From: Zhenzhong Duan
To: iommu@lists.linux.dev, linux-kernel@vger.kernel.org
Cc: dwmw2@infradead.org, baolu.lu@linux.intel.com, joro@8bytes.org, will@kernel.org, robin.murphy@arm.com, kevin.tian@intel.com, Zhenzhong Duan, Jacob Pan, Joerg Roedel
Subject: [PATCH] iommu/vt-d: Fix oops due to out of scope access
Date: Mon, 20 Apr 2026 23:13:47 -0400
Message-ID: <20260421031347.1408890-1-zhenzhong.duan@intel.com>

The oops below triggers when killing the QEMU process:

  Oops: general protection fault, probably for non-canonical address 0x7fffffff844eaaa7: 0000 [#1] SMP NOPTI
  Call Trace:
   do_raw_spin_lock+0xaa/0xc0
   _raw_spin_lock_irqsave+0x21/0x40
   domain_remove_dev_pasid+0x52/0x160
   intel_nested_set_dev_pasid+0x1b9/0x1e0
   __iommu_set_group_pasid+0x56/0x120
   pci_dev_reset_iommu_done+0xe3/0x180
   pcie_flr+0x65/0x160
   __pci_reset_function_locked+0x5b/0x120
   vfio_pci_core_close_device+0x63/0xe0 [vfio_pci_core]
   vfio_df_close+0x4f/0xa0
   vfio_df_unbind_iommufd+0x2d/0x60
   vfio_device_fops_release+0x3e/0x40
   __fput+0xe5/0x2c0
   task_work_run+0x58/0xa0
   do_exit+0x2c8/0x600
   do_group_exit+0x2f/0xa0
   get_signal+0x863/0x8c0
   arch_do_signal_or_restart+0x24/0x100
   exit_to_user_mode_loop+0x87/0x380
   do_syscall_64+0x2ff/0x11e0
   entry_SYSCALL_64_after_hwframe+0x76/0x7e

The global static blocked domain is a dummy domain without a corresponding
dmar_domain structure; accessing beyond the iommu_domain structure easily
triggers an oops.

Fix it by returning early in domain_remove_dev_pasid(), like the identity
domain.

Fixes: 7d0c9da6c150 ("iommu/vt-d: Add set_dev_pasid callback for dma domain")
Signed-off-by: Zhenzhong Duan
Reviewed-by: Kevin Tian
---
 drivers/iommu/intel/iommu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c index c3d18cd77d2f..52aa12dbeea1 100644 --- a/drivers/iommu/intel/iommu.c +++ b/drivers/iommu/intel/iommu.c @@ -3530,8 +3530,8 @@ void domain_remove_dev_pasid(struct iommu_domain *dom= ain, if (!domain) return; =20 - /* Identity domain has no meta data for pasid. */ - if (domain->type =3D=3D IOMMU_DOMAIN_IDENTITY) + /* Identity domain and blocked domain have no meta data for pasid. */ + if (domain->type =3D=3D IOMMU_DOMAIN_IDENTITY || domain->type =3D=3D IOMM= U_DOMAIN_BLOCKED) return; =20 dmar_domain =3D to_dmar_domain(domain); --=20 2.47.3
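Review bot: the new comment above the early return in domain_remove_dev_pasid() says only that these domains "have no meta data for pasid", which hides the actual hazard described in the commit message: the blocked domain has no dmar_domain behind it, so the to_dmar_domain(domain) call in the context line right after the check would yield a pointer outside the iommu_domain object. Please say that in the comment, for example "Identity and blocked domains are not backed by a dmar_domain; to_dmar_domain() must not be used on them", so the next reader understands the return is a memory-safety guard and not an optimisation. The guard is also an exclude-list on domain->type, so any other domain type that reaches this function without a dmar_domain behind it would hit the same out-of-scope access; it would help to state in the comment or changelog which types can reach here. As a minor style point, the combined condition is long for a single line and reads better with the "|| domain->type == IOMMU_DOMAIN_BLOCKED" half on a continuation line.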