From nobody Fri Apr 17 09:19:30 2026
Received: from mail-qt1-f169.google.com (mail-qt1-f169.google.com
 [209.85.160.169])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 860D612CDA5
	for <linux-kernel@vger.kernel.org>; Sat, 21 Feb 2026 06:53:47 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=pass smtp.client-ip=209.85.160.169
ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1771656829; cv=pass;
 b=uN3mGxKpj9CCAddOSXN93+piszcShTF9QP7dnTA991QtrBwyslaOUTSoLa4XCisXMC5zsNAblHPfQUKVLCJtoZyVEHxPE2315F+igT5RjbKoWWHVp0BJW4dIDVNezQtM76ybTTQlOb0WcUZnEwzD4u4hBoGj5ts3ugdIeaHv6Nc=
ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1771656829; c=relaxed/simple;
	bh=54Zw0WZ+xPTTc/dvrxevnJu2iCmKu1ICvQCjX7Nci+A=;
	h=MIME-Version:From:Date:Message-ID:Subject:To:Cc:Content-Type;
 b=K8jUIktCZRupfXqERODkEbvCAhOCWDHkJefSZmfV+NKp7kAgeJjY++PZSaxWqYEp4PU+qctTtJO7GF8h9FGA3ijlq/qJ6QyWUTHNVVKozXVgkjXoQwSyJWR0qCwiyFVlX4d29skOQ415z9X3KuoAvGG/9DKrXqGv6vjnt6Zuyxs=
ARC-Authentication-Results: i=2; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=JJ0FgKjk; arc=pass smtp.client-ip=209.85.160.169
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="JJ0FgKjk"
Received: by mail-qt1-f169.google.com with SMTP id
 d75a77b69052e-50334dd44d2so31957901cf.1
        for <linux-kernel@vger.kernel.org>;
 Fri, 20 Feb 2026 22:53:47 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1771656826; cv=none;
        d=google.com; s=arc-20240605;
        b=Mqx76AUbwLL8o3isDI1FSdt/cUZo0aOzbw7SdzUsBzewKSL+JpzyLsw9TRxaon4wV/
         JGKFZ+Hs9bcTFOxvI0yrXR+JyEs5yV5ryXUk3m7pSdv+se3Y2HfdE3n7z3uGDHbHnZOi
         exmqa8DddhtAIypJpR08b1yVxMxiCQFAhO6umZsPDF6y69hMzrzx/9HuahcHls04n4gp
         oEYH3zzM4uDwWLEzZWghJfUeu4GHOf9BD+8niL+If2MAzkaD6BqRurT6rAOyB7sJ1E0B
         70u99RhvK1rELh6LyDgxKB9CXubehLpFdqhzUStcJ7ZTwumJriNq0th/Kn6Dk5u3gchu
         vP3A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20240605;
        h=cc:to:subject:message-id:date:from:mime-version:dkim-signature;
        bh=1rxStf/qGHQ1EaSTPNj6R4aztKDomE5LRiMOyJoecnQ=;
        fh=T/5iVuga1pl7EFVbUNH/wFM0OBrOfSPetfpXzyvqlmY=;
        b=K8Wo9GSqnGIe3qvimR6Z8jwxCx6BIj/EzYtP3pKBfv6b77qjL9WtZLxRLQskS4Kz74
         aaS1+rBBGzCpPW53PMEU+u0w4ZHq89V+K9a8C26hdIUYsojL+yhEey5lHPdEXUG1bqxM
         uUImAOfyJN9qqXn42rUrjAmwu70d7ZMgogM31khUmHVqg1YAm2pW/UYnOygMmk4+F8IN
         BUiXaWA1FLz52ZERKbi0MFu3r3ZqoGI9TvM74o9HER+MH4SwFA6mM8hv3eystK9e2WSF
         kXj/Ev3pdoGPbgA4Mm9c/WsLh2J61Yg0m9n03ECjPJzZqDz9pbPawJWmG4RZvSZ/Oid2
         3sWw==;
        darn=vger.kernel.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1771656826; x=1772261626;
