[PATCH v3 05/18] iommu: Implement IOMMU domain preservation
From: Samiullah Khawaja
Date: Sun Jun 14 2026 - 19:39:35 EST
Add IOMMU domain ops that can be implemented by the IOMMU drivers if
they support IOMMU domain preservation across liveupdate. The new IOMMU
domain preserve, unpreserve and restore APIs call these ops to perform
respective live update operations.
Reviewed-by: Pranjal Shrivastava <praan@xxxxxxxxxx>
Signed-off-by: Samiullah Khawaja <skhawaja@xxxxxxxxxx>
---
drivers/iommu/liveupdate.c | 104 +++++++++++++++++++++++++++++++
include/linux/iommu-liveupdate.h | 14 +++++
include/linux/iommu.h | 5 ++
3 files changed, 123 insertions(+)
diff --git a/drivers/iommu/liveupdate.c b/drivers/iommu/liveupdate.c
index 45fae91b43ba..16a0f75a98e3 100644
--- a/drivers/iommu/liveupdate.c
+++ b/drivers/iommu/liveupdate.c
@@ -8,11 +8,15 @@
#define pr_fmt(fmt) "iommu: liveupdate: " fmt
#include <linux/errno.h>
+#include <linux/generic_pt/iommu.h>
#include <linux/iommu-liveupdate.h>
#include <linux/iommu.h>
#include <linux/kexec_handover.h>
#include <linux/liveupdate.h>
+#define iommu_max_objs_per_page(_array) \
+ ((PAGE_SIZE - sizeof(struct iommu_array_hdr_ser)) / sizeof((_array)->objects[0]))
+
struct iommu_flb_obj {
struct mutex lock;
struct iommu_flb_ser *ser;
@@ -210,3 +214,103 @@ void iommu_liveupdate_unregister_flb(struct liveupdate_file_handler *handler)
liveupdate_unregister_flb(handler, &iommu_flb);
}
EXPORT_SYMBOL(iommu_liveupdate_unregister_flb);
+
+static int alloc_object_ser(void **curr_array_ptr, u64 max_objs)
+{
+ struct iommu_array_hdr_ser *curr_array = *curr_array_ptr;
+ struct iommu_array_hdr_ser *next_array;
+
+ /*
+ * The objects marked as deleted are not reused to avoid traversal of
+ * linked-list and arrays.
+ */
+ if (curr_array->nr_objects >= max_objs) {
+ next_array = kho_alloc_preserve(PAGE_SIZE);
+ if (IS_ERR(next_array))
+ return PTR_ERR(next_array);
+
+ curr_array->next_array_phys = virt_to_phys(next_array);
+ *curr_array_ptr = next_array;
+ curr_array = next_array;
+ }
+
+ return curr_array->nr_objects++;
+}
+
+static struct iommu_domain_ser *alloc_iommu_domain_ser(struct iommu_flb_obj *flb)
+{
+ int idx;
+
+ idx = alloc_object_ser((void **) &flb->curr_domain_array,
+ iommu_max_objs_per_page(flb->curr_domain_array));
+ if (idx < 0)
+ return ERR_PTR(idx);
+
+ flb->curr_domain_array->objects[idx].hdr.ref_count = 1;
+ return &flb->curr_domain_array->objects[idx];
+}
+
+int iommu_preserve_domain(struct iommu_domain *domain, struct iommu_domain_ser **ser)
+{
+ struct pt_iommu *pt = iommupt_from_domain(domain);
+ struct iommu_domain_ser *domain_ser;
+ struct iommu_flb_obj *flb_obj;
+ int ret;
+
+ if (!pt || !pt->ops->preserve || !pt->ops->unpreserve)
+ return -EOPNOTSUPP;
+
+ ret = liveupdate_flb_get_outgoing(&iommu_flb, (void **)&flb_obj);
+ if (ret)
+ return ret;
+
+ guard(mutex)(&flb_obj->lock);
