. Inside vfio_device_fops_unl_ioctl(), pm_runtime_resume_and_get()
   will be called first which will make the usage count as 1.
c. pci_pm_runtime_resume() will take care of moving the device into D0
   state again and then vfio_pci_core_runtime_resume() will be called.
d. vfio_pci_core_runtime_resume() will do the INTx unmask related
   handling.
e. vfio_pci_core_ioctl_feature() will be invoked.
f. vfio_pci_core_feature_pm() will be called and it will go inside
   VFIO_DEVICE_LOW_POWER_STATE_EXIT switch case. platform_pm_engaged and
   power_state_d3 will be cleared and pm_runtime_get_noresume() will make
   the usage count as 2.
g. Inside vfio_device_fops_unl_ioctl() while returning the
   pm_runtime_put() will make the usage count to 1 and the device will
   be in D0 state only.

Signed-off-by: Abhishek Sahu <abhsahu@nvidia.com>
---
 drivers/vfio/pci/vfio_pci_config.c |  11 ++-
 drivers/vfio/pci/vfio_pci_core.c   | 131 ++++++++++++++++++++++++++++-
 include/linux/vfio_pci_core.h      |   1 +
 include/uapi/linux/vfio.h          |  18 ++++
 4 files changed, 159 insertions(+), 2 deletions(-)

Comments

Abhishek Sahu May 5, 2022, 12:16 p.m. UTC | #1
On 5/5/2022 1:15 AM, Alex Williamson wrote:
> On Mon, 25 Apr 2022 14:56:15 +0530
> Abhishek Sahu <abhsahu@nvidia.com> wrote:
> 
>> Currently, if the runtime power management is enabled for vfio pci
>> based device in the guest OS, then guest OS will do the register
>> write for PCI_PM_CTRL register. This write request will be handled in
>> vfio_pm_config_write() where it will do the actual register write
>> of PCI_PM_CTRL register. With this, the maximum D3hot state can be
>> achieved for low power. If we can use the runtime PM framework,
>> then we can achieve the D3cold state which will help in saving
>> maximum power.
>>
>> 1. Since D3cold state can't be achieved by writing PCI standard
>>    PM config registers, so this patch adds a new feature in the
>>    existing VFIO_DEVICE_FEATURE IOCTL. This IOCTL can be used
>>    to change the PCI device from D3hot to D3cold state and
>>    then D3cold to D0 state. The device feature uses low power term
>>    instead of D3cold so that if other vfio driver wants to implement
>>    low power support, then the same IOCTL can be used.
> 
> How does this enable you to handle the full-off vs memory-refresh modes
> for NVIDIA GPUs?
> 
 
 Thanks Alex.

 This patch series will just enable the full-off for nvidia GPU.
 The self-refresh mode won't work.

 The self-refresh case is nvidia specific and needs driver
 involvement each time before going into d3cold. We are evaluating
 internally if we have enough use case for self-refresh mode and then
 I will plan separate patch series to support self-refresh mode use
 case, if required. But that will be independent of this patch series.

 At the high level, we need some way to disable the PCI device access
 from the host side or forward the event to VM for every access on the
 host side if we want to support NVIDIA self-refresh use case inside VM.
 Otherwise, from the driver side, we can disable self-refresh mode if
 driver is running inside VM. In that case, if memory usage is higher than
 threshold then we don’t engage RTD3 itself. 

> The feature ioctl supports a probe, but here the probe only indicates
> that the ioctl is available, not what degree of low power support
> available.  Even if the host doesn't support d3cold for the device, we
> can still achieve root port d3hot, but can we provide further
> capability info to the user?
>

 I wanted to add more information here but was not sure which
 information will be helpful for user. There is no certain way to
 predict that the runtime suspend will use D3cold state only even
 on the supported systems. User can disable runtime power management from 

 /sys/bus/pci/devices/…/power/control

 Or disable d3cold itself 

 /sys/bus/pci/devices/…/d3cold_allowed


 Even if all these are allowed, then platform_pci_choose_state()
 is the main function where the target low power state is selected
 in runtime.

 Probably we can add pci_pr3_present() status to user which gives
 hint to user that required ACPI methods for d3cold is present in
 the platform. 
  
>> 2. The hypervisors can implement virtual ACPI methods. For
>>    example, in guest linux OS if PCI device ACPI node has _PR3 and _PR0
>>    power resources with _ON/_OFF method, then guest linux OS makes the
>>    _OFF call during D3cold transition and then _ON during D0 transition.
>>    The hypervisor can tap these virtual ACPI calls and then do the D3cold
>>    related IOCTL in the vfio driver.
>>
>> 3. The vfio driver uses runtime PM framework to achieve the
>>    D3cold state. For the D3cold transition, decrement the usage count and
>>    for the D0 transition, increment the usage count.
>>
>> 4. For D3cold, the device current power state should be D3hot.
>>    Then during runtime suspend, the pci_platform_power_transition() is
>>    required for D3cold state. If the D3cold state is not supported, then
>>    the device will still be in D3hot state. But with the runtime PM, the
>>    root port can now also go into suspended state.
> 
> Why do we create this requirement for the device to be in d3hot prior
> to entering low power 

 This is mainly to make integration in the hypervisor with
 the PCI power management code flow.

 If we see the power management steps, then following 2 steps
 are involved 

 1. First move the device from D0 to D3hot state by writing
    into config register.
 2. Then invoke ACPI routines (mainly _PR3 OFF method) to
    move from D3hot to D3cold.

 So, in the guest side, we can follow the same steps. The guest can
 do the config register write and then for step 2, the hypervisor
 can implement the virtual ACPI with _PR3/_PR0 power resources.
 Inside this virtual ACPI implementation, the hypervisor can invoke
 the power management IOCTL.

 Also, if runtime PM has been disabled from the host side,
 then also the device will be in d3hot state. 

> when our pm ops suspend function wakes the device do d0?

 The changing to D0 here is happening due to 2 reasons here,

 1. First to preserve device state for the NoSoftRst-.
 2. To make use of PCI core layer generic code for runtime suspend,
    otherwise we need to do all handling here which is present in
    pci_pm_runtime_suspend().

>> 5. For most of the systems, the D3cold is supported at the root
>>    port level. So, when root port will transition to D3cold state, then
>>    the vfio PCI device will go from D3hot to D3cold state during its
>>    runtime suspend. If root port does not support D3cold, then the root
>>    will go into D3hot state.
>>
>> 6. The runtime suspend callback can now happen for 2 cases: there
>>    are no users of vfio device and the case where user has initiated
>>    D3cold. The 'platform_pm_engaged' flag can help to distinguish
>>    between these 2 cases.
> 
> If this were the only use case we could rely on vfio_device.open_count
> instead.  I don't think it is though.  

 platform_pm_engaged is mainly to track the user initiated
 low power entry with the IOCTL. So even if we use vfio_device.open_count
 here, we will still require platform_pm_engaged.

>> 7. In D3cold, all kind of BAR related access needs to be disabled
>>    like D3hot. Additionally, the config space will also be disabled in
>>    D3cold state. To prevent access of config space in D3cold state, do
>>    increment the runtime PM usage count before doing any config space
>>    access.
> 
> Or we could actually prevent access to config space rather than waking
> the device for the access.  Addressed in further comment below.
>  
>> 8. If user has engaged low power entry through IOCTL, then user should
>>    do low power exit first. The user can issue config access or IOCTL
>>    after low power entry. We can add an explicit error check but since
>>    we are already waking-up device, so IOCTL and config access can be
>>    fulfilled. But 'power_state_d3' won't be cleared without issuing
>>    low power exit so all BAR related access will still return error till
>>    user do low power exit.
> 
> The fact that power_state_d3 no longer tracks the device power state
> when platform_pm_engaged is set is a confusing discontinuity.
> 

 If we refer the power management steps (as mentioned in the above),
 then these 2 variable tracks different things.

 1. power_state_d3 tracks the config space write.  
 2. platform_pm_engaged tracks the IOCTL call. In the IOCTL, we decrement
    the runtime usage count so we need to track that we have decremented
    it. 

>> 9. Since multiple layers are involved, so following is the high level
>>    code flow for D3cold entry and exit.
>>
>> D3cold entry:
>>
>> a. User put the PCI device into D3hot by writing into standard config
>>    register (vfio_pm_config_write() -> vfio_lock_and_set_power_state() ->
>>    vfio_pci_set_power_state()). The device power state will be D3hot and
>>    power_state_d3 will be true.
>> b. Set vfio_device_feature_power_management::low_power_state =
>>    VFIO_DEVICE_LOW_POWER_STATE_ENTER and call VFIO_DEVICE_FEATURE IOCTL.
>> c. Inside vfio_device_fops_unl_ioctl(), pm_runtime_resume_and_get()
>>    will be called first which will make the usage count as 2 and then
>>    vfio_pci_core_ioctl_feature() will be invoked.
>> d. vfio_pci_core_feature_pm() will be called and it will go inside
>>    VFIO_DEVICE_LOW_POWER_STATE_ENTER switch case. platform_pm_engaged will
>>    be true and pm_runtime_put_noidle() will decrement the usage count
>>    to 1.
>> e. Inside vfio_device_fops_unl_ioctl() while returning the
>>    pm_runtime_put() will make the usage count to 0 and the runtime PM
>>    framework will engage the runtime suspend entry.
>> f. pci_pm_runtime_suspend() will be called and invokes driver runtime
>>    suspend callback.
>> g. vfio_pci_core_runtime_suspend() will change the power state to D0
>>    and do the INTx mask related handling.
>> h. pci_pm_runtime_suspend() will take care of saving the PCI state and
>>    all power management handling for D3cold.
>>
>> D3cold exit:
>>
>> a. Set vfio_device_feature_power_management::low_power_state =
>>    VFIO_DEVICE_LOW_POWER_STATE_EXIT and call VFIO_DEVICE_FEATURE IOCTL.
>> b. Inside vfio_device_fops_unl_ioctl(), pm_runtime_resume_and_get()
>>    will be called first which will make the usage count as 1.
>> c. pci_pm_runtime_resume() will take care of moving the device into D0
>>    state again and then vfio_pci_core_runtime_resume() will be called.
>> d. vfio_pci_core_runtime_resume() will do the INTx unmask related
>>    handling.
>> e. vfio_pci_core_ioctl_feature() will be invoked.
>> f. vfio_pci_core_feature_pm() will be called and it will go inside
>>    VFIO_DEVICE_LOW_POWER_STATE_EXIT switch case. platform_pm_engaged and
>>    power_state_d3 will be cleared and pm_runtime_get_noresume() will make
>>    the usage count as 2.
>> g. Inside vfio_device_fops_unl_ioctl() while returning the
>>    pm_runtime_put() will make the usage count to 1 and the device will
>>    be in D0 state only.
>>
>> Signed-off-by: Abhishek Sahu <abhsahu@nvidia.com>
>> ---
>>  drivers/vfio/pci/vfio_pci_config.c |  11 ++-
>>  drivers/vfio/pci/vfio_pci_core.c   | 131 ++++++++++++++++++++++++++++-
>>  include/linux/vfio_pci_core.h      |   1 +
>>  include/uapi/linux/vfio.h          |  18 ++++
>>  4 files changed, 159 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
>> index af0ae80ef324..65b1bc9586ab 100644
>> --- a/drivers/vfio/pci/vfio_pci_config.c
>> +++ b/drivers/vfio/pci/vfio_pci_config.c
>> @@ -25,6 +25,7 @@
>>  #include <linux/uaccess.h>
>>  #include <linux/vfio.h>
>>  #include <linux/slab.h>
>> +#include <linux/pm_runtime.h>
>>  
>>  #include <linux/vfio_pci_core.h>
>>  
>> @@ -1936,16 +1937,23 @@ static ssize_t vfio_config_do_rw(struct vfio_pci_core_device *vdev, char __user
>>  ssize_t vfio_pci_config_rw(struct vfio_pci_core_device *vdev, char __user *buf,
>>  			   size_t count, loff_t *ppos, bool iswrite)
>>  {
>> +	struct device *dev = &vdev->pdev->dev;
>>  	size_t done = 0;
>>  	int ret = 0;
>>  	loff_t pos = *ppos;
>>  
>>  	pos &= VFIO_PCI_OFFSET_MASK;
>>  
>> +	ret = pm_runtime_resume_and_get(dev);
>> +	if (ret < 0)
>> +		return ret;
> 
> Alternatively we could just check platform_pm_engaged here and return
> -EINVAL, right?  Why is waking the device the better option?
> 

 This is mainly to prevent race condition where config space access
 happens parallelly with IOCTL access. So, lets consider the following case.

 1. Config space access happens and vfio_pci_config_rw() will be called.
 2. The IOCTL to move into low power state is called.
 3. The IOCTL will move the device into d3cold.
 4. Exit from vfio_pci_config_rw() happened.

 Now, if we just check platform_pm_engaged, then in the above
 sequence it won’t work. I checked this parallel access by writing
 a small program where I opened the 2 instances and then
 created 2 threads for config space and IOCTL.
 In my case, I got the above sequence.

 The pm_runtime_resume_and_get() will make sure that device
 usage count keep incremented throughout the config space
 access (or IOCTL access in the previous patch) and the
 runtime PM framework will not move the device into suspended
 state.

>> +
>>  	while (count) {
>>  		ret = vfio_config_do_rw(vdev, buf, count, &pos, iswrite);
>> -		if (ret < 0)
>> +		if (ret < 0) {
>> +			pm_runtime_put(dev);
>>  			return ret;
>> +		}
>>  
>>  		count -= ret;
>>  		done += ret;
>> @@ -1953,6 +1961,7 @@ ssize_t vfio_pci_config_rw(struct vfio_pci_core_device *vdev, char __user *buf,
>>  		pos += ret;
>>  	}
>>  
>> +	pm_runtime_put(dev);
>>  	*ppos += done;
>>  
>>  	return done;
>> diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
>> index 05a68ca9d9e7..beac6e05f97f 100644
>> --- a/drivers/vfio/pci/vfio_pci_core.c
>> +++ b/drivers/vfio/pci/vfio_pci_core.c
>> @@ -234,7 +234,14 @@ int vfio_pci_set_power_state(struct vfio_pci_core_device *vdev, pci_power_t stat
>>  	ret = pci_set_power_state(pdev, state);
>>  
>>  	if (!ret) {
>> -		vdev->power_state_d3 = (pdev->current_state >= PCI_D3hot);
>> +		/*
>> +		 * If 'platform_pm_engaged' is true then 'power_state_d3' can
>> +		 * be cleared only when user makes the explicit request to
>> +		 * move out of low power state by using power management ioctl.
>> +		 */
>> +		if (!vdev->platform_pm_engaged)
>> +			vdev->power_state_d3 =
>> +				(pdev->current_state >= PCI_D3hot);
> 
> power_state_d3 is essentially only used as a secondary test to
> __vfio_pci_memory_enabled() to block r/w access to device regions and
> generate a fault on mmap access.  Its existence already seems a little
> questionable when we could just look at vdev->pdev->current_state, and
> we could incorporate that into __vfio_pci_memory_enabled().  So rather
> than creating this inconsistency, couldn't we just make that function
> return:
> 
> !vdev->platform_pm_enagaged && pdev->current_state < PCI_D3hot &&
> (pdev->no_command_memory || (cmd & PCI_COMMAND_MEMORY))
> 

 The main reason for power_state_d3 is to get it under
 memory_lock semaphore. But pdev->current_state is not
 protected with any lock. So, will use of pdev->current_state
 here be safe?
 
> 
>>  
>>  		/* D3 might be unsupported via quirk, skip unless in D3 */
>>  		if (needs_save && pdev->current_state >= PCI_D3hot) {
>> @@ -266,6 +273,25 @@ static int vfio_pci_core_runtime_suspend(struct device *dev)
>>  {
>>  	struct vfio_pci_core_device *vdev = dev_get_drvdata(dev);
>>  
>> +	down_read(&vdev->memory_lock);
>> +
>> +	/* 'platform_pm_engaged' will be false if there are no users. */
>> +	if (!vdev->platform_pm_engaged) {
>> +		up_read(&vdev->memory_lock);
>> +		return 0;
>> +	}
>> +
>> +	/*
>> +	 * The user will move the device into D3hot state first before invoking
>> +	 * power management ioctl. Move the device into D0 state here and then
>> +	 * the pci-driver core runtime PM suspend will move the device into
>> +	 * low power state. Also, for the devices which have NoSoftRst-,
>> +	 * it will help in restoring the original state (saved locally in
>> +	 * 'vdev->pm_save').
>> +	 */
>> +	vfio_pci_set_power_state(vdev, PCI_D0);
>> +	up_read(&vdev->memory_lock);
>> +
>>  	/*
>>  	 * If INTx is enabled, then mask INTx before going into runtime
>>  	 * suspended state and unmask the same in the runtime resume.
>> @@ -395,6 +421,19 @@ void vfio_pci_core_disable(struct vfio_pci_core_device *vdev)
>>  
>>  	/*
>>  	 * This function can be invoked while the power state is non-D0.
>> +	 * This non-D0 power state can be with or without runtime PM.
>> +	 * Increment the usage count corresponding to pm_runtime_put()
>> +	 * called during setting of 'platform_pm_engaged'. The device will
>> +	 * wake up if it has already went into suspended state. Otherwise,
>> +	 * the next vfio_pci_set_power_state() will change the
>> +	 * device power state to D0.
>> +	 */
>> +	if (vdev->platform_pm_engaged) {
>> +		pm_runtime_resume_and_get(&pdev->dev);
>> +		vdev->platform_pm_engaged = false;
>> +	}
>> +
>> +	/*
>>  	 * This function calls __pci_reset_function_locked() which internally
>>  	 * can use pci_pm_reset() for the function reset. pci_pm_reset() will
>>  	 * fail if the power state is non-D0. Also, for the devices which
>> @@ -1192,6 +1231,80 @@ long vfio_pci_core_ioctl(struct vfio_device *core_vdev, unsigned int cmd,
>>  }
>>  EXPORT_SYMBOL_GPL(vfio_pci_core_ioctl);
>>  
>> +#ifdef CONFIG_PM
>> +static int vfio_pci_core_feature_pm(struct vfio_device *device, u32 flags,
>> +				    void __user *arg, size_t argsz)
>> +{
>> +	struct vfio_pci_core_device *vdev =
>> +		container_of(device, struct vfio_pci_core_device, vdev);
>> +	struct pci_dev *pdev = vdev->pdev;
>> +	struct vfio_device_feature_power_management vfio_pm = { 0 };
>> +	int ret = 0;
>> +
>> +	ret = vfio_check_feature(flags, argsz,
>> +				 VFIO_DEVICE_FEATURE_SET |
>> +				 VFIO_DEVICE_FEATURE_GET,
>> +				 sizeof(vfio_pm));
>> +	if (ret != 1)
>> +		return ret;
>> +
>> +	if (flags & VFIO_DEVICE_FEATURE_GET) {
>> +		down_read(&vdev->memory_lock);
>> +		vfio_pm.low_power_state = vdev->platform_pm_engaged ?
>> +				VFIO_DEVICE_LOW_POWER_STATE_ENTER :
>> +				VFIO_DEVICE_LOW_POWER_STATE_EXIT;
>> +		up_read(&vdev->memory_lock);
>> +		if (copy_to_user(arg, &vfio_pm, sizeof(vfio_pm)))
>> +			return -EFAULT;
>> +		return 0;
>> +	}
>> +
>> +	if (copy_from_user(&vfio_pm, arg, sizeof(vfio_pm)))
>> +		return -EFAULT;
>> +
>> +	/*
>> +	 * The vdev power related fields are protected with memory_lock
>> +	 * semaphore.
>> +	 */
>> +	down_write(&vdev->memory_lock);
>> +	switch (vfio_pm.low_power_state) {
>> +	case VFIO_DEVICE_LOW_POWER_STATE_ENTER:
>> +		if (!vdev->power_state_d3 || vdev->platform_pm_engaged) {
>> +			ret = EINVAL;
>> +			break;
>> +		}
>> +
>> +		vdev->platform_pm_engaged = true;
>> +
>> +		/*
>> +		 * The pm_runtime_put() will be called again while returning
>> +		 * from ioctl after which the device can go into runtime
>> +		 * suspended.
>> +		 */
>> +		pm_runtime_put_noidle(&pdev->dev);
>> +		break;
>> +
>> +	case VFIO_DEVICE_LOW_POWER_STATE_EXIT:
>> +		if (!vdev->platform_pm_engaged) {
>> +			ret = EINVAL;
>> +			break;
>> +		}
>> +
>> +		vdev->platform_pm_engaged = false;
>> +		vdev->power_state_d3 = false;
>> +		pm_runtime_get_noresume(&pdev->dev);
>> +		break;
>> +
>> +	default:
>> +		ret = EINVAL;
>> +		break;
>> +	}
>> +
>> +	up_write(&vdev->memory_lock);
>> +	return ret;
>> +}
>> +#endif
>> +
>>  static int vfio_pci_core_feature_token(struct vfio_device *device, u32 flags,
>>  				       void __user *arg, size_t argsz)
>>  {
>> @@ -1226,6 +1339,10 @@ int vfio_pci_core_ioctl_feature(struct vfio_device *device, u32 flags,
>>  	switch (flags & VFIO_DEVICE_FEATURE_MASK) {
>>  	case VFIO_DEVICE_FEATURE_PCI_VF_TOKEN:
>>  		return vfio_pci_core_feature_token(device, flags, arg, argsz);
>> +#ifdef CONFIG_PM
>> +	case VFIO_DEVICE_FEATURE_POWER_MANAGEMENT:
>> +		return vfio_pci_core_feature_pm(device, flags, arg, argsz);
>> +#endif
>>  	default:
>>  		return -ENOTTY;
>>  	}
>> @@ -2189,6 +2306,15 @@ static int vfio_pci_dev_set_hot_reset(struct vfio_device_set *dev_set,
>>  		goto err_unlock;
>>  	}
>>  
>> +	/*
>> +	 * Some of the devices in the dev_set can be in the runtime suspended
>> +	 * state. Increment the usage count for all the devices in the dev_set
>> +	 * before reset and decrement the same after reset.
>> +	 */
>> +	ret = vfio_pci_dev_set_pm_runtime_get(dev_set);
>> +	if (ret)
>> +		goto err_unlock;
>> +
>>  	list_for_each_entry(cur_vma, &dev_set->device_list, vdev.dev_set_list) {
>>  		/*
>>  		 * Test whether all the affected devices are contained by the
>> @@ -2244,6 +2370,9 @@ static int vfio_pci_dev_set_hot_reset(struct vfio_device_set *dev_set,
>>  		else
>>  			mutex_unlock(&cur->vma_lock);
>>  	}
>> +
>> +	list_for_each_entry(cur, &dev_set->device_list, vdev.dev_set_list)
>> +		pm_runtime_put(&cur->pdev->dev);
>>  err_unlock:
>>  	mutex_unlock(&dev_set->lock);
>>  	return ret;
>> diff --git a/include/linux/vfio_pci_core.h b/include/linux/vfio_pci_core.h
>> index e84f31e44238..337983a877d6 100644
>> --- a/include/linux/vfio_pci_core.h
>> +++ b/include/linux/vfio_pci_core.h
>> @@ -126,6 +126,7 @@ struct vfio_pci_core_device {
>>  	bool			needs_pm_restore;
>>  	bool			power_state_d3;
>>  	bool			pm_intx_masked;
>> +	bool			platform_pm_engaged;
>>  	struct pci_saved_state	*pci_saved_state;
>>  	struct pci_saved_state	*pm_save;
>>  	int			ioeventfds_nr;
>> diff --git a/include/uapi/linux/vfio.h b/include/uapi/linux/vfio.h
>> index fea86061b44e..53ff890dbd27 100644
>> --- a/include/uapi/linux/vfio.h
>> +++ b/include/uapi/linux/vfio.h
>> @@ -986,6 +986,24 @@ enum vfio_device_mig_state {
>>  	VFIO_DEVICE_STATE_RUNNING_P2P = 5,
>>  };
>>  
>> +/*
>> + * Use platform-based power management for moving the device into low power
>> + * state.  This low power state is device specific.
>> + *
>> + * For PCI, this low power state is D3cold.  The native PCI power management
>> + * does not support the D3cold power state.  For moving the device into D3cold
>> + * state, change the PCI state to D3hot with standard configuration registers
>> + * and then call this IOCTL to setting the D3cold state.  Similarly, if the
>> + * device in D3cold state, then call this IOCTL to exit from D3cold state.
>> + */
>> +struct vfio_device_feature_power_management {
>> +#define VFIO_DEVICE_LOW_POWER_STATE_EXIT	0x0
>> +#define VFIO_DEVICE_LOW_POWER_STATE_ENTER	0x1
>> +	__u64	low_power_state;
>> +};
>> +
>> +#define VFIO_DEVICE_FEATURE_POWER_MANAGEMENT	3
> 
> __u8 seems more than sufficient here.  Thanks,
> 
> Alex
>

 I have used __u64 mainly to get this structure 64 bit aligned.
 I was impression that the ioctl structure should be 64 bit aligned
 but in this case since we will have just have __u8 member so
 alignment should not be required?
 
