From: Lu Baolu <baolu.lu@linux.intel.com>
To: Joerg Roedel <joro@8bytes.org>
Cc: "Pranjal Shrivastava" <praan@google.com>,
	"Guanghui Feng" <guanghuifeng@linux.alibaba.com>,
	"Michał Grzelak" <michal.grzelak@intel.com>,
	"Michael Bommarito" <michael.bommarito@gmail.com>,
	iommu@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: [PATCH v2 2/5] iommu/vt-d: Clear Present bit before tearing down scalable-mode context entry
Date: Thu,  4 Jun 2026 14:03:07 +0800
Message-ID: <20260604060311.365074-3-baolu.lu@linux.intel.com>
In-Reply-To: <20260604060311.365074-1-baolu.lu@linux.intel.com>

From: Michael Bommarito <michael.bommarito@gmail.com>

device_pasid_table_teardown() zeroes the 128-bit scalable-mode context
entry with context_clear_entry() while the Present bit is still set. This
creates a window where the hardware can fetch a torn entry, with some
fields already zeroed while Present is still set, leading to unpredictable
behavior or spurious faults. The context-cache invalidation is issued only
after the entry has been zeroed, and intel_pasid_free_table() then frees
the PASID directory pages, so the IOMMU can keep walking a stale Present=1
entry that points at freed memory.

While x86 provides strong write ordering, the compiler may reorder the two
64-bit writes to the entry, and the hardware fetch is not guaranteed to be
atomic with respect to multiple CPU writes.

Commit c1e4f1dccbe9d ("iommu/vt-d: Clear Present bit before tearing down
context entry") fixed this exact pattern in domain_context_clear_one() and
the copied-context path, but device_pasid_table_teardown() was not
converted.

Align it with the "Guidance to Software for Invalidations" in the VT-d
spec, Section 6.5.3.3, using the same ownership handshake as the sibling
fix: clear only the Present bit, flush it to the IOMMU, perform the
context-cache invalidation, and only then zero the rest of the entry.

Fixes: 81e921fd32161 ("iommu/vt-d: Fix NULL domain on device release")
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-7
Link: https://lore.kernel.org/r/20260528025557.3209367-1-michael.bommarito@gmail.com
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
---
 drivers/iommu/intel/pasid.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/iommu/intel/pasid.c b/drivers/iommu/intel/pasid.c
index 89541b74ab8c..40910dc7363b 100644
--- a/drivers/iommu/intel/pasid.c
+++ b/drivers/iommu/intel/pasid.c
@@ -748,10 +748,12 @@ static void device_pasid_table_teardown(struct device *dev, u8 bus, u8 devfn)
 	}
 
 	did = context_domain_id(context);
-	context_clear_entry(context);
+	context_clear_present(context);
 	__iommu_flush_cache(iommu, context, sizeof(*context));
 	spin_unlock(&iommu->lock);
 	intel_context_flush_no_pasid(info, context, did);
+	context_clear_entry(context);
+	__iommu_flush_cache(iommu, context, sizeof(*context));
 }
 
 static int pci_pasid_table_teardown(struct pci_dev *pdev, u16 alias, void *data)
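
Review bot: the final context_clear_entry() and its __iommu_flush_cache() at the end of device_pasid_table_teardown() now run after spin_unlock(&iommu->lock), whereas the context_clear_entry() call they replace wrote the entry with the lock held. If the entry is safe to modify unlocked at that point because Present is already clear and intel_context_flush_no_pasid() has invalidated the context cache, a short comment saying so would help; otherwise retake iommu->lock around the final clear. A one-line comment above context_clear_present() naming the sequence from the commit message (clear Present, flush, invalidate, then zero the rest) would also keep a later cleanup from collapsing the two steps back into one.
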
-- 
2.43.0

