[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 2/2] iommu/amd-vi: do not zero IOMMU MMIO region

  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Wed, 6 May 2026 10:58:07 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=T1bIEWEl09txaJq9NaXywCmuWvzukYda6goVbTYM4oI=; b=c0iesZzn/cPne/agN0nm19tdrL/QJvO0po7FeJq/bJHInwni4+Q1IOVL/PyEkYyOG07wx26YS8FkE/2Dkc/T4/HwGMQ9MEPnY90xchwgjXqNc1ZvWztNsV4HbmqO4CrGVJAt/ig3kmQWos260NZwMW8BLCjyMWSfZerq1IPTfE0PgO8kWo2SnnpjDikuOQj1Eo9t/ghcs4REcQXtL6zk8DJpfwFq4tGDk50A1FcJjOm1XIFd9+P7tSxw1xFANunqviYHAEaxGFJ+wJ0bzcK/y7ZEPjc+ITd7cxgtZ9WSLt38uQlp0zn1amAjwtxMsKYBXPyFAld6hpO3k8jVbljH7w==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=gLsRfbpiN6+6haQ15mjdG+ylwRsdoG9mVL2hsVw0hFSHyHgomP1WxusuhSXNt1Laf+P506vCBxKHPAP76k5bgKuhv86ag8cU+Rgu3XqltnOy6KaBNnA5UbRq3TSbyoZUpgs4NVQDPkrQvEy9HMKakPoiWEjwwcgNbD3J2JYjXfgc1HG6OiG0zOtyGBSV7FyIbDrNzk6GA4GheC46YKgFaJ4Nh/2BHS9ohlM5lG+LfleZzV+2I39Prp2ZF6CAFbUAQuo/4/V5pZiH8ltQhwnkhl1gMFD8xkceVme9mcZPU928SynB8H3XXn1WfMmtAd/4KB/Z2iL4YN5FH4bK8Prhtg==
  • Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=citrix.com header.i="@citrix.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck"
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Jan Beulich <jbeulich@xxxxxxxx>, Jason Andryuk <jason.andryuk@xxxxxxx>, Teddy Astie <teddy.astie@xxxxxxxxxx>
  • Delivery-date: Wed, 06 May 2026 08:58:24 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Wed, May 06, 2026 at 09:20:07AM +0100, Andrew Cooper wrote:
> On 06/05/2026 8:37 am, Roger Pau Monne wrote:
> > Attempting to memset the whole IOMMU MMIO region to zero is dangerous to
> > say the least.  We don't know what registers might be there, neither what
> > values might be safe for those registers.
> 
> Minor grammar.  "there, nor which values".
> 
> > On a forthcoming platform doing
> > the zeroing of the MMIO region can put the IOMMU in a broken state,
> 
> "does put"
> 
> > which is not recovered by the IOMMU initialization procedure in Xen.
> 
> "recoverable".
> 
> > diff --git a/xen/drivers/passthrough/amd/iommu_init.c 
> > b/xen/drivers/passthrough/amd/iommu_init.c
> > index 76ae78e5ea53..8bf5ca4de18f 100644
> > --- a/xen/drivers/passthrough/amd/iommu_init.c
> > +++ b/xen/drivers/passthrough/amd/iommu_init.c
> > @@ -1367,11 +1355,14 @@ static int __init amd_iommu_prepare_one(struct 
> > amd_iommu *iommu)
> >  {
> >      int rc = alloc_ivrs_mappings(iommu->sbdf.seg);
> >  
> > -    if ( !rc )
> > -        rc = map_iommu_mmio_region(iommu);
> >      if ( rc )
> >          return rc;
> >  
> > +    iommu->mmio_base = ioremap(iommu->mmio_base_phys,
> > +                               IOMMU_MMIO_REGION_LENGTH);
> > +    if ( !iommu->mmio_base )
> > +        return -ENOMEM;
> > +
> >      get_iommu_features(iommu);
> >  
> >      /*
> > @@ -1381,6 +1372,11 @@ static int __init amd_iommu_prepare_one(struct 
> > amd_iommu *iommu)
> >      if ( amd_iommu_max_paging_mode < amd_iommu_min_paging_mode )
> >          return -ERANGE;
> >  
> > +    /* Read current control register and forcefully disable the IOMMU. */
> > +    iommu->ctrl.raw = readq(iommu->mmio_base + IOMMU_CONTROL_MMIO_OFFSET);
> > +    disable_iommu(iommu, true);
> > +    iommu->ctrl.raw = 0;
> > +
> >      return 0;
> >  } 
> 
> These two things are unrelated at want splitting into separate patches
> at a minimum.  The removal of memset() critically needs backporting.

But is it safe to backport the memset without also backporting the
disabling side?  We might then be dealing with an enabled IOMMU which
could lead to all sorts of fun.

> As for disabling the IOMMU, I'm not certain it's wise.
> 
> Linux can already "bring up" an already-live IOMMU and Xen needs to gain
> this ability in due course.  This is mainly for supporting PreBoot DMA
> Protection, but also for things like the kexec environment.

Note that Linux (when not booted from kdump) will do a similar sequence of
what I'm attempting to do here for Xen and will call iommu_disable()
ahead of attempting to enable the IOMMU.

I understand that when Xen supports kdump or preboot DMA protection we
would need to be more careful there, but going from zeroing the whole
MMIO area (which disables everything) to not doing any kind of
disabling is IMO a dangerous approach, and I would rather backport a
change that at least attempts to make sure the IOMMU is disabled.

Thanks, Roger.

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.