On 2023/4/21 20:04, Jason Gunthorpe wrote:
@@ -2210,6 +2213,22 @@ static int __iommu_device_set_domain(struct iommu_group *group, { int ret;+ /*+ * If the driver has requested IOMMU_RESV_DIRECT then we cannot allow + * the blocking domain to be attached as it does not contain the + * required 1:1 mapping. This test effectively exclusive the device from + * being used with iommu_group_claim_dma_owner() which will block vfio + * and iommufd as well. + */ + if (dev->iommu->requires_direct && + (new_domain->type == IOMMU_DOMAIN_BLOCKED || + new_domain == group->blocking_domain)) { + dev_warn( + dev, + "Firmware has requested this device have a 1:1 IOMMU mapping, rejecting configuring the device without a 1:1 mapping. Contact your platform vendor."); + return -EINVAL; + } + if (dev->iommu->attach_deferred) { if (new_domain == group->default_domain) return 0;
How about enforcing this in iommu_group_claim_dma_owner() and change the iommu drivers to use "atomic replacement" instead of blocking translation transition when switching to a new domain? Assuming that the kernel drivers should always use the default domain, or handle the IOMMU_RESV_DIRECT by themselves if they decide to use its own unmanaged domain for kernel DMA. Best regards, baolu