 Regards,
 Abhishek
Alex Williamson May 9, 2022, 9:48 p.m. UTC | #2
On Thu, 5 May 2022 17:46:20 +0530
Abhishek Sahu <abhsahu@nvidia.com> wrote:

> On 5/5/2022 1:15 AM, Alex Williamson wrote:
> > On Mon, 25 Apr 2022 14:56:15 +0530
> > Abhishek Sahu <abhsahu@nvidia.com> wrote:
> >   
> >> Currently, if the runtime power management is enabled for vfio pci
> >> based device in the guest OS, then guest OS will do the register
> >> write for PCI_PM_CTRL register. This write request will be handled in
> >> vfio_pm_config_write() where it will do the actual register write
> >> of PCI_PM_CTRL register. With this, the maximum D3hot state can be
> >> achieved for low power. If we can use the runtime PM framework,
> >> then we can achieve the D3cold state which will help in saving
> >> maximum power.
> >>
> >> 1. Since D3cold state can't be achieved by writing PCI standard
> >>    PM config registers, so this patch adds a new feature in the
> >>    existing VFIO_DEVICE_FEATURE IOCTL. This IOCTL can be used
> >>    to change the PCI device from D3hot to D3cold state and
> >>    then D3cold to D0 state. The device feature uses low power term
> >>    instead of D3cold so that if other vfio driver wants to implement
> >>    low power support, then the same IOCTL can be used.  
> > 
> > How does this enable you to handle the full-off vs memory-refresh modes
> > for NVIDIA GPUs?
> >   
>  
>  Thanks Alex.
> 
>  This patch series will just enable the full-off for nvidia GPU.
>  The self-refresh mode won't work.
> 
>  The self-refresh case is nvidia specific and needs driver
>  involvement each time before going into d3cold. We are evaluating
>  internally if we have enough use case for self-refresh mode and then
>  I will plan separate patch series to support self-refresh mode use
>  case, if required. But that will be independent of this patch series.
> 
>  At the high level, we need some way to disable the PCI device access
>  from the host side or forward the event to VM for every access on the
>  host side if we want to support NVIDIA self-refresh use case inside VM.
>  Otherwise, from the driver side, we can disable self-refresh mode if
>  driver is running inside VM. In that case, if memory usage is higher than
>  threshold then we don’t engage RTD3 itself. 

Disabling PCI access on the host seems impractical to me, but PM and
PCI folks are welcome to weigh in.

We've also discussed that the GPU memory could exceed RAM + swap for a
VM, leaving them with no practical means to make use of d3cold if we
don't support this capability.  Also, existing drivers expect to have
this capability and it's not uncommon for those in the gaming community
making use of GPU assignment to attempt to hide the fact that they're
running in a VM to avoid falsely triggering anti-cheat detection, DRM,
or working around certain GPU vendors who previously restricted use of
consumer GPUs in VMs.

That seems to suggest to me that our only option is along the lines of
notifying the VM when the device returns to D0 and by default only
re-entering d3cold under the direction of the VM.  We might also do some
sort of negotiation based on device vendor and class code where we
could enable the kernel to perform the transition back to d3cold.
There's a fair chance that an AMD GPU might have similar requirements,
do we know if they do?

I'd suggest perhaps splitting this patch series so that we can start
taking advantage of using d3cold for idle devices while we figure out
how to make use of VM directed d3cold without creating scenarios that
don't break existing drivers.
 
> > The feature ioctl supports a probe, but here the probe only indicates
> > that the ioctl is available, not what degree of low power support
> > available.  Even if the host doesn't support d3cold for the device, we
> > can still achieve root port d3hot, but can we provide further
> > capability info to the user?
> >  
> 
>  I wanted to add more information here but was not sure which
>  information will be helpful for user. There is no certain way to
>  predict that the runtime suspend will use D3cold state only even
>  on the supported systems. User can disable runtime power management from 
> 
>  /sys/bus/pci/devices/…/power/control
> 
>  Or disable d3cold itself 
> 
>  /sys/bus/pci/devices/…/d3cold_allowed
> 
> 
>  Even if all these are allowed, then platform_pci_choose_state()
>  is the main function where the target low power state is selected
>  in runtime.
> 
>  Probably we can add pci_pr3_present() status to user which gives
>  hint to user that required ACPI methods for d3cold is present in
>  the platform. 

I expected that might be the answer.  The proposed interface name also
avoids tying us directly to an ACPI implementation, so I imagine there
could be a variety of backends supporting runtime power management in
the host kernel.

In the VM I think the ACPI controls are at the root port, so we
probably need to add power control to each root port regardless of what
happens to be plugged into it at the time.  Maybe that means we can't
really take advantage of knowing the degree of device support, we just
need to wire it up as if it works regardless.

We might also want to consider parallels to device hotplug here.  For
example, if QEMU could know that a device does not retain state in
d3cold, it might choose to unplug the device backend so that the device
could be used elsewhere in the interim, or simply use the idle device
handling for d3cold in vfio-pci.  That opens up a lot of questions
regarding SLA contracts with management tools to be able to replace the
device with a fungible substitute on demand, but I can imagine data
center logistics might rather have that problem than VMs sitting on
powered-off devices.

> >> 2. The hypervisors can implement virtual ACPI methods. For
> >>    example, in guest linux OS if PCI device ACPI node has _PR3 and _PR0
> >>    power resources with _ON/_OFF method, then guest linux OS makes the
> >>    _OFF call during D3cold transition and then _ON during D0 transition.
> >>    The hypervisor can tap these virtual ACPI calls and then do the D3cold
> >>    related IOCTL in the vfio driver.
> >>
> >> 3. The vfio driver uses runtime PM framework to achieve the
> >>    D3cold state. For the D3cold transition, decrement the usage count and
> >>    for the D0 transition, increment the usage count.
> >>
> >> 4. For D3cold, the device current power state should be D3hot.
> >>    Then during runtime suspend, the pci_platform_power_transition() is
> >>    required for D3cold state. If the D3cold state is not supported, then
> >>    the device will still be in D3hot state. But with the runtime PM, the
> >>    root port can now also go into suspended state.  
> > 
> > Why do we create this requirement for the device to be in d3hot prior
> > to entering low power   
> 
>  This is mainly to make integration in the hypervisor with
>  the PCI power management code flow.
> 
>  If we see the power management steps, then following 2 steps
>  are involved 
> 
>  1. First move the device from D0 to D3hot state by writing
>     into config register.
>  2. Then invoke ACPI routines (mainly _PR3 OFF method) to
>     move from D3hot to D3cold.
> 
>  So, in the guest side, we can follow the same steps. The guest can
>  do the config register write and then for step 2, the hypervisor
>  can implement the virtual ACPI with _PR3/_PR0 power resources.
>  Inside this virtual ACPI implementation, the hypervisor can invoke
>  the power management IOCTL.
> 
>  Also, if runtime PM has been disabled from the host side,
>  then also the device will be in d3hot state. 

That's true regardless of us making it a requirement.  I don't see what
it buys us to make this a requirement though.  If I trigger the _PR3
method on bare metal, does ACPI care if the device is in D3hot first?
At best that seems dependent on the ACPI implementation.
 
> > when our pm ops suspend function wakes the device do d0?  
> 
>  The changing to D0 here is happening due to 2 reasons here,
> 
>  1. First to preserve device state for the NoSoftRst-.
>  2. To make use of PCI core layer generic code for runtime suspend,
>     otherwise we need to do all handling here which is present in
>     pci_pm_runtime_suspend().

What problem do we cause if we allow the user to trigger this ioctl
from D0?  The restriction follows the expected use case, but otherwise
imposing the restriction is arbitrary.

 
> >> 5. For most of the systems, the D3cold is supported at the root
> >>    port level. So, when root port will transition to D3cold state, then
> >>    the vfio PCI device will go from D3hot to D3cold state during its
> >>    runtime suspend. If root port does not support D3cold, then the root
> >>    will go into D3hot state.
> >>
> >> 6. The runtime suspend callback can now happen for 2 cases: there
> >>    are no users of vfio device and the case where user has initiated
> >>    D3cold. The 'platform_pm_engaged' flag can help to distinguish
> >>    between these 2 cases.  
> > 
> > If this were the only use case we could rely on vfio_device.open_count
> > instead.  I don't think it is though.    
> 
>  platform_pm_engaged is mainly to track the user initiated
>  low power entry with the IOCTL. So even if we use vfio_device.open_count
>  here, we will still require platform_pm_engaged.
> 
> >> 7. In D3cold, all kind of BAR related access needs to be disabled
> >>    like D3hot. Additionally, the config space will also be disabled in
> >>    D3cold state. To prevent access of config space in D3cold state, do
> >>    increment the runtime PM usage count before doing any config space
> >>    access.  
> > 
> > Or we could actually prevent access to config space rather than waking
> > the device for the access.  Addressed in further comment below.
> >    
> >> 8. If user has engaged low power entry through IOCTL, then user should
> >>    do low power exit first. The user can issue config access or IOCTL
> >>    after low power entry. We can add an explicit error check but since
> >>    we are already waking-up device, so IOCTL and config access can be
> >>    fulfilled. But 'power_state_d3' won't be cleared without issuing
> >>    low power exit so all BAR related access will still return error till
> >>    user do low power exit.  
> > 
> > The fact that power_state_d3 no longer tracks the device power state
> > when platform_pm_engaged is set is a confusing discontinuity.
> >   
> 
>  If we refer the power management steps (as mentioned in the above),
>  then these 2 variable tracks different things.
> 
>  1. power_state_d3 tracks the config space write.  
>  2. platform_pm_engaged tracks the IOCTL call. In the IOCTL, we decrement
>     the runtime usage count so we need to track that we have decremented
>     it. 
> 
> >> 9. Since multiple layers are involved, so following is the high level
> >>    code flow for D3cold entry and exit.
> >>
> >> D3cold entry:
> >>
> >> a. User put the PCI device into D3hot by writing into standard config
> >>    register (vfio_pm_config_write() -> vfio_lock_and_set_power_state() ->
> >>    vfio_pci_set_power_state()). The device power state will be D3hot and
> >>    power_state_d3 will be true.
> >> b. Set vfio_device_feature_power_management::low_power_state =
> >>    VFIO_DEVICE_LOW_POWER_STATE_ENTER and call VFIO_DEVICE_FEATURE IOCTL.
> >> c. Inside vfio_device_fops_unl_ioctl(), pm_runtime_resume_and_get()
> >>    will be called first which will make the usage count as 2 and then
> >>    vfio_pci_core_ioctl_feature() will be invoked.
> >> d. vfio_pci_core_feature_pm() will be called and it will go inside
> >>    VFIO_DEVICE_LOW_POWER_STATE_ENTER switch case. platform_pm_engaged will
> >>    be true and pm_runtime_put_noidle() will decrement the usage count
> >>    to 1.
> >> e. Inside vfio_device_fops_unl_ioctl() while returning the
> >>    pm_runtime_put() will make the usage count to 0 and the runtime PM
> >>    framework will engage the runtime suspend entry.
> >> f. pci_pm_runtime_suspend() will be called and invokes driver runtime
> >>    suspend callback.
> >> g. vfio_pci_core_runtime_suspend() will change the power state to D0
> >>    and do the INTx mask related handling.
> >> h. pci_pm_runtime_suspend() will take care of saving the PCI state and
> >>    all power management handling for D3cold.
> >>
> >> D3cold exit:
> >>
> >> a. Set vfio_device_feature_power_management::low_power_state =
> >>    VFIO_DEVICE_LOW_POWER_STATE_EXIT and call VFIO_DEVICE_FEATURE IOCTL.
> >> b. Inside vfio_device_fops_unl_ioctl(), pm_runtime_resume_and_get()
> >>    will be called first which will make the usage count as 1.
> >> c. pci_pm_runtime_resume() will take care of moving the device into D0
> >>    state again and then vfio_pci_core_runtime_resume() will be called.
> >> d. vfio_pci_core_runtime_resume() will do the INTx unmask related
> >>    handling.
> >> e. vfio_pci_core_ioctl_feature() will be invoked.
> >> f. vfio_pci_core_feature_pm() will be called and it will go inside
> >>    VFIO_DEVICE_LOW_POWER_STATE_EXIT switch case. platform_pm_engaged and
> >>    power_state_d3 will be cleared and pm_runtime_get_noresume() will make
> >>    the usage count as 2.
> >> g. Inside vfio_device_fops_unl_ioctl() while returning the
> >>    pm_runtime_put() will make the usage count to 1 and the device will
> >>    be in D0 state only.
> >>
> >> Signed-off-by: Abhishek Sahu <abhsahu@nvidia.com>
> >> ---
> >>  drivers/vfio/pci/vfio_pci_config.c |  11 ++-
> >>  drivers/vfio/pci/vfio_pci_core.c   | 131 ++++++++++++++++++++++++++++-
> >>  include/linux/vfio_pci_core.h      |   1 +
> >>  include/uapi/linux/vfio.h          |  18 ++++
> >>  4 files changed, 159 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
> >> index af0ae80ef324..65b1bc9586ab 100644
> >> --- a/drivers/vfio/pci/vfio_pci_config.c
> >> +++ b/drivers/vfio/pci/vfio_pci_config.c
> >> @@ -25,6 +25,7 @@
> >>  #include <linux/uaccess.h>
> >>  #include <linux/vfio.h>
> >>  #include <linux/slab.h>
> >> +#include <linux/pm_runtime.h>
> >>  
> >>  #include <linux/vfio_pci_core.h>
> >>  
> >> @@ -1936,16 +1937,23 @@ static ssize_t vfio_config_do_rw(struct vfio_pci_core_device *vdev, char __user
> >>  ssize_t vfio_pci_config_rw(struct vfio_pci_core_device *vdev, char __user *buf,
> >>  			   size_t count, loff_t *ppos, bool iswrite)
> >>  {
> >> +	struct device *dev = &vdev->pdev->dev;
> >>  	size_t done = 0;
> >>  	int ret = 0;
> >>  	loff_t pos = *ppos;
> >>  
> >>  	pos &= VFIO_PCI_OFFSET_MASK;
> >>  
> >> +	ret = pm_runtime_resume_and_get(dev);
> >> +	if (ret < 0)
> >> +		return ret;  
> > 
> > Alternatively we could just check platform_pm_engaged here and return
> > -EINVAL, right?  Why is waking the device the better option?
> >   
> 
>  This is mainly to prevent race condition where config space access
>  happens parallelly with IOCTL access. So, lets consider the following case.
> 
>  1. Config space access happens and vfio_pci_config_rw() will be called.
>  2. The IOCTL to move into low power state is called.
>  3. The IOCTL will move the device into d3cold.
>  4. Exit from vfio_pci_config_rw() happened.
> 
>  Now, if we just check platform_pm_engaged, then in the above
>  sequence it won’t work. I checked this parallel access by writing
>  a small program where I opened the 2 instances and then
>  created 2 threads for config space and IOCTL.
>  In my case, I got the above sequence.
> 
>  The pm_runtime_resume_and_get() will make sure that device
>  usage count keep incremented throughout the config space
>  access (or IOCTL access in the previous patch) and the
>  runtime PM framework will not move the device into suspended
>  state.

I think we're inventing problems here.  If we define that config space
is not accessible while the device is in low power and the only way to
get the device out of low power is via ioctl, then we should be denying
access to the device while in low power.  If the user races exiting the
device from low power and a config space access, that's their problem.

> >> +
> >>  	while (count) {
> >>  		ret = vfio_config_do_rw(vdev, buf, count, &pos, iswrite);
> >> -		if (ret < 0)
> >> +		if (ret < 0) {
> >> +			pm_runtime_put(dev);
> >>  			return ret;
> >> +		}
> >>  
> >>  		count -= ret;
> >>  		done += ret;
> >> @@ -1953,6 +1961,7 @@ ssize_t vfio_pci_config_rw(struct vfio_pci_core_device *vdev, char __user *buf,
> >>  		pos += ret;
> >>  	}
> >>  
> >> +	pm_runtime_put(dev);
> >>  	*ppos += done;
> >>  
> >>  	return done;
> >> diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
> >> index 05a68ca9d9e7..beac6e05f97f 100644
> >> --- a/drivers/vfio/pci/vfio_pci_core.c
> >> +++ b/drivers/vfio/pci/vfio_pci_core.c
> >> @@ -234,7 +234,14 @@ int vfio_pci_set_power_state(struct vfio_pci_core_device *vdev, pci_power_t stat
> >>  	ret = pci_set_power_state(pdev, state);
> >>  
> >>  	if (!ret) {
> >> -		vdev->power_state_d3 = (pdev->current_state >= PCI_D3hot);
> >> +		/*
> >> +		 * If 'platform_pm_engaged' is true then 'power_state_d3' can
> >> +		 * be cleared only when user makes the explicit request to
> >> +		 * move out of low power state by using power management ioctl.
> >> +		 */
> >> +		if (!vdev->platform_pm_engaged)
> >> +			vdev->power_state_d3 =
> >> +				(pdev->current_state >= PCI_D3hot);  
> > 
> > power_state_d3 is essentially only used as a secondary test to
> > __vfio_pci_memory_enabled() to block r/w access to device regions and
> > generate a fault on mmap access.  Its existence already seems a little
> > questionable when we could just look at vdev->pdev->current_state, and
> > we could incorporate that into __vfio_pci_memory_enabled().  So rather
> > than creating this inconsistency, couldn't we just make that function
> > return:
> > 
> > !vdev->platform_pm_enagaged && pdev->current_state < PCI_D3hot &&
> > (pdev->no_command_memory || (cmd & PCI_COMMAND_MEMORY))
> >   
> 
>  The main reason for power_state_d3 is to get it under
>  memory_lock semaphore. But pdev->current_state is not
>  protected with any lock. So, will use of pdev->current_state
>  here be safe?

If we're only testing and modifying pdev->current_state under
memory_lock, isn't it equivalent?
 
> >>  
> >>  		/* D3 might be unsupported via quirk, skip unless in D3 */
> >>  		if (needs_save && pdev->current_state >= PCI_D3hot) {
> >> @@ -266,6 +273,25 @@ static int vfio_pci_core_runtime_suspend(struct device *dev)
> >>  {
> >>  	struct vfio_pci_core_device *vdev = dev_get_drvdata(dev);
> >>  
> >> +	down_read(&vdev->memory_lock);
> >> +
> >> +	/* 'platform_pm_engaged' will be false if there are no users. */
> >> +	if (!vdev->platform_pm_engaged) {
> >> +		up_read(&vdev->memory_lock);
> >> +		return 0;
> >> +	}
> >> +
> >> +	/*
> >> +	 * The user will move the device into D3hot state first before invoking
> >> +	 * power management ioctl. Move the device into D0 state here and then
> >> +	 * the pci-driver core runtime PM suspend will move the device into
> >> +	 * low power state. Also, for the devices which have NoSoftRst-,
> >> +	 * it will help in restoring the original state (saved locally in
> >> +	 * 'vdev->pm_save').
> >> +	 */
> >> +	vfio_pci_set_power_state(vdev, PCI_D0);
> >> +	up_read(&vdev->memory_lock);
> >> +
> >>  	/*
> >>  	 * If INTx is enabled, then mask INTx before going into runtime
> >>  	 * suspended state and unmask the same in the runtime resume.
> >> @@ -395,6 +421,19 @@ void vfio_pci_core_disable(struct vfio_pci_core_device *vdev)
> >>  
> >>  	/*
> >>  	 * This function can be invoked while the power state is non-D0.
> >> +	 * This non-D0 power state can be with or without runtime PM.
> >> +	 * Increment the usage count corresponding to pm_runtime_put()
> >> +	 * called during setting of 'platform_pm_engaged'. The device will
> >> +	 * wake up if it has already went into suspended state. Otherwise,
> >> +	 * the next vfio_pci_set_power_state() will change the
> >> +	 * device power state to D0.
> >> +	 */
> >> +	if (vdev->platform_pm_engaged) {
> >> +		pm_runtime_resume_and_get(&pdev->dev);
> >> +		vdev->platform_pm_engaged = false;
> >> +	}
> >> +
> >> +	/*
> >>  	 * This function calls __pci_reset_function_locked() which internally
> >>  	 * can use pci_pm_reset() for the function reset. pci_pm_reset() will
> >>  	 * fail if the power state is non-D0. Also, for the devices which
> >> @@ -1192,6 +1231,80 @@ long vfio_pci_core_ioctl(struct vfio_device *core_vdev, unsigned int cmd,
> >>  }
> >>  EXPORT_SYMBOL_GPL(vfio_pci_core_ioctl);
> >>  
> >> +#ifdef CONFIG_PM
> >> +static int vfio_pci_core_feature_pm(struct vfio_device *device, u32 flags,
> >> +				    void __user *arg, size_t argsz)
> >> +{
> >> +	struct vfio_pci_core_device *vdev =
> >> +		container_of(device, struct vfio_pci_core_device, vdev);
> >> +	struct pci_dev *pdev = vdev->pdev;
> >> +	struct vfio_device_feature_power_management vfio_pm = { 0 };
> >> +	int ret = 0;
> >> +
> >> +	ret = vfio_check_feature(flags, argsz,
> >> +				 VFIO_DEVICE_FEATURE_SET |
> >> +				 VFIO_DEVICE_FEATURE_GET,
> >> +				 sizeof(vfio_pm));
> >> +	if (ret != 1)
> >> +		return ret;
> >> +
> >> +	if (flags & VFIO_DEVICE_FEATURE_GET) {
> >> +		down_read(&vdev->memory_lock);
> >> +		vfio_pm.low_power_state = vdev->platform_pm_engaged ?
> >> +				VFIO_DEVICE_LOW_POWER_STATE_ENTER :
> >> +				VFIO_DEVICE_LOW_POWER_STATE_EXIT;
> >> +		up_read(&vdev->memory_lock);
> >> +		if (copy_to_user(arg, &vfio_pm, sizeof(vfio_pm)))
> >> +			return -EFAULT;
> >> +		return 0;
> >> +	}
> >> +
> >> +	if (copy_from_user(&vfio_pm, arg, sizeof(vfio_pm)))
> >> +		return -EFAULT;
> >> +
> >> +	/*
> >> +	 * The vdev power related fields are protected with memory_lock
> >> +	 * semaphore.
> >> +	 */
> >> +	down_write(&vdev->memory_lock);
> >> +	switch (vfio_pm.low_power_state) {
> >> +	case VFIO_DEVICE_LOW_POWER_STATE_ENTER:
> >> +		if (!vdev->power_state_d3 || vdev->platform_pm_engaged) {
> >> +			ret = EINVAL;
> >> +			break;
> >> +		}
> >> +
> >> +		vdev->platform_pm_engaged = true;
> >> +
> >> +		/*
> >> +		 * The pm_runtime_put() will be called again while returning
> >> +		 * from ioctl after which the device can go into runtime
> >> +		 * suspended.
> >> +		 */
> >> +		pm_runtime_put_noidle(&pdev->dev);
> >> +		break;
> >> +
> >> +	case VFIO_DEVICE_LOW_POWER_STATE_EXIT:
> >> +		if (!vdev->platform_pm_engaged) {
> >> +			ret = EINVAL;
> >> +			break;
> >> +		}
> >> +
> >> +		vdev->platform_pm_engaged = false;
> >> +		vdev->power_state_d3 = false;
> >> +		pm_runtime_get_noresume(&pdev->dev);
> >> +		break;
> >> +
> >> +	default:
> >> +		ret = EINVAL;
> >> +		break;
> >> +	}
> >> +
> >> +	up_write(&vdev->memory_lock);
> >> +	return ret;
> >> +}
> >> +#endif
> >> +
> >>  static int vfio_pci_core_feature_token(struct vfio_device *device, u32 flags,
> >>  				       void __user *arg, size_t argsz)
> >>  {
> >> @@ -1226,6 +1339,10 @@ int vfio_pci_core_ioctl_feature(struct vfio_device *device, u32 flags,
> >>  	switch (flags & VFIO_DEVICE_FEATURE_MASK) {
> >>  	case VFIO_DEVICE_FEATURE_PCI_VF_TOKEN:
> >>  		return vfio_pci_core_feature_token(device, flags, arg, argsz);
> >> +#ifdef CONFIG_PM
> >> +	case VFIO_DEVICE_FEATURE_POWER_MANAGEMENT:
> >> +		return vfio_pci_core_feature_pm(device, flags, arg, argsz);
> >> +#endif
> >>  	default:
> >>  		return -ENOTTY;
> >>  	}
> >> @@ -2189,6 +2306,15 @@ static int vfio_pci_dev_set_hot_reset(struct vfio_device_set *dev_set,
> >>  		goto err_unlock;
> >>  	}
> >>  
> >> +	/*
> >> +	 * Some of the devices in the dev_set can be in the runtime suspended
> >> +	 * state. Increment the usage count for all the devices in the dev_set
> >> +	 * before reset and decrement the same after reset.
> >> +	 */
> >> +	ret = vfio_pci_dev_set_pm_runtime_get(dev_set);
> >> +	if (ret)
> >> +		goto err_unlock;
> >> +
> >>  	list_for_each_entry(cur_vma, &dev_set->device_list, vdev.dev_set_list) {
> >>  		/*
> >>  		 * Test whether all the affected devices are contained by the
> >> @@ -2244,6 +2370,9 @@ static int vfio_pci_dev_set_hot_reset(struct vfio_device_set *dev_set,
> >>  		else
> >>  			mutex_unlock(&cur->vma_lock);
> >>  	}
> >> +
> >> +	list_for_each_entry(cur, &dev_set->device_list, vdev.dev_set_list)
> >> +		pm_runtime_put(&cur->pdev->dev);
> >>  err_unlock:
> >>  	mutex_unlock(&dev_set->lock);
> >>  	return ret;
> >> diff --git a/include/linux/vfio_pci_core.h b/include/linux/vfio_pci_core.h
> >> index e84f31e44238..337983a877d6 100644
> >> --- a/include/linux/vfio_pci_core.h
> >> +++ b/include/linux/vfio_pci_core.h
> >> @@ -126,6 +126,7 @@ struct vfio_pci_core_device {
> >>  	bool			needs_pm_restore;
> >>  	bool			power_state_d3;
> >>  	bool			pm_intx_masked;
> >> +	bool			platform_pm_engaged;
> >>  	struct pci_saved_state	*pci_saved_state;
> >>  	struct pci_saved_state	*pm_save;
> >>  	int			ioeventfds_nr;
> >> diff --git a/include/uapi/linux/vfio.h b/include/uapi/linux/vfio.h
> >> index fea86061b44e..53ff890dbd27 100644
> >> --- a/include/uapi/linux/vfio.h
> >> +++ b/include/uapi/linux/vfio.h
> >> @@ -986,6 +986,24 @@ enum vfio_device_mig_state {
> >>  	VFIO_DEVICE_STATE_RUNNING_P2P = 5,
> >>  };
> >>  
> >> +/*
> >> + * Use platform-based power management for moving the device into low power
> >> + * state.  This low power state is device specific.
> >> + *
> >> + * For PCI, this low power state is D3cold.  The native PCI power management
> >> + * does not support the D3cold power state.  For moving the device into D3cold
> >> + * state, change the PCI state to D3hot with standard configuration registers
> >> + * and then call this IOCTL to setting the D3cold state.  Similarly, if the
> >> + * device in D3cold state, then call this IOCTL to exit from D3cold state.
> >> + */
> >> +struct vfio_device_feature_power_management {
> >> +#define VFIO_DEVICE_LOW_POWER_STATE_EXIT	0x0
> >> +#define VFIO_DEVICE_LOW_POWER_STATE_ENTER	0x1
> >> +	__u64	low_power_state;
> >> +};
> >> +
> >> +#define VFIO_DEVICE_FEATURE_POWER_MANAGEMENT	3  
> > 
> > __u8 seems more than sufficient here.  Thanks,
> > 
> > Alex
> >  
> 
>  I have used __u64 mainly to get this structure 64 bit aligned.
>  I was impression that the ioctl structure should be 64 bit aligned
>  but in this case since we will have just have __u8 member so
>  alignment should not be required?

