From nobody Sun Dec 14 08:04:33 2025
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	arc=fail (BodyHash is different from the expected one);
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1747341649917181.38437750430694;
 Thu, 15 May 2025 13:40:49 -0700 (PDT)
Received: by lists.libvirt.org (Postfix, from userid 996)
	id DED6E146D; Thu, 15 May 2025 16:40:48 -0400 (EDT)
Received: from lists.libvirt.org (localhost [IPv6:::1])
	by lists.libvirt.org (Postfix) with ESMTP id 2741B140C;
	Thu, 15 May 2025 16:37:37 -0400 (EDT)
Received: by lists.libvirt.org (Postfix, from userid 996)
	id B8B1A12ED; Thu, 15 May 2025 16:37:23 -0400 (EDT)
Received: from NAM11-BN8-obe.outbound.protection.outlook.com
 (mail-bn8nam11on2052.outbound.protection.outlook.com [40.107.236.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 8EDB714A9
	for <devel@lists.libvirt.org>; Thu, 15 May 2025 16:37:07 -0400 (EDT)
Received: from SN7PR12MB6838.namprd12.prod.outlook.com (2603:10b6:806:266::18)
 by SJ2PR12MB8135.namprd12.prod.outlook.com (2603:10b6:a03:4f3::13) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8722.32; Thu, 15 May
 2025 20:37:05 +0000
Received: from SN7PR12MB6838.namprd12.prod.outlook.com
 ([fe80::529d:478:bc5d:b400]) by SN7PR12MB6838.namprd12.prod.outlook.com
 ([fe80::529d:478:bc5d:b400%3]) with mapi id 15.20.8722.027; Thu, 15 May 2025
 20:37:05 +0000
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=0.2 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED,
	FORGED_SPF_HELO,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,
	RCVD_IN_MSPIKE_H2,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_HELO_PASS autolearn=no
	autolearn_force=no version=3.4.4
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
 b=ZzqmbNHNLl4oEsgnil2PO5hyL3DY1xQ+1lO7otf34xIJobVtijMvjXAuzvayiN7iAAdnne5luw1ksdtpHSjtlT3aSy3AEtlK6JcxLQUiZBNIefXPYPdb5zEtpJkmIc2fEC2TJyfJpmU0b0uj8KQdTEL66jWe7jBBZvPqexswHhie8HXvfRL8Q2Wga0Ey1nDmyicC0DPjPA+MOw2cGFmD7ZLVNi4XevPi4utwCeJPyNuORXx0VjXV9VUKTBuqE8e5nb4Sd/v4YSXJ4LsF8vm2VhRVrzFGmLVqQ0/gLOT+XUUfVGOPlqnq198++dQLUjvHWqGM00pmHJmhWR/NRe/D5w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector10001;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=Y9SS5T7Hrevpp5wvQ6NifOlG+soeXSEHniQBfJD4Bwc=;
