Re: [syzbot] [iommu?] WARNING in pt_iommu_amdv1_init

[Pranjal Shrivastava <praan@google.com>]

On Mon, Mar 23, 2026 at 05:04:27PM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    0e4f8f1a3d08 Merge tag 'parisc-for-7.0-rc5' of git://git.k..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=176df352580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=5a3e5e8c17cc174e
> dashboard link: https://syzkaller.appspot.com/bug?extid=453eb7add07c3767adab
> compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-0e4f8f1a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/838ecdb7b55f/vmlinux-0e4f8f1a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/3742378914db/bzImage-0e4f8f1a.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+453eb7add07c3767adab@syzkaller.appspotmail.com
> 
> iommufd_mock iommufd_mock1: Adding to iommu group 10
> ------------[ cut here ]------------
> !iommu_table->driver_ops || !iommu_table->driver_ops->change_top || !iommu_table->driver_ops->get_top_lock
> WARNING: drivers/iommu/generic_pt/fmt/../iommu_pt.h:1249 at pt_iommu_amdv1_init+0xa10/0xb20 drivers/iommu/generic_pt/iommu_pt.h:1249, CPU#1: syz.0.1303/9714
> Modules linked in:
> CPU: 1 UID: 0 PID: 9714 Comm: syz.0.1303 Tainted: G             L      syzkaller #0 PREEMPT(full) 
> Tainted: [L]=SOFTLOCKUP
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> RIP: 0010:pt_iommu_amdv1_init+0xa10/0xb20 drivers/iommu/generic_pt/iommu_pt.h:1249
> Code: e8 95 a4 e7 fc e9 aa f6 ff ff e8 db 18 7b fc 89 ab 94 00 00 00 e9 15 ff ff ff e8 cb 18 7b fc e9 e4 fd ff ff e8 c1 18 7b fc 90 <0f> 0b 90 e9 19 ff ff ff bd a1 ff ff ff e9 cc fd ff ff 4c 89 cf 4c
> RSP: 0018:ffffc90003747a68 EFLAGS: 00010287
> RAX: 00000000000007ee RBX: ffff88802bb03500 RCX: ffffc9000407a000
> RDX: 0000000000080000 RSI: ffffffff858db73f RDI: ffff888026f94980
> RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
> R10: 0000000000000034 R11: 0000000000000000 R12: 0000000000000034
> R13: 0000000000000040 R14: 0000000000000000 R15: 0000000000000034
> FS:  00007f29a60136c0(0000) GS:ffff8880d6442000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000110c3f39c7 CR3: 000000003d1d7000 CR4: 0000000000352ef0
> Call Trace:
>  <TASK>
>  mock_domain_alloc_pgtable drivers/iommu/iommufd/selftest.c:491 [inline]
>  mock_domain_alloc_paging_flags+0x29b/0x680 drivers/iommu/iommufd/selftest.c:548
>  iommufd_hwpt_paging_alloc+0x393/0xb20 drivers/iommu/iommufd/hw_pagetable.c:149
>  iommufd_hwpt_alloc+0xb46/0x1af0 drivers/iommu/iommufd/hw_pagetable.c:369
>  iommufd_fops_ioctl+0x358/0x520 drivers/iommu/iommufd/main.c:533
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:597 [inline]
>  __se_sys_ioctl fs/ioctl.c:583 [inline]
>  __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
>  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>  do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f29a519c799
> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f29a6013028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007f29a5415fa0 RCX: 00007f29a519c799
> RDX: 0000200000000200 RSI: 0000000000003b89 RDI: 0000000000000009
> RBP: 00007f29a5232c99 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007f29a5416038 R14: 00007f29a5415fa0 R15: 00007ffedd2b95c8
>  </TASK>
> 
> 

I believe this is because we don't populate struct pt_iommu_driver_ops
for the "mock" iommu / selftest? Would defining mock ops help fix this?

I have a patch that seems to fix the WARN_ON:

diff --git a/drivers/iommu/iommufd/selftest.c b/drivers/iommu/iommufd/selftest.c
index 9607416f8069..1599eb737d2a 100644
--- a/drivers/iommu/iommufd/selftest.c
+++ b/drivers/iommu/iommufd/selftest.c
@@ -119,6 +119,7 @@ struct mock_iommu_domain {
 		struct pt_iommu_amdv1 amdv1;
 	};
 	unsigned long flags;
+	spinlock_t lock;
 };
 PT_IOMMU_CHECK_DOMAIN(struct mock_iommu_domain, iommu, domain);
 PT_IOMMU_CHECK_DOMAIN(struct mock_iommu_domain, amdv1.iommu, domain);
@@ -129,6 +130,29 @@ to_mock_domain(struct iommu_domain *domain)
 	return container_of(domain, struct mock_iommu_domain, domain);
 }
 
+static void mock_domain_change_top(struct pt_iommu *iommu_table,
+				   phys_addr_t top_paddr,
+				   unsigned int top_level)
+{
+	/*
+	 * The selftest doesn't have real hardware, so there is no need to
+	 * perform any root table moves.
+	 */
+}
+
+static spinlock_t *mock_domain_get_top_lock(struct pt_iommu *iommu_table)
+{
+	struct mock_iommu_domain *mock =
+		container_of(iommu_table, struct mock_iommu_domain, iommu);
+
+	return &mock->lock;
+}
+
+static const struct pt_iommu_driver_ops mock_driver_ops = {
+	.change_top = &mock_domain_change_top,
+	.get_top_lock = &mock_domain_get_top_lock,
+};
+
 struct mock_iommu_domain_nested {
 	struct iommu_domain domain;
 	struct mock_viommu *mock_viommu;
@@ -445,6 +469,8 @@ mock_domain_alloc_pgtable(struct device *dev,
 	if (!mock)
 		return ERR_PTR(-ENOMEM);
 	mock->domain.type = IOMMU_DOMAIN_UNMANAGED;
+	spin_lock_init(&mock->lock);
+	mock->amdv1.iommu.driver_ops = &mock_driver_ops;
 
 	mock->amdv1.iommu.nid = NUMA_NO_NODE;
 

LMK, if I shall send this as a separate patch?

Thanks,
Praan