We can add a directive to enforce an alignment regardless of the field
size.  I believe the feature ioctl header is already going to be eight
byte aligned, so it's probably not strictly necessary, but Jason seems
to be adding more of these directives elsewhere, so probably a good
idea regardless.  Thanks,

Alex
Abhishek Sahu May 10, 2022, 1:26 p.m. UTC | #3
On 5/10/2022 3:18 AM, Alex Williamson wrote:
> On Thu, 5 May 2022 17:46:20 +0530
> Abhishek Sahu <abhsahu@nvidia.com> wrote:
> 
>> On 5/5/2022 1:15 AM, Alex Williamson wrote:
>>> On Mon, 25 Apr 2022 14:56:15 +0530
>>> Abhishek Sahu <abhsahu@nvidia.com> wrote:
>>>   
>>>> Currently, if the runtime power management is enabled for vfio pci
>>>> based device in the guest OS, then guest OS will do the register
>>>> write for PCI_PM_CTRL register. This write request will be handled in
>>>> vfio_pm_config_write() where it will do the actual register write
>>>> of PCI_PM_CTRL register. With this, the maximum D3hot state can be
>>>> achieved for low power. If we can use the runtime PM framework,
>>>> then we can achieve the D3cold state which will help in saving
>>>> maximum power.
>>>>
>>>> 1. Since D3cold state can't be achieved by writing PCI standard
>>>>    PM config registers, so this patch adds a new feature in the
>>>>    existing VFIO_DEVICE_FEATURE IOCTL. This IOCTL can be used
>>>>    to change the PCI device from D3hot to D3cold state and
>>>>    then D3cold to D0 state. The device feature uses low power term
>>>>    instead of D3cold so that if other vfio driver wants to implement
>>>>    low power support, then the same IOCTL can be used.  
>>>
>>> How does this enable you to handle the full-off vs memory-refresh modes
>>> for NVIDIA GPUs?
>>>   
>>  
>>  Thanks Alex.
>>
>>  This patch series will just enable the full-off for nvidia GPU.
>>  The self-refresh mode won't work.
>>
>>  The self-refresh case is nvidia specific and needs driver
>>  involvement each time before going into d3cold. We are evaluating
>>  internally if we have enough use case for self-refresh mode and then
>>  I will plan separate patch series to support self-refresh mode use
>>  case, if required. But that will be independent of this patch series.
>>
>>  At the high level, we need some way to disable the PCI device access
>>  from the host side or forward the event to VM for every access on the
>>  host side if we want to support NVIDIA self-refresh use case inside VM.
>>  Otherwise, from the driver side, we can disable self-refresh mode if
>>  driver is running inside VM. In that case, if memory usage is higher than
>>  threshold then we don’t engage RTD3 itself. 
> 
> Disabling PCI access on the host seems impractical to me, but PM and
> PCI folks are welcome to weigh in.
> 
> We've also discussed that the GPU memory could exceed RAM + swap for a
> VM, leaving them with no practical means to make use of d3cold if we
> don't support this capability.  Also, existing drivers expect to have
> this capability and it's not uncommon for those in the gaming community
> making use of GPU assignment to attempt to hide the fact that they're
> running in a VM to avoid falsely triggering anti-cheat detection, DRM,
> or working around certain GPU vendors who previously restricted use of
> consumer GPUs in VMs.
> 
> That seems to suggest to me that our only option is along the lines of
> notifying the VM when the device returns to D0 and by default only
> re-entering d3cold under the direction of the VM.  We might also do some
> sort of negotiation based on device vendor and class code where we
> could enable the kernel to perform the transition back to d3cold.
> There's a fair chance that an AMD GPU might have similar requirements,
> do we know if they do?
> 

 That SW involvement before going into D3cold can be possible for
 other devices as well although I am not sure about the current
 AMD GPU implementation. For NVIDIA GPU, the firmware running on the
 GPU listens for PME_turn_Off and then do the handling for self-refresh.
 For other devices also, if they have firmware involvement before
 D3cold entry then the similar issue can come there also.

> I'd suggest perhaps splitting this patch series so that we can start
> taking advantage of using d3cold for idle devices while we figure out
> how to make use of VM directed d3cold without creating scenarios that
> don't break existing drivers.
>  

 Sure. I can make this patch series and will move the last 3
 patches in separate patch series along with the VM notification
 support for the wake-up triggered by host.

>>> The feature ioctl supports a probe, but here the probe only indicates
>>> that the ioctl is available, not what degree of low power support
>>> available.  Even if the host doesn't support d3cold for the device, we
>>> can still achieve root port d3hot, but can we provide further
>>> capability info to the user?
>>>  
>>
>>  I wanted to add more information here but was not sure which
>>  information will be helpful for user. There is no certain way to
>>  predict that the runtime suspend will use D3cold state only even
>>  on the supported systems. User can disable runtime power management from 
>>
>>  /sys/bus/pci/devices/…/power/control
>>
>>  Or disable d3cold itself 
>>
>>  /sys/bus/pci/devices/…/d3cold_allowed
>>
>>
>>  Even if all these are allowed, then platform_pci_choose_state()
>>  is the main function where the target low power state is selected
>>  in runtime.
>>
>>  Probably we can add pci_pr3_present() status to user which gives
>>  hint to user that required ACPI methods for d3cold is present in
>>  the platform. 
> 
> I expected that might be the answer.  The proposed interface name also
> avoids tying us directly to an ACPI implementation, so I imagine there
> could be a variety of backends supporting runtime power management in
> the host kernel.
> 
> In the VM I think the ACPI controls are at the root port, so we
> probably need to add power control to each root port regardless of what
> happens to be plugged into it at the time.  Maybe that means we can't
> really take advantage of knowing the degree of device support, we just
> need to wire it up as if it works regardless.
> 

 In the host side ACPI, the power resources will be mostly associated
 with root port but from the ACPI specification side, the power resources
 can be associated with the device itself. In the guest side,
 we need to do virtual implementation so either it can be associated
 with virtual root port or from the device itself.

 But with that also, the host level degree of support information
 won’t help much.

> We might also want to consider parallels to device hotplug here.  For
> example, if QEMU could know that a device does not retain state in
> d3cold, it might choose to unplug the device backend so that the device
> could be used elsewhere in the interim, or simply use the idle device
> handling for d3cold in vfio-pci.  That opens up a lot of questions
> regarding SLA contracts with management tools to be able to replace the
> device with a fungible substitute on demand, but I can imagine data
> center logistics might rather have that problem than VMs sitting on
> powered-off devices.
> 
>>>> 2. The hypervisors can implement virtual ACPI methods. For
>>>>    example, in guest linux OS if PCI device ACPI node has _PR3 and _PR0
>>>>    power resources with _ON/_OFF method, then guest linux OS makes the
>>>>    _OFF call during D3cold transition and then _ON during D0 transition.
>>>>    The hypervisor can tap these virtual ACPI calls and then do the D3cold
>>>>    related IOCTL in the vfio driver.
>>>>
>>>> 3. The vfio driver uses runtime PM framework to achieve the
>>>>    D3cold state. For the D3cold transition, decrement the usage count and
>>>>    for the D0 transition, increment the usage count.
>>>>
>>>> 4. For D3cold, the device current power state should be D3hot.
>>>>    Then during runtime suspend, the pci_platform_power_transition() is
>>>>    required for D3cold state. If the D3cold state is not supported, then
>>>>    the device will still be in D3hot state. But with the runtime PM, the
>>>>    root port can now also go into suspended state.  
>>>
>>> Why do we create this requirement for the device to be in d3hot prior
>>> to entering low power   
>>
>>  This is mainly to make integration in the hypervisor with
>>  the PCI power management code flow.
>>
>>  If we see the power management steps, then following 2 steps
>>  are involved 
>>
>>  1. First move the device from D0 to D3hot state by writing
>>     into config register.
>>  2. Then invoke ACPI routines (mainly _PR3 OFF method) to
>>     move from D3hot to D3cold.
>>
>>  So, in the guest side, we can follow the same steps. The guest can
>>  do the config register write and then for step 2, the hypervisor
>>  can implement the virtual ACPI with _PR3/_PR0 power resources.
>>  Inside this virtual ACPI implementation, the hypervisor can invoke
>>  the power management IOCTL.
>>
>>  Also, if runtime PM has been disabled from the host side,
>>  then also the device will be in d3hot state. 
> 
> That's true regardless of us making it a requirement.  I don't see what
> it buys us to make this a requirement though.  If I trigger the _PR3
> method on bare metal, does ACPI care if the device is in D3hot first?
> At best that seems dependent on the ACPI implementation.
>

 Yes. That depends upon the ACPI implementation. 

>>> when our pm ops suspend function wakes the device do d0?  
>>
>>  The changing to D0 here is happening due to 2 reasons here,
>>
>>  1. First to preserve device state for the NoSoftRst-.
>>  2. To make use of PCI core layer generic code for runtime suspend,
>>     otherwise we need to do all handling here which is present in
>>     pci_pm_runtime_suspend().
> 
> What problem do we cause if we allow the user to trigger this ioctl
> from D0?  The restriction follows the expected use case, but otherwise
> imposing the restriction is arbitrary.
> 

 It seems then we can remove this restriction. It should be fine
 if user triggers this IOCTL from D0 and then the runtime power
 management itself will take care of device state itself.

>  
>>>> 5. For most of the systems, the D3cold is supported at the root
>>>>    port level. So, when root port will transition to D3cold state, then
>>>>    the vfio PCI device will go from D3hot to D3cold state during its
>>>>    runtime suspend. If root port does not support D3cold, then the root
>>>>    will go into D3hot state.
>>>>
>>>> 6. The runtime suspend callback can now happen for 2 cases: there
>>>>    are no users of vfio device and the case where user has initiated
>>>>    D3cold. The 'platform_pm_engaged' flag can help to distinguish
>>>>    between these 2 cases.  
>>>
>>> If this were the only use case we could rely on vfio_device.open_count
>>> instead.  I don't think it is though.    
>>
>>  platform_pm_engaged is mainly to track the user initiated
>>  low power entry with the IOCTL. So even if we use vfio_device.open_count
>>  here, we will still require platform_pm_engaged.
>>
>>>> 7. In D3cold, all kind of BAR related access needs to be disabled
>>>>    like D3hot. Additionally, the config space will also be disabled in
>>>>    D3cold state. To prevent access of config space in D3cold state, do
>>>>    increment the runtime PM usage count before doing any config space
>>>>    access.  
>>>
>>> Or we could actually prevent access to config space rather than waking
>>> the device for the access.  Addressed in further comment below.
>>>    
>>>> 8. If user has engaged low power entry through IOCTL, then user should
>>>>    do low power exit first. The user can issue config access or IOCTL
>>>>    after low power entry. We can add an explicit error check but since
>>>>    we are already waking-up device, so IOCTL and config access can be
>>>>    fulfilled. But 'power_state_d3' won't be cleared without issuing
>>>>    low power exit so all BAR related access will still return error till
>>>>    user do low power exit.  
>>>
>>> The fact that power_state_d3 no longer tracks the device power state
>>> when platform_pm_engaged is set is a confusing discontinuity.
>>>   
>>
>>  If we refer the power management steps (as mentioned in the above),
>>  then these 2 variable tracks different things.
>>
>>  1. power_state_d3 tracks the config space write.  
>>  2. platform_pm_engaged tracks the IOCTL call. In the IOCTL, we decrement
>>     the runtime usage count so we need to track that we have decremented
>>     it. 
>>
>>>> 9. Since multiple layers are involved, so following is the high level
>>>>    code flow for D3cold entry and exit.
>>>>
>>>> D3cold entry:
>>>>
>>>> a. User put the PCI device into D3hot by writing into standard config
>>>>    register (vfio_pm_config_write() -> vfio_lock_and_set_power_state() ->
>>>>    vfio_pci_set_power_state()). The device power state will be D3hot and
>>>>    power_state_d3 will be true.
>>>> b. Set vfio_device_feature_power_management::low_power_state =
>>>>    VFIO_DEVICE_LOW_POWER_STATE_ENTER and call VFIO_DEVICE_FEATURE IOCTL.
>>>> c. Inside vfio_device_fops_unl_ioctl(), pm_runtime_resume_and_get()
>>>>    will be called first which will make the usage count as 2 and then
>>>>    vfio_pci_core_ioctl_feature() will be invoked.
>>>> d. vfio_pci_core_feature_pm() will be called and it will go inside
>>>>    VFIO_DEVICE_LOW_POWER_STATE_ENTER switch case. platform_pm_engaged will
>>>>    be true and pm_runtime_put_noidle() will decrement the usage count
>>>>    to 1.
>>>> e. Inside vfio_device_fops_unl_ioctl() while returning the
>>>>    pm_runtime_put() will make the usage count to 0 and the runtime PM
>>>>    framework will engage the runtime suspend entry.
>>>> f. pci_pm_runtime_suspend() will be called and invokes driver runtime
>>>>    suspend callback.
>>>> g. vfio_pci_core_runtime_suspend() will change the power state to D0
>>>>    and do the INTx mask related handling.
>>>> h. pci_pm_runtime_suspend() will take care of saving the PCI state and
>>>>    all power management handling for D3cold.
>>>>
>>>> D3cold exit:
>>>>
>>>> a. Set vfio_device_feature_power_management::low_power_state =
>>>>    VFIO_DEVICE_LOW_POWER_STATE_EXIT and call VFIO_DEVICE_FEATURE IOCTL.
>>>> b. Inside vfio_device_fops_unl_ioctl(), pm_runtime_resume_and_get()
>>>>    will be called first which will make the usage count as 1.
>>>> c. pci_pm_runtime_resume() will take care of moving the device into D0
>>>>    state again and then vfio_pci_core_runtime_resume() will be called.
>>>> d. vfio_pci_core_runtime_resume() will do the INTx unmask related
>>>>    handling.
>>>> e. vfio_pci_core_ioctl_feature() will be invoked.
>>>> f. vfio_pci_core_feature_pm() will be called and it will go inside
>>>>    VFIO_DEVICE_LOW_POWER_STATE_EXIT switch case. platform_pm_engaged and
>>>>    power_state_d3 will be cleared and pm_runtime_get_noresume() will make
>>>>    the usage count as 2.
>>>> g. Inside vfio_device_fops_unl_ioctl() while returning the
>>>>    pm_runtime_put() will make the usage count to 1 and the device will
>>>>    be in D0 state only.
>>>>
>>>> Signed-off-by: Abhishek Sahu <abhsahu@nvidia.com>
>>>> ---
>>>>  drivers/vfio/pci/vfio_pci_config.c |  11 ++-
>>>>  drivers/vfio/pci/vfio_pci_core.c   | 131 ++++++++++++++++++++++++++++-
>>>>  include/linux/vfio_pci_core.h      |   1 +
>>>>  include/uapi/linux/vfio.h          |  18 ++++
>>>>  4 files changed, 159 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
>>>> index af0ae80ef324..65b1bc9586ab 100644
>>>> --- a/drivers/vfio/pci/vfio_pci_config.c
>>>> +++ b/drivers/vfio/pci/vfio_pci_config.c
>>>> @@ -25,6 +25,7 @@
>>>>  #include <linux/uaccess.h>
>>>>  #include <linux/vfio.h>
>>>>  #include <linux/slab.h>
>>>> +#include <linux/pm_runtime.h>
>>>>  
>>>>  #include <linux/vfio_pci_core.h>
>>>>  
>>>> @@ -1936,16 +1937,23 @@ static ssize_t vfio_config_do_rw(struct vfio_pci_core_device *vdev, char __user
>>>>  ssize_t vfio_pci_config_rw(struct vfio_pci_core_device *vdev, char __user *buf,
>>>>  			   size_t count, loff_t *ppos, bool iswrite)
>>>>  {
>>>> +	struct device *dev = &vdev->pdev->dev;
>>>>  	size_t done = 0;
>>>>  	int ret = 0;
>>>>  	loff_t pos = *ppos;
>>>>  
>>>>  	pos &= VFIO_PCI_OFFSET_MASK;
>>>>  
>>>> +	ret = pm_runtime_resume_and_get(dev);
>>>> +	if (ret < 0)
>>>> +		return ret;  
>>>
>>> Alternatively we could just check platform_pm_engaged here and return
>>> -EINVAL, right?  Why is waking the device the better option?
>>>   
>>
>>  This is mainly to prevent race condition where config space access
>>  happens parallelly with IOCTL access. So, lets consider the following case.
>>
>>  1. Config space access happens and vfio_pci_config_rw() will be called.
>>  2. The IOCTL to move into low power state is called.
>>  3. The IOCTL will move the device into d3cold.
>>  4. Exit from vfio_pci_config_rw() happened.
>>
>>  Now, if we just check platform_pm_engaged, then in the above
>>  sequence it won’t work. I checked this parallel access by writing
>>  a small program where I opened the 2 instances and then
>>  created 2 threads for config space and IOCTL.
>>  In my case, I got the above sequence.
>>
>>  The pm_runtime_resume_and_get() will make sure that device
>>  usage count keep incremented throughout the config space
>>  access (or IOCTL access in the previous patch) and the
>>  runtime PM framework will not move the device into suspended
>>  state.
> 
> I think we're inventing problems here.  If we define that config space
> is not accessible while the device is in low power and the only way to
> get the device out of low power is via ioctl, then we should be denying
> access to the device while in low power.  If the user races exiting the
> device from low power and a config space access, that's their problem.
> 

 But what about malicious user who intentionally tries to create
 this sequence. If the platform_pm_engaged check passed and
 then user put the device into low power state. In that case,
 there may be chances where config read happens while the device
 is in low power state.

 Can we prevent this concurrent access somehow or make sure
 that nothing else is running when the low power ioctl runs?

>>>> +
>>>>  	while (count) {
>>>>  		ret = vfio_config_do_rw(vdev, buf, count, &pos, iswrite);
>>>> -		if (ret < 0)
>>>> +		if (ret < 0) {
>>>> +			pm_runtime_put(dev);
>>>>  			return ret;
>>>> +		}
>>>>  
>>>>  		count -= ret;
>>>>  		done += ret;
>>>> @@ -1953,6 +1961,7 @@ ssize_t vfio_pci_config_rw(struct vfio_pci_core_device *vdev, char __user *buf,
>>>>  		pos += ret;
>>>>  	}
>>>>  
>>>> +	pm_runtime_put(dev);
>>>>  	*ppos += done;
>>>>  
>>>>  	return done;
>>>> diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
>>>> index 05a68ca9d9e7..beac6e05f97f 100644
>>>> --- a/drivers/vfio/pci/vfio_pci_core.c
>>>> +++ b/drivers/vfio/pci/vfio_pci_core.c
>>>> @@ -234,7 +234,14 @@ int vfio_pci_set_power_state(struct vfio_pci_core_device *vdev, pci_power_t stat
>>>>  	ret = pci_set_power_state(pdev, state);
>>>>  
>>>>  	if (!ret) {
>>>> -		vdev->power_state_d3 = (pdev->current_state >= PCI_D3hot);
>>>> +		/*
>>>> +		 * If 'platform_pm_engaged' is true then 'power_state_d3' can
>>>> +		 * be cleared only when user makes the explicit request to
>>>> +		 * move out of low power state by using power management ioctl.
>>>> +		 */
>>>> +		if (!vdev->platform_pm_engaged)
>>>> +			vdev->power_state_d3 =
>>>> +				(pdev->current_state >= PCI_D3hot);  
>>>
>>> power_state_d3 is essentially only used as a secondary test to
>>> __vfio_pci_memory_enabled() to block r/w access to device regions and
>>> generate a fault on mmap access.  Its existence already seems a little
>>> questionable when we could just look at vdev->pdev->current_state, and
>>> we could incorporate that into __vfio_pci_memory_enabled().  So rather
>>> than creating this inconsistency, couldn't we just make that function
>>> return:
>>>
>>> !vdev->platform_pm_enagaged && pdev->current_state < PCI_D3hot &&
>>> (pdev->no_command_memory || (cmd & PCI_COMMAND_MEMORY))
>>>   
>>
>>  The main reason for power_state_d3 is to get it under
>>  memory_lock semaphore. But pdev->current_state is not
>>  protected with any lock. So, will use of pdev->current_state
>>  here be safe?
> 
> If we're only testing and modifying pdev->current_state under
> memory_lock, isn't it equivalent?
>

 pdev->current_state can be modified by PCI runtime PM core
 layer itself like when user invokes lspci, config dump command
 but in that case, platform_pm_enagaged should block this access.
 While for config space writes, the PM core layer code should not
 touch the pdev->current_state. So, yes we can use pdev->current_state.
 I will make this change and update the other patch in this series.