 b=snCxaMj88y60DBMQTWyCnc/vDWbu/igpP/+k+ULRl7EF9StAYhBDxvSXG9fGLXVZ3VjAWW1ADvdBPra9owqXV0PiNrmTZCR7mbeOn+cS+e/k32jwYm08iOCyU1u5HIhbXb/VntPUlphB4ItNzYYQEs7BXuteW72YouIdjbk1kUOe6ktJwoae0TD8Sk5/eV68+Kt7rYnChFE2IrUVDzITdqpcgufiRzYE4ud08v35gzcvzvST9xxtO59HsfhaHhdY00Y44/FlrM6kwZFBIMC+tBmMKcM+7hx42KHa2B8f/HGoesYqN5W5EFSXtMPYD6W7mZr05OKrM0Sy2b/T9wN5tQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=nvidia.com; dmarc=pass action=none header.from=nvidia.com;
 dkim=pass header.d=nvidia.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com;
 s=selector2;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=Y9SS5T7Hrevpp5wvQ6NifOlG+soeXSEHniQBfJD4Bwc=;
 b=CERvQhctDo/8Kqm0ZPfrbCN0AOr0ucSkfyDWDxOdMr0QjYq+ge41UfjnD1CyY39jNfsThUgPXHOrW1z9pbHsNMmrRQ+nVJUg+hJZ2TY/tTIat9avRYjCdM9qUhizcItPsajOQQA/eJlc+qwKmk45QCzwV+jadgHA2qNr/7yyA8++2rv46v06JMC8qhxD5nA0HQl8HAI8Qp28jD0S4+DzY2MtZuTFzIHa+rjsvDpZyBv4vh0sjLeXPOMMMRroRfhjadVy0HAHkwaDLhW2l5DN0lm+MTEd+y0BLavjdQDHVff2PpjLzJBWN9yiMtEj9RipbyTRfs2Mmg2sooPc1MGxpg==
Authentication-Results: dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=nvidia.com;
To: devel@lists.libvirt.org
Subject: [RFC PATCH 4/5] qemu: Update Cgroup and namespace for qemu to access
 iommufd paths
Date: Thu, 15 May 2025 13:36:42 -0700
Message-ID: <20250515203643.21109-5-nathanc@nvidia.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20250515203643.21109-1-nathanc@nvidia.com>
References: <20250515203643.21109-1-nathanc@nvidia.com>
X-ClientProxiedBy: SJ0PR05CA0065.namprd05.prod.outlook.com
 (2603:10b6:a03:332::10) To SN7PR12MB6838.namprd12.prod.outlook.com
 (2603:10b6:806:266::18)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: SN7PR12MB6838:EE_|SJ2PR12MB8135:EE_
X-MS-Office365-Filtering-Correlation-Id: 553df518-2e52-4198-3975-08dd93f0412f
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;ARA:13230040|376014|1800799024|366016;
X-Microsoft-Antispam-Message-Info: 
 =?us-ascii?Q?85VlOnGvd91iHC8Owkunkpyel0POehdI82khVelRW6lIFUjNHC7Pl0yVk+3g?=
 =?us-ascii?Q?JPkvb9Fn0HAt7EWxuBMk1+2A7qQ+tT1uMtGGDWykzmkA6JeXPqiKByxqACWV?=
 =?us-ascii?Q?B/TP3jnvHOxyDEpHQp4o/Fx/ILCq6NxwVSN8NvTwPGLlwgVdjkuHQlmu/8iS?=
 =?us-ascii?Q?1RSGwsEWPa0x+l3UbfVM27yGwj/uJXOu6hi/98Y9Zkdm8R9K0XiL9bScAOkU?=
 =?us-ascii?Q?fCcLRx0TRNhIVOHTNooqW3pjTGVsBBnFTuaShG/JG0eZAXYYj63qKBkkApsM?=
 =?us-ascii?Q?78E5LvGwBucEb1K7Sfpk5ATOaZno62XUac98JkmYA0cpA+sertjEAB9VqLiA?=
 =?us-ascii?Q?7puvzir9klVKcCnhtse/5nqzmYTqTRGXC8CuX1+fgMmXz7+VeKr6Ih1MZMvc?=
 =?us-ascii?Q?llB+wvnYtk2Rx+YqZegjbR8z+6+/YwTJqoiHGyTz/XVTNwCP0s8tdllGWbt+?=
 =?us-ascii?Q?2cKkBo86iO66daAKIc718FBwU/OFG6cOeWwg0+gbpM2QLsbPhIBzBYV7VQaP?=
