From: Lu Baolu
To: Joerg Roedel
Cc: Zhenzhong Duan, Naval Alcalá, iommu@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: [PATCH 1/3] iommu/vt-d: Disable DMAR for Intel Q35 IGFX
Date: Sat, 9 May 2026 10:43:44 +0800
Message-ID: <20260509024348.3516523-2-baolu.lu@linux.intel.com>
In-Reply-To: <20260509024348.3516523-1-baolu.lu@linux.intel.com>

From: Naval Alcalá

Intel Q35 integrated graphics (8086:29b2) exhibits broken DMAR behaviour
similar to other G4x/GM45 devices for which DMAR is already disabled via
quirks.

When DMAR is enabled, the system may hard lock up during boot or early
device initialization, requiring a reset.

Add the missing PCI ID to the existing quirk list to disable DMAR for
this device.

Fixes: 1f76249cc3be ("iommu/vt-d: Declare Broadwell igfx dmar support snafu")
Cc: stable@vger.kernel.org
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=201185
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=216064
Signed-off-by: Naval Alcalá
Link: https://lore.kernel.org/r/20260410161622.13549-1-ari@naval.cat
Signed-off-by: Lu Baolu
---
 drivers/iommu/intel/iommu.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c index c3d18cd77d2f..2a6b6813a78d 100644 --- a/drivers/iommu/intel/iommu.c +++ b/drivers/iommu/intel/iommu.c 
@@ -3937,6 +3937,9 @@ static void quirk_iommu_igfx(struct pci_dev *dev) disable_igfx_iommu =3D 1; } =20 +/* Q35 integrated gfx dmar support is totally busted. */ +DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x29b2, quirk_iommu_igfx); + /* G4x/GM45 integrated gfx dmar support is totally busted. */ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2a40, quirk_iommu_igfx); DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e00, quirk_iommu_igfx); --=20 2.43.0
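
Review bot: The comment on the new 0x29b2 entry says only that DMAR is "totally busted"; it should record the symptom given in the commit message (hard lockup during boot or early device initialization) so a later reader can tell why this ID is on the list. Because quirk_iommu_igfx() sets disable_igfx_iommu, the entry switches off DMA remapping for the graphics device on these boards, which is worth saying in the comment as well. The Fixes: tag names the Broadwell igfx commit while the entry is grouped with the G4x/GM45 IDs, so a sentence in the commit message explaining that choice would help stable backporters.
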
From: Lu Baolu
To: Joerg Roedel
Cc: Zhenzhong Duan, Naval Alcalá, iommu@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: [PATCH 2/3] iommu/vt-d: Fix oops due to out of scope access
Date: Sat, 9 May 2026 10:43:45 +0800
Message-ID: <20260509024348.3516523-3-baolu.lu@linux.intel.com>
In-Reply-To: <20260509024348.3516523-1-baolu.lu@linux.intel.com>

From: Zhenzhong Duan

The below oops triggers when killing the QEMU process:

 Oops: general protection fault, probably for non-canonical address 0x7fffffff844eaaa7: 0000 [#1] SMP NOPTI
 Call Trace:
  do_raw_spin_lock+0xaa/0xc0
  _raw_spin_lock_irqsave+0x21/0x40
  domain_remove_dev_pasid+0x52/0x160
  intel_nested_set_dev_pasid+0x1b9/0x1e0
  __iommu_set_group_pasid+0x56/0x120
  pci_dev_reset_iommu_done+0xe3/0x180
  pcie_flr+0x65/0x160
  __pci_reset_function_locked+0x5b/0x120
  vfio_pci_core_close_device+0x63/0xe0 [vfio_pci_core]
  vfio_df_close+0x4f/0xa0
  vfio_df_unbind_iommufd+0x2d/0x60
  vfio_device_fops_release+0x3e/0x40
  __fput+0xe5/0x2c0
  task_work_run+0x58/0xa0
  do_exit+0x2c8/0x600
  do_group_exit+0x2f/0xa0
  get_signal+0x863/0x8c0
  arch_do_signal_or_restart+0x24/0x100
  exit_to_user_mode_loop+0x87/0x380
  do_syscall_64+0x2ff/0x11e0
  entry_SYSCALL_64_after_hwframe+0x76/0x7e

The global static blocked domain is a dummy domain without a corresponding
dmar_domain structure; accessing beyond the iommu_domain structure triggers
an oops easily.

Fix it by returning early in domain_remove_dev_pasid(), like the identity
domain.

Fixes: 7d0c9da6c150 ("iommu/vt-d: Add set_dev_pasid callback for dma domain")
Cc: stable@vger.kernel.org
Signed-off-by: Zhenzhong Duan
Reviewed-by: Kevin Tian
Link: https://lore.kernel.org/r/20260421031347.1408890-1-zhenzhong.duan@intel.com
Signed-off-by: Lu Baolu
---
 drivers/iommu/intel/iommu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c index 2a6b6813a78d..a4b123c33022 100644 --- a/drivers/iommu/intel/iommu.c +++ b/drivers/iommu/intel/iommu.c 
@@ -3530,8 +3530,8 @@ void domain_remove_dev_pasid(struct iommu_domain *dom= ain, if (!domain) return; =20 - /* Identity domain has no meta data for pasid. */ - if (domain->type =3D=3D IOMMU_DOMAIN_IDENTITY) + /* Identity domain and blocked domain have no meta data for pasid. */ + if (domain->type =3D=3D IOMMU_DOMAIN_IDENTITY || domain->type =3D=3D IOMM= U_DOMAIN_BLOCKED) return; =20 dmar_domain =3D to_dmar_domain(domain); --=20 2.43.0
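
Review bot: The widened check in domain_remove_dev_pasid() still lists domain types one at a time, so any other domain that is not embedded in a dmar_domain would again fall through to to_dmar_domain(domain) and repeat the out-of-scope access shown in the oops. Consider testing for a domain this driver actually allocated instead of enumerating the exceptions, or at least state in the comment that every type without a dmar_domain must be listed here. The condition is also long enough to be worth breaking after the `||`.
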
From: Lu Baolu
To: Joerg Roedel
Cc: Zhenzhong Duan, Naval Alcalá, iommu@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: [PATCH 3/3] iommu/vt-d: Avoid NULL pointer dereference or refcount corruption
Date: Sat, 9 May 2026 10:43:46 +0800
Message-ID: <20260509024348.3516523-4-baolu.lu@linux.intel.com>
In-Reply-To: <20260509024348.3516523-1-baolu.lu@linux.intel.com>

From: Zhenzhong Duan

Commit 60f030f7418d ("iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE")
fixed a NULL pointer dereference in an unlikely situation partly.

If dev_pasid is not found in the dev_pasids list, it remains NULL. However,
the teardown operations are executed unconditionally; this leads to a NULL
pointer dereference or refcount corruption.

If the domain was never attached to this IOMMU, info will be NULL, which
would cause an immediate dereference when checking --info->refcnt. Even if
info is not NULL, decrementing the refcount without having removed a valid
PASID might unbalance the count. This could lead to premature dropping of
the refcount to 0, potentially causing a use-after-free for the remaining
active devices sharing the domain.

Fix it by returning early if dev_pasid is NULL, before executing the
teardown operations.

Issue found by AI review and suggested by Kevin Tian.
https://sashiko.dev/#/patchset/20260421031347.1408890-1-zhenzhong.duan%40intel.com

Fixes: 60f030f7418d ("iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE")
Cc: stable@vger.kernel.org
Suggested-by: Kevin Tian
Signed-off-by: Zhenzhong Duan
Reviewed-by: Kevin Tian
Link: https://lore.kernel.org/r/20260422033538.95000-1-zhenzhong.duan@intel.com
Signed-off-by: Lu Baolu
---
 drivers/iommu/intel/iommu.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c index a4b123c33022..4d0e65bc131d 100644 --- a/drivers/iommu/intel/iommu.c +++ b/drivers/iommu/intel/iommu.c @@ -3545,12 +3545,13 @@ void domain_remove_dev_pasid(struct iommu_domain *d= omain, } spin_unlock_irqrestore(&dmar_domain->lock, flags); =20 + if (WARN_ON_ONCE(!dev_pasid)) + return; + cache_tag_unassign_domain(dmar_domain, dev, pasid); domain_detach_iommu(dmar_domain, iommu); - if (!WARN_ON_ONCE(!dev_pasid)) { - intel_iommu_debugfs_remove_dev_pasid(dev_pasid); - kfree(dev_pasid); - } + intel_iommu_debugfs_remove_dev_pasid(dev_pasid); + kfree(dev_pasid); } =20 static int blocking_domain_set_dev_pasid(struct iommu_domain *domain, --=20 2.43.0
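
Review bot: The new WARN_ON_ONCE(!dev_pasid) return sits above cache_tag_unassign_domain(), so that call is now skipped as well, while the commit message only argues the case for domain_detach_iommu() and its refcount. Please add a short comment above the check explaining that no cache tag can have been assigned when the PASID is absent from dev_pasids, or move the check below cache_tag_unassign_domain() if one may have been, so the skipped teardown is visibly intentional.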