>>>>  
>>>>  		/* D3 might be unsupported via quirk, skip unless in D3 */
>>>>  		if (needs_save && pdev->current_state >= PCI_D3hot) {
>>>> @@ -266,6 +273,25 @@ static int vfio_pci_core_runtime_suspend(struct device *dev)
>>>>  {
>>>>  	struct vfio_pci_core_device *vdev = dev_get_drvdata(dev);
>>>>  
>>>> +	down_read(&vdev->memory_lock);
>>>> +
>>>> +	/* 'platform_pm_engaged' will be false if there are no users. */
>>>> +	if (!vdev->platform_pm_engaged) {
>>>> +		up_read(&vdev->memory_lock);
>>>> +		return 0;
>>>> +	}
>>>> +
>>>> +	/*
>>>> +	 * The user will move the device into D3hot state first before invoking
>>>> +	 * power management ioctl. Move the device into D0 state here and then
>>>> +	 * the pci-driver core runtime PM suspend will move the device into
>>>> +	 * low power state. Also, for the devices which have NoSoftRst-,
>>>> +	 * it will help in restoring the original state (saved locally in
>>>> +	 * 'vdev->pm_save').
>>>> +	 */
>>>> +	vfio_pci_set_power_state(vdev, PCI_D0);
>>>> +	up_read(&vdev->memory_lock);
>>>> +
>>>>  	/*
>>>>  	 * If INTx is enabled, then mask INTx before going into runtime
>>>>  	 * suspended state and unmask the same in the runtime resume.
>>>> @@ -395,6 +421,19 @@ void vfio_pci_core_disable(struct vfio_pci_core_device *vdev)
>>>>  
>>>>  	/*
>>>>  	 * This function can be invoked while the power state is non-D0.
>>>> +	 * This non-D0 power state can be with or without runtime PM.
>>>> +	 * Increment the usage count corresponding to pm_runtime_put()
>>>> +	 * called during setting of 'platform_pm_engaged'. The device will
>>>> +	 * wake up if it has already went into suspended state. Otherwise,
>>>> +	 * the next vfio_pci_set_power_state() will change the
>>>> +	 * device power state to D0.
>>>> +	 */
>>>> +	if (vdev->platform_pm_engaged) {
>>>> +		pm_runtime_resume_and_get(&pdev->dev);
>>>> +		vdev->platform_pm_engaged = false;
>>>> +	}
>>>> +
>>>> +	/*
>>>>  	 * This function calls __pci_reset_function_locked() which internally
>>>>  	 * can use pci_pm_reset() for the function reset. pci_pm_reset() will
>>>>  	 * fail if the power state is non-D0. Also, for the devices which
>>>> @@ -1192,6 +1231,80 @@ long vfio_pci_core_ioctl(struct vfio_device *core_vdev, unsigned int cmd,
>>>>  }
>>>>  EXPORT_SYMBOL_GPL(vfio_pci_core_ioctl);
>>>>  
>>>> +#ifdef CONFIG_PM
>>>> +static int vfio_pci_core_feature_pm(struct vfio_device *device, u32 flags,
>>>> +				    void __user *arg, size_t argsz)
>>>> +{
>>>> +	struct vfio_pci_core_device *vdev =
>>>> +		container_of(device, struct vfio_pci_core_device, vdev);
>>>> +	struct pci_dev *pdev = vdev->pdev;
>>>> +	struct vfio_device_feature_power_management vfio_pm = { 0 };
>>>> +	int ret = 0;
>>>> +
>>>> +	ret = vfio_check_feature(flags, argsz,
>>>> +				 VFIO_DEVICE_FEATURE_SET |
>>>> +				 VFIO_DEVICE_FEATURE_GET,
>>>> +				 sizeof(vfio_pm));
>>>> +	if (ret != 1)
>>>> +		return ret;
>>>> +
>>>> +	if (flags & VFIO_DEVICE_FEATURE_GET) {
>>>> +		down_read(&vdev->memory_lock);
>>>> +		vfio_pm.low_power_state = vdev->platform_pm_engaged ?
>>>> +				VFIO_DEVICE_LOW_POWER_STATE_ENTER :
>>>> +				VFIO_DEVICE_LOW_POWER_STATE_EXIT;
>>>> +		up_read(&vdev->memory_lock);
>>>> +		if (copy_to_user(arg, &vfio_pm, sizeof(vfio_pm)))
>>>> +			return -EFAULT;
>>>> +		return 0;
>>>> +	}
>>>> +
>>>> +	if (copy_from_user(&vfio_pm, arg, sizeof(vfio_pm)))
>>>> +		return -EFAULT;
>>>> +
>>>> +	/*
>>>> +	 * The vdev power related fields are protected with memory_lock
>>>> +	 * semaphore.
>>>> +	 */
>>>> +	down_write(&vdev->memory_lock);
>>>> +	switch (vfio_pm.low_power_state) {
>>>> +	case VFIO_DEVICE_LOW_POWER_STATE_ENTER:
>>>> +		if (!vdev->power_state_d3 || vdev->platform_pm_engaged) {
>>>> +			ret = EINVAL;
>>>> +			break;
>>>> +		}
>>>> +
>>>> +		vdev->platform_pm_engaged = true;
>>>> +
>>>> +		/*
>>>> +		 * The pm_runtime_put() will be called again while returning
>>>> +		 * from ioctl after which the device can go into runtime
>>>> +		 * suspended.
>>>> +		 */
>>>> +		pm_runtime_put_noidle(&pdev->dev);
>>>> +		break;
>>>> +
>>>> +	case VFIO_DEVICE_LOW_POWER_STATE_EXIT:
>>>> +		if (!vdev->platform_pm_engaged) {
>>>> +			ret = EINVAL;
>>>> +			break;
>>>> +		}
>>>> +
>>>> +		vdev->platform_pm_engaged = false;
>>>> +		vdev->power_state_d3 = false;
>>>> +		pm_runtime_get_noresume(&pdev->dev);
>>>> +		break;
>>>> +
>>>> +	default:
>>>> +		ret = EINVAL;
>>>> +		break;
>>>> +	}
>>>> +
>>>> +	up_write(&vdev->memory_lock);
>>>> +	return ret;
>>>> +}
>>>> +#endif
>>>> +
>>>>  static int vfio_pci_core_feature_token(struct vfio_device *device, u32 flags,
>>>>  				       void __user *arg, size_t argsz)
>>>>  {
>>>> @@ -1226,6 +1339,10 @@ int vfio_pci_core_ioctl_feature(struct vfio_device *device, u32 flags,
>>>>  	switch (flags & VFIO_DEVICE_FEATURE_MASK) {
>>>>  	case VFIO_DEVICE_FEATURE_PCI_VF_TOKEN:
>>>>  		return vfio_pci_core_feature_token(device, flags, arg, argsz);
>>>> +#ifdef CONFIG_PM
>>>> +	case VFIO_DEVICE_FEATURE_POWER_MANAGEMENT:
>>>> +		return vfio_pci_core_feature_pm(device, flags, arg, argsz);
>>>> +#endif
>>>>  	default:
>>>>  		return -ENOTTY;
>>>>  	}
>>>> @@ -2189,6 +2306,15 @@ static int vfio_pci_dev_set_hot_reset(struct vfio_device_set *dev_set,
>>>>  		goto err_unlock;
>>>>  	}
>>>>  
>>>> +	/*
>>>> +	 * Some of the devices in the dev_set can be in the runtime suspended
>>>> +	 * state. Increment the usage count for all the devices in the dev_set
>>>> +	 * before reset and decrement the same after reset.
>>>> +	 */
>>>> +	ret = vfio_pci_dev_set_pm_runtime_get(dev_set);
>>>> +	if (ret)
>>>> +		goto err_unlock;
>>>> +
>>>>  	list_for_each_entry(cur_vma, &dev_set->device_list, vdev.dev_set_list) {
>>>>  		/*
>>>>  		 * Test whether all the affected devices are contained by the
>>>> @@ -2244,6 +2370,9 @@ static int vfio_pci_dev_set_hot_reset(struct vfio_device_set *dev_set,
>>>>  		else
>>>>  			mutex_unlock(&cur->vma_lock);
>>>>  	}
>>>> +
>>>> +	list_for_each_entry(cur, &dev_set->device_list, vdev.dev_set_list)
>>>> +		pm_runtime_put(&cur->pdev->dev);
>>>>  err_unlock:
>>>>  	mutex_unlock(&dev_set->lock);
>>>>  	return ret;
>>>> diff --git a/include/linux/vfio_pci_core.h b/include/linux/vfio_pci_core.h
>>>> index e84f31e44238..337983a877d6 100644
>>>> --- a/include/linux/vfio_pci_core.h
>>>> +++ b/include/linux/vfio_pci_core.h
>>>> @@ -126,6 +126,7 @@ struct vfio_pci_core_device {
>>>>  	bool			needs_pm_restore;
>>>>  	bool			power_state_d3;
>>>>  	bool			pm_intx_masked;
>>>> +	bool			platform_pm_engaged;
>>>>  	struct pci_saved_state	*pci_saved_state;
>>>>  	struct pci_saved_state	*pm_save;
>>>>  	int			ioeventfds_nr;
>>>> diff --git a/include/uapi/linux/vfio.h b/include/uapi/linux/vfio.h
>>>> index fea86061b44e..53ff890dbd27 100644
>>>> --- a/include/uapi/linux/vfio.h
>>>> +++ b/include/uapi/linux/vfio.h
>>>> @@ -986,6 +986,24 @@ enum vfio_device_mig_state {
>>>>  	VFIO_DEVICE_STATE_RUNNING_P2P = 5,
>>>>  };
>>>>  
>>>> +/*
>>>> + * Use platform-based power management for moving the device into low power
>>>> + * state.  This low power state is device specific.
>>>> + *
>>>> + * For PCI, this low power state is D3cold.  The native PCI power management
>>>> + * does not support the D3cold power state.  For moving the device into D3cold
>>>> + * state, change the PCI state to D3hot with standard configuration registers
>>>> + * and then call this IOCTL to setting the D3cold state.  Similarly, if the
>>>> + * device in D3cold state, then call this IOCTL to exit from D3cold state.
>>>> + */
>>>> +struct vfio_device_feature_power_management {
>>>> +#define VFIO_DEVICE_LOW_POWER_STATE_EXIT	0x0
>>>> +#define VFIO_DEVICE_LOW_POWER_STATE_ENTER	0x1
>>>> +	__u64	low_power_state;
>>>> +};
>>>> +
>>>> +#define VFIO_DEVICE_FEATURE_POWER_MANAGEMENT	3  
>>>
>>> __u8 seems more than sufficient here.  Thanks,
>>>
>>> Alex
>>>  
>>
>>  I have used __u64 mainly to get this structure 64 bit aligned.
>>  I was impression that the ioctl structure should be 64 bit aligned
>>  but in this case since we will have just have __u8 member so
>>  alignment should not be required?
> 
> We can add a directive to enforce an alignment regardless of the field
> size.  I believe the feature ioctl header is already going to be eight
> byte aligned, so it's probably not strictly necessary, but Jason seems
> to be adding more of these directives elsewhere, so probably a good
> idea regardless.  Thanks,
> 
> Alex
> 

So, should I change it like

__u8    low_power_state __attribute__((aligned(8)));

 Or

__aligned_u64 low_power_state

In the existing code, there are very few references for the
first one.

Thanks,
Abhishek
Jason Gunthorpe May 10, 2022, 1:30 p.m. UTC | #4
On Tue, May 10, 2022 at 06:56:02PM +0530, Abhishek Sahu wrote:
> > We can add a directive to enforce an alignment regardless of the field
> > size.  I believe the feature ioctl header is already going to be eight
> > byte aligned, so it's probably not strictly necessary, but Jason seems
> > to be adding more of these directives elsewhere, so probably a good
> > idea regardless.  Thanks,

> So, should I change it like
> 
> __u8    low_power_state __attribute__((aligned(8)));
> 
>  Or
> 
> __aligned_u64 low_power_state

You should be explicit about padding, add a reserved to cover the gap.

Jasno
Abhishek Sahu May 30, 2022, 11:15 a.m. UTC | #5
On 5/10/2022 6:56 PM, Abhishek Sahu wrote:
> On 5/10/2022 3:18 AM, Alex Williamson wrote:
>> On Thu, 5 May 2022 17:46:20 +0530
>> Abhishek Sahu <abhsahu@nvidia.com> wrote:
>>
>>> On 5/5/2022 1:15 AM, Alex Williamson wrote:
>>>> On Mon, 25 Apr 2022 14:56:15 +0530
>>>> Abhishek Sahu <abhsahu@nvidia.com> wrote:
>>>>

<snip>

>>>>> diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
>>>>> index af0ae80ef324..65b1bc9586ab 100644
>>>>> --- a/drivers/vfio/pci/vfio_pci_config.c
>>>>> +++ b/drivers/vfio/pci/vfio_pci_config.c
>>>>> @@ -25,6 +25,7 @@
>>>>>  #include <linux/uaccess.h>
>>>>>  #include <linux/vfio.h>
>>>>>  #include <linux/slab.h>
>>>>> +#include <linux/pm_runtime.h>
>>>>>  
>>>>>  #include <linux/vfio_pci_core.h>
>>>>>  
>>>>> @@ -1936,16 +1937,23 @@ static ssize_t vfio_config_do_rw(struct vfio_pci_core_device *vdev, char __user
>>>>>  ssize_t vfio_pci_config_rw(struct vfio_pci_core_device *vdev, char __user *buf,
>>>>>  			   size_t count, loff_t *ppos, bool iswrite)
>>>>>  {
>>>>> +	struct device *dev = &vdev->pdev->dev;
>>>>>  	size_t done = 0;
>>>>>  	int ret = 0;
>>>>>  	loff_t pos = *ppos;
>>>>>  
>>>>>  	pos &= VFIO_PCI_OFFSET_MASK;
>>>>>  
>>>>> +	ret = pm_runtime_resume_and_get(dev);
>>>>> +	if (ret < 0)
>>>>> +		return ret;  
>>>>
>>>> Alternatively we could just check platform_pm_engaged here and return
>>>> -EINVAL, right?  Why is waking the device the better option?
>>>>   
>>>
>>>  This is mainly to prevent race condition where config space access
>>>  happens parallelly with IOCTL access. So, lets consider the following case.
>>>
>>>  1. Config space access happens and vfio_pci_config_rw() will be called.
>>>  2. The IOCTL to move into low power state is called.
>>>  3. The IOCTL will move the device into d3cold.
>>>  4. Exit from vfio_pci_config_rw() happened.
>>>
>>>  Now, if we just check platform_pm_engaged, then in the above
>>>  sequence it won’t work. I checked this parallel access by writing
>>>  a small program where I opened the 2 instances and then
>>>  created 2 threads for config space and IOCTL.
>>>  In my case, I got the above sequence.
>>>
>>>  The pm_runtime_resume_and_get() will make sure that device
>>>  usage count keep incremented throughout the config space
>>>  access (or IOCTL access in the previous patch) and the
>>>  runtime PM framework will not move the device into suspended
>>>  state.
>>
>> I think we're inventing problems here.  If we define that config space
>> is not accessible while the device is in low power and the only way to
>> get the device out of low power is via ioctl, then we should be denying
>> access to the device while in low power.  If the user races exiting the
>> device from low power and a config space access, that's their problem.
>>
> 
>  But what about malicious user who intentionally tries to create
>  this sequence. If the platform_pm_engaged check passed and
>  then user put the device into low power state. In that case,
>  there may be chances where config read happens while the device
>  is in low power state.
> 

 Hi Alex,

 I need help in concluding below part to proceed further on my
 implementation.
 
>  Can we prevent this concurrent access somehow or make sure
>  that nothing else is running when the low power ioctl runs?
> 

 If I add the 'platform_pm_engaged' alone and return early. 
 
 vfio_pci_config_rw()
 {
 ...
     down_read(&vdev->memory_lock);
     if (vdev->platform_pm_engaged) {
         up_read(&vdev->memory_lock);
         return -EIO;
     }
 ...
 }
 
 Then from user side, if two threads are running then there are chances
 that 'platform_pm_engaged' is false while we do check but it gets true
 before returning from this function. If runtime PM framework puts the
 device into D3cold state, then there are chances that config
 read/write happens with D3cold internally. I have added prints in this
 function locally at entry and exit. In entry, the 'platform_pm_engaged'
 is coming false while in exit it is coming as true, if I create 2
 threads from user space. It will be similar to memory access issue
 on disabled memory.
 
 So, we need to make sure that the VFIO_DEVICE_FEATURE_POWER_MANAGEMENT
 ioctl request should be exclusive and no other config or ioctl
 request should be running in parallel.
 
 Could you or someone else please suggest a way to handle this case.
 
 From my side, I have following solution to handle this but not sure if
 this will be acceptable and work for all the cases.
 
 1. In real use case, config or any other ioctl should not come along
    with VFIO_DEVICE_FEATURE_POWER_MANAGEMENT ioctl request.
 
 2. Maintain some 'access_count' which will be incremented when we
    do any config space access or ioctl.
 
 3. At the beginning of config space access or ioctl, we can do
    something like this

         down_read(&vdev->memory_lock);
         atomic_inc(&vdev->access_count);
         if (vdev->platform_pm_engaged) {
                 atomic_dec(&vdev->access_count);
                 up_read(&vdev->memory_lock);
                 return -EIO;
         }
         up_read(&vdev->memory_lock);
 
     And before returning, we can decrement the 'access_count'.
 
         down_read(&vdev->memory_lock);
         atomic_dec(&vdev->access_count);
         up_read(&vdev->memory_lock);

     The atmoic_dec() is put under 'memory_lock' to maintain
     lock ordering rules for the arch where atomic_t is internally
     implemented using locks.
 
 4. Inside vfio_pci_core_feature_pm(), we can do something like this
         down_write(&vdev->memory_lock);
         if (atomic_read(&vdev->access_count) != 1) {
                 up_write(&vdev->memory_lock);
                 return -EBUSY;
         }
         vdev->platform_pm_engaged = true;
         up_write(&vdev->memory_lock);
 
 
 5. The idea here is to check the 'access_count' in
    vfio_pci_core_feature_pm(). If 'access_count' is greater than 1,
    that means some other ioctl or config space is happening,
    and we return early. Otherwise, we can set 'platform_pm_engaged' and
    release the lock.
 
 6. In case of race condition, if vfio_pci_core_feature_pm() gets
    lock and found 'access_count' 1, then its sets 'platform_pm_engaged'.
    Now at the config space access or ioctl, the 'platform_pm_engaged'
    will get as true and it will return early.
 
    If config space access or ioctl happens first, then
    'platform_pm_engaged' will be false and the request will be
    successful. But the 'access_count' will be kept incremented till
    the last. Now, in vfio_pci_core_feature_pm(), it will get
    refcount as 2 and will return -EBUSY.
 
 7. For ioctl access, I need to add two callbacks functions (one
    for start and one for end) in the struct vfio_device_ops and call
    the same at start and end of ioctl from vfio_device_fops_unl_ioctl().
 
 Another option was to add one more lock like 'memory_lock' and maintain
 it throughout the config and ioctl access but maintaining
 two locks won't be easy since memory lock is already being
 used inside inside config and ioctl. 

 Thanks,
 Abhishek
Jason Gunthorpe May 30, 2022, 12:25 p.m. UTC | #6
On Mon, May 30, 2022 at 04:45:59PM +0530, Abhishek Sahu wrote:

>  1. In real use case, config or any other ioctl should not come along
>     with VFIO_DEVICE_FEATURE_POWER_MANAGEMENT ioctl request.
>  
>  2. Maintain some 'access_count' which will be incremented when we
>     do any config space access or ioctl.

Please don't open code locks - if you need a lock then write a proper
lock. You can use the 'try' variants to bail out in cases where that
is appropriate.

Jason
Abhishek Sahu May 31, 2022, 12:14 p.m. UTC | #7
On 5/30/2022 5:55 PM, Jason Gunthorpe wrote:
> On Mon, May 30, 2022 at 04:45:59PM +0530, Abhishek Sahu wrote:
> 
>>  1. In real use case, config or any other ioctl should not come along
>>     with VFIO_DEVICE_FEATURE_POWER_MANAGEMENT ioctl request.
>>  
>>  2. Maintain some 'access_count' which will be incremented when we
>>     do any config space access or ioctl.
> 
> Please don't open code locks - if you need a lock then write a proper
> lock. You can use the 'try' variants to bail out in cases where that
> is appropriate.
> 
> Jason

 Thanks Jason for providing your inputs.

 In that case, should I introduce new rw_semaphore (For example
 power_lock) and move ‘platform_pm_engaged’ under ‘power_lock’ ?
 
 I was mainly concerned about locking rules w.r.t. existing
 ‘memory_lock’ and the code present in
 vfio_pci_zap_and_down_write_memory_lock() which is internally taking
 ‘mmap_lock’ and ‘vma_lock’. But from the initial analysis, it seems
 this should not cause any issue since we should not need ‘power_lock’
 in the mmap fault handler or any read/write functions. We can
 maintain following locking order
 
   power_lock => memory_lock
 
 1. At the beginning of config space access or ioctl, we can take the
    lock
 
     down_read(&vdev->power_lock);
     if (vdev->platform_pm_engaged) {
         up_read(&vdev->power_lock);
         return -EIO;
     }
 
    And before returning from config or ioctl, we can release the lock.
 
 2.  Now ‘platform_pm_engaged’ is not protected with memory_lock and we
     need to support the case where VFIO_DEVICE_FEATURE_POWER_MANAGEMENT
     can be called without putting the device into D3hot explicitly.
     So, I need to introduce a second variable which tracks the memory
     disablement (like power_state_d3 in this patch) and will be
     protected with 'memory_lock'. It will be set for both the cases,
     where users change the power state to D3hot by config
     write or user makes this ioctl. Inside vfio_pci_core_feature_pm(), now
     the code will become
    
         down_write(&vdev->power_lock);
         ...
         switch (vfio_pm.low_power_state) {
         case VFIO_DEVICE_LOW_POWER_STATE_ENTER:
                 ...
                         vfio_pci_zap_and_down_write_memory_lock(vdev);
                         vdev->power_state_d3 = true;
                         up_write(&vdev->memory_lock);

         ...
         up_write(&vdev->power_lock);
 
 3.  Inside __vfio_pci_memory_enabled(), we can check
     vdev->power_state_d3 instead of current_state.
 
 4.  For ioctl access, as mentioned previously I need to add two
     callbacks functions (one for start and one for end) in the struct
     vfio_device_ops and call the same at start and end of ioctl from
     vfio_device_fops_unl_ioctl().

 Thanks,
 Abhishek
Jason Gunthorpe May 31, 2022, 7:43 p.m. UTC | #8
On Tue, May 31, 2022 at 05:44:11PM +0530, Abhishek Sahu wrote:
> On 5/30/2022 5:55 PM, Jason Gunthorpe wrote:
> > On Mon, May 30, 2022 at 04:45:59PM +0530, Abhishek Sahu wrote:
> > 
> >>  1. In real use case, config or any other ioctl should not come along
> >>     with VFIO_DEVICE_FEATURE_POWER_MANAGEMENT ioctl request.
> >>  
> >>  2. Maintain some 'access_count' which will be incremented when we
> >>     do any config space access or ioctl.
> > 
> > Please don't open code locks - if you need a lock then write a proper
> > lock. You can use the 'try' variants to bail out in cases where that
> > is appropriate.
> > 
> > Jason
> 
>  Thanks Jason for providing your inputs.
> 
>  In that case, should I introduce new rw_semaphore (For example
>  power_lock) and move ‘platform_pm_engaged’ under ‘power_lock’ ?

Possibly, this is better than an atomic at least

>  1. At the beginning of config space access or ioctl, we can take the
>     lock
>  
>      down_read(&vdev->power_lock);

You can also do down_read_trylock() here and bail out as you were
suggesting with the atomic.

trylock doesn't have lock odering rules because it can't sleep so it
gives a bit more flexability when designing the lock ordering.

Though userspace has to be able to tolerate the failure, or never make
the request.

>          down_write(&vdev->power_lock);
>          ...
>          switch (vfio_pm.low_power_state) {
>          case VFIO_DEVICE_LOW_POWER_STATE_ENTER:
>                  ...
>                          vfio_pci_zap_and_down_write_memory_lock(vdev);
>                          vdev->power_state_d3 = true;
>                          up_write(&vdev->memory_lock);
> 
>          ...
>          up_write(&vdev->power_lock);

And something checks the power lock before allowing the memor to be
re-enabled?

>  4.  For ioctl access, as mentioned previously I need to add two
>      callbacks functions (one for start and one for end) in the struct
>      vfio_device_ops and call the same at start and end of ioctl from
>      vfio_device_fops_unl_ioctl().

Not sure I followed this..

Jason
Alex Williamson May 31, 2022, 10:52 p.m. UTC | #9
On Tue, 31 May 2022 16:43:04 -0300
Jason Gunthorpe <jgg@nvidia.com> wrote:

> On Tue, May 31, 2022 at 05:44:11PM +0530, Abhishek Sahu wrote:
> > On 5/30/2022 5:55 PM, Jason Gunthorpe wrote:  
> > > On Mon, May 30, 2022 at 04:45:59PM +0530, Abhishek Sahu wrote:
> > >   
> > >>  1. In real use case, config or any other ioctl should not come along
> > >>     with VFIO_DEVICE_FEATURE_POWER_MANAGEMENT ioctl request.
> > >>  
> > >>  2. Maintain some 'access_count' which will be incremented when we
> > >>     do any config space access or ioctl.  
> > > 
> > > Please don't open code locks - if you need a lock then write a proper
> > > lock. You can use the 'try' variants to bail out in cases where that
> > > is appropriate.
> > > 
> > > Jason  
> > 
> >  Thanks Jason for providing your inputs.
> > 
> >  In that case, should I introduce new rw_semaphore (For example
> >  power_lock) and move ‘platform_pm_engaged’ under ‘power_lock’ ?  
> 
> Possibly, this is better than an atomic at least
> 
> >  1. At the beginning of config space access or ioctl, we can take the
> >     lock
> >  
> >      down_read(&vdev->power_lock);  
> 
> You can also do down_read_trylock() here and bail out as you were
> suggesting with the atomic.
> 
> trylock doesn't have lock odering rules because it can't sleep so it
> gives a bit more flexability when designing the lock ordering.
> 
> Though userspace has to be able to tolerate the failure, or never make
> the request.
> 
> >          down_write(&vdev->power_lock);
> >          ...
> >          switch (vfio_pm.low_power_state) {
> >          case VFIO_DEVICE_LOW_POWER_STATE_ENTER:
> >                  ...
> >                          vfio_pci_zap_and_down_write_memory_lock(vdev);
> >                          vdev->power_state_d3 = true;
> >                          up_write(&vdev->memory_lock);
> > 
> >          ...
> >          up_write(&vdev->power_lock);  
> 
> And something checks the power lock before allowing the memor to be
> re-enabled?
> 
> >  4.  For ioctl access, as mentioned previously I need to add two
> >      callbacks functions (one for start and one for end) in the struct
> >      vfio_device_ops and call the same at start and end of ioctl from
> >      vfio_device_fops_unl_ioctl().  
> 
> Not sure I followed this..

I'm kinda lost here too.  A couple replies back there was some concern
about race scenarios with multiple user threads accessing the device.
The ones concerning non-deterministic behavior if a user is
concurrently changing power state and performing other accesses are a
non-issue, imo.  I think our goal is only to expand the current
memory_lock to block accesses, including config space, while the device
is in low power, or some approximation bounded by the entry/exit ioctl.

I think the remaining issues is how to do that relative to the fact
that config space access can change the memory enable state and would
therefore need to upgrade the memory_lock read-lock to a write-lock.
For that I think we can simply drop the read-lock, acquire the
write-lock, and re-test the low power state.  If it has changed, that
suggests the user has again raced changing power state with another
access and we can simply drop the lock and return -EIO.