 =?us-ascii?Q?Setw/MXffaczamqO3pBd38YSKPFUPtHWd454mGfrTmxrWNP7spR4PeNTc6TQ?=
 =?us-ascii?Q?gI30L0czuEiWT+gqjo94knSTKJzBYs0ybj60sdxCXK8X8My5DFkWPnvHb2Nu?=
 =?us-ascii?Q?YMMaN8EY+DVPDaGJaTLuM2BWdzqbHSEQLDQkj+xpwR2ze0RqknVrxptPK0nh?=
 =?us-ascii?Q?ILCYG3BQTnnbm1buoR2nVqF0PwN5Dajk816ftu19lOKuSPF/Muzzqnj2WlL6?=
 =?us-ascii?Q?dtB1usVJf1QN06JsiDrEcIfRtLZrW8nh6z0wsF/MzIXAJPvxBre30awli/dK?=
 =?us-ascii?Q?nF0d4RBlY1d/vekD2zTRATBhDWr6Aof1Kpx9Da65PHhcKnOpijX+uTmW6xkI?=
 =?us-ascii?Q?94pPBkTDqpK04dUE8D+kUr7wlombHcUp0mymY1OOe2yGkuN18/o+/uLahWsk?=
 =?us-ascii?Q?PrRTCPoxesl3X6TpUjHn8iuoYiTOmIfMnrmOmAtRMQyWIS0YUF9nB4WyAdKn?=
 =?us-ascii?Q?kD7DNcNg8OVskX6hZf7qJKFzDTvgx9H5BoZGa9zZf0+dDGfTr/UXWUbHgUoG?=
 =?us-ascii?Q?85fZpcgT1CDCmYnd4wdpyH0eZZJXgVOtkMMaQc8JlGM+rXrM/EVGItNK/DkD?=
 =?us-ascii?Q?ItuuBn/7KIFa7m6HI2oo9q8MQt4pT7AZg4dinRuRF3YbgAuJFpck5Sqmk+9d?=
 =?us-ascii?Q?13DObR6HwGc1oJA6Dm9Qyvb4tm1MEdXDjmy26IGrF9LLPUV3J5euV1qeyP5I?=
 =?us-ascii?Q?EA7g3BBpBFNg2azrkfXQxjKDiyiL6S/NhoVjqMQCatI+foi8ZVnlBiaMx4bf?=
 =?us-ascii?Q?n089+LNJOlpkBvu3FT9XSVgmcKeEogvSbgHNANeFnQ3Q1rXc89BO5MMHbsDo?=
 =?us-ascii?Q?U7ypcvxtS5HIkCKqDwhrtgkCIJXsX1dF6oMopAKVDIewuPoSDw=3D=3D?=
X-Forefront-Antispam-Report: 
 CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SN7PR12MB6838.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(376014)(1800799024)(366016);DIR:OUT;SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
 =?us-ascii?Q?N4mfxJsP6qTgPj3kCkqUM/WiihuDTvjp2DhIPvCRXi/jRNmxKCbYLUveavOu?=
 =?us-ascii?Q?zXxVpCBmsnteaY1CWx/e9GPgPC3tnTVAcCPkAaxlnZ3e4L1DQ1IHSF/lHTUh?=
 =?us-ascii?Q?6XSIkDSN9rTDBU+hA8KjyZTdOEdQaEhf9cA2SrC2BucIq9JO43uhk4xvoAGX?=
 =?us-ascii?Q?KGKTof0OR8+HlOoXebjojEvwfThLDCOs5PczOK4uROyUXAH0TEkr8Cxw4V8+?=
 =?us-ascii?Q?atlzJtVAFCGv/NZ6uAgO/AM0HYRBqBK3gd5fOAjQ17i9atzjOKpmU25qlOwU?=
 =?us-ascii?Q?cpJc44NGAtucDfkY53EI1HCR5gdQTzDOqPnVdN0S7jxjilD2CNqCPL6iRI/g?=
 =?us-ascii?Q?mkMKhLZ3dA54oxDSDfOWCdtnAHdzPjh75tbOvgZ70P9MgtRy9kwvGB6zZo/H?=
 =?us-ascii?Q?w4TfYABx9i4nxD5qUF1+ZHdIndGqqE4glf/PZRgdf3aEnsEEChq5GfOgX8vk?=
 =?us-ascii?Q?JX0xkUNX/9TY5xSw20fRSICZ6az+Kaemb/FsgewvM1q5I0iGuw/RHbcb22Fy?=
 =?us-ascii?Q?6BGOAc9UdCqlRDodnFVjWYKDac3q7yjtGynkaqI1mRIvTcxN2GQns4CuV+om?=
 =?us-ascii?Q?wrLrXkqef9Ifc3j570+eoIIk5ucuNTk4vSl0C2/na60wBjYR8c34DFCNZ8TT?=
 =?us-ascii?Q?t/+33p1isInvZPSaPQaHAVcjb1xxvo6c/heS8wMuetp8yejExHoPg5sONj0w?=
 =?us-ascii?Q?z1Uie7lPWam+gWpdKiF/+2KGoy9/pPG2s4dS5lly1l9CFnEWKCH0CiDTrm6V?=
