{"id":2224153,"url":"http://patchwork.ozlabs.org/api/patches/2224153/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-pci/patch/ca5ae5e05074f4dc9cd18e0ae06a9daac60a60f8.1776381841.git.nicolinc@nvidia.com/","project":{"id":28,"url":"http://patchwork.ozlabs.org/api/projects/28/?format=json","name":"Linux PCI development","link_name":"linux-pci","list_id":"linux-pci.vger.kernel.org","list_email":"linux-pci@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<ca5ae5e05074f4dc9cd18e0ae06a9daac60a60f8.1776381841.git.nicolinc@nvidia.com>","list_archive_url":null,"date":"2026-04-16T23:28:36","name":"[v3,07/11] iommu: Add iommu_report_device_broken() to quarantine a broken device","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"7decc5ce2831b9cfc1a8bca73e1adfa0331bf5f2","submitter":{"id":82183,"url":"http://patchwork.ozlabs.org/api/people/82183/?format=json","name":"Nicolin Chen","email":"nicolinc@nvidia.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linux-pci/patch/ca5ae5e05074f4dc9cd18e0ae06a9daac60a60f8.1776381841.git.nicolinc@nvidia.com/mbox/","series":[{"id":500217,"url":"http://patchwork.ozlabs.org/api/series/500217/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-pci/list/?series=500217","date":"2026-04-16T23:28:31","name":"iommu/arm-smmu-v3: Quarantine device upon ATC invalidation timeout","version":3,"mbox":"http://patchwork.ozlabs.org/series/500217/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2224153/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2224153/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n 
<linux-pci+bounces-52667-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-pci@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=Nvidia.com header.i=@Nvidia.com header.a=rsa-sha256\n header.s=selector2 header.b=hnsM1dNs;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=linux-pci+bounces-52667-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com\n header.b=\"hnsM1dNs\"","smtp.subspace.kernel.org;\n arc=fail smtp.client-ip=52.101.193.58","smtp.subspace.kernel.org;\n dmarc=pass (p=reject dis=none) header.from=nvidia.com","smtp.subspace.kernel.org;\n spf=fail smtp.mailfrom=nvidia.com"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fxZDS5NZPz1yDF\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 17 Apr 2026 09:37:12 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id CFA9A31CEE1E\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 16 Apr 2026 23:29:44 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 853293A168D;\n\tThu, 16 Apr 2026 23:29:43 +0000 (UTC)","from CH1PR05CU001.outbound.protection.outlook.com\n (mail-northcentralusazon11010058.outbound.protection.outlook.com\n [52.101.193.58])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 
(256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id D5CF13A1696;\n\tThu, 16 Apr 2026 23:29:41 +0000 (UTC)","from SJ2PR07CA0022.namprd07.prod.outlook.com (2603:10b6:a03:505::24)\n by IA0PPF6E99B1BC1.namprd12.prod.outlook.com (2603:10b6:20f:fc04::bd1) with\n Microsoft SMTP Server (version=TLS1_2,\n cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9818.20; Thu, 16 Apr\n 2026 23:29:37 +0000","from SJ1PEPF00002315.namprd03.prod.outlook.com\n (2603:10b6:a03:505:cafe::fd) by SJ2PR07CA0022.outlook.office365.com\n (2603:10b6:a03:505::24) with Microsoft SMTP Server (version=TLS1_3,\n cipher=TLS_AES_256_GCM_SHA384) id 15.20.9769.52 via Frontend Transport; Thu,\n 16 Apr 2026 23:29:36 +0000","from mail.nvidia.com (216.228.117.160) by\n SJ1PEPF00002315.mail.protection.outlook.com (10.167.242.169) with Microsoft\n SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id\n 15.20.9769.17 via Frontend Transport; Thu, 16 Apr 2026 23:29:36 +0000","from rnnvmail202.nvidia.com (10.129.68.7) by mail.nvidia.com\n (10.129.200.66) with Microsoft SMTP Server (version=TLS1_2,\n cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Thu, 16 Apr\n 2026 16:29:16 -0700","from rnnvmail203.nvidia.com (10.129.68.9) by rnnvmail202.nvidia.com\n (10.129.68.7) with Microsoft SMTP Server (version=TLS1_2,\n cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.20; Thu, 16 Apr\n 2026 16:29:15 -0700","from Asurada-Nvidia.nvidia.com (10.127.8.11) by mail.nvidia.com\n (10.129.68.9) with Microsoft SMTP Server id 15.2.2562.20 via Frontend\n Transport; Thu, 16 Apr 2026 16:29:12 -0700"],"ARC-Authentication-Results":["i=2; smtp.subspace.kernel.org;\n dmarc=pass (p=reject dis=none) header.from=nvidia.com;\n spf=fail smtp.mailfrom=nvidia.com;\n dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com\n header.b=hnsM1dNs; arc=fail smtp.client-ip=52.101.193.58","i=1; mx.microsoft.com 1; spf=pass (sender ip is\n 216.228.117.160) smtp.rcpttodomain=kernel.org smtp.mailfrom=nvidia.com;\n dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com;\n dkim=none (message not signed); arc=none (0)"],"X-MS-Exchange-Authentication-Results":"spf=pass (sender IP is 216.228.117.160)\n smtp.mailfrom=nvidia.com; dkim=none (message not signed)\n header.d=none;dmarc=pass action=none header.from=nvidia.com;","Received-SPF":"Pass (protection.outlook.com: domain of nvidia.com designates\n 216.228.117.160 as permitted sender) receiver=protection.outlook.com;\n client-ip=216.228.117.160; helo=mail.nvidia.com; pr=C","From":"Nicolin Chen <nicolinc@nvidia.com>","To":"Will Deacon <will@kernel.org>, Robin Murphy <robin.murphy@arm.com>, \"Joerg\n Roedel\" <joro@8bytes.org>, Bjorn Helgaas <bhelgaas@google.com>, \"Jason\n Gunthorpe\" <jgg@nvidia.com>","CC":"\"Rafael J . 
Wysocki\" <rafael@kernel.org>, Len Brown <lenb@kernel.org>,\n\tPranjal Shrivastava <praan@google.com>, Mostafa Saleh <smostafa@google.com>,\n\tLu Baolu <baolu.lu@linux.intel.com>, Kevin Tian <kevin.tian@intel.com>,\n\t<linux-arm-kernel@lists.infradead.org>, <iommu@lists.linux.dev>,\n\t<linux-kernel@vger.kernel.org>, <linux-acpi@vger.kernel.org>,\n\t<linux-pci@vger.kernel.org>, <vsethi@nvidia.com>, Shuai Xue\n\t<xueshuai@linux.alibaba.com>","Subject":"[PATCH v3 07/11] iommu: Add iommu_report_device_broken() to\n quarantine a broken device","Date":"Thu, 16 Apr 2026 16:28:36 -0700","Message-ID":"\n <ca5ae5e05074f4dc9cd18e0ae06a9daac60a60f8.1776381841.git.nicolinc@nvidia.com>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"<cover.1776381841.git.nicolinc@nvidia.com>","References":"<cover.1776381841.git.nicolinc@nvidia.com>","Precedence":"bulk","X-Mailing-List":"linux-pci@vger.kernel.org","List-Id":"<linux-pci.vger.kernel.org>","List-Subscribe":"<mailto:linux-pci+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-pci+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Content-Type":"text/plain","X-NV-OnPremToCloud":"ExternallySecured","X-EOPAttributedMessage":"0","X-MS-PublicTrafficType":"Email","X-MS-TrafficTypeDiagnostic":"SJ1PEPF00002315:EE_|IA0PPF6E99B1BC1:EE_","X-MS-Office365-Filtering-Correlation-Id":"8618dd01-c63a-4e6c-7376-08de9c100619","X-MS-Exchange-SenderADCheck":"1","X-MS-Exchange-AntiSpam-Relay":"0","X-Microsoft-Antispam":"\n\tBCL:0;ARA:13230040|1800799024|7416014|376014|82310400026|36860700016|56012099003|22082099003|18002099003;","X-Forefront-Antispam-Report":"\n\tCIP:216.228.117.160;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:dc6edge1.nvidia.com;CAT:NONE;SFS:(13230040)(1800799024)(7416014)(376014)(82310400026)(36860700016)(56012099003)(22082099003)(18002099003);DIR:OUT;SFP:1101;","X-MS-Exchange-AntiSpam-MessageData-ChunkCount":"1","X-OriginatorOrg":"Nvidia.com","X-MS-Exchange-CrossTenant-OriginalArrivalTime":"16 Apr 2026 23:29:36.7630\n (UTC)","X-MS-Exchange-CrossTenant-Network-Message-Id":"\n 8618dd01-c63a-4e6c-7376-08de9c100619","X-MS-Exchange-CrossTenant-Id":"43083d15-7273-40c1-b7db-39efd9ccc17a","X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp":"\n TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.117.160];Helo=[mail.nvidia.com]","X-MS-Exchange-CrossTenant-AuthSource":"\n\tSJ1PEPF00002315.namprd03.prod.outlook.com","X-MS-Exchange-CrossTenant-AuthAs":"Anonymous","X-MS-Exchange-CrossTenant-FromEntityHeader":"HybridOnPrem","X-MS-Exchange-Transport-CrossTenantHeadersStamped":"IA0PPF6E99B1BC1"},"content":"When an IOMMU 
hardware detects an error due to a faulty device (e.g. an ATS\ninvalidation timeout), IOMMU drivers may quarantine the device by disabling\nspecific hardware features or dropping translation capabilities.\n\nHowever, the core-level states of the faulty device are out of sync, as the\ndevice can be still attached to a translation domain or even potentially be\nmoved to a new domain that might overwrite the driver-level quarantine.\n\nGiven that such an error can likely be triggered from an ISR, introduce an\nasynchronous broken_work per group_device, and provide a helper function to\nallow driver initiate a quarantine in the core.\n\nNote that the worker function must not use dev->iommu_group that is NULLed\nby iommu_deinit_device() holding group->mutex. The cancel_work_sync() only\ngets called afterwards outside the mutex. So, this would be a NULL pointer\ndereference. Add a stable group backpointer to struct group_device instead.\n\nSigned-off-by: Nicolin Chen <nicolinc@nvidia.com>\n---\n include/linux/iommu.h |   6 +++\n drivers/iommu/iommu.c | 100 ++++++++++++++++++++++++++++++++++++++++++\n 2 files changed, 106 insertions(+)","diff":"diff --git a/include/linux/iommu.h b/include/linux/iommu.h\nindex 3c5c5fa5cdc6a..97d0e5b90c58f 100644\n--- a/include/linux/iommu.h\n+++ b/include/linux/iommu.h\n@@ -893,6 +893,8 @@ static inline struct iommu_device *__iommu_get_iommu_dev(struct device *dev)\n #define iommu_get_iommu_dev(dev, type, member) \\\n \tcontainer_of(__iommu_get_iommu_dev(dev), type, member)\n \n+void iommu_report_device_broken(struct device *dev);\n+\n static inline void iommu_iotlb_gather_init(struct iommu_iotlb_gather *gather)\n {\n \t*gather = (struct iommu_iotlb_gather) {\n@@ -1207,6 +1209,10 @@ struct iommu_iotlb_gather {};\n struct iommu_dirty_bitmap {};\n struct iommu_dirty_ops {};\n \n+static inline void iommu_report_device_broken(struct device *dev)\n+{\n+}\n+\n static inline bool device_iommu_capable(struct device *dev, enum iommu_cap cap)\n {\n 
\treturn false;\ndiff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c\nindex 810e7b94a1ae2..bb00918e1b70d 100644\n--- a/drivers/iommu/iommu.c\n+++ b/drivers/iommu/iommu.c\n@@ -73,6 +73,7 @@ struct iommu_group {\n };\n \n struct group_device {\n+\tstruct iommu_group *group;\n \tstruct list_head list;\n \tstruct device *dev;\n \tchar *name;\n@@ -81,10 +82,12 @@ struct group_device {\n \t * retained. This can happen when:\n \t *  - Device is undergoing a reset\n \t *  - Device failed the last reset\n+\t *  - Device is broken and quarantined\n \t */\n \tbool blocked;\n \tunsigned int reset_depth;\n \tstruct rcu_head rcu;\n+\tstruct work_struct broken_work;\n };\n \n /* Iterate over each struct group_device in a struct iommu_group */\n@@ -170,6 +173,7 @@ static struct group_device *iommu_group_alloc_device(struct iommu_group *group,\n \t\t\t\t\t\t     struct device *dev);\n static void __iommu_group_free_device(struct iommu_group *group,\n \t\t\t\t      struct group_device *grp_dev);\n+static void iommu_group_broken_worker(struct work_struct *work);\n static void iommu_domain_init(struct iommu_domain *domain, unsigned int type,\n \t\t\t      const struct iommu_ops *ops);\n \n@@ -752,6 +756,8 @@ static void __iommu_group_free_device(struct iommu_group *group,\n \tsysfs_remove_link(group->devices_kobj, grp_dev->name);\n \tsysfs_remove_link(&dev->kobj, \"iommu_group\");\n \n+\t/* Must wait for broken_work to prevent UAF */\n+\tcancel_work_sync(&grp_dev->broken_work);\n \ttrace_remove_device_from_group(group->id, dev);\n \n \tkfree(grp_dev->name);\n@@ -1284,6 +1290,8 @@ static struct group_device *iommu_group_alloc_device(struct iommu_group *group,\n \t\treturn ERR_PTR(-ENOMEM);\n \n \tdevice->dev = dev;\n+\tdevice->group = group;\n+\tINIT_WORK(&device->broken_work, iommu_group_broken_worker);\n \n \tret = sysfs_create_link(&dev->kobj, &group->kobj, \"iommu_group\");\n \tif (ret)\n@@ -4178,6 +4186,98 @@ void pci_dev_reset_iommu_done(struct pci_dev *pdev, bool 
reset_succeeds)\n }\n EXPORT_SYMBOL_GPL(pci_dev_reset_iommu_done);\n \n+static void iommu_group_broken_worker(struct work_struct *work)\n+{\n+\tstruct group_device *gdev =\n+\t\tcontainer_of(work, struct group_device, broken_work);\n+\tstruct iommu_group *group = gdev->group;\n+\tstruct device *dev = gdev->dev;\n+\n+\tmutex_lock(&group->mutex);\n+\n+\t/*\n+\t * iommu_deinit_device() frees dev->iommu under group->mutex. Bail\n+\t * out if the device has already been removed from IOMMU handling.\n+\t */\n+\tif (!dev_has_iommu(dev))\n+\t\tgoto out_unlock;\n+\n+\tif (gdev->blocked) {\n+\t\tdev_dbg(dev, \"IOMMU has already quarantined the device\\n\");\n+\t\tgoto out_unlock;\n+\t}\n+\n+\t/*\n+\t * Quarantine the device completely. For a PCI device, it will be lifted\n+\t * upon a pci_dev_reset_iommu_done(pdev, succeeds=true) call indicating\n+\t * a device recovery.\n+\t *\n+\t * For a non-PCI device, currently it has no recovery framework tied to\n+\t * the IOMMU subsystem. Quarantine it indefinitely until a recovery path\n+\t * is introduced.\n+\t */\n+\tif (!WARN_ON(__iommu_group_block_device(group, gdev)))\n+\t\tdev_warn(dev, \"IOMMU has quarantined the device\\n\");\n+\n+out_unlock:\n+\tmutex_unlock(&group->mutex);\n+\tiommu_group_put(group);\n+}\n+\n+/**\n+ * iommu_report_device_broken() - Report a broken device to quarantine it\n+ * @dev: Device that has encountered an unrecoverable IOMMU-related error\n+ *\n+ * When an IOMMU driver detects a critical error caused by a device (e.g. an ATC\n+ * invalidation timeout), this function should be used to quarantine the device\n+ * at the IOMMU core level.\n+ *\n+ * The quarantine moves the device's RID and PASIDs to group->blocking_domain to\n+ * prevent any further DMA/ATS activity that can potentially corrupt the system\n+ * memory due to stale device cache entries.\n+ *\n+ * This function is safe to call from any context, including interrupt handlers,\n+ * as it schedules the actual quarantine work asynchronously. 
The caller should\n+ * have already taken driver-level measures (e.g., disabling ATS in hardware) to\n+ * contain the fault immediately, before calling this function.\n+ *\n+ * For PCI devices, the quarantine will be lifted by a successful device reset\n+ * via pci_dev_reset_iommu_done(). For non-PCI devices, the quarantine remains\n+ * in effect indefinitely until a recovery mechanism is introduced.\n+ *\n+ * If the device is concurrently being removed or has already been removed from\n+ * the IOMMU subsystem, this function will silently return without any action.\n+ */\n+void iommu_report_device_broken(struct device *dev)\n+{\n+\tstruct iommu_group *group = iommu_group_get(dev);\n+\tstruct group_device *gdev;\n+\tbool scheduled = false;\n+\n+\tif (!group)\n+\t\treturn;\n+\tif (!dev_has_iommu(dev))\n+\t\tgoto out;\n+\n+\trcu_read_lock();\n+\t/*\n+\t * Note the device might have been concurrently removed from the group\n+\t * (list_del_rcu) before iommu_deinit_device() cleared the dev->iommu.\n+\t */\n+\tlist_for_each_entry_rcu(gdev, &group->devices, list) {\n+\t\tif (gdev->dev != dev)\n+\t\t\tcontinue;\n+\t\t/* iommu_group_broken_worker() must put the group ref */\n+\t\tscheduled = schedule_work(&gdev->broken_work);\n+\t\tbreak;\n+\t}\n+\trcu_read_unlock();\n+out:\n+\tif (!scheduled)\n+\t\tiommu_group_put(group);\n+}\n+EXPORT_SYMBOL_GPL(iommu_report_device_broken);\n+\n #if IS_ENABLED(CONFIG_IRQ_MSI_IOMMU)\n /**\n  * iommu_dma_prepare_msi() - Map the MSI page in the IOMMU domain\n","prefixes":["v3","07/11"]}
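Review bot: The new group member of struct group_device in drivers/iommu/iommu.c carries no comment, and the reason for it (dev->iommu_group is NULLed by iommu_deinit_device(), so the worker needs a stable backpointer) appears only in the commit message. A one-line comment on the field saying that, and that the worker relies on the reference taken in iommu_report_device_broken() to keep the group alive, would stop a later cleanup from switching it back to dev->iommu_group.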
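Review bot: In __iommu_group_free_device() the return value of cancel_work_sync(&grp_dev->broken_work) is ignored, so a work item that is cancelled while still pending never runs iommu_group_broken_worker(), and the group reference taken by iommu_group_get() in iommu_report_device_broken() is never dropped. Consider calling iommu_group_put(group) when cancel_work_sync() returns true. The comment above the call could also state that it must run without group->mutex held, because the worker takes that mutex and cancel_work_sync() waits for a running worker to finish.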
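Review bot: In iommu_report_device_broken(), nothing in the visible lines orders schedule_work(&gdev->broken_work) against the cancel_work_sync() in __iommu_group_free_device(). The in-code comment acknowledges that the entry may already have been removed with list_del_rcu, and an RCU reader that still sees it can queue the work after the cancel has returned, which leaves a queued work item on a group_device that is about to be freed. A per-entry flag set before the cancel and tested before scheduling, or disable_work_sync() in place of cancel_work_sync(), would close that window. Separately, WARN_ON(__iommu_group_block_device(group, gdev)) in the worker discards the error code on a path that faulty hardware can provoke; a dev_err() that prints the return value would say more than a bare WARN.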