If I'm still misunderstanding, please let me know.  Thanks,

Alex
Abhishek Sahu June 1, 2022, 9:49 a.m. UTC | #10
On 6/1/2022 4:22 AM, Alex Williamson wrote:
> On Tue, 31 May 2022 16:43:04 -0300
> Jason Gunthorpe <jgg@nvidia.com> wrote:
> 
>> On Tue, May 31, 2022 at 05:44:11PM +0530, Abhishek Sahu wrote:
>>> On 5/30/2022 5:55 PM, Jason Gunthorpe wrote:  
>>>> On Mon, May 30, 2022 at 04:45:59PM +0530, Abhishek Sahu wrote:
>>>>   
>>>>>  1. In real use case, config or any other ioctl should not come along
>>>>>     with VFIO_DEVICE_FEATURE_POWER_MANAGEMENT ioctl request.
>>>>>  
>>>>>  2. Maintain some 'access_count' which will be incremented when we
>>>>>     do any config space access or ioctl.  
>>>>
>>>> Please don't open code locks - if you need a lock then write a proper
>>>> lock. You can use the 'try' variants to bail out in cases where that
>>>> is appropriate.
>>>>
>>>> Jason  
>>>
>>>  Thanks Jason for providing your inputs.
>>>
>>>  In that case, should I introduce new rw_semaphore (For example
>>>  power_lock) and move ‘platform_pm_engaged’ under ‘power_lock’ ?  
>>
>> Possibly, this is better than an atomic at least
>>
>>>  1. At the beginning of config space access or ioctl, we can take the
>>>     lock
>>>  
>>>      down_read(&vdev->power_lock);  
>>
>> You can also do down_read_trylock() here and bail out as you were
>> suggesting with the atomic.
>>
>> trylock doesn't have lock odering rules because it can't sleep so it
>> gives a bit more flexability when designing the lock ordering.
>>
>> Though userspace has to be able to tolerate the failure, or never make
>> the request.
>>

 Thanks Alex and Jason for providing your inputs.

 Using down_read_trylock() along with Alex suggestion seems fine.
 In real use case, config space access should not happen when the
 device is in low power state so returning error should not
 cause any issue in this case.

>>>          down_write(&vdev->power_lock);
>>>          ...
>>>          switch (vfio_pm.low_power_state) {
>>>          case VFIO_DEVICE_LOW_POWER_STATE_ENTER:
>>>                  ...
>>>                          vfio_pci_zap_and_down_write_memory_lock(vdev);
>>>                          vdev->power_state_d3 = true;
>>>                          up_write(&vdev->memory_lock);
>>>
>>>          ...
>>>          up_write(&vdev->power_lock);  
>>
>> And something checks the power lock before allowing the memor to be
>> re-enabled?
>>
>>>  4.  For ioctl access, as mentioned previously I need to add two
>>>      callbacks functions (one for start and one for end) in the struct
>>>      vfio_device_ops and call the same at start and end of ioctl from
>>>      vfio_device_fops_unl_ioctl().  
>>
>> Not sure I followed this..
> 
> I'm kinda lost here too.


 I have summarized the things below

 1. In the current patch (v3 8/8), if config space access or ioctl was
    being made by the user when the device is already in low power state,
    then it was waking the device. This wake up was happening with
    pm_runtime_resume_and_get() API in vfio_pci_config_rw() and
    vfio_device_fops_unl_ioctl() (with patch v3 7/8 in this patch series).

 2. Now, it has been decided to return error instead of waking the
    device if the device is already in low power state.

 3. Initially I thought to add following code in config space path
    (and similar in ioctl)

        vfio_pci_config_rw() {
            ...
            down_read(&vdev->memory_lock);
            if (vdev->platform_pm_engaged)
            {
                up_read(&vdev->memory_lock);
                return -EIO;
            }
            ...
        }

     And then there was a possibility that the physical config happens
     when the device in D3cold in case of race condition.

 4.  So, I wanted to add some mechanism so that the low power entry
     ioctl will be serialized with other ioctl or config space. With this
     if low power entry gets scheduled first then config/other ioctls will
     get failure, otherwise low power entry will wait.

 5.  For serializing this access, I need to ensure that lock is held
     throughout the operation. For config space I can add the code in
     vfio_pci_config_rw(). But for ioctls, I was not sure what is the best
     way since few ioctls (VFIO_DEVICE_FEATURE_MIGRATION,
     VFIO_DEVICE_FEATURE_MIG_DEVICE_STATE etc.) are being handled in the
     vfio core layer itself.

 The memory_lock and the variables to track low power in specific to
 vfio-pci so I need some mechanism by which I add low power check for
 each ioctl. For serialization, I need to call function implemented in
 vfio-pci before vfio core layer makes the actual ioctl to grab the
 locks. Similarly, I need to release the lock once vfio core layer
 finished the actual ioctl. I have mentioned about this problem in the
 above point (point 4 in my earlier mail).

> A couple replies back there was some concern
> about race scenarios with multiple user threads accessing the device.
> The ones concerning non-deterministic behavior if a user is
> concurrently changing power state and performing other accesses are a
> non-issue, imo.  

 What does non-deterministic behavior here mean.
 Is it for user side that user will see different result
 (failure or success) during race condition or in the kernel side
 (as explained in point 3 above where physical config access
 happens when the device in D3cold) ? My concern here is for later
 part where this config space access in D3cold can cause fatal error
 on the system side as we have seen for memory disablement.

> I think our goal is only to expand the current
> memory_lock to block accesses, including config space, while the device
> is in low power, or some approximation bounded by the entry/exit ioctl.
> 
> I think the remaining issues is how to do that relative to the fact
> that config space access can change the memory enable state and would
> therefore need to upgrade the memory_lock read-lock to a write-lock.
> For that I think we can simply drop the read-lock, acquire the
> write-lock, and re-test the low power state.  If it has changed, that
> suggests the user has again raced changing power state with another
> access and we can simply drop the lock and return -EIO.
> 

 Yes. This looks better option. So, just to confirm, I can take the
 memory_lock read-lock at the starting of vfio_pci_config_rw() and
 release it just before returning from vfio_pci_config_rw() and
 for memory related config access, we will release this lock and
 re-aquiring again write version of this. Once memory write happens,
 then we can downgrade this write lock to read lock ?

 Also, what about IOCTLs. How can I take and release memory_lock for
 ioctl. is it okay to go with Patch 7 where we call
 pm_runtime_resume_and_get() before each ioctl or we need to do the
 same low power check for ioctl also ?
 In Later case, I am not sure how should I do the implementation so
 that all other ioctl are covered from vfio core layer itself.

 Thanks,
 Abhishek

> If I'm still misunderstanding, please let me know.  Thanks,
> 
> Alex
>
Alex Williamson June 1, 2022, 4:21 p.m. UTC | #11
On Wed, 1 Jun 2022 15:19:07 +0530
Abhishek Sahu <abhsahu@nvidia.com> wrote:

> On 6/1/2022 4:22 AM, Alex Williamson wrote:
> > On Tue, 31 May 2022 16:43:04 -0300
> > Jason Gunthorpe <jgg@nvidia.com> wrote:
> >   
> >> On Tue, May 31, 2022 at 05:44:11PM +0530, Abhishek Sahu wrote:  
> >>> On 5/30/2022 5:55 PM, Jason Gunthorpe wrote:    
> >>>> On Mon, May 30, 2022 at 04:45:59PM +0530, Abhishek Sahu wrote:
> >>>>     
> >>>>>  1. In real use case, config or any other ioctl should not come along
> >>>>>     with VFIO_DEVICE_FEATURE_POWER_MANAGEMENT ioctl request.
> >>>>>  
> >>>>>  2. Maintain some 'access_count' which will be incremented when we
> >>>>>     do any config space access or ioctl.    
> >>>>
> >>>> Please don't open code locks - if you need a lock then write a proper
> >>>> lock. You can use the 'try' variants to bail out in cases where that
> >>>> is appropriate.
> >>>>
> >>>> Jason    
> >>>
> >>>  Thanks Jason for providing your inputs.
> >>>
> >>>  In that case, should I introduce new rw_semaphore (For example
> >>>  power_lock) and move ‘platform_pm_engaged’ under ‘power_lock’ ?    
> >>
> >> Possibly, this is better than an atomic at least
> >>  
> >>>  1. At the beginning of config space access or ioctl, we can take the
> >>>     lock
> >>>  
> >>>      down_read(&vdev->power_lock);    
> >>
> >> You can also do down_read_trylock() here and bail out as you were
> >> suggesting with the atomic.
> >>
> >> trylock doesn't have lock odering rules because it can't sleep so it
> >> gives a bit more flexability when designing the lock ordering.
> >>
> >> Though userspace has to be able to tolerate the failure, or never make
> >> the request.
> >>  
> 
>  Thanks Alex and Jason for providing your inputs.
> 
>  Using down_read_trylock() along with Alex suggestion seems fine.
>  In real use case, config space access should not happen when the
>  device is in low power state so returning error should not
>  cause any issue in this case.
> 
> >>>          down_write(&vdev->power_lock);
> >>>          ...
> >>>          switch (vfio_pm.low_power_state) {
> >>>          case VFIO_DEVICE_LOW_POWER_STATE_ENTER:
> >>>                  ...
> >>>                          vfio_pci_zap_and_down_write_memory_lock(vdev);
> >>>                          vdev->power_state_d3 = true;
> >>>                          up_write(&vdev->memory_lock);
> >>>
> >>>          ...
> >>>          up_write(&vdev->power_lock);    
> >>
> >> And something checks the power lock before allowing the memor to be
> >> re-enabled?
> >>  
> >>>  4.  For ioctl access, as mentioned previously I need to add two
> >>>      callbacks functions (one for start and one for end) in the struct
> >>>      vfio_device_ops and call the same at start and end of ioctl from
> >>>      vfio_device_fops_unl_ioctl().    
> >>
> >> Not sure I followed this..  
> > 
> > I'm kinda lost here too.  
> 
> 
>  I have summarized the things below
> 
>  1. In the current patch (v3 8/8), if config space access or ioctl was
>     being made by the user when the device is already in low power state,
>     then it was waking the device. This wake up was happening with
>     pm_runtime_resume_and_get() API in vfio_pci_config_rw() and
>     vfio_device_fops_unl_ioctl() (with patch v3 7/8 in this patch series).
> 
>  2. Now, it has been decided to return error instead of waking the
>     device if the device is already in low power state.
> 
>  3. Initially I thought to add following code in config space path
>     (and similar in ioctl)
> 
>         vfio_pci_config_rw() {
>             ...
>             down_read(&vdev->memory_lock);
>             if (vdev->platform_pm_engaged)
>             {
>                 up_read(&vdev->memory_lock);
>                 return -EIO;
>             }
>             ...
>         }
> 
>      And then there was a possibility that the physical config happens
>      when the device in D3cold in case of race condition.
> 
>  4.  So, I wanted to add some mechanism so that the low power entry
>      ioctl will be serialized with other ioctl or config space. With this
>      if low power entry gets scheduled first then config/other ioctls will
>      get failure, otherwise low power entry will wait.
> 
>  5.  For serializing this access, I need to ensure that lock is held
>      throughout the operation. For config space I can add the code in
>      vfio_pci_config_rw(). But for ioctls, I was not sure what is the best
>      way since few ioctls (VFIO_DEVICE_FEATURE_MIGRATION,
>      VFIO_DEVICE_FEATURE_MIG_DEVICE_STATE etc.) are being handled in the
>      vfio core layer itself.
> 
>  The memory_lock and the variables to track low power in specific to
>  vfio-pci so I need some mechanism by which I add low power check for
>  each ioctl. For serialization, I need to call function implemented in
>  vfio-pci before vfio core layer makes the actual ioctl to grab the
>  locks. Similarly, I need to release the lock once vfio core layer
>  finished the actual ioctl. I have mentioned about this problem in the
>  above point (point 4 in my earlier mail).
> 
> > A couple replies back there was some concern
> > about race scenarios with multiple user threads accessing the device.
> > The ones concerning non-deterministic behavior if a user is
> > concurrently changing power state and performing other accesses are a
> > non-issue, imo.    
> 
>  What does non-deterministic behavior here mean.
>  Is it for user side that user will see different result
>  (failure or success) during race condition or in the kernel side
>  (as explained in point 3 above where physical config access
>  happens when the device in D3cold) ? My concern here is for later
>  part where this config space access in D3cold can cause fatal error
>  on the system side as we have seen for memory disablement.

Yes, our only concern should be to prevent such an access.  The user
seeing non-deterministic behavior, such as during concurrent power
control and config space access, all combinations of success/failure
are possible, is par for the course when we decide to block accesses
across the life of the low power state.
 
> > I think our goal is only to expand the current
> > memory_lock to block accesses, including config space, while the device
> > is in low power, or some approximation bounded by the entry/exit ioctl.
> > 
> > I think the remaining issues is how to do that relative to the fact
> > that config space access can change the memory enable state and would
> > therefore need to upgrade the memory_lock read-lock to a write-lock.
> > For that I think we can simply drop the read-lock, acquire the
> > write-lock, and re-test the low power state.  If it has changed, that
> > suggests the user has again raced changing power state with another
> > access and we can simply drop the lock and return -EIO.
> >   
> 
>  Yes. This looks better option. So, just to confirm, I can take the
>  memory_lock read-lock at the starting of vfio_pci_config_rw() and
>  release it just before returning from vfio_pci_config_rw() and
>  for memory related config access, we will release this lock and
>  re-aquiring again write version of this. Once memory write happens,
>  then we can downgrade this write lock to read lock ?

We only need to lock for the device access, so if you've finished that
access after acquiring the write-lock, there'd be no point to then
downgrade that to a read-lock.  The access should be finished by that
point.
 
>  Also, what about IOCTLs. How can I take and release memory_lock for
>  ioctl. is it okay to go with Patch 7 where we call
>  pm_runtime_resume_and_get() before each ioctl or we need to do the
>  same low power check for ioctl also ?
>  In Later case, I am not sure how should I do the implementation so
>  that all other ioctl are covered from vfio core layer itself.

Some ioctls clearly cannot occur while the device is in low power, such
as resets and interrupt control, but even less obvious things like
getting region info require device access.  Migration also provides a
channel to device access.  Do we want to manage a list of ioctls that
are allowed in low power, or do we only want to allow the ioctl to exit
low power?

I'm also still curious how we're going to handle devices that cannot
return to low power such as the self-refresh mode on the GPU.  We can
potentially prevent any wake-ups from the vfio device interface, but
that doesn't preclude a wake-up via an external lspci.  I think we need
to understand how we're going to handle such devices before we can
really complete the design.  AIUI, we cannot disable the self-refresh
sleep mode without imposing unreasonable latency and memory
requirements on the guest and we cannot retrigger the self-refresh
low-power mode without non-trivial device specific code.  Thanks,

Alex
Jason Gunthorpe June 1, 2022, 5:30 p.m. UTC | #12
On Wed, Jun 01, 2022 at 10:21:51AM -0600, Alex Williamson wrote:

> Some ioctls clearly cannot occur while the device is in low power, such
> as resets and interrupt control, but even less obvious things like
> getting region info require device access.  Migration also provides a
> channel to device access.  

I wonder what power management means in a case like that.

For the migration drivers they all rely on a PF driver that is not
VFIO, so it should be impossible for power management to cause the PF
to stop working.

I would expect any sane design of power management for a VF to not
cause any harm to the migration driver..

> I'm also still curious how we're going to handle devices that cannot
> return to low power such as the self-refresh mode on the GPU.  We can
> potentially prevent any wake-ups from the vfio device interface, but
> that doesn't preclude a wake-up via an external lspci.  I think we need
> to understand how we're going to handle such devices before we can
> really complete the design.  AIUI, we cannot disable the self-refresh
> sleep mode without imposing unreasonable latency and memory
> requirements on the guest and we cannot retrigger the self-refresh
> low-power mode without non-trivial device specific code.

It begs the question if power management should be something that only
a device-specific drivers should allow?

Jason
Alex Williamson June 1, 2022, 6:15 p.m. UTC | #13
On Wed, 1 Jun 2022 14:30:54 -0300
Jason Gunthorpe <jgg@nvidia.com> wrote:

> On Wed, Jun 01, 2022 at 10:21:51AM -0600, Alex Williamson wrote:
> 
> > Some ioctls clearly cannot occur while the device is in low power, such
> > as resets and interrupt control, but even less obvious things like
> > getting region info require device access.  Migration also provides a
> > channel to device access.    
> 
> I wonder what power management means in a case like that.
> 
> For the migration drivers they all rely on a PF driver that is not
> VFIO, so it should be impossible for power management to cause the PF
> to stop working.
> 
> I would expect any sane design of power management for a VF to not
> cause any harm to the migration driver..

Is there even a significant benefit or use case for power management
for VFs?  The existing D3hot support should be ok, but I imagine to
support D3cold, all the VFs and the PF would need to move to low power.
It might be safe to simply exclude VFs from providing this feature for
now.

> > I'm also still curious how we're going to handle devices that cannot
> > return to low power such as the self-refresh mode on the GPU.  We can
> > potentially prevent any wake-ups from the vfio device interface, but
> > that doesn't preclude a wake-up via an external lspci.  I think we need
> > to understand how we're going to handle such devices before we can
> > really complete the design.  AIUI, we cannot disable the self-refresh
> > sleep mode without imposing unreasonable latency and memory
> > requirements on the guest and we cannot retrigger the self-refresh
> > low-power mode without non-trivial device specific code.  
> 
> It begs the question if power management should be something that only
> a device-specific drivers should allow?

Yes, but that's also penalizing devices that require no special
support, for the few that do.  I'm not opposed to some sort of
vfio-pci-nvidia-gpu variant driver to provide that device specific
support, but I'd think the device table for such a driver might just be
added to the exclusion list for power management support in vfio-pci.
vfio-pci-core would need some way for drivers to opt-out/in for power
management.  Thanks,

Alex
Jason Gunthorpe June 1, 2022, 11:17 p.m. UTC | #14
On Wed, Jun 01, 2022 at 12:15:47PM -0600, Alex Williamson wrote:
> On Wed, 1 Jun 2022 14:30:54 -0300
> Jason Gunthorpe <jgg@nvidia.com> wrote:
> 
> > On Wed, Jun 01, 2022 at 10:21:51AM -0600, Alex Williamson wrote:
> > 
> > > Some ioctls clearly cannot occur while the device is in low power, such
> > > as resets and interrupt control, but even less obvious things like
> > > getting region info require device access.  Migration also provides a
> > > channel to device access.    
> > 
> > I wonder what power management means in a case like that.
> > 
> > For the migration drivers they all rely on a PF driver that is not
> > VFIO, so it should be impossible for power management to cause the PF
> > to stop working.
> > 
> > I would expect any sane design of power management for a VF to not
> > cause any harm to the migration driver..
> 
> Is there even a significant benefit or use case for power management
> for VFs?  The existing D3hot support should be ok, but I imagine to
> support D3cold, all the VFs and the PF would need to move to low power.
> It might be safe to simply exclude VFs from providing this feature for
> now.

I know of no use case, I think it would be a good idea to exclude VFs.

> Yes, but that's also penalizing devices that require no special
> support, for the few that do.  I'm not opposed to some sort of
> vfio-pci-nvidia-gpu variant driver to provide that device specific
> support, but I'd think the device table for such a driver might just be
> added to the exclusion list for power management support in vfio-pci.
> vfio-pci-core would need some way for drivers to opt-out/in for power
> management. 

If you think it can be done generically with a small exclusion list
then that probably makes sense.

Jason
Abhishek Sahu June 2, 2022, 11:52 a.m. UTC | #15
On 6/1/2022 9:51 PM, Alex Williamson wrote:
> On Wed, 1 Jun 2022 15:19:07 +0530
> Abhishek Sahu <abhsahu@nvidia.com> wrote:
> 
>> On 6/1/2022 4:22 AM, Alex Williamson wrote:
>>> On Tue, 31 May 2022 16:43:04 -0300
>>> Jason Gunthorpe <jgg@nvidia.com> wrote:
>>>   
>>>> On Tue, May 31, 2022 at 05:44:11PM +0530, Abhishek Sahu wrote:  
>>>>> On 5/30/2022 5:55 PM, Jason Gunthorpe wrote:    
>>>>>> On Mon, May 30, 2022 at 04:45:59PM +0530, Abhishek Sahu wrote:
>>>>>>     
>>>>>>>  1. In real use case, config or any other ioctl should not come along
>>>>>>>     with VFIO_DEVICE_FEATURE_POWER_MANAGEMENT ioctl request.
>>>>>>>  
>>>>>>>  2. Maintain some 'access_count' which will be incremented when we
>>>>>>>     do any config space access or ioctl.    
>>>>>>
>>>>>> Please don't open code locks - if you need a lock then write a proper
>>>>>> lock. You can use the 'try' variants to bail out in cases where that
>>>>>> is appropriate.
>>>>>>
>>>>>> Jason    
>>>>>
>>>>>  Thanks Jason for providing your inputs.
>>>>>
>>>>>  In that case, should I introduce new rw_semaphore (For example
>>>>>  power_lock) and move ‘platform_pm_engaged’ under ‘power_lock’ ?    
>>>>
>>>> Possibly, this is better than an atomic at least
>>>>  
>>>>>  1. At the beginning of config space access or ioctl, we can take the
>>>>>     lock
>>>>>  
>>>>>      down_read(&vdev->power_lock);    
>>>>
>>>> You can also do down_read_trylock() here and bail out as you were
>>>> suggesting with the atomic.
>>>>
>>>> trylock doesn't have lock odering rules because it can't sleep so it
>>>> gives a bit more flexability when designing the lock ordering.
>>>>
>>>> Though userspace has to be able to tolerate the failure, or never make
>>>> the request.
>>>>  
>>
>>  Thanks Alex and Jason for providing your inputs.
>>
>>  Using down_read_trylock() along with Alex suggestion seems fine.
>>  In real use case, config space access should not happen when the
>>  device is in low power state so returning error should not
>>  cause any issue in this case.
>>
>>>>>          down_write(&vdev->power_lock);
>>>>>          ...
>>>>>          switch (vfio_pm.low_power_state) {
>>>>>          case VFIO_DEVICE_LOW_POWER_STATE_ENTER:
>>>>>                  ...
>>>>>                          vfio_pci_zap_and_down_write_memory_lock(vdev);
>>>>>                          vdev->power_state_d3 = true;
>>>>>                          up_write(&vdev->memory_lock);
>>>>>
>>>>>          ...
>>>>>          up_write(&vdev->power_lock);    
>>>>
>>>> And something checks the power lock before allowing the memor to be
>>>> re-enabled?
>>>>  
>>>>>  4.  For ioctl access, as mentioned previously I need to add two
>>>>>      callbacks functions (one for start and one for end) in the struct
>>>>>      vfio_device_ops and call the same at start and end of ioctl from
>>>>>      vfio_device_fops_unl_ioctl().    
>>>>
>>>> Not sure I followed this..  
>>>
>>> I'm kinda lost here too.  
>>
>>
>>  I have summarized the things below
>>
>>  1. In the current patch (v3 8/8), if config space access or ioctl was
>>     being made by the user when the device is already in low power state,
>>     then it was waking the device. This wake up was happening with
>>     pm_runtime_resume_and_get() API in vfio_pci_config_rw() and
>>     vfio_device_fops_unl_ioctl() (with patch v3 7/8 in this patch series).
>>
>>  2. Now, it has been decided to return error instead of waking the
>>     device if the device is already in low power state.
>>
>>  3. Initially I thought to add following code in config space path
>>     (and similar in ioctl)
>>
>>         vfio_pci_config_rw() {
>>             ...
>>             down_read(&vdev->memory_lock);
>>             if (vdev->platform_pm_engaged)
>>             {
>>                 up_read(&vdev->memory_lock);
>>                 return -EIO;
>>             }
>>             ...
>>         }
>>
>>      And then there was a possibility that the physical config happens
>>      when the device in D3cold in case of race condition.
>>
>>  4.  So, I wanted to add some mechanism so that the low power entry
>>      ioctl will be serialized with other ioctl or config space. With this
>>      if low power entry gets scheduled first then config/other ioctls will
>>      get failure, otherwise low power entry will wait.
>>
>>  5.  For serializing this access, I need to ensure that lock is held
>>      throughout the operation. For config space I can add the code in
>>      vfio_pci_config_rw(). But for ioctls, I was not sure what is the best
>>      way since few ioctls (VFIO_DEVICE_FEATURE_MIGRATION,
>>      VFIO_DEVICE_FEATURE_MIG_DEVICE_STATE etc.) are being handled in the
>>      vfio core layer itself.
>>
>>  The memory_lock and the variables to track low power in specific to
>>  vfio-pci so I need some mechanism by which I add low power check for
>>  each ioctl. For serialization, I need to call function implemented in
>>  vfio-pci before vfio core layer makes the actual ioctl to grab the
>>  locks. Similarly, I need to release the lock once vfio core layer
>>  finished the actual ioctl. I have mentioned about this problem in the
>>  above point (point 4 in my earlier mail).
>>
>>> A couple replies back there was some concern
>>> about race scenarios with multiple user threads accessing the device.
>>> The ones concerning non-deterministic behavior if a user is
>>> concurrently changing power state and performing other accesses are a
>>> non-issue, imo.    
>>
>>  What does non-deterministic behavior here mean.
>>  Is it for user side that user will see different result
>>  (failure or success) during race condition or in the kernel side
>>  (as explained in point 3 above where physical config access
>>  happens when the device in D3cold) ? My concern here is for later
>>  part where this config space access in D3cold can cause fatal error
>>  on the system side as we have seen for memory disablement.
> 
> Yes, our only concern should be to prevent such an access.  The user
> seeing non-deterministic behavior, such as during concurrent power
> control and config space access, all combinations of success/failure
> are possible, is par for the course when we decide to block accesses
> across the life of the low power state.
>  
>>> I think our goal is only to expand the current
>>> memory_lock to block accesses, including config space, while the device
>>> is in low power, or some approximation bounded by the entry/exit ioctl.
>>>
>>> I think the remaining issues is how to do that relative to the fact
>>> that config space access can change the memory enable state and would
>>> therefore need to upgrade the memory_lock read-lock to a write-lock.
>>> For that I think we can simply drop the read-lock, acquire the
>>> write-lock, and re-test the low power state.  If it has changed, that
>>> suggests the user has again raced changing power state with another
>>> access and we can simply drop the lock and return -EIO.
>>>   
>>
>>  Yes. This looks better option. So, just to confirm, I can take the
>>  memory_lock read-lock at the starting of vfio_pci_config_rw() and
>>  release it just before returning from vfio_pci_config_rw() and
>>  for memory related config access, we will release this lock and
>>  re-aquiring again write version of this. Once memory write happens,
>>  then we can downgrade this write lock to read lock ?
> 
> We only need to lock for the device access, so if you've finished that
> access after acquiring the write-lock, there'd be no point to then
> downgrade that to a read-lock.  The access should be finished by that
> point.
>

 I was planning to take memory_lock read-lock at the beginning of
 vfio_pci_config_rw() and release the same just before returning from
 this function. If I don't downgrade it back to read-lock, then the
 release in the end will be called for the lock which has not taken.
 Also, user can specify count to any number of bytes and then the
 vfio_config_do_rw() will be invoked multiple times and then in
 the second call, it will be without lock.
  