 =?us-ascii?Q?kdffa1TivKBaNHgOAqLn8a9vv/bD7nFPqkYXOEm3j1Dc/E0I1HYafNOiHs4a?=
 =?us-ascii?Q?TMKlZf/4I3DZsF9DjpCX8i2xfkn9DE16DL8Kzjz/JAGRYs02Fy/hGcX1rBDV?=
 =?us-ascii?Q?iNnmk3GBKwzaBtk3n7hHPKgfpvXIMoFRcOVhgWXfliM+Qwq3NcjnVhB40d3h?=
 =?us-ascii?Q?GyW+tngoxltwzOF5OwePSWvzpDUbOT2hKy0dgPNogK9jmJfkQ3v41ojF7ys9?=
 =?us-ascii?Q?WOqXQjo/jVyBGljSsZyXcq9ac7qKiSu3hkkS5kz9KccMhwb7lGNP9x3/u/Vs?=
 =?us-ascii?Q?QNk3vxFjqbgQKWBW1lhxXX5kb+E6uHM7rgqu9kUpDwPTIcaSGfjoSBCbbjkT?=
 =?us-ascii?Q?0VJ7Vxv280CmOZdr/l+nJdGlPTlWD55vZToCVwpb4ru7NdNztlw7RZutNvu+?=
 =?us-ascii?Q?zcKCgNEjlgKThK5GbDdp341kVnBf4lb6A4/OsZ7uRky6FcbiQ4mKRBIdRfl6?=
 =?us-ascii?Q?VoYf/t2it4UQpBU7Tnpc0RRaEAreaw1hurgQthFUVcXQwWRpcYWoECXYyryM?=
 =?us-ascii?Q?kE8YcyVH/i1bMyPaSeYxWLq1CHRJISBYgh0ftscLsue2TXl1fJsuPvIx+GkB?=
 =?us-ascii?Q?ntYV5eJGT8v9/Ovs2UdLfaCticdHA1R+bY1Caar2kUL8Sbl/kEuT8Fa+9Kbq?=
 =?us-ascii?Q?UyPaJbjS4K0HwYlS2JMxCrZLPylXaNjT+drLKiwSlYiPPu73zlv1qFJTf6MA?=
 =?us-ascii?Q?IlXOQ6K2A9G5EOxsqTa8Yzy1gxdbuiohV5LMhV4OD2Znl9KdvMmM9ZFSatcb?=
 =?us-ascii?Q?rXNe+b9KqcgDqpwWIm1m7xlMMeME/YHWChW6diaV?=
X-OriginatorOrg: Nvidia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 553df518-2e52-4198-3975-08dd93f0412f
X-MS-Exchange-CrossTenant-AuthSource: SN7PR12MB6838.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 May 2025 20:37:05.2715
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 5zNEw5uLtQpdvJKwsXdjCKVG+QVFiQXVwmdCdF9UU4BckjbFEjNqaqVptsgmG5O+lbM5irPCn5fJibeUivSj5Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ2PR12MB8135
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: QZHJUZFOZ2N4SVLWJHCKSPU4ZMFEEGNX
X-Message-ID-Hash: QZHJUZFOZ2N4SVLWJHCKSPU4ZMFEEGNX
X-MailFrom: nathanc@nvidia.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-config-1;
 header-match-config-2; header-match-config-3;
 header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 suspicious-header
CC: shameerali.kolothum.thodi@huawei.com, nicolinc@nvidia.com,
 Nathan Chen <nathanc@nvidia.com>
X-Mailman-Version: 3.2.2
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/QZHJUZFOZ2N4SVLWJHCKSPU4ZMFEEGNX/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Nathan Chen via Devel <devel@lists.libvirt.org>
Reply-To: Nathan Chen <nathanc@nvidia.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1747341650462116600
Content-Type: text/plain; charset="utf-8"

Allow access to /dev/iommu and /dev/vfio/devices/vfio* when launching a qemu
VM with iommufd feature enabled.

