From: Vasant Hegde <vasant.hegde@amd.com>
To: Joe Damato <joe@dama.to>,
iommu@lists.linux.dev, Joerg Roedel <joro@8bytes.org>,
Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>,
Will Deacon <will@kernel.org>,
Robin Murphy <robin.murphy@arm.com>,
Kevin Tian <kevin.tian@intel.com>, Jason Gunthorpe <jgg@ziepe.ca>
Cc: linux-kernel@vger.kernel.org, Joerg Roedel <jroedel@suse.de>
Subject: Re: [PATCH] iommu/amd: Block identity domain when SNP enabled
Date: Wed, 11 Mar 2026 21:40:51 +0530 [thread overview]
Message-ID: <ee56caa0-770e-4bcb-89c2-5f21cd8498a8@amd.com> (raw)
In-Reply-To: <20260309235234.3367768-1-joe@dama.to>
On 3/10/2026 5:22 AM, Joe Damato wrote:
>
> Previously, commit 8388f7df936b ("iommu/amd: Do not support
> IOMMU_DOMAIN_IDENTITY after SNP is enabled") prevented users from
> changing the IOMMU domain to identity if SNP was enabled.
>
> This resulted in an error when writing to sysfs:
>
> # echo "identity" > /sys/kernel/iommu_groups/50/type
> -bash: echo: write error: Cannot allocate memory
>
> However, commit 4402f2627d30 ("iommu/amd: Implement global identity
> domain") changed the flow of the code, skipping the SNP guard and
> allowing users to change the IOMMU domain to identity after a machine
> has booted.
>
> Once the user does that, they will probably try to bind and the
> device/driver will start to do DMA which will trigger errors:
>
> iommu ivhd3: AMD-Vi: Event logged [ILLEGAL_DEV_TABLE_ENTRY device=0000:43:00.0 pasid=0x00000 address=0x3737b01000 flags=0x0020]
> iommu ivhd3: AMD-Vi: Control Reg : 0xc22000142148d
> AMD-Vi: DTE[0]: 6000000000000003
> AMD-Vi: DTE[1]: 0000000000000001
> AMD-Vi: DTE[2]: 2000003088b3e013
> AMD-Vi: DTE[3]: 0000000000000000
> bnxt_en 0000:43:00.0 (unnamed net_device) (uninitialized): Error (timeout: 500015) msg {0x0 0x0} len:0
> iommu ivhd3: AMD-Vi: Event logged [ILLEGAL_DEV_TABLE_ENTRY device=0000:43:00.0 pasid=0x00000 address=0x3737b01000 flags=0x0020]
> iommu ivhd3: AMD-Vi: Control Reg : 0xc22000142148d
> AMD-Vi: DTE[0]: 6000000000000003
> AMD-Vi: DTE[1]: 0000000000000001
> AMD-Vi: DTE[2]: 2000003088b3e013
> AMD-Vi: DTE[3]: 0000000000000000
> bnxt_en 0000:43:00.0: probe with driver bnxt_en failed with error -16
>
> To prevent this from happening, create an attach wrapper for
> identity_domain_ops which returns EINVAL if amd_iommu_snp_en is true.
>
> With this commit applied:
>
> # echo "identity" > /sys/kernel/iommu_groups/62/type
> -bash: echo: write error: Invalid argument
>
> Fixes: 4402f2627d30 ("iommu/amd: Implement global identity domain")
> Signed-off-by: Joe Damato <joe@dama.to>
Thanks for the fix.
Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
-Vasant
next prev parent reply other threads:[~2026-03-11 16:11 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-09 23:52 [PATCH] iommu/amd: Block identity domain when SNP enabled Joe Damato
2026-03-10 0:35 ` Jason Gunthorpe
2026-03-11 16:10 ` Vasant Hegde [this message]
2026-03-17 13:02 ` Joerg Roedel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ee56caa0-770e-4bcb-89c2-5f21cd8498a8@amd.com \
--to=vasant.hegde@amd.com \
--cc=iommu@lists.linux.dev \
--cc=jgg@ziepe.ca \
--cc=joe@dama.to \
--cc=joro@8bytes.org \
--cc=jroedel@suse.de \
--cc=kevin.tian@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=robin.murphy@arm.com \
--cc=suravee.suthikulpanit@amd.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.