>>  Also, what about IOCTLs. How can I take and release memory_lock for
>>  ioctl. is it okay to go with Patch 7 where we call
>>  pm_runtime_resume_and_get() before each ioctl or we need to do the
>>  same low power check for ioctl also ?
>>  In Later case, I am not sure how should I do the implementation so
>>  that all other ioctl are covered from vfio core layer itself.
> 
> Some ioctls clearly cannot occur while the device is in low power, such
> as resets and interrupt control, but even less obvious things like
> getting region info require device access.  Migration also provides a
> channel to device access.  Do we want to manage a list of ioctls that
> are allowed in low power, or do we only want to allow the ioctl to exit
> low power?
> 

 In previous version of this patch, you mentioned that maintaining the
 safe ioctl list will be tough to maintain. So, currently we wanted to
 allow the ioctl for low power exit.

> I'm also still curious how we're going to handle devices that cannot
> return to low power such as the self-refresh mode on the GPU.  We can
> potentially prevent any wake-ups from the vfio device interface, but
> that doesn't preclude a wake-up via an external lspci.  I think we need
> to understand how we're going to handle such devices before we can
> really complete the design.  AIUI, we cannot disable the self-refresh
> sleep mode without imposing unreasonable latency and memory
> requirements on the guest and we cannot retrigger the self-refresh
> low-power mode without non-trivial device specific code.  Thanks,
> 
> Alex
> 

 I am working on adding support to notify guest through virtual PME
 whenever there is any wake-up triggered by the host and the guest has
 already put the device into runtime suspended state. This virtual PME
 will be similar to physical PME. Normally, if PCI device need power
 management transition, then it sends PME event which will be
 ultimately handled by host OS. In virtual PME case, if host need power
 management transition, then it sends event to guest and then guest OS
 handles these virtual PME events. Following is summary:

 1. Add the support for one more event like VFIO_PCI_ERR_IRQ_INDEX
    named VFIO_PCI_PME_IRQ_INDEX and add the required code for this
    virtual PME event.

 2. From the guest side, when the PME_IRQ is enabled then we will
    set event_fd for PME.

 3. In the vfio driver, the PME support bits are already
    virtualized and currently set to 0. We can set PME capability support
    for D3cold so that in guest, it looks like

     Capabilities: [60] Power Management version 3
     Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA
            PME(D0-,D1-,D2-,D3hot-,D3cold+)

 4. From the guest side, it can do PME enable (PME_En bit in Power
    Management Control/Status Register) which will be again virtualized.

 5. When host gets request for resuming the device other than from
    low power ioctl, then device pm usage count will be incremented, the
    PME status (PME_Status bit in Power Management Control/Status Register)
    will be set and then we can do the event_fd signal.

 6. In the PCIe, the PME events will be handled by root port. For
    using low power D3cold feature, it is required to create virtual root
    port in hypervisor side and when hypervisor receives this PME event,
    then it can send virtual interrupt to root port.

 7. If we take example of Linux kernel, then pcie_pme_irq() will
    handle this and then do the runtime resume on the guest side. Also, it
    will clear the PME status bit here. Then guest can put the device
    again into suspended state.

 8. I did prototype changes in QEMU for above logic and was getting wake-up
    in the guest whenever I do lspci on the host side.

 9. Since currently only nvidia GPU has this limitation to require
    driver interaction each time before going into D3cold so we can allow
    the reentry for other device. We can have nvidia vendor (along with
    VGA/3D controller class code). In future, if any other device also has
    similar requirement then we can update this list. For other device
    host can put the device into D3cold in case of any wake-up.

 10. In the vfio driver, we can put all these restriction for
     enabling PME and return error if user tries to make low power entry
     ioctl without enabling the PME related things.

 11. The virtual PME can help in handling physical PME also for all
     the devices. The PME logic is not dependent upon nvidia GPU
     restriction. If virtual PME is enabled by hypervisor, then when
     physical PME wakes the device, then it will resume on the guest side
     also.

 Thanks,
 Abhishek
Alex Williamson June 2, 2022, 5:44 p.m. UTC | #16
On Thu, 2 Jun 2022 17:22:03 +0530
Abhishek Sahu <abhsahu@nvidia.com> wrote:

> On 6/1/2022 9:51 PM, Alex Williamson wrote:
> > On Wed, 1 Jun 2022 15:19:07 +0530
> > Abhishek Sahu <abhsahu@nvidia.com> wrote:
> >   
> >> On 6/1/2022 4:22 AM, Alex Williamson wrote:  
> >>> On Tue, 31 May 2022 16:43:04 -0300
> >>> Jason Gunthorpe <jgg@nvidia.com> wrote:
> >>>     
> >>>> On Tue, May 31, 2022 at 05:44:11PM +0530, Abhishek Sahu wrote:    
> >>>>> On 5/30/2022 5:55 PM, Jason Gunthorpe wrote:      
> >>>>>> On Mon, May 30, 2022 at 04:45:59PM +0530, Abhishek Sahu wrote:
> >>>>>>       
> >>>>>>>  1. In real use case, config or any other ioctl should not come along
> >>>>>>>     with VFIO_DEVICE_FEATURE_POWER_MANAGEMENT ioctl request.
> >>>>>>>  
> >>>>>>>  2. Maintain some 'access_count' which will be incremented when we
> >>>>>>>     do any config space access or ioctl.      
> >>>>>>
> >>>>>> Please don't open code locks - if you need a lock then write a proper
> >>>>>> lock. You can use the 'try' variants to bail out in cases where that
> >>>>>> is appropriate.
> >>>>>>
> >>>>>> Jason      
> >>>>>
> >>>>>  Thanks Jason for providing your inputs.
> >>>>>
> >>>>>  In that case, should I introduce new rw_semaphore (For example
> >>>>>  power_lock) and move ‘platform_pm_engaged’ under ‘power_lock’ ?      
> >>>>
> >>>> Possibly, this is better than an atomic at least
> >>>>    
> >>>>>  1. At the beginning of config space access or ioctl, we can take the
> >>>>>     lock
> >>>>>  
> >>>>>      down_read(&vdev->power_lock);      
> >>>>
> >>>> You can also do down_read_trylock() here and bail out as you were
> >>>> suggesting with the atomic.
> >>>>
> >>>> trylock doesn't have lock odering rules because it can't sleep so it
> >>>> gives a bit more flexability when designing the lock ordering.
> >>>>
> >>>> Though userspace has to be able to tolerate the failure, or never make
> >>>> the request.
> >>>>    
> >>
> >>  Thanks Alex and Jason for providing your inputs.
> >>
> >>  Using down_read_trylock() along with Alex suggestion seems fine.
> >>  In real use case, config space access should not happen when the
> >>  device is in low power state so returning error should not
> >>  cause any issue in this case.
> >>  
> >>>>>          down_write(&vdev->power_lock);
> >>>>>          ...
> >>>>>          switch (vfio_pm.low_power_state) {
> >>>>>          case VFIO_DEVICE_LOW_POWER_STATE_ENTER:
> >>>>>                  ...
> >>>>>                          vfio_pci_zap_and_down_write_memory_lock(vdev);
> >>>>>                          vdev->power_state_d3 = true;
> >>>>>                          up_write(&vdev->memory_lock);
> >>>>>
> >>>>>          ...
> >>>>>          up_write(&vdev->power_lock);      
> >>>>
> >>>> And something checks the power lock before allowing the memor to be
> >>>> re-enabled?
> >>>>    
> >>>>>  4.  For ioctl access, as mentioned previously I need to add two
> >>>>>      callbacks functions (one for start and one for end) in the struct
> >>>>>      vfio_device_ops and call the same at start and end of ioctl from
> >>>>>      vfio_device_fops_unl_ioctl().      
> >>>>
> >>>> Not sure I followed this..    
> >>>
> >>> I'm kinda lost here too.    
> >>
> >>
> >>  I have summarized the things below
> >>
> >>  1. In the current patch (v3 8/8), if config space access or ioctl was
> >>     being made by the user when the device is already in low power state,
> >>     then it was waking the device. This wake up was happening with
> >>     pm_runtime_resume_and_get() API in vfio_pci_config_rw() and
> >>     vfio_device_fops_unl_ioctl() (with patch v3 7/8 in this patch series).
> >>
> >>  2. Now, it has been decided to return error instead of waking the
> >>     device if the device is already in low power state.
> >>
> >>  3. Initially I thought to add following code in config space path
> >>     (and similar in ioctl)
> >>
> >>         vfio_pci_config_rw() {
> >>             ...
> >>             down_read(&vdev->memory_lock);
> >>             if (vdev->platform_pm_engaged)
> >>             {
> >>                 up_read(&vdev->memory_lock);
> >>                 return -EIO;
> >>             }
> >>             ...
> >>         }
> >>
> >>      And then there was a possibility that the physical config happens
> >>      when the device in D3cold in case of race condition.
> >>
> >>  4.  So, I wanted to add some mechanism so that the low power entry
> >>      ioctl will be serialized with other ioctl or config space. With this
> >>      if low power entry gets scheduled first then config/other ioctls will
> >>      get failure, otherwise low power entry will wait.
> >>
> >>  5.  For serializing this access, I need to ensure that lock is held
> >>      throughout the operation. For config space I can add the code in
> >>      vfio_pci_config_rw(). But for ioctls, I was not sure what is the best
> >>      way since few ioctls (VFIO_DEVICE_FEATURE_MIGRATION,
> >>      VFIO_DEVICE_FEATURE_MIG_DEVICE_STATE etc.) are being handled in the
> >>      vfio core layer itself.
> >>
> >>  The memory_lock and the variables to track low power in specific to
> >>  vfio-pci so I need some mechanism by which I add low power check for
> >>  each ioctl. For serialization, I need to call function implemented in
> >>  vfio-pci before vfio core layer makes the actual ioctl to grab the
> >>  locks. Similarly, I need to release the lock once vfio core layer
> >>  finished the actual ioctl. I have mentioned about this problem in the
> >>  above point (point 4 in my earlier mail).
> >>  
> >>> A couple replies back there was some concern
> >>> about race scenarios with multiple user threads accessing the device.
> >>> The ones concerning non-deterministic behavior if a user is
> >>> concurrently changing power state and performing other accesses are a
> >>> non-issue, imo.      
> >>
> >>  What does non-deterministic behavior here mean.
> >>  Is it for user side that user will see different result
> >>  (failure or success) during race condition or in the kernel side
> >>  (as explained in point 3 above where physical config access
> >>  happens when the device in D3cold) ? My concern here is for later
> >>  part where this config space access in D3cold can cause fatal error
> >>  on the system side as we have seen for memory disablement.  
> > 
> > Yes, our only concern should be to prevent such an access.  The user
> > seeing non-deterministic behavior, such as during concurrent power
> > control and config space access, all combinations of success/failure
> > are possible, is par for the course when we decide to block accesses
> > across the life of the low power state.
> >    
> >>> I think our goal is only to expand the current
> >>> memory_lock to block accesses, including config space, while the device
> >>> is in low power, or some approximation bounded by the entry/exit ioctl.
> >>>
> >>> I think the remaining issues is how to do that relative to the fact
> >>> that config space access can change the memory enable state and would
> >>> therefore need to upgrade the memory_lock read-lock to a write-lock.
> >>> For that I think we can simply drop the read-lock, acquire the
> >>> write-lock, and re-test the low power state.  If it has changed, that
> >>> suggests the user has again raced changing power state with another
> >>> access and we can simply drop the lock and return -EIO.
> >>>     
> >>
> >>  Yes. This looks better option. So, just to confirm, I can take the
> >>  memory_lock read-lock at the starting of vfio_pci_config_rw() and
> >>  release it just before returning from vfio_pci_config_rw() and
> >>  for memory related config access, we will release this lock and
> >>  re-aquiring again write version of this. Once memory write happens,
> >>  then we can downgrade this write lock to read lock ?  
> > 
> > We only need to lock for the device access, so if you've finished that
> > access after acquiring the write-lock, there'd be no point to then
> > downgrade that to a read-lock.  The access should be finished by that
> > point.
> >  
> 
>  I was planning to take memory_lock read-lock at the beginning of
>  vfio_pci_config_rw() and release the same just before returning from
>  this function. If I don't downgrade it back to read-lock, then the
>  release in the end will be called for the lock which has not taken.
>  Also, user can specify count to any number of bytes and then the
>  vfio_config_do_rw() will be invoked multiple times and then in
>  the second call, it will be without lock.

Ok, yes, I can imagine how it might result in a cleaner exit path to do
a downgrade_write().

> >>  Also, what about IOCTLs. How can I take and release memory_lock for
> >>  ioctl. is it okay to go with Patch 7 where we call
> >>  pm_runtime_resume_and_get() before each ioctl or we need to do the
> >>  same low power check for ioctl also ?
> >>  In Later case, I am not sure how should I do the implementation so
> >>  that all other ioctl are covered from vfio core layer itself.  
> > 
> > Some ioctls clearly cannot occur while the device is in low power, such
> > as resets and interrupt control, but even less obvious things like
> > getting region info require device access.  Migration also provides a
> > channel to device access.  Do we want to manage a list of ioctls that
> > are allowed in low power, or do we only want to allow the ioctl to exit
> > low power?
> >   
> 
>  In previous version of this patch, you mentioned that maintaining the
>  safe ioctl list will be tough to maintain. So, currently we wanted to
>  allow the ioctl for low power exit.

Yes, I'm still conflicted in how that would work.
 
> > I'm also still curious how we're going to handle devices that cannot
> > return to low power such as the self-refresh mode on the GPU.  We can
> > potentially prevent any wake-ups from the vfio device interface, but
> > that doesn't preclude a wake-up via an external lspci.  I think we need
> > to understand how we're going to handle such devices before we can
> > really complete the design.  AIUI, we cannot disable the self-refresh
> > sleep mode without imposing unreasonable latency and memory
> > requirements on the guest and we cannot retrigger the self-refresh
> > low-power mode without non-trivial device specific code.  Thanks,
> > 
> > Alex
> >   
> 
>  I am working on adding support to notify guest through virtual PME
>  whenever there is any wake-up triggered by the host and the guest has
>  already put the device into runtime suspended state. This virtual PME
>  will be similar to physical PME. Normally, if PCI device need power
>  management transition, then it sends PME event which will be
>  ultimately handled by host OS. In virtual PME case, if host need power
>  management transition, then it sends event to guest and then guest OS
>  handles these virtual PME events. Following is summary:
> 
>  1. Add the support for one more event like VFIO_PCI_ERR_IRQ_INDEX
>     named VFIO_PCI_PME_IRQ_INDEX and add the required code for this
>     virtual PME event.
> 
>  2. From the guest side, when the PME_IRQ is enabled then we will
>     set event_fd for PME.
> 
>  3. In the vfio driver, the PME support bits are already
>     virtualized and currently set to 0. We can set PME capability support
>     for D3cold so that in guest, it looks like
> 
>      Capabilities: [60] Power Management version 3
>      Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA
>             PME(D0-,D1-,D2-,D3hot-,D3cold+)
> 
>  4. From the guest side, it can do PME enable (PME_En bit in Power
>     Management Control/Status Register) which will be again virtualized.
> 
>  5. When host gets request for resuming the device other than from
>     low power ioctl, then device pm usage count will be incremented, the
>     PME status (PME_Status bit in Power Management Control/Status Register)
>     will be set and then we can do the event_fd signal.
> 
>  6. In the PCIe, the PME events will be handled by root port. For
>     using low power D3cold feature, it is required to create virtual root
>     port in hypervisor side and when hypervisor receives this PME event,
>     then it can send virtual interrupt to root port.
> 
>  7. If we take example of Linux kernel, then pcie_pme_irq() will
>     handle this and then do the runtime resume on the guest side. Also, it
>     will clear the PME status bit here. Then guest can put the device
>     again into suspended state.
> 
>  8. I did prototype changes in QEMU for above logic and was getting wake-up
>     in the guest whenever I do lspci on the host side.
> 
>  9. Since currently only nvidia GPU has this limitation to require
>     driver interaction each time before going into D3cold so we can allow
>     the reentry for other device. We can have nvidia vendor (along with
>     VGA/3D controller class code). In future, if any other device also has
>     similar requirement then we can update this list. For other device
>     host can put the device into D3cold in case of any wake-up.
> 
>  10. In the vfio driver, we can put all these restriction for
>      enabling PME and return error if user tries to make low power entry
>      ioctl without enabling the PME related things.
> 
>  11. The virtual PME can help in handling physical PME also for all
>      the devices. The PME logic is not dependent upon nvidia GPU
>      restriction. If virtual PME is enabled by hypervisor, then when
>      physical PME wakes the device, then it will resume on the guest side
>      also.

So if host accesses through things like lspci are going to wake the
device and we can't prevent that, and the solution to that is to notify
the guest to put the device back to low power, then it seems a lot less
important to try to prevent the user from waking the device through
random accesses.  In that context, maybe we do simply wrap all accesses
with pm_runtime_get/put() put calls, which eliminates the problem of
maintaining a list of safe ioctls in low power.

I'd probably argue that whether to allow the kernel to put the device
back to low power directly is a policy decision and should therefore be
directed by userspace.  For example the low power entry ioctl would
have a flag to indicate the desired behavior and QEMU might have an
on/off/[auto] vfio-pci device option which allows configuration of that
behavior.  The default auto policy might direct for automatic low-power
re-entry except for NVIDIA VGA/3D class codes and other devices we
discover that need it.  This lets us have an immediate workaround for
devices requiring guest support without a new kernel.

This PME notification to the guest is really something that needs to be
part of the base specification for user managed low power access due to
these sorts of design decisions.  Thanks,