Signed-off-by: Nathan Chen <nathanc@nvidia.com>
---
 src/qemu/qemu_cgroup.c    | 47 +++++++++++++++++++++++++++++++++++++++
 src/qemu/qemu_cgroup.h    |  1 +
 src/qemu/qemu_namespace.c | 36 ++++++++++++++++++++++++++++++
 3 files changed, 84 insertions(+)

diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 48af467bf9..df4e73ad15 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -462,6 +462,47 @@ qemuTeardownInputCgroup(virDomainObj *vm,
 }
=20
=20
+int
+qemuSetupIommufdCgroup(virDomainObj *vm)
+{
+    qemuDomainObjPrivate *priv =3D vm->privateData;
+    g_autoptr(DIR) dir =3D NULL;
+    struct dirent *dent;
+    g_autofree char *path =3D NULL;
+
+    if (vm->def->iommu && vm->def->niommus > 0 &&
+        /* Check if iommufd is enabled */
+        vm->def->iommu[0]->iommufd) {
+        if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DE=
VICES))
+            return 0;
+        if (virDirOpen(&dir, "/dev/vfio/devices") < 0) {
+            if (errno =3D=3D ENOENT)
+                return 0;
+            return -1;
+        }
+        while (virDirRead(dir, &dent, "/dev/vfio/devices") > 0) {
+            if (STRPREFIX(dent->d_name, "vfio")) {
+                path =3D g_strdup_printf("/dev/vfio/devices/%s", dent->d_n=
ame);
+            }
+            if (path &&
+                qemuCgroupAllowDevicePath(vm, path,
+                                          VIR_CGROUP_DEVICE_RW, false) < 0=
) {
+                return -1;
+            }
+            path =3D NULL;
+        }
+        if (virFileExists("/dev/iommu"))
+            path =3D g_strdup("/dev/iommu");
+        if (path &&
+            qemuCgroupAllowDevicePath(vm, path,
+                                      VIR_CGROUP_DEVICE_RW, false) < 0) {
+            return -1;
+        }
+    }
+    return 0;
+}
+
+
 /**
  * qemuSetupHostdevCgroup:
  * vm: domain object
@@ -830,6 +871,12 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
             return -1;
     }
=20
+    if (vm->def->iommu && vm->def->niommus > 0 &&
+        vm->def->iommu[0]->iommufd) {
+        if (qemuSetupIommufdCgroup(vm) < 0)
+            return -1;
+    }
+
     for (i =3D 0; i < vm->def->nmems; i++) {
         if (qemuSetupMemoryDevicesCgroup(vm, vm->def->mems[i]) < 0)
             return -1;
diff --git a/src/qemu/qemu_cgroup.h b/src/qemu/qemu_cgroup.h
index 3668034cde..bea677ba3c 100644
--- a/src/qemu/qemu_cgroup.h
+++ b/src/qemu/qemu_cgroup.h
@@ -42,6 +42,7 @@ int qemuSetupHostdevCgroup(virDomainObj *vm,
 int qemuTeardownHostdevCgroup(virDomainObj *vm,
                               virDomainHostdevDef *dev)
    G_GNUC_WARN_UNUSED_RESULT;
+int qemuSetupIommufdCgroup(virDomainObj *vm);
 int qemuSetupMemoryDevicesCgroup(virDomainObj *vm,
                                  virDomainMemoryDef *mem);
 int qemuTeardownMemoryDevicesCgroup(virDomainObj *vm,
diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index 59421ec9d1..150c6ceae3 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -676,6 +676,39 @@ qemuDomainSetupLaunchSecurity(virDomainObj *vm,
 }
=20
=20
+static int
+qemuDomainSetupIommufd(virDomainObj *vm,
+                       GSList **paths)
+{
+    g_autoptr(DIR) dir =3D NULL;
+    struct dirent *dent;
+    g_autofree char *path =3D NULL;
+
+    /* Check if iommufd is enabled */
+    if (vm->def->iommu && vm->def->niommus > 0 &&
+        vm->def->iommu[0]->iommufd) {
+        if (virDirOpen(&dir, "/dev/vfio/devices") < 0) {
+            if (errno =3D=3D ENOENT)
+                return 0;
+            return -1;
+        }
+        while (virDirRead(dir, &dent, "/dev/vfio/devices") > 0) {
+            if (STRPREFIX(dent->d_name, "vfio")) {
+                path =3D g_strdup_printf("/dev/vfio/devices/%s", dent->d_n=
ame);
+                *paths =3D g_slist_prepend(*paths, g_steal_pointer(&path));
+            }
+        }
+        path =3D NULL;
+        if (virFileExists("/dev/iommu"))
+            path =3D g_strdup("/dev/iommu");
+        if (path)
+            *paths =3D g_slist_prepend(*paths, g_steal_pointer(&path));
+    }
+
+    return 0;
+}
+
+
 static int
 qemuNamespaceMknodPaths(virDomainObj *vm,
                         GSList *paths,
@@ -699,6 +732,9 @@ qemuDomainBuildNamespace(virQEMUDriverConfig *cfg,
     if (qemuDomainSetupAllDisks(vm, &paths) < 0)
         return -1;
=20
+    if (qemuDomainSetupIommufd(vm, &paths) < 0)
+        return -1;
+
     if (qemuDomainSetupAllHostdevs(vm, &paths) < 0)
         return -1;
=20
--=20
2.43.0