 darn=vger.kernel.org;
        h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=1rxStf/qGHQ1EaSTPNj6R4aztKDomE5LRiMOyJoecnQ=;
        b=JJ0FgKjkFAe36sNtwVIajms66W8rSdYOmNNnGksfH3fwtdBdvlcYERgAhSzjsQgX+W
         YYGeDQqLlFCDtpAaxdS37VlhIrACuFOvk7HO3vAM+vN3WeChU1zUbY7k1XVERf2/wIe1
         MP2xcWViyqGhI/rNTBUBkSvrB2qSQwXnU+tAK1yp2qKOirsUe+HGkcdUx92RmulecKkp
         xSJOB9LZ9e3RmRbM9nkIX2fO+72RkagqtYh9I2zzZb78q1bSGhvhXfGz4UNokVpog/0P
         atkSDsr+5CV0r20/qwVtMM5X8d7R5ol43TpMrij3cDI+uULH5feVR8ROoGK6LytWhaJf
         e5YQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1771656826; x=1772261626;
        h=cc:to:subject:message-id:date:from:mime-version:x-gm-gg
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=1rxStf/qGHQ1EaSTPNj6R4aztKDomE5LRiMOyJoecnQ=;
        b=qWoiPxYrFNBp+q7wAjfO2TtM5GYxqS/qqDCnKzKstzPMikR87IilJKwhzDmVqeM0FA
         zGJKfwmWDiYpqeYzUSn92s2w7VCH5hJGvVnZs1l5DoKaR5cwShxAO9wSNsLZjW9wnS8h
         30X2SwfLGkafzTiyzamheeugt0CFDh2yCAd6c7W7o2q2A2UUfKZvRepInsOn45NuN8Qo
         0b+vmzTeCVcAFNZKNjPMSBqtBnthNPjUKFAavsa17auIv+Ohg6h0Q3zjvWPkNK/5Qi6R
         1xRjN/2zfTdWLMsG/JBCq1jtib0hHGoz5qJQpKo2T7lALVAre2KkdQFFQXyeQbsliyIo
         QmIg==
X-Forwarded-Encrypted: i=1;
 AJvYcCUQRgjOOg+jaOzAHRxMTQIolwkftINbgnUnN8QLR0pNVpE0MeYwROIqmm8dNAmPdtWUsyuWJMUT2F3Oxuw=@vger.kernel.org
X-Gm-Message-State: AOJu0Yxg//BSfuQR2nQE+x0r4EexnlI+nM3gKhSJdyWrCxv4zlf7p9Yf
	rwCVU7TJBN+tTvW7Pz1V5m2AsQkE/nh1HV1+VMoE9+QRWlDS2Wfupk4acY7oUOlpW3JOXBEud7y
	EBEuDwDpAW1wndNDnd6zBncW/xJ6PlBA=
X-Gm-Gg: AZuq6aKP5niSau2dBL3suHubRaqZGoqT3oy7fVnhx6e78276Uua+nBdlS+o+iukK9xp
	cnzJ8BGkEn7iFiOygLO21sfaJzWq5Ct7dxFC+xhaNHa/40pb1fkkXJ4opOMo8m3rPPvilVvQ2hN
	QZTzeh752xWcDKyZ//Q06VjM5h2srdWYpv6myrK/Kl6nUVSu74nfv0QyPJRp+9//WPNnAJi61gR
	MRDCwGWP3PKsZxaza/thUfhNF6ydpx+ZZT0gzdnLDEdBhqKB6Qv8Gml5JwKr0ORRXnEe5JLBGrK
	slbnMJc4
X-Received: by 2002:a05:622a:181b:b0:501:4c45:b206 with SMTP id
 d75a77b69052e-5070bcd0a7dmr36878421cf.64.1771656826080; Fri, 20 Feb 2026
 22:53:46 -0800 (PST)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
From: Sam Sun <samsun1006219@gmail.com>
Date: Sat, 21 Feb 2026 14:53:35 +0800
X-Gm-Features: AaiRm52pLIKi1yWhJwzxslXRfRAqHMzP7jJpGocHWTXnN4K8iNUA-X3CcJ_Mn9Y
Message-ID: 
 <CAEkJfYMQrwrhK133NCkzhyOa=1Gj1ME5H1g1d15qWxXUdzNhsA@mail.gmail.com>
Subject: [Bug] WARNING in pt_iommu_amdv1_init
To: jgg@ziepe.ca, kevin.tian@intel.com, joro@8bytes.org, will@kernel.org,
	robin.murphy@arm.com, iommu@lists.linux.dev, linux-kernel@vger.kernel.org
Cc: syzkaller@googlegroups.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Dear developers and maintainers,

