Re: [PATCH] iommu/vt-d: Fix UCTP context table slot when copying root entries

[Samiullah Khawaja]

On Mon, Jun 22, 2026 at 10:35:40AM -0300, Desnes Nunes wrote:
> When translation is already enabled at boot (e.g. kdump), the vt-d driver
> copies context tables from the previous kernel's root table. In scalable
> mode, buses that only populate the upper root half (UCTP, devfn >= 0x80)
> should be written to ctxt_tbls[tbl_idx + 1] through copy_context_table().
> However, the current copy path always uses tbl[tbl_idx + 0] in this situa-
> tion. Since idx wraps to 0 at devfn 0x80 due to a zeroed LCTP, new_ce for
> LCTP will be NULL and keep pos equals to 0. Thus, UCTP entries will be co-
> pied into tbl[tbl_idx + 0] instead of tbl[tbl_idx + 1], and written after-
> wards to root_entry[bus].lo instead of .hi in copy_translation_tables().
>
> As consequence, devices on bus 0x80 with devfn >= 0x80 fail DMA with
> fault 0x39, which breaks drivers running in kernels with translation
> pre-enabled. This fixes NO_PASID DMAR faults for UCTP-only buses such as:
>
> DMAR: [DMA Read NO_PASID] Request device [80:14.0] fault addr 0xe81759000 [fault reason 0x39] SM: Present bit in Root Entry is clear
>
> Fixes: 091d42e43d21 ("iommu/vt-d: Copy translation tables from old kernel")
> Signed-off-by: Desnes Nunes <desnesn@xxxxxxxxxx>
> ---
> drivers/iommu/intel/iommu.c | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
> index 4d0e65bc131d..737936f942a0 100644
> --- a/drivers/iommu/intel/iommu.c
> +++ b/drivers/iommu/intel/iommu.c
> @@ -1443,7 +1443,7 @@ static int copy_context_table(struct intel_iommu *iommu,
> 			      struct context_entry **tbl,
> 			      int bus, bool ext)
> {
> -	int tbl_idx, pos = 0, idx, devfn, ret = 0, did;
> +	int tbl_idx, tbl_slot = 0, idx, devfn, ret = 0, did;
> 	struct context_entry *new_ce = NULL, ce;
> 	struct context_entry *old_ce = NULL;
> 	struct root_entry re;
> @@ -1459,10 +1459,9 @@ static int copy_context_table(struct intel_iommu *iommu,
> 		if (idx == 0) {
> 			/* First save what we may have and clean up */
> 			if (new_ce) {
> -				tbl[tbl_idx] = new_ce;
> +				tbl[tbl_idx + tbl_slot] = new_ce;
> 				__iommu_flush_cache(iommu, new_ce,
> 						    VTD_PAGE_SIZE);
> -				pos = 1;
> 			}
>
> 			if (old_ce)
> @@ -1484,6 +1483,9 @@ static int copy_context_table(struct intel_iommu *iommu,
> 				}
> 			}
>
> +			/* Track if saving UCTP or LCTP entries in scalable mode */
> +			tbl_slot = ext && devfn >= 0x80 ? 1 : 0;
> +
> 			ret = -ENOMEM;
> 			old_ce = memremap(old_ce_phys, PAGE_SIZE,
> 					MEMREMAP_WB);
> @@ -1512,7 +1514,7 @@ static int copy_context_table(struct intel_iommu *iommu,
> 		new_ce[idx] = ce;
> 	}
>
> -	tbl[tbl_idx + pos] = new_ce;
> +	tbl[tbl_idx + tbl_slot] = new_ce;
>
> 	__iommu_flush_cache(iommu, new_ce, VTD_PAGE_SIZE);
>
> --
> 2.54.0

Reviewed-by: Samiullah Khawaja <skhawaja@xxxxxxxxxx>