+ domain_ser = alloc_iommu_domain_ser(flb_obj);
+ if (IS_ERR(domain_ser))
+ return PTR_ERR(domain_ser);
+
+ ret = pt->ops->preserve(pt, domain_ser);
+ if (ret) {
+ domain_ser->hdr.flags |= IOMMU_SER_FLAG_DELETED;
+ return ret;
+ }
+
+ domain->preserved_state = domain_ser;
+ *ser = domain_ser;
+ return 0;
+}
+EXPORT_SYMBOL_GPL(iommu_preserve_domain);
+
+void iommu_unpreserve_domain(struct iommu_domain *domain)
+{
+ struct pt_iommu *pt = iommupt_from_domain(domain);
+ struct iommu_domain_ser *domain_ser;
+ struct iommu_flb_obj *flb_obj;
+ int ret;
+
+ if (WARN_ON(!pt || !pt->ops->unpreserve))
+ return;
+
+ ret = liveupdate_flb_get_outgoing(&iommu_flb, (void **)&flb_obj);
+ if (WARN_ON(ret))
+ return;
+
+ guard(mutex)(&flb_obj->lock);
+
+ if (!domain->preserved_state)
+ return;
+
+ /*
+ * There is no check for attached devices here. The correctness relies
+ * on the Live Update Orchestrator's session lifecycle. All resources
+ * (iommufd, vfio devices) are preserved within a single session. If the
+ * session is torn down, the .unpreserve callbacks for all files will be
+ * invoked, ensuring a consistent cleanup without needing explicit
+ * refcounting for the serialized objects here.
+ */
+ domain_ser = domain->preserved_state;
+ pt->ops->unpreserve(pt, domain_ser);
+ domain_ser->hdr.flags |= IOMMU_SER_FLAG_DELETED;
+ domain->preserved_state = NULL;
+}
+EXPORT_SYMBOL_GPL(iommu_unpreserve_domain);
diff --git a/include/linux/iommu-liveupdate.h b/include/linux/iommu-liveupdate.h
index 3d1c65ed76fa..0204e17996b0 100644
--- a/include/linux/iommu-liveupdate.h
+++ b/include/linux/iommu-liveupdate.h
@@ -12,6 +12,20 @@
#include <linux/liveupdate.h>
#include <linux/kho/abi/iommu.h>
+#ifdef CONFIG_IOMMU_LIVEUPDATE
+int iommu_preserve_domain(struct iommu_domain *domain, struct iommu_domain_ser **ser);
+void iommu_unpreserve_domain(struct iommu_domain *domain);
+#else
+static inline int iommu_preserve_domain(struct iommu_domain *domain, struct iommu_domain_ser **ser)
+{
+ return -EOPNOTSUPP;
+}
+
+static inline void iommu_unpreserve_domain(struct iommu_domain *domain)
+{
+}
+#endif
+
int iommu_liveupdate_register_flb(struct liveupdate_file_handler *handler);
void iommu_liveupdate_unregister_flb(struct liveupdate_file_handler *handler);
diff --git a/include/linux/iommu.h b/include/linux/iommu.h
index e587d4ac4d33..0bea1a57f4be 100644
--- a/include/linux/iommu.h
+++ b/include/linux/iommu.h
@@ -14,6 +14,7 @@
#include <linux/err.h>
#include <linux/of.h>
#include <linux/iova_bitmap.h>
+#include <linux/kho/abi/iommu.h>
#include <uapi/linux/iommufd.h>
#define IOMMU_READ (1 << 0)
@@ -249,6 +250,10 @@ struct iommu_domain {
struct list_head next;
};
};
+
+#ifdef CONFIG_IOMMU_LIVEUPDATE
+ struct iommu_domain_ser *preserved_state;
+#endif
};
static inline bool iommu_is_dma_domain(struct iommu_domain *domain)
--
2.54.0.1136.gdb2ca164c4-goog