We encountered a bug in the iommufd selftest framework that triggers a
kernel warning, which can lead to a kernel panic when panic_on_warn is
enabled. The issue was observed on kernel version 6.19.0 (commit
2961f841b025), using syzbot kernel config to compile
(https://syzkaller.appspot.com/text?tag=3DKernelConfig&x=3De2f061f80b102378=
).

We analyzed the root cause of this bug. In
drivers/iommu/iommufd/selftest.c, the mock_domain_alloc_pgtable()
function configures the mock AMDv1 domain with the PT_FEAT_DYNAMIC_TOP
feature flag. However, the generic page table framework strictly
requires any driver requesting this feature to implement specific
hardware callbacks in driver_ops (specifically change_top and
get_top_lock).

Since the mock driver is only for testing and does not provide these
driver_ops callbacks, the sanity check in pt_iommu_amdv1_init fails
and triggers the warning. A possible fix for this issue is that the
PT_FEAT_DYNAMIC_TOP flag should simply be removed from its
configuration.

Here is the proposed patch to fix the issue:

--- a/drivers/iommu/iommufd/selftest.c
+++ b/drivers/iommu/iommufd/selftest.c
@@ -483,8 +483,7 @@ mock_domain_alloc_pgtable(struct device *dev,

         cfg.common.hw_max_vasz_lg2 =3D 64;
         cfg.common.hw_max_oasz_lg2 =3D 52;
- cfg.common.features =3D BIT(PT_FEAT_DYNAMIC_TOP) |
-      BIT(PT_FEAT_AMDV1_ENCRYPT_TABLES) |
+ cfg.common.features =3D BIT(PT_FEAT_AMDV1_ENCRYPT_TABLES) |
                       BIT(PT_FEAT_AMDV1_FORCE_COHERENCE);
         cfg.starting_level =3D 2;
         mock->domain.ops =3D &amdv1_ops;

Reproducer:
The issue can be reproduced using the following syzkaller program:

# {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1
Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false
NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false
KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false
Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false
HandleSegv:false Trace:false CallComments:true
LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
open_by_handle_at(0xffffffffffffffff,
&(0x7f0000000240)=3D@reiserfs_2=3D{0x8, 0x2, {0xb, 0xb}}, 0x0)
r0 =3D openat$iommufd(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0)
ioctl$IOMMU_IOAS_ALLOC(r0, 0x3b81, &(0x7f00000000c0)=3D{0xc, 0x0, <r1=3D>0x=
0})
ioctl$IOMMU_TEST_OP_MOCK_DOMAIN(r0, 0x3ba0, &(0x7f0000000100)=3D{0x48,
0x2, r1, 0x0, 0x0, 0x0, <r2=3D>0x0})
ioctl$IOMMU_HWPT_ALLOC$TEST(r0, 0x3b89, &(0x7f0000000200)=3D{0x28, 0x2,
r2, r1, 0x0, 0x0, 0xdead, 0x8, &(0x7f0000000240)})

C reproducer:
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

uint64_t r[3] =3D {0xffffffffffffffff, 0x0, 0x0};

int main(void)
{
    syscall(__NR_mmap, /*addr=3D*/0x1ffffffff000ul, /*len=3D*/0x1000ul,
/*prot=3D*/0ul, /*flags=3DMAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul,
/*fd=3D*/(intptr_t)-1, /*offset=3D*/0ul);
    syscall(__NR_mmap, /*addr=3D*/0x200000000000ul, /*len=3D*/0x1000000ul,
/*prot=3DPROT_WRITE|PROT_READ|PROT_EXEC*/7ul,
/*flags=3DMAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul,
/*fd=3D*/(intptr_t)-1, /*offset=3D*/0ul);
    syscall(__NR_mmap, /*addr=3D*/0x200001000000ul, /*len=3D*/0x1000ul,
/*prot=3D*/0ul, /*flags=3DMAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul,
/*fd=3D*/(intptr_t)-1, /*offset=3D*/0ul);
    const char* reason;
    (void)reason;
    intptr_t res =3D 0;
    if (write(1, "executing program\n", sizeof("executing program\n") - 1))=
 {}
    *(uint32_t*)0x200000000240 =3D 8;
    *(uint32_t*)0x200000000244 =3D 2;
    *(uint32_t*)0x200000000248 =3D 0xb;
    *(uint32_t*)0x20000000024c =3D 0xb;
    syscall(__NR_open_by_handle_at, /*mountdirfd=3D*/(intptr_t)-1,
/*handle=3D*/0x200000000240ul, /*flags=3D*/0ul);
    memcpy((void*)0x200000000080, "/dev/iommu\000", 11);
    res =3D syscall(__NR_openat, /*fd=3D*/0xffffffffffffff9cul,
/*file=3D*/0x200000000080ul, /*flags=3D*/0, /*mode=3D*/0);
    if (res !=3D -1)
        r[0] =3D res;
    *(uint32_t*)0x2000000000c0 =3D 0xc;
    *(uint32_t*)0x2000000000c4 =3D 0;
    res =3D syscall(__NR_ioctl, /*fd=3D*/r[0], /*cmd=3D*/0x3b81,
/*arg=3D*/0x2000000000c0ul);
    if (res !=3D -1)
        r[1] =3D *(uint32_t*)0x2000000000c8;
    *(uint32_t*)0x200000000100 =3D 0x48;
    *(uint32_t*)0x200000000104 =3D 2;
    *(uint32_t*)0x200000000108 =3D r[1];
    *(uint32_t*)0x20000000010c =3D 0;
    res =3D syscall(__NR_ioctl, /*fd=3D*/r[0], /*cmd=3D*/0x3ba0,
/*arg=3D*/0x200000000100ul);
    if (res !=3D -1)
        r[2] =3D *(uint32_t*)0x200000000118;
    *(uint32_t*)0x200000000200 =3D 0x28;
    *(uint32_t*)0x200000000204 =3D 2;
    *(uint32_t*)0x200000000208 =3D r[2];
    *(uint32_t*)0x20000000020c =3D r[1];
    *(uint32_t*)0x200000000214 =3D 0;
    *(uint32_t*)0x200000000218 =3D 0xdead;
    *(uint32_t*)0x20000000021c =3D 8;
    *(uint64_t*)0x200000000220 =3D 0x200000000240;
    *(uint32_t*)0x200000000240 =3D 0xbadbeef;
    syscall(__NR_ioctl, /*fd=3D*/r[0], /*cmd=3D*/0x3b89, /*arg=3D*/0x200000=
000200ul);
    return 0;
}

If you have any other questions, please let me know.

Best regards,
Yue