Alex
Abhishek Sahu June 3, 2022, 10:19 a.m. UTC | #17
On 6/2/2022 11:14 PM, Alex Williamson wrote:
> On Thu, 2 Jun 2022 17:22:03 +0530
> Abhishek Sahu <abhsahu@nvidia.com> wrote:
> 
>> On 6/1/2022 9:51 PM, Alex Williamson wrote:
>>> On Wed, 1 Jun 2022 15:19:07 +0530
>>> Abhishek Sahu <abhsahu@nvidia.com> wrote:
>>>   
>>>> On 6/1/2022 4:22 AM, Alex Williamson wrote:  
>>>>> On Tue, 31 May 2022 16:43:04 -0300
>>>>> Jason Gunthorpe <jgg@nvidia.com> wrote:
>>>>>     
>>>>>> On Tue, May 31, 2022 at 05:44:11PM +0530, Abhishek Sahu wrote:    
>>>>>>> On 5/30/2022 5:55 PM, Jason Gunthorpe wrote:      
>>>>>>>> On Mon, May 30, 2022 at 04:45:59PM +0530, Abhishek Sahu wrote:
>>>>>>>>       
>>>>>>>>>  1. In real use case, config or any other ioctl should not come along
>>>>>>>>>     with VFIO_DEVICE_FEATURE_POWER_MANAGEMENT ioctl request.
>>>>>>>>>  
>>>>>>>>>  2. Maintain some 'access_count' which will be incremented when we
>>>>>>>>>     do any config space access or ioctl.      
>>>>>>>>
>>>>>>>> Please don't open code locks - if you need a lock then write a proper
>>>>>>>> lock. You can use the 'try' variants to bail out in cases where that
>>>>>>>> is appropriate.
>>>>>>>>
>>>>>>>> Jason      
>>>>>>>
>>>>>>>  Thanks Jason for providing your inputs.
>>>>>>>
>>>>>>>  In that case, should I introduce new rw_semaphore (For example
>>>>>>>  power_lock) and move ‘platform_pm_engaged’ under ‘power_lock’ ?      
>>>>>>
>>>>>> Possibly, this is better than an atomic at least
>>>>>>    
>>>>>>>  1. At the beginning of config space access or ioctl, we can take the
>>>>>>>     lock
>>>>>>>  
>>>>>>>      down_read(&vdev->power_lock);      
>>>>>>
>>>>>> You can also do down_read_trylock() here and bail out as you were
>>>>>> suggesting with the atomic.
>>>>>>
>>>>>> trylock doesn't have lock odering rules because it can't sleep so it
>>>>>> gives a bit more flexability when designing the lock ordering.
>>>>>>
>>>>>> Though userspace has to be able to tolerate the failure, or never make
>>>>>> the request.
>>>>>>    
>>>>
>>>>  Thanks Alex and Jason for providing your inputs.
>>>>
>>>>  Using down_read_trylock() along with Alex suggestion seems fine.
>>>>  In real use case, config space access should not happen when the
>>>>  device is in low power state so returning error should not
>>>>  cause any issue in this case.
>>>>  
>>>>>>>          down_write(&vdev->power_lock);
>>>>>>>          ...
>>>>>>>          switch (vfio_pm.low_power_state) {
>>>>>>>          case VFIO_DEVICE_LOW_POWER_STATE_ENTER:
>>>>>>>                  ...
>>>>>>>                          vfio_pci_zap_and_down_write_memory_lock(vdev);
>>>>>>>                          vdev->power_state_d3 = true;
>>>>>>>                          up_write(&vdev->memory_lock);
>>>>>>>
>>>>>>>          ...
>>>>>>>          up_write(&vdev->power_lock);      
>>>>>>
>>>>>> And something checks the power lock before allowing the memor to be
>>>>>> re-enabled?
>>>>>>    
>>>>>>>  4.  For ioctl access, as mentioned previously I need to add two
>>>>>>>      callbacks functions (one for start and one for end) in the struct
>>>>>>>      vfio_device_ops and call the same at start and end of ioctl from
>>>>>>>      vfio_device_fops_unl_ioctl().      
>>>>>>
>>>>>> Not sure I followed this..    
>>>>>
>>>>> I'm kinda lost here too.    
>>>>
>>>>
>>>>  I have summarized the things below
>>>>
>>>>  1. In the current patch (v3 8/8), if config space access or ioctl was
>>>>     being made by the user when the device is already in low power state,
>>>>     then it was waking the device. This wake up was happening with
>>>>     pm_runtime_resume_and_get() API in vfio_pci_config_rw() and
>>>>     vfio_device_fops_unl_ioctl() (with patch v3 7/8 in this patch series).
>>>>
>>>>  2. Now, it has been decided to return error instead of waking the
>>>>     device if the device is already in low power state.
>>>>
>>>>  3. Initially I thought to add following code in config space path
>>>>     (and similar in ioctl)
>>>>
>>>>         vfio_pci_config_rw() {
>>>>             ...
>>>>             down_read(&vdev->memory_lock);
>>>>             if (vdev->platform_pm_engaged)
>>>>             {
>>>>                 up_read(&vdev->memory_lock);
>>>>                 return -EIO;
>>>>             }
>>>>             ...
>>>>         }
>>>>
>>>>      And then there was a possibility that the physical config happens
>>>>      when the device in D3cold in case of race condition.
>>>>
>>>>  4.  So, I wanted to add some mechanism so that the low power entry
>>>>      ioctl will be serialized with other ioctl or config space. With this
>>>>      if low power entry gets scheduled first then config/other ioctls will
>>>>      get failure, otherwise low power entry will wait.
>>>>
>>>>  5.  For serializing this access, I need to ensure that lock is held
>>>>      throughout the operation. For config space I can add the code in
>>>>      vfio_pci_config_rw(). But for ioctls, I was not sure what is the best
>>>>      way since few ioctls (VFIO_DEVICE_FEATURE_MIGRATION,
>>>>      VFIO_DEVICE_FEATURE_MIG_DEVICE_STATE etc.) are being handled in the
>>>>      vfio core layer itself.
>>>>
>>>>  The memory_lock and the variables to track low power in specific to
>>>>  vfio-pci so I need some mechanism by which I add low power check for
>>>>  each ioctl. For serialization, I need to call function implemented in
>>>>  vfio-pci before vfio core layer makes the actual ioctl to grab the
>>>>  locks. Similarly, I need to release the lock once vfio core layer
>>>>  finished the actual ioctl. I have mentioned about this problem in the
>>>>  above point (point 4 in my earlier mail).
>>>>  
>>>>> A couple replies back there was some concern
>>>>> about race scenarios with multiple user threads accessing the device.
>>>>> The ones concerning non-deterministic behavior if a user is
>>>>> concurrently changing power state and performing other accesses are a
>>>>> non-issue, imo.      
>>>>
>>>>  What does non-deterministic behavior here mean.
>>>>  Is it for user side that user will see different result
>>>>  (failure or success) during race condition or in the kernel side
>>>>  (as explained in point 3 above where physical config access
>>>>  happens when the device in D3cold) ? My concern here is for later
>>>>  part where this config space access in D3cold can cause fatal error
>>>>  on the system side as we have seen for memory disablement.  
>>>
>>> Yes, our only concern should be to prevent such an access.  The user
>>> seeing non-deterministic behavior, such as during concurrent power
>>> control and config space access, all combinations of success/failure
>>> are possible, is par for the course when we decide to block accesses
>>> across the life of the low power state.
>>>    
>>>>> I think our goal is only to expand the current
>>>>> memory_lock to block accesses, including config space, while the device
>>>>> is in low power, or some approximation bounded by the entry/exit ioctl.
>>>>>
>>>>> I think the remaining issues is how to do that relative to the fact
>>>>> that config space access can change the memory enable state and would
>>>>> therefore need to upgrade the memory_lock read-lock to a write-lock.
>>>>> For that I think we can simply drop the read-lock, acquire the
>>>>> write-lock, and re-test the low power state.  If it has changed, that
>>>>> suggests the user has again raced changing power state with another
>>>>> access and we can simply drop the lock and return -EIO.
>>>>>     
>>>>
>>>>  Yes. This looks better option. So, just to confirm, I can take the
>>>>  memory_lock read-lock at the starting of vfio_pci_config_rw() and
>>>>  release it just before returning from vfio_pci_config_rw() and
>>>>  for memory related config access, we will release this lock and
>>>>  re-aquiring again write version of this. Once memory write happens,
>>>>  then we can downgrade this write lock to read lock ?  
>>>
>>> We only need to lock for the device access, so if you've finished that
>>> access after acquiring the write-lock, there'd be no point to then
>>> downgrade that to a read-lock.  The access should be finished by that
>>> point.
>>>  
>>
>>  I was planning to take memory_lock read-lock at the beginning of
>>  vfio_pci_config_rw() and release the same just before returning from
>>  this function. If I don't downgrade it back to read-lock, then the
>>  release in the end will be called for the lock which has not taken.
>>  Also, user can specify count to any number of bytes and then the
>>  vfio_config_do_rw() will be invoked multiple times and then in
>>  the second call, it will be without lock.
> 
> Ok, yes, I can imagine how it might result in a cleaner exit path to do
> a downgrade_write().
> 
>>>>  Also, what about IOCTLs. How can I take and release memory_lock for
>>>>  ioctl. is it okay to go with Patch 7 where we call
>>>>  pm_runtime_resume_and_get() before each ioctl or we need to do the
>>>>  same low power check for ioctl also ?
>>>>  In Later case, I am not sure how should I do the implementation so
>>>>  that all other ioctl are covered from vfio core layer itself.  
>>>
>>> Some ioctls clearly cannot occur while the device is in low power, such
>>> as resets and interrupt control, but even less obvious things like
>>> getting region info require device access.  Migration also provides a
>>> channel to device access.  Do we want to manage a list of ioctls that
>>> are allowed in low power, or do we only want to allow the ioctl to exit
>>> low power?
>>>   
>>
>>  In previous version of this patch, you mentioned that maintaining the
>>  safe ioctl list will be tough to maintain. So, currently we wanted to
>>  allow the ioctl for low power exit.
> 
> Yes, I'm still conflicted in how that would work.
>  
>>> I'm also still curious how we're going to handle devices that cannot
>>> return to low power such as the self-refresh mode on the GPU.  We can
>>> potentially prevent any wake-ups from the vfio device interface, but
>>> that doesn't preclude a wake-up via an external lspci.  I think we need
>>> to understand how we're going to handle such devices before we can
>>> really complete the design.  AIUI, we cannot disable the self-refresh
>>> sleep mode without imposing unreasonable latency and memory
>>> requirements on the guest and we cannot retrigger the self-refresh
>>> low-power mode without non-trivial device specific code.  Thanks,
>>>
>>> Alex
>>>   
>>
>>  I am working on adding support to notify guest through virtual PME
>>  whenever there is any wake-up triggered by the host and the guest has
>>  already put the device into runtime suspended state. This virtual PME
>>  will be similar to physical PME. Normally, if PCI device need power
>>  management transition, then it sends PME event which will be
>>  ultimately handled by host OS. In virtual PME case, if host need power
>>  management transition, then it sends event to guest and then guest OS
>>  handles these virtual PME events. Following is summary:
>>
>>  1. Add the support for one more event like VFIO_PCI_ERR_IRQ_INDEX
>>     named VFIO_PCI_PME_IRQ_INDEX and add the required code for this
>>     virtual PME event.
>>
>>  2. From the guest side, when the PME_IRQ is enabled then we will
>>     set event_fd for PME.
>>
>>  3. In the vfio driver, the PME support bits are already
>>     virtualized and currently set to 0. We can set PME capability support
>>     for D3cold so that in guest, it looks like
>>
>>      Capabilities: [60] Power Management version 3
>>      Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA
>>             PME(D0-,D1-,D2-,D3hot-,D3cold+)
>>
>>  4. From the guest side, it can do PME enable (PME_En bit in Power
>>     Management Control/Status Register) which will be again virtualized.
>>
>>  5. When host gets request for resuming the device other than from
>>     low power ioctl, then device pm usage count will be incremented, the
>>     PME status (PME_Status bit in Power Management Control/Status Register)
>>     will be set and then we can do the event_fd signal.
>>
>>  6. In the PCIe, the PME events will be handled by root port. For
>>     using low power D3cold feature, it is required to create virtual root
>>     port in hypervisor side and when hypervisor receives this PME event,
>>     then it can send virtual interrupt to root port.
>>
>>  7. If we take example of Linux kernel, then pcie_pme_irq() will
>>     handle this and then do the runtime resume on the guest side. Also, it
>>     will clear the PME status bit here. Then guest can put the device
>>     again into suspended state.
>>
>>  8. I did prototype changes in QEMU for above logic and was getting wake-up
>>     in the guest whenever I do lspci on the host side.
>>
>>  9. Since currently only nvidia GPU has this limitation to require
>>     driver interaction each time before going into D3cold so we can allow
>>     the reentry for other device. We can have nvidia vendor (along with
>>     VGA/3D controller class code). In future, if any other device also has
>>     similar requirement then we can update this list. For other device
>>     host can put the device into D3cold in case of any wake-up.
>>
>>  10. In the vfio driver, we can put all these restriction for
>>      enabling PME and return error if user tries to make low power entry
>>      ioctl without enabling the PME related things.
>>
>>  11. The virtual PME can help in handling physical PME also for all
>>      the devices. The PME logic is not dependent upon nvidia GPU
>>      restriction. If virtual PME is enabled by hypervisor, then when
>>      physical PME wakes the device, then it will resume on the guest side
>>      also.
> 
> So if host accesses through things like lspci are going to wake the
> device and we can't prevent that, and the solution to that is to notify
> the guest to put the device back to low power, then it seems a lot less
> important to try to prevent the user from waking the device through
> random accesses.  In that context, maybe we do simply wrap all accesses
> with pm_runtime_get/put() put calls, which eliminates the problem of
> maintaining a list of safe ioctls in low power.
> 

 So wrap all access with pm_runtime_get()/put() will only be applicable
 for IOCTLs. Correct ?
 For config space, we can go with the approach discussed earlier in which
 we return error ?
 
> I'd probably argue that whether to allow the kernel to put the device
> back to low power directly is a policy decision and should therefore be
> directed by userspace.  For example the low power entry ioctl would
> have a flag to indicate the desired behavior and QEMU might have an
> on/off/[auto] vfio-pci device option which allows configuration of that
> behavior.  The default auto policy might direct for automatic low-power
> re-entry except for NVIDIA VGA/3D class codes and other devices we
> discover that need it.  This lets us have an immediate workaround for
> devices requiring guest support without a new kernel.
> 

 Yes. That is better option.
 I will do the changes.
 
> This PME notification to the guest is really something that needs to be
> part of the base specification for user managed low power access due to
> these sorts of design decisions.  Thanks,
> 
> Alex
> 

 Yes. I will include this in my next patch series.

 Regards,
 Abhishek
Alex Williamson June 7, 2022, 9:50 p.m. UTC | #18
On Fri, 3 Jun 2022 15:49:27 +0530
Abhishek Sahu <abhsahu@nvidia.com> wrote:

> On 6/2/2022 11:14 PM, Alex Williamson wrote:
> > On Thu, 2 Jun 2022 17:22:03 +0530
> > Abhishek Sahu <abhsahu@nvidia.com> wrote:
> >   
> >> On 6/1/2022 9:51 PM, Alex Williamson wrote:  
> >>> On Wed, 1 Jun 2022 15:19:07 +0530
> >>> Abhishek Sahu <abhsahu@nvidia.com> wrote:
> >>>     
> >>>> On 6/1/2022 4:22 AM, Alex Williamson wrote:    
> >>>>> On Tue, 31 May 2022 16:43:04 -0300
> >>>>> Jason Gunthorpe <jgg@nvidia.com> wrote:
> >>>>>       
> >>>>>> On Tue, May 31, 2022 at 05:44:11PM +0530, Abhishek Sahu wrote:      
> >>>>>>> On 5/30/2022 5:55 PM, Jason Gunthorpe wrote:        
> >>>>>>>> On Mon, May 30, 2022 at 04:45:59PM +0530, Abhishek Sahu wrote:
> >>>>>>>>         
> >>>>>>>>>  1. In real use case, config or any other ioctl should not come along
> >>>>>>>>>     with VFIO_DEVICE_FEATURE_POWER_MANAGEMENT ioctl request.
> >>>>>>>>>  
> >>>>>>>>>  2. Maintain some 'access_count' which will be incremented when we
> >>>>>>>>>     do any config space access or ioctl.        
> >>>>>>>>
> >>>>>>>> Please don't open code locks - if you need a lock then write a proper
> >>>>>>>> lock. You can use the 'try' variants to bail out in cases where that
> >>>>>>>> is appropriate.
> >>>>>>>>
> >>>>>>>> Jason        
> >>>>>>>
> >>>>>>>  Thanks Jason for providing your inputs.
> >>>>>>>
> >>>>>>>  In that case, should I introduce new rw_semaphore (For example
> >>>>>>>  power_lock) and move ‘platform_pm_engaged’ under ‘power_lock’ ?        
> >>>>>>
> >>>>>> Possibly, this is better than an atomic at least
> >>>>>>      
> >>>>>>>  1. At the beginning of config space access or ioctl, we can take the
> >>>>>>>     lock
> >>>>>>>  
> >>>>>>>      down_read(&vdev->power_lock);        
> >>>>>>
> >>>>>> You can also do down_read_trylock() here and bail out as you were
> >>>>>> suggesting with the atomic.
> >>>>>>
> >>>>>> trylock doesn't have lock odering rules because it can't sleep so it
> >>>>>> gives a bit more flexability when designing the lock ordering.
> >>>>>>
> >>>>>> Though userspace has to be able to tolerate the failure, or never make
> >>>>>> the request.
> >>>>>>      
> >>>>
> >>>>  Thanks Alex and Jason for providing your inputs.
> >>>>
> >>>>  Using down_read_trylock() along with Alex suggestion seems fine.
> >>>>  In real use case, config space access should not happen when the
> >>>>  device is in low power state so returning error should not
> >>>>  cause any issue in this case.
> >>>>    
> >>>>>>>          down_write(&vdev->power_lock);
> >>>>>>>          ...
> >>>>>>>          switch (vfio_pm.low_power_state) {
> >>>>>>>          case VFIO_DEVICE_LOW_POWER_STATE_ENTER:
> >>>>>>>                  ...
> >>>>>>>                          vfio_pci_zap_and_down_write_memory_lock(vdev);
> >>>>>>>                          vdev->power_state_d3 = true;
> >>>>>>>                          up_write(&vdev->memory_lock);
> >>>>>>>
> >>>>>>>          ...
> >>>>>>>          up_write(&vdev->power_lock);        
> >>>>>>
> >>>>>> And something checks the power lock before allowing the memor to be
> >>>>>> re-enabled?
> >>>>>>      
> >>>>>>>  4.  For ioctl access, as mentioned previously I need to add two
> >>>>>>>      callbacks functions (one for start and one for end) in the struct
> >>>>>>>      vfio_device_ops and call the same at start and end of ioctl from
> >>>>>>>      vfio_device_fops_unl_ioctl().        
> >>>>>>
> >>>>>> Not sure I followed this..      
> >>>>>
> >>>>> I'm kinda lost here too.      
> >>>>
> >>>>
> >>>>  I have summarized the things below
> >>>>
> >>>>  1. In the current patch (v3 8/8), if config space access or ioctl was
> >>>>     being made by the user when the device is already in low power state,
> >>>>     then it was waking the device. This wake up was happening with
> >>>>     pm_runtime_resume_and_get() API in vfio_pci_config_rw() and
> >>>>     vfio_device_fops_unl_ioctl() (with patch v3 7/8 in this patch series).
> >>>>
> >>>>  2. Now, it has been decided to return error instead of waking the
> >>>>     device if the device is already in low power state.
> >>>>
> >>>>  3. Initially I thought to add following code in config space path
> >>>>     (and similar in ioctl)
> >>>>
> >>>>         vfio_pci_config_rw() {
> >>>>             ...
> >>>>             down_read(&vdev->memory_lock);
> >>>>             if (vdev->platform_pm_engaged)
> >>>>             {
> >>>>                 up_read(&vdev->memory_lock);
> >>>>                 return -EIO;
> >>>>             }
> >>>>             ...
> >>>>         }
> >>>>
> >>>>      And then there was a possibility that the physical config happens
> >>>>      when the device in D3cold in case of race condition.
> >>>>
> >>>>  4.  So, I wanted to add some mechanism so that the low power entry
> >>>>      ioctl will be serialized with other ioctl or config space. With this
> >>>>      if low power entry gets scheduled first then config/other ioctls will
> >>>>      get failure, otherwise low power entry will wait.
> >>>>
> >>>>  5.  For serializing this access, I need to ensure that lock is held
> >>>>      throughout the operation. For config space I can add the code in
> >>>>      vfio_pci_config_rw(). But for ioctls, I was not sure what is the best
> >>>>      way since few ioctls (VFIO_DEVICE_FEATURE_MIGRATION,
> >>>>      VFIO_DEVICE_FEATURE_MIG_DEVICE_STATE etc.) are being handled in the
> >>>>      vfio core layer itself.
> >>>>
> >>>>  The memory_lock and the variables to track low power in specific to
> >>>>  vfio-pci so I need some mechanism by which I add low power check for
> >>>>  each ioctl. For serialization, I need to call function implemented in
> >>>>  vfio-pci before vfio core layer makes the actual ioctl to grab the
> >>>>  locks. Similarly, I need to release the lock once vfio core layer
> >>>>  finished the actual ioctl. I have mentioned about this problem in the
> >>>>  above point (point 4 in my earlier mail).
> >>>>    
> >>>>> A couple replies back there was some concern
> >>>>> about race scenarios with multiple user threads accessing the device.
> >>>>> The ones concerning non-deterministic behavior if a user is
> >>>>> concurrently changing power state and performing other accesses are a
> >>>>> non-issue, imo.        
> >>>>
> >>>>  What does non-deterministic behavior here mean.
> >>>>  Is it for user side that user will see different result
> >>>>  (failure or success) during race condition or in the kernel side
> >>>>  (as explained in point 3 above where physical config access
> >>>>  happens when the device in D3cold) ? My concern here is for later
> >>>>  part where this config space access in D3cold can cause fatal error
> >>>>  on the system side as we have seen for memory disablement.    
> >>>
> >>> Yes, our only concern should be to prevent such an access.  The user
> >>> seeing non-deterministic behavior, such as during concurrent power
> >>> control and config space access, all combinations of success/failure
> >>> are possible, is par for the course when we decide to block accesses
> >>> across the life of the low power state.
> >>>      
> >>>>> I think our goal is only to expand the current
> >>>>> memory_lock to block accesses, including config space, while the device
> >>>>> is in low power, or some approximation bounded by the entry/exit ioctl.
> >>>>>
> >>>>> I think the remaining issues is how to do that relative to the fact
> >>>>> that config space access can change the memory enable state and would
> >>>>> therefore need to upgrade the memory_lock read-lock to a write-lock.
> >>>>> For that I think we can simply drop the read-lock, acquire the
> >>>>> write-lock, and re-test the low power state.  If it has changed, that
> >>>>> suggests the user has again raced changing power state with another
> >>>>> access and we can simply drop the lock and return -EIO.
> >>>>>       
> >>>>
> >>>>  Yes. This looks better option. So, just to confirm, I can take the
> >>>>  memory_lock read-lock at the starting of vfio_pci_config_rw() and
> >>>>  release it just before returning from vfio_pci_config_rw() and
> >>>>  for memory related config access, we will release this lock and
> >>>>  re-aquiring again write version of this. Once memory write happens,
> >>>>  then we can downgrade this write lock to read lock ?    
> >>>
> >>> We only need to lock for the device access, so if you've finished that
> >>> access after acquiring the write-lock, there'd be no point to then
> >>> downgrade that to a read-lock.  The access should be finished by that
> >>> point.
> >>>    
> >>
> >>  I was planning to take memory_lock read-lock at the beginning of
> >>  vfio_pci_config_rw() and release the same just before returning from
> >>  this function. If I don't downgrade it back to read-lock, then the
> >>  release in the end will be called for the lock which has not taken.
> >>  Also, user can specify count to any number of bytes and then the
> >>  vfio_config_do_rw() will be invoked multiple times and then in
> >>  the second call, it will be without lock.  
> > 
> > Ok, yes, I can imagine how it might result in a cleaner exit path to do
> > a downgrade_write().
> >   
> >>>>  Also, what about IOCTLs. How can I take and release memory_lock for
> >>>>  ioctl. is it okay to go with Patch 7 where we call
> >>>>  pm_runtime_resume_and_get() before each ioctl or we need to do the
> >>>>  same low power check for ioctl also ?
> >>>>  In Later case, I am not sure how should I do the implementation so
> >>>>  that all other ioctl are covered from vfio core layer itself.    
> >>>
> >>> Some ioctls clearly cannot occur while the device is in low power, such
> >>> as resets and interrupt control, but even less obvious things like
> >>> getting region info require device access.  Migration also provides a
> >>> channel to device access.  Do we want to manage a list of ioctls that
> >>> are allowed in low power, or do we only want to allow the ioctl to exit
> >>> low power?
> >>>     
> >>
> >>  In previous version of this patch, you mentioned that maintaining the
> >>  safe ioctl list will be tough to maintain. So, currently we wanted to
> >>  allow the ioctl for low power exit.  
> > 
> > Yes, I'm still conflicted in how that would work.
> >    
> >>> I'm also still curious how we're going to handle devices that cannot
> >>> return to low power such as the self-refresh mode on the GPU.  We can
> >>> potentially prevent any wake-ups from the vfio device interface, but
> >>> that doesn't preclude a wake-up via an external lspci.  I think we need
> >>> to understand how we're going to handle such devices before we can
> >>> really complete the design.  AIUI, we cannot disable the self-refresh
> >>> sleep mode without imposing unreasonable latency and memory
> >>> requirements on the guest and we cannot retrigger the self-refresh
> >>> low-power mode without non-trivial device specific code.  Thanks,
> >>>
> >>> Alex
> >>>     
> >>
> >>  I am working on adding support to notify guest through virtual PME
> >>  whenever there is any wake-up triggered by the host and the guest has
> >>  already put the device into runtime suspended state. This virtual PME
> >>  will be similar to physical PME. Normally, if PCI device need power
> >>  management transition, then it sends PME event which will be
> >>  ultimately handled by host OS. In virtual PME case, if host need power
> >>  management transition, then it sends event to guest and then guest OS
> >>  handles these virtual PME events. Following is summary:
> >>
> >>  1. Add the support for one more event like VFIO_PCI_ERR_IRQ_INDEX
> >>     named VFIO_PCI_PME_IRQ_INDEX and add the required code for this
> >>     virtual PME event.
> >>
> >>  2. From the guest side, when the PME_IRQ is enabled then we will
> >>     set event_fd for PME.
> >>
> >>  3. In the vfio driver, the PME support bits are already
> >>     virtualized and currently set to 0. We can set PME capability support
> >>     for D3cold so that in guest, it looks like
> >>
> >>      Capabilities: [60] Power Management version 3
> >>      Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA
> >>             PME(D0-,D1-,D2-,D3hot-,D3cold+)
> >>
> >>  4. From the guest side, it can do PME enable (PME_En bit in Power
> >>     Management Control/Status Register) which will be again virtualized.
> >>
> >>  5. When host gets request for resuming the device other than from
> >>     low power ioctl, then device pm usage count will be incremented, the
> >>     PME status (PME_Status bit in Power Management Control/Status Register)
> >>     will be set and then we can do the event_fd signal.
> >>
> >>  6. In the PCIe, the PME events will be handled by root port. For
> >>     using low power D3cold feature, it is required to create virtual root
> >>     port in hypervisor side and when hypervisor receives this PME event,
> >>     then it can send virtual interrupt to root port.
> >>
> >>  7. If we take example of Linux kernel, then pcie_pme_irq() will
> >>     handle this and then do the runtime resume on the guest side. Also, it
> >>     will clear the PME status bit here. Then guest can put the device
> >>     again into suspended state.
> >>
> >>  8. I did prototype changes in QEMU for above logic and was getting wake-up
> >>     in the guest whenever I do lspci on the host side.
> >>
> >>  9. Since currently only nvidia GPU has this limitation to require
> >>     driver interaction each time before going into D3cold so we can allow
> >>     the reentry for other device. We can have nvidia vendor (along with
> >>     VGA/3D controller class code). In future, if any other device also has
> >>     similar requirement then we can update this list. For other device
> >>     host can put the device into D3cold in case of any wake-up.
> >>
> >>  10. In the vfio driver, we can put all these restriction for
> >>      enabling PME and return error if user tries to make low power entry
> >>      ioctl without enabling the PME related things.
> >>
> >>  11. The virtual PME can help in handling physical PME also for all
> >>      the devices. The PME logic is not dependent upon nvidia GPU
> >>      restriction. If virtual PME is enabled by hypervisor, then when
> >>      physical PME wakes the device, then it will resume on the guest side
> >>      also.  
> > 
> > So if host accesses through things like lspci are going to wake the
> > device and we can't prevent that, and the solution to that is to notify
> > the guest to put the device back to low power, then it seems a lot less
> > important to try to prevent the user from waking the device through
> > random accesses.  In that context, maybe we do simply wrap all accesses
> > with pm_runtime_get/put() put calls, which eliminates the problem of
> > maintaining a list of safe ioctls in low power.
> >   
> 
>  So wrap all access with pm_runtime_get()/put() will only be applicable
>  for IOCTLs. Correct ?
>  For config space, we can go with the approach discussed earlier in which
>  we return error ?

