Re: [PATCH] iommu/amd: Block identity domain when SNP enabled
From: Vasant Hegde
Date: Wed Mar 11 2026 - 12:16:06 EST
On 3/10/2026 5:22 AM, Joe Damato wrote:
>
> Previously, commit 8388f7df936b ("iommu/amd: Do not support
> IOMMU_DOMAIN_IDENTITY after SNP is enabled") prevented users from
> changing the IOMMU domain to identity if SNP was enabled.
>
> This resulted in an error when writing to sysfs:
>
> # echo "identity" > /sys/kernel/iommu_groups/50/type
> -bash: echo: write error: Cannot allocate memory
>
> However, commit 4402f2627d30 ("iommu/amd: Implement global identity
> domain") changed the flow of the code, skipping the SNP guard and
> allowing users to change the IOMMU domain to identity after a machine
> has booted.
>
> Once the user does that, they will probably try to bind and the
> device/driver will start to do DMA which will trigger errors:
>
> iommu ivhd3: AMD-Vi: Event logged [ILLEGAL_DEV_TABLE_ENTRY device=0000:43:00.0 pasid=0x00000 address=0x3737b01000 flags=0x0020]
> iommu ivhd3: AMD-Vi: Control Reg : 0xc22000142148d
> AMD-Vi: DTE[0]: 6000000000000003
> AMD-Vi: DTE[1]: 0000000000000001
> AMD-Vi: DTE[2]: 2000003088b3e013
> AMD-Vi: DTE[3]: 0000000000000000
> bnxt_en 0000:43:00.0 (unnamed net_device) (uninitialized): Error (timeout: 500015) msg {0x0 0x0} len:0
> iommu ivhd3: AMD-Vi: Event logged [ILLEGAL_DEV_TABLE_ENTRY device=0000:43:00.0 pasid=0x00000 address=0x3737b01000 flags=0x0020]
> iommu ivhd3: AMD-Vi: Control Reg : 0xc22000142148d
> AMD-Vi: DTE[0]: 6000000000000003
> AMD-Vi: DTE[1]: 0000000000000001
> AMD-Vi: DTE[2]: 2000003088b3e013
> AMD-Vi: DTE[3]: 0000000000000000
> bnxt_en 0000:43:00.0: probe with driver bnxt_en failed with error -16
>
> To prevent this from happening, create an attach wrapper for
> identity_domain_ops which returns EINVAL if amd_iommu_snp_en is true.
>
> With this commit applied:
>
> # echo "identity" > /sys/kernel/iommu_groups/62/type
> -bash: echo: write error: Invalid argument
>
> Fixes: 4402f2627d30 ("iommu/amd: Implement global identity domain")
> Signed-off-by: Joe Damato <joe@xxxxxxx>
Thanks for the fix.
Reviewed-by: Vasant Hegde <vasant.hegde@xxxxxxx>
-Vasant