Linux-PCI Archive mirror
From: Wei Wang <wei.w.wang@hotmail.com>
To: bhelgaas@google.com, jgg@nvidia.com, jonathan.cameron@huawei.com,
	dan.carpenter@linaro.org, akpm@linux-foundation.org,
	bp@alien8.de, rdunlap@infradead.org, alex@shazbot.org,
	kevin.tian@intel.com, manivannan.sadhasivam@oss.qualcomm.com
Cc: linux-kernel@vger.kernel.org, linux-pci@vger.kernel.org,
	wei.w.wang@hotmail.com
Subject: [PATCH v7 0/6] PCI: Add support for ACS Enhanced Capability
Date: Wed,  6 May 2026 22:10:28 +0800
Message-ID: <SI2PR01MB439385689A32A1DDA9CEABE1DC3F2@SI2PR01MB4393.apcprd01.prod.exchangelabs.com>

This patchset improves the core ACS implementation and adds support for
the Access Control Services (ACS) Enhanced Capability, introduced with
PCIe Gen 5.

Improvements to the core ACS implementation include:
- Validating ACS enable flags against device-specific capabilities rather
  than generic kernel masks. This ensures only supported features are
  enabled while safely ignoring attempts to disable unsupported bits.

- Consolidating delimiter parsing into pci_dev_str_match() and returning
  -ENODEV when no further entries can be parsed. This removes duplicated
  logic in callers.

- Refactoring ACS parameter handling by splitting the intertwined
  disable_acs_redir and config_acs param logic into dedicated functions.
  This improves maintainability and robustness while optimizing parsing
  with better validation and readability.

- Updating the config_acs kernel parameter documentation to include an
  example of multi-device configuration with distinct settings and
  advising users to quote the parameter to avoid bootloader parsing
  issues with the semicolon separator.

Support for the ACS Enhanced Capability is built on top of this improved
implementation. This capability provides additional access control
features that improve device isolation — particularly important in
virtualization scenarios where devices are passed through to different
virtual machines (VMs). Strong isolation is critical to ensure security
between devices assigned to different VMs and the host.

In Linux, device grouping assumes that devices in separate IOMMU groups
are properly isolated. To uphold this assumption, the enhanced ACS
controls are enabled by default on hardware that supports the PCI_ACS_ECAP
capability. As with other basic ACS access controls, these new controls
can be configured via the config_acs= boot parameter.

Support for checking the enhanced ACS controls on Root and Downstream
Ports has been added to pci_acs_enabled(). On devices that support
PCI_ACS_ECAP, these controls must be properly enabled. To maintain
compatibility with legacy devices that lack PCI_ACS_ECAP support,
pci_acs_enabled() simply skips the check.

v6->v7 changes:
 - Rebased onto next-20260506 (based on v7.1-rc2)
 - Picked up Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
 - No functional changes
 v6 Link: https://lore.kernel.org/all/SEZPR01MB439931D7320F6C476D181C1EDC44A@SEZPR01MB4399.apcprd01.prod.exchangelabs.com/

v5->v6 changes:
- Patch 3: In pci_dev_str_match(), explicitly set `ret = 0` when no
  matching string is found. This resolves a smatch warning that `ret`
  returned from sscanf() may be 2 or 4 even though no matching string
  is found in the later comparison.
  v5 Link: https://lore.kernel.org/all/SI2PR01MB439326AF08A79D1C5661C29BDC6CA@SI2PR01MB4393.apcprd01.prod.exchangelabs.com/

v4->v5 changes:
- Added significant refactoring of the core ACS implementation (Patches
  1-4) to improve validation, safety, and readability;
- For USP and DSP Memory Target Access Control, added masks and enum
  values for the encodings and explicitly rejected the reserved encoding
  (0b11);
- In pci_acs_ecap_enabled(), removed the use of 'is_dsp' variable.
  v4 Link: https://lore.kernel.org/all/SI2PR01MB43932C799AE9111C7D2C319FDC65A@SI2PR01MB4393.apcprd01.prod.exchangelabs.com/

v3->v4 changes:
- In pci_acs_ecap_enabled(): Check the pcie type for
  PCI_EXP_TYPE_DOWNSTREAM explicitly.
  v3 Link: https://lore.kernel.org/all/SI2PR01MB439325B4E44D5A39F34A4015DC9AA@SI2PR01MB4393.apcprd01.prod.exchangelabs.com/

v2->v3 changes:
- Drop the warning when a device has no support for the enhanced
  capability.
  v2 Link: https://lore.kernel.org/all/SI2PR01MB4393B836EA4FEDD1823483BADC94A@SI2PR01MB4393.apcprd01.prod.exchangelabs.com/

v1->v2 changes:
- Enabled all enhanced ACS controls by default, rather than just Unclaimed
  Request Redirect (which addressed the primary issue we encountered);
- Added checks for enhanced ACS controls on Root and Downstream Ports in
  pci_acs_enabled() to ensure proper enablement when grouping devices or
  enabling features such as IOMMU PASID.
  v1 Link: https://lore.kernel.org/all/SI2PR01MB43931A911357962A5E986FFEDC8CA@SI2PR01MB4393.apcprd01.prod.exchangelabs.com/

Thanks to Jason Gunthorpe, Jonathan Cameron and Dan Carpenter for reviewing the patchset.

Patches on github: https://github.com/wei-w-wang/linux/tree/v7-acs-enhanced-cap-and-refactor

Wei Wang (6):
  PCI: Validate ACS enable flags against device-specific ACS
    capabilities
  Documentation/kernel-parameters: Add multi-device config_acs example
  PCI: Consolidate delimiter handling into pci_dev_str_match()
  PCI: Refactor disable_acs_redir and config_acs param handling
  PCI: Enable the enhanced ACS controls introduced by PCI_ACS_ECAP
  PCI: Add the enhanced ACS controls check to pci_acs_flags_enabled()

 .../admin-guide/kernel-parameters.txt         |  32 +-
 drivers/pci/pci.c                             | 274 ++++++++++++------
 include/uapi/linux/pci_regs.h                 |  13 +
 3 files changed, 224 insertions(+), 95 deletions(-)


base-commit: 735d2f48cadaa9a87e7c7601667878de70c771c5
-- 
2.51.0
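
The first improvement listed in the cover letter (validating enable flags against the device's own ACS capabilities while ignoring disables of unsupported bits) can be sketched as follows. This is an added example, not code from the patch series: `acs_apply_flags()` is a hypothetical name, rejecting an unsupported enable is an assumed policy, and only the basic ACS bits already in `pci_regs.h` are modelled, not the PCI_ACS_ECAP controls, whose bit values are not on this page.

```c
#include <stdint.h>
#include <string.h>

/* Basic ACS bits from include/uapi/linux/pci_regs.h; the same positions
 * are used in the ACS Capability and ACS Control registers. */
#define PCI_ACS_SV 0x0001 /* Source Validation */
#define PCI_ACS_TB 0x0002 /* Translation Blocking */
#define PCI_ACS_RR 0x0004 /* P2P Request Redirect */
#define PCI_ACS_CR 0x0008 /* P2P Completion Redirect */
#define PCI_ACS_UF 0x0010 /* Upstream Forwarding */
#define PCI_ACS_EC 0x0020 /* P2P Egress Control */
#define PCI_ACS_DT 0x0040 /* Direct Translated P2P */

/*
 * Hypothetical helper (not the patch's code). Parses a config_acs flag
 * string ('1' enable, '0' disable, 'x' keep; rightmost char is bit 0)
 * and applies it to the current ACS Control value `ctrl` of a device
 * whose ACS Capability register reads `cap`.
 * Returns the new control value, or -1 on a malformed string or a
 * request to enable a bit the device does not implement.
 */
int acs_apply_flags(const char *flags, uint16_t cap, uint16_t ctrl)
{
	size_t len = strlen(flags);
	uint16_t enable = 0, disable = 0;

	if (len == 0 || len > 16)
		return -1;
	for (size_t i = 0; i < len; i++) {
		uint16_t bit = (uint16_t)(1u << (len - 1 - i));

		switch (flags[i]) {
		case '1': enable |= bit; break;
		case '0': disable |= bit; break;
		case 'x': break;
		default:  return -1;
		}
	}
	/* Assumed policy: enabling an unsupported bit is an error, so a
	 * caller never believes isolation is on when hardware lacks it. */
	if (enable & ~cap)
		return -1;
	/* Disabling an unsupported bit is a no-op; drop it silently. */
	disable &= cap;
	return (ctrl & ~disable) | enable;
}
```

Checking against the device's capability register rather than a kernel-wide mask matters for IOMMU grouping: a control that reads as requested but is not implemented by the port provides no isolation.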


Thread overview: 17+ messages
2026-05-06 14:10 Wei Wang [this message]
2026-05-06 14:10 ` [PATCH v7 1/6] PCI: Validate ACS enable flags against device-specific ACS capabilities Wei Wang
2026-05-06 20:01   ` sashiko-bot
2026-05-06 14:10 ` [PATCH v7 2/6] Documentation/kernel-parameters: Add multi-device config_acs example Wei Wang
2026-05-06 20:12   ` sashiko-bot
2026-05-06 22:06   ` Randy Dunlap
2026-05-07 13:45     ` Wei Wang
2026-05-06 14:10 ` [PATCH v7 3/6] PCI: Consolidate delimiter handling into pci_dev_str_match() Wei Wang
2026-05-06 16:13   ` Wei Wang
2026-05-06 20:37   ` sashiko-bot
2026-05-06 14:10 ` [PATCH v7 4/6] PCI: Refactor disable_acs_redir and config_acs param handling Wei Wang
2026-05-06 21:07   ` sashiko-bot
2026-05-13 10:09     ` Wei Wang
2026-05-06 14:10 ` [PATCH v7 5/6] PCI: Enable the enhanced ACS controls introduced by PCI_ACS_ECAP Wei Wang
2026-05-06 21:32   ` sashiko-bot
2026-05-06 14:10 ` [PATCH v7 6/6] PCI: Add the enhanced ACS controls check to pci_acs_flags_enabled() Wei Wang
2026-05-06 21:57   ` sashiko-bot