If we need to handle arbitrarily induced wakes from the host, it
doesn't make much sense to restrict those same sort of accesses by the
user through the vfio-device.  It also seems a lot easier to simply do
a pm_get/put() around not only ioctls, but all region accesses to avoid
the sorts of races you previously identified.  Access through mmap
should still arguably fault given that there is no discrete end to such
an access like we have for read/write operations.  Thanks,

Alex
Abhishek Sahu June 8, 2022, 10:12 a.m. UTC | #19
On 6/8/2022 3:20 AM, Alex Williamson wrote:
> On Fri, 3 Jun 2022 15:49:27 +0530
> Abhishek Sahu <abhsahu@nvidia.com> wrote:
> 
>> On 6/2/2022 11:14 PM, Alex Williamson wrote:
>>> On Thu, 2 Jun 2022 17:22:03 +0530
>>> Abhishek Sahu <abhsahu@nvidia.com> wrote:
>>>   
>>>> On 6/1/2022 9:51 PM, Alex Williamson wrote:  
>>>>> On Wed, 1 Jun 2022 15:19:07 +0530
>>>>> Abhishek Sahu <abhsahu@nvidia.com> wrote:
>>>>>     
>>>>>> On 6/1/2022 4:22 AM, Alex Williamson wrote:    
>>>>>>> On Tue, 31 May 2022 16:43:04 -0300
>>>>>>> Jason Gunthorpe <jgg@nvidia.com> wrote:
>>>>>>>       
>>>>>>>> On Tue, May 31, 2022 at 05:44:11PM +0530, Abhishek Sahu wrote:      
>>>>>>>>> On 5/30/2022 5:55 PM, Jason Gunthorpe wrote:        
>>>>>>>>>> On Mon, May 30, 2022 at 04:45:59PM +0530, Abhishek Sahu wrote:
>>>>>>>>>>         
>>>>>>>>>>>  1. In real use case, config or any other ioctl should not come along
>>>>>>>>>>>     with VFIO_DEVICE_FEATURE_POWER_MANAGEMENT ioctl request.
>>>>>>>>>>>  
>>>>>>>>>>>  2. Maintain some 'access_count' which will be incremented when we
>>>>>>>>>>>     do any config space access or ioctl.        
>>>>>>>>>>
>>>>>>>>>> Please don't open code locks - if you need a lock then write a proper
>>>>>>>>>> lock. You can use the 'try' variants to bail out in cases where that
>>>>>>>>>> is appropriate.
>>>>>>>>>>
>>>>>>>>>> Jason        
>>>>>>>>>
>>>>>>>>>  Thanks Jason for providing your inputs.
>>>>>>>>>
>>>>>>>>>  In that case, should I introduce new rw_semaphore (For example
>>>>>>>>>  power_lock) and move ‘platform_pm_engaged’ under ‘power_lock’ ?        
>>>>>>>>
>>>>>>>> Possibly, this is better than an atomic at least
>>>>>>>>      
>>>>>>>>>  1. At the beginning of config space access or ioctl, we can take the
>>>>>>>>>     lock
>>>>>>>>>  
>>>>>>>>>      down_read(&vdev->power_lock);        
>>>>>>>>
>>>>>>>> You can also do down_read_trylock() here and bail out as you were
>>>>>>>> suggesting with the atomic.
>>>>>>>>
>>>>>>>> trylock doesn't have lock odering rules because it can't sleep so it
>>>>>>>> gives a bit more flexability when designing the lock ordering.
>>>>>>>>
>>>>>>>> Though userspace has to be able to tolerate the failure, or never make
>>>>>>>> the request.
>>>>>>>>      
>>>>>>
>>>>>>  Thanks Alex and Jason for providing your inputs.
>>>>>>
>>>>>>  Using down_read_trylock() along with Alex suggestion seems fine.
>>>>>>  In real use case, config space access should not happen when the
>>>>>>  device is in low power state so returning error should not
>>>>>>  cause any issue in this case.
>>>>>>    
>>>>>>>>>          down_write(&vdev->power_lock);
>>>>>>>>>          ...
>>>>>>>>>          switch (vfio_pm.low_power_state) {
>>>>>>>>>          case VFIO_DEVICE_LOW_POWER_STATE_ENTER:
>>>>>>>>>                  ...
>>>>>>>>>                          vfio_pci_zap_and_down_write_memory_lock(vdev);
>>>>>>>>>                          vdev->power_state_d3 = true;
>>>>>>>>>                          up_write(&vdev->memory_lock);
>>>>>>>>>
>>>>>>>>>          ...
>>>>>>>>>          up_write(&vdev->power_lock);        
>>>>>>>>
>>>>>>>> And something checks the power lock before allowing the memor to be
>>>>>>>> re-enabled?
>>>>>>>>      
>>>>>>>>>  4.  For ioctl access, as mentioned previously I need to add two
>>>>>>>>>      callbacks functions (one for start and one for end) in the struct
>>>>>>>>>      vfio_device_ops and call the same at start and end of ioctl from
>>>>>>>>>      vfio_device_fops_unl_ioctl().        
>>>>>>>>
>>>>>>>> Not sure I followed this..      
>>>>>>>
>>>>>>> I'm kinda lost here too.      
>>>>>>
>>>>>>
>>>>>>  I have summarized the things below
>>>>>>
>>>>>>  1. In the current patch (v3 8/8), if config space access or ioctl was
>>>>>>     being made by the user when the device is already in low power state,
>>>>>>     then it was waking the device. This wake up was happening with
>>>>>>     pm_runtime_resume_and_get() API in vfio_pci_config_rw() and
>>>>>>     vfio_device_fops_unl_ioctl() (with patch v3 7/8 in this patch series).
>>>>>>
>>>>>>  2. Now, it has been decided to return error instead of waking the
>>>>>>     device if the device is already in low power state.
>>>>>>
>>>>>>  3. Initially I thought to add following code in config space path
>>>>>>     (and similar in ioctl)
>>>>>>
>>>>>>         vfio_pci_config_rw() {
>>>>>>             ...
>>>>>>             down_read(&vdev->memory_lock);
>>>>>>             if (vdev->platform_pm_engaged)
>>>>>>             {
>>>>>>                 up_read(&vdev->memory_lock);
>>>>>>                 return -EIO;
>>>>>>             }
>>>>>>             ...
>>>>>>         }
>>>>>>
>>>>>>      And then there was a possibility that the physical config happens
>>>>>>      when the device in D3cold in case of race condition.
>>>>>>
>>>>>>  4.  So, I wanted to add some mechanism so that the low power entry
>>>>>>      ioctl will be serialized with other ioctl or config space. With this
>>>>>>      if low power entry gets scheduled first then config/other ioctls will
>>>>>>      get failure, otherwise low power entry will wait.
>>>>>>
>>>>>>  5.  For serializing this access, I need to ensure that lock is held
>>>>>>      throughout the operation. For config space I can add the code in
>>>>>>      vfio_pci_config_rw(). But for ioctls, I was not sure what is the best
>>>>>>      way since few ioctls (VFIO_DEVICE_FEATURE_MIGRATION,
>>>>>>      VFIO_DEVICE_FEATURE_MIG_DEVICE_STATE etc.) are being handled in the
>>>>>>      vfio core layer itself.
>>>>>>
>>>>>>  The memory_lock and the variables to track low power in specific to
>>>>>>  vfio-pci so I need some mechanism by which I add low power check for
>>>>>>  each ioctl. For serialization, I need to call function implemented in
>>>>>>  vfio-pci before vfio core layer makes the actual ioctl to grab the
>>>>>>  locks. Similarly, I need to release the lock once vfio core layer
>>>>>>  finished the actual ioctl. I have mentioned about this problem in the
>>>>>>  above point (point 4 in my earlier mail).
>>>>>>    
>>>>>>> A couple replies back there was some concern
>>>>>>> about race scenarios with multiple user threads accessing the device.
>>>>>>> The ones concerning non-deterministic behavior if a user is
>>>>>>> concurrently changing power state and performing other accesses are a
>>>>>>> non-issue, imo.        
>>>>>>
>>>>>>  What does non-deterministic behavior here mean.
>>>>>>  Is it for user side that user will see different result
>>>>>>  (failure or success) during race condition or in the kernel side
>>>>>>  (as explained in point 3 above where physical config access
>>>>>>  happens when the device in D3cold) ? My concern here is for later
>>>>>>  part where this config space access in D3cold can cause fatal error
>>>>>>  on the system side as we have seen for memory disablement.    
>>>>>
>>>>> Yes, our only concern should be to prevent such an access.  The user
>>>>> seeing non-deterministic behavior, such as during concurrent power
>>>>> control and config space access, all combinations of success/failure
>>>>> are possible, is par for the course when we decide to block accesses
>>>>> across the life of the low power state.
>>>>>      
>>>>>>> I think our goal is only to expand the current
>>>>>>> memory_lock to block accesses, including config space, while the device
>>>>>>> is in low power, or some approximation bounded by the entry/exit ioctl.
>>>>>>>
>>>>>>> I think the remaining issues is how to do that relative to the fact
>>>>>>> that config space access can change the memory enable state and would
>>>>>>> therefore need to upgrade the memory_lock read-lock to a write-lock.
>>>>>>> For that I think we can simply drop the read-lock, acquire the
>>>>>>> write-lock, and re-test the low power state.  If it has changed, that
>>>>>>> suggests the user has again raced changing power state with another
>>>>>>> access and we can simply drop the lock and return -EIO.
>>>>>>>       
>>>>>>
>>>>>>  Yes. This looks better option. So, just to confirm, I can take the
>>>>>>  memory_lock read-lock at the starting of vfio_pci_config_rw() and
>>>>>>  release it just before returning from vfio_pci_config_rw() and
>>>>>>  for memory related config access, we will release this lock and
>>>>>>  re-aquiring again write version of this. Once memory write happens,
>>>>>>  then we can downgrade this write lock to read lock ?    
>>>>>
>>>>> We only need to lock for the device access, so if you've finished that
>>>>> access after acquiring the write-lock, there'd be no point to then
>>>>> downgrade that to a read-lock.  The access should be finished by that
>>>>> point.
>>>>>    
>>>>
>>>>  I was planning to take memory_lock read-lock at the beginning of
>>>>  vfio_pci_config_rw() and release the same just before returning from
>>>>  this function. If I don't downgrade it back to read-lock, then the
>>>>  release in the end will be called for the lock which has not taken.
>>>>  Also, user can specify count to any number of bytes and then the
>>>>  vfio_config_do_rw() will be invoked multiple times and then in
>>>>  the second call, it will be without lock.  
>>>
>>> Ok, yes, I can imagine how it might result in a cleaner exit path to do
>>> a downgrade_write().
>>>   
>>>>>>  Also, what about IOCTLs. How can I take and release memory_lock for
>>>>>>  ioctl. is it okay to go with Patch 7 where we call
>>>>>>  pm_runtime_resume_and_get() before each ioctl or we need to do the
>>>>>>  same low power check for ioctl also ?
>>>>>>  In Later case, I am not sure how should I do the implementation so
>>>>>>  that all other ioctl are covered from vfio core layer itself.    
>>>>>
>>>>> Some ioctls clearly cannot occur while the device is in low power, such
>>>>> as resets and interrupt control, but even less obvious things like
>>>>> getting region info require device access.  Migration also provides a
>>>>> channel to device access.  Do we want to manage a list of ioctls that
>>>>> are allowed in low power, or do we only want to allow the ioctl to exit
>>>>> low power?
>>>>>     
>>>>
>>>>  In previous version of this patch, you mentioned that maintaining the
>>>>  safe ioctl list will be tough to maintain. So, currently we wanted to
>>>>  allow the ioctl for low power exit.  
>>>
>>> Yes, I'm still conflicted in how that would work.
>>>    
>>>>> I'm also still curious how we're going to handle devices that cannot
>>>>> return to low power such as the self-refresh mode on the GPU.  We can
>>>>> potentially prevent any wake-ups from the vfio device interface, but
>>>>> that doesn't preclude a wake-up via an external lspci.  I think we need
>>>>> to understand how we're going to handle such devices before we can
>>>>> really complete the design.  AIUI, we cannot disable the self-refresh
>>>>> sleep mode without imposing unreasonable latency and memory
>>>>> requirements on the guest and we cannot retrigger the self-refresh
>>>>> low-power mode without non-trivial device specific code.  Thanks,
>>>>>
>>>>> Alex
>>>>>     
>>>>
>>>>  I am working on adding support to notify guest through virtual PME
>>>>  whenever there is any wake-up triggered by the host and the guest has
>>>>  already put the device into runtime suspended state. This virtual PME
>>>>  will be similar to physical PME. Normally, if PCI device need power
>>>>  management transition, then it sends PME event which will be
>>>>  ultimately handled by host OS. In virtual PME case, if host need power
>>>>  management transition, then it sends event to guest and then guest OS
>>>>  handles these virtual PME events. Following is summary:
>>>>
>>>>  1. Add the support for one more event like VFIO_PCI_ERR_IRQ_INDEX
>>>>     named VFIO_PCI_PME_IRQ_INDEX and add the required code for this
>>>>     virtual PME event.
>>>>
>>>>  2. From the guest side, when the PME_IRQ is enabled then we will
>>>>     set event_fd for PME.
>>>>
>>>>  3. In the vfio driver, the PME support bits are already
>>>>     virtualized and currently set to 0. We can set PME capability support
>>>>     for D3cold so that in guest, it looks like
>>>>
>>>>      Capabilities: [60] Power Management version 3
>>>>      Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA
>>>>             PME(D0-,D1-,D2-,D3hot-,D3cold+)
>>>>
>>>>  4. From the guest side, it can do PME enable (PME_En bit in Power
>>>>     Management Control/Status Register) which will be again virtualized.
>>>>
>>>>  5. When host gets request for resuming the device other than from
>>>>     low power ioctl, then device pm usage count will be incremented, the
>>>>     PME status (PME_Status bit in Power Management Control/Status Register)
>>>>     will be set and then we can do the event_fd signal.
>>>>
>>>>  6. In the PCIe, the PME events will be handled by root port. For
>>>>     using low power D3cold feature, it is required to create virtual root
>>>>     port in hypervisor side and when hypervisor receives this PME event,
>>>>     then it can send virtual interrupt to root port.
>>>>
>>>>  7. If we take example of Linux kernel, then pcie_pme_irq() will
>>>>     handle this and then do the runtime resume on the guest side. Also, it
>>>>     will clear the PME status bit here. Then guest can put the device
>>>>     again into suspended state.
>>>>
>>>>  8. I did prototype changes in QEMU for above logic and was getting wake-up
>>>>     in the guest whenever I do lspci on the host side.
>>>>
>>>>  9. Since currently only nvidia GPU has this limitation to require
>>>>     driver interaction each time before going into D3cold so we can allow
>>>>     the reentry for other device. We can have nvidia vendor (along with
>>>>     VGA/3D controller class code). In future, if any other device also has
>>>>     similar requirement then we can update this list. For other device
>>>>     host can put the device into D3cold in case of any wake-up.
>>>>
>>>>  10. In the vfio driver, we can put all these restriction for
>>>>      enabling PME and return error if user tries to make low power entry
>>>>      ioctl without enabling the PME related things.
>>>>
>>>>  11. The virtual PME can help in handling physical PME also for all
>>>>      the devices. The PME logic is not dependent upon nvidia GPU
>>>>      restriction. If virtual PME is enabled by hypervisor, then when
>>>>      physical PME wakes the device, then it will resume on the guest side
>>>>      also.  
>>>
>>> So if host accesses through things like lspci are going to wake the
>>> device and we can't prevent that, and the solution to that is to notify
>>> the guest to put the device back to low power, then it seems a lot less
>>> important to try to prevent the user from waking the device through
>>> random accesses.  In that context, maybe we do simply wrap all accesses
>>> with pm_runtime_get/put() put calls, which eliminates the problem of
>>> maintaining a list of safe ioctls in low power.
>>>   
>>
>>  So wrap all access with pm_runtime_get()/put() will only be applicable
>>  for IOCTLs. Correct ?
>>  For config space, we can go with the approach discussed earlier in which
>>  we return error ?
> 
> If we need to handle arbitrarily induced wakes from the host, it
> doesn't make much sense to restrict those same sort of accesses by the
> user through the vfio-device.  It also seems a lot easier to simply do
> a pm_get/put() around not only ioctls, but all region accesses to avoid
> the sorts of races you previously identified.  Access through mmap
> should still arguably fault given that there is no discrete end to such
> an access like we have for read/write operations.  Thanks,
> 
> Alex
> 

 Thanks Alex for confirming.
 I will do the same.

 Regards,
 Abhishek
diff mbox series

Patch

diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
index af0ae80ef324..65b1bc9586ab 100644
--- a/drivers/vfio/pci/vfio_pci_config.c
+++ b/drivers/vfio/pci/vfio_pci_config.c
@@ -25,6 +25,7 @@ 
 #include <linux/uaccess.h>
 #include <linux/vfio.h>
 #include <linux/slab.h>
+#include <linux/pm_runtime.h>
 
 #include <linux/vfio_pci_core.h>
 
@@ -1936,16 +1937,23 @@  static ssize_t vfio_config_do_rw(struct vfio_pci_core_device *vdev, char __user
 ssize_t vfio_pci_config_rw(struct vfio_pci_core_device *vdev, char __user *buf,
 			   size_t count, loff_t *ppos, bool iswrite)
 {
+	struct device *dev = &vdev->pdev->dev;
 	size_t done = 0;
 	int ret = 0;
 	loff_t pos = *ppos;
 
 	pos &= VFIO_PCI_OFFSET_MASK;
 
+	ret = pm_runtime_resume_and_get(dev);
+	if (ret < 0)
+		return ret;
+
 	while (count) {
 		ret = vfio_config_do_rw(vdev, buf, count, &pos, iswrite);
-		if (ret < 0)
+		if (ret < 0) {
+			pm_runtime_put(dev);
 			return ret;
+		}
 
 		count -= ret;
 		done += ret;
@@ -1953,6 +1961,7 @@  ssize_t vfio_pci_config_rw(struct vfio_pci_core_device *vdev, char __user *buf,
 		pos += ret;
 	}
 
+	pm_runtime_put(dev);
 	*ppos += done;
 
 	return done;
diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
index 05a68ca9d9e7..beac6e05f97f 100644
--- a/drivers/vfio/pci/vfio_pci_core.c
+++ b/drivers/vfio/pci/vfio_pci_core.c
@@ -234,7 +234,14 @@  int vfio_pci_set_power_state(struct vfio_pci_core_device *vdev, pci_power_t stat
 	ret = pci_set_power_state(pdev, state);
 
 	if (!ret) {
-		vdev->power_state_d3 = (pdev->current_state >= PCI_D3hot);
+		/*
+		 * If 'platform_pm_engaged' is true then 'power_state_d3' can
+		 * be cleared only when user makes the explicit request to
+		 * move out of low power state by using power management ioctl.
+		 */
+		if (!vdev->platform_pm_engaged)
+			vdev->power_state_d3 =
+				(pdev->current_state >= PCI_D3hot);
 
 		/* D3 might be unsupported via quirk, skip unless in D3 */
 		if (needs_save && pdev->current_state >= PCI_D3hot) {
@@ -266,6 +273,25 @@  static int vfio_pci_core_runtime_suspend(struct device *dev)
 {
 	struct vfio_pci_core_device *vdev = dev_get_drvdata(dev);
 
+	down_read(&vdev->memory_lock);
+
+	/* 'platform_pm_engaged' will be false if there are no users. */
+	if (!vdev->platform_pm_engaged) {
+		up_read(&vdev->memory_lock);
+		return 0;
+	}
+
+	/*
+	 * The user will move the device into D3hot state first before invoking
+	 * power management ioctl. Move the device into D0 state here and then
+	 * the pci-driver core runtime PM suspend will move the device into
+	 * low power state. Also, for the devices which have NoSoftRst-,
+	 * it will help in restoring the original state (saved locally in
+	 * 'vdev->pm_save').
+	 */
+	vfio_pci_set_power_state(vdev, PCI_D0);
+	up_read(&vdev->memory_lock);
+
 	/*
 	 * If INTx is enabled, then mask INTx before going into runtime
 	 * suspended state and unmask the same in the runtime resume.
@@ -395,6 +421,19 @@  void vfio_pci_core_disable(struct vfio_pci_core_device *vdev)
 
 	/*
 	 * This function can be invoked while the power state is non-D0.
+	 * This non-D0 power state can be with or without runtime PM.
+	 * Increment the usage count corresponding to pm_runtime_put()
+	 * called during setting of 'platform_pm_engaged'. The device will
+	 * wake up if it has already went into suspended state. Otherwise,
+	 * the next vfio_pci_set_power_state() will change the
+	 * device power state to D0.
+	 */
+	if (vdev->platform_pm_engaged) {
+		pm_runtime_resume_and_get(&pdev->dev);
+		vdev->platform_pm_engaged = false;
+	}
+
+	/*
 	 * This function calls __pci_reset_function_locked() which internally
 	 * can use pci_pm_reset() for the function reset. pci_pm_reset() will
 	 * fail if the power state is non-D0. Also, for the devices which
@@ -1192,6 +1231,80 @@  long vfio_pci_core_ioctl(struct vfio_device *core_vdev, unsigned int cmd,
 }
 EXPORT_SYMBOL_GPL(vfio_pci_core_ioctl);
 
+#ifdef CONFIG_PM
+static int vfio_pci_core_feature_pm(struct vfio_device *device, u32 flags,
+				    void __user *arg, size_t argsz)
+{
+	struct vfio_pci_core_device *vdev =
+		container_of(device, struct vfio_pci_core_device, vdev);
+	struct pci_dev *pdev = vdev->pdev;
+	struct vfio_device_feature_power_management vfio_pm = { 0 };
+	int ret = 0;
+
+	ret = vfio_check_feature(flags, argsz,
+				 VFIO_DEVICE_FEATURE_SET |
+				 VFIO_DEVICE_FEATURE_GET,
+				 sizeof(vfio_pm));
+	if (ret != 1)
+		return ret;
+
+	if (flags & VFIO_DEVICE_FEATURE_GET) {
+		down_read(&vdev->memory_lock);
+		vfio_pm.low_power_state = vdev->platform_pm_engaged ?
+				VFIO_DEVICE_LOW_POWER_STATE_ENTER :
+				VFIO_DEVICE_LOW_POWER_STATE_EXIT;
+		up_read(&vdev->memory_lock);
+		if (copy_to_user(arg, &vfio_pm, sizeof(vfio_pm)))
+			return -EFAULT;
+		return 0;
+	}
+
+	if (copy_from_user(&vfio_pm, arg, sizeof(vfio_pm)))
+		return -EFAULT;
+
+	/*
+	 * The vdev power related fields are protected with memory_lock
+	 * semaphore.
+	 */
+	down_write(&vdev->memory_lock);
+	switch (vfio_pm.low_power_state) {
+	case VFIO_DEVICE_LOW_POWER_STATE_ENTER:
+		if (!vdev->power_state_d3 || vdev->platform_pm_engaged) {
+			ret = EINVAL;
+			break;
+		}
+
+		vdev->platform_pm_engaged = true;
+
+		/*
+		 * The pm_runtime_put() will be called again while returning
+		 * from ioctl after which the device can go into runtime
+		 * suspended.
+		 */
+		pm_runtime_put_noidle(&pdev->dev);
+		break;
+
+	case VFIO_DEVICE_LOW_POWER_STATE_EXIT:
+		if (!vdev->platform_pm_engaged) {
+			ret = EINVAL;
+			break;
+		}
+
+		vdev->platform_pm_engaged = false;
+		vdev->power_state_d3 = false;
+		pm_runtime_get_noresume(&pdev->dev);
+		break;
+
+	default:
+		ret = EINVAL;
+		break;
+	}
+
+	up_write(&vdev->memory_lock);
+	return ret;
+}
+#endif
+
 static int vfio_pci_core_feature_token(struct vfio_device *device, u32 flags,
 				       void __user *arg, size_t argsz)
 {
@@ -1226,6 +1339,10 @@  int vfio_pci_core_ioctl_feature(struct vfio_device *device, u32 flags,
 	switch (flags & VFIO_DEVICE_FEATURE_MASK) {
 	case VFIO_DEVICE_FEATURE_PCI_VF_TOKEN:
 		return vfio_pci_core_feature_token(device, flags, arg, argsz);
+#ifdef CONFIG_PM
+	case VFIO_DEVICE_FEATURE_POWER_MANAGEMENT:
+		return vfio_pci_core_feature_pm(device, flags, arg, argsz);
+#endif
 	default:
 		return -ENOTTY;
 	}
@@ -2189,6 +2306,15 @@  static int vfio_pci_dev_set_hot_reset(struct vfio_device_set *dev_set,
 		goto err_unlock;
 	}
 
+	/*
+	 * Some of the devices in the dev_set can be in the runtime suspended
+	 * state. Increment the usage count for all the devices in the dev_set
+	 * before reset and decrement the same after reset.
+	 */
+	ret = vfio_pci_dev_set_pm_runtime_get(dev_set);
+	if (ret)
+		goto err_unlock;
+
 	list_for_each_entry(cur_vma, &dev_set->device_list, vdev.dev_set_list) {
 		/*
 		 * Test whether all the affected devices are contained by the
@@ -2244,6 +2370,9 @@  static int vfio_pci_dev_set_hot_reset(struct vfio_device_set *dev_set,
 		else
 			mutex_unlock(&cur->vma_lock);
 	}
+
+	list_for_each_entry(cur, &dev_set->device_list, vdev.dev_set_list)
+		pm_runtime_put(&cur->pdev->dev);
 err_unlock:
 	mutex_unlock(&dev_set->lock);
 	return ret;
diff --git a/include/linux/vfio_pci_core.h b/include/linux/vfio_pci_core.h
index e84f31e44238..337983a877d6 100644
--- a/include/linux/vfio_pci_core.h
+++ b/include/linux/vfio_pci_core.h
@@ -126,6 +126,7 @@  struct vfio_pci_core_device {
 	bool			needs_pm_restore;
 	bool			power_state_d3;
 	bool			pm_intx_masked;
+	bool			platform_pm_engaged;
 	struct pci_saved_state	*pci_saved_state;
 	struct pci_saved_state	*pm_save;
 	int			ioeventfds_nr;
diff --git a/include/uapi/linux/vfio.h b/include/uapi/linux/vfio.h
index fea86061b44e..53ff890dbd27 100644
--- a/include/uapi/linux/vfio.h
+++ b/include/uapi/linux/vfio.h
@@ -986,6 +986,24 @@  enum vfio_device_mig_state {
 	VFIO_DEVICE_STATE_RUNNING_P2P = 5,
 };
 
+/*
+ * Use platform-based power management for moving the device into low power
+ * state.  This low power state is device specific.
+ *
+ * For PCI, this low power state is D3cold.  The native PCI power management
+ * does not support the D3cold power state.  For moving the device into D3cold
+ * state, change the PCI state to D3hot with standard configuration registers
+ * and then call this IOCTL to setting the D3cold state.  Similarly, if the
+ * device in D3cold state, then call this IOCTL to exit from D3cold state.
+ */
+struct vfio_device_feature_power_management {
+#define VFIO_DEVICE_LOW_POWER_STATE_EXIT	0x0
+#define VFIO_DEVICE_LOW_POWER_STATE_ENTER	0x1
+	__u64	low_power_state;
+};
+
+#define VFIO_DEVICE_FEATURE_POWER_MANAGEMENT	3
+
 /* -------- API for Type1 VFIO IOMMU -------- */
 
 /**