From: Chenyi Qiang
To: qemu-devel@nongnu.org
Cc: Chenyi Qiang, Alex Williamson, Cédric Le Goater, Zhenzhong Duan, Farrah Chen
Subject: [PATCH v2] vfio/container: Restrict dma_map_file() to shared RAM or RAM devices
Date: Wed, 27 May 2026 18:11:08 +0800
Message-ID: <20260527101109.71781-1-chenyi.qiang@intel.com>

vfio_container_dma_map() uses dma_map_file() whenever a RAMBlock has an fd and the VFIO IOMMU backend supports file-based DMA mapping. That is not correct for private file-backed guest RAM.

dma_map_file() resolves PFNs from the backing file, but private guest RAM mappings (MAP_PRIVATE) can run on different PFNs than the file because they are subject to copy-on-write (COW) anomalies.

As a result, using dma_map_file() on a privately mapped RAMBlock can program DMA against pages that do not back QEMU's actual guest memory.

Fix this by using dma_map_file() only for shared mapped RAMBlocks (MAP_SHARED) or RAM device regions.

Fixes: fb32965b6dd8 ("vfio/iommufd: use IOMMU_IOAS_MAP_FILE")
Reported-by: Farrah Chen
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220776
Reviewed-by: Zhenzhong Duan
Suggested-by: Cédric Le Goater
Signed-off-by: Chenyi Qiang
Reviewed-by: Cédric Le Goater
---
Changes in v2:
- Extract the dma_map_file check into a helper.
- Add the missing RAM device case which is also allowed by dma_map_file.
---
 hw/vfio/container.c | 34 +++++++++++++++++++++++++++++++---
 1 file changed, 31 insertions(+), 3 deletions(-)

diff --git a/hw/vfio/container.c b/hw/vfio/container.c
index 4c2816b574..56bd9ac009 100644
--- a/hw/vfio/container.c
+++ b/hw/vfio/container.c
@@ -74,15 +74,43 @@ void vfio_address_space_insert(VFIOAddressSpace *space, bcontainer->space =3D space; } =20 +static bool vfio_container_can_dma_map_file(VFIOContainer *bcontainer, + MemoryRegion *mr, int *fd) +{ + VFIOIOMMUClass *vioc =3D VFIO_IOMMU_GET_CLASS(bcontainer); + RAMBlock *rb =3D mr->ram_block; + + if (!vioc->dma_map_file || !rb) { + return false; + } + + *fd =3D qemu_ram_get_fd(rb); + if (*fd < 0) { + return false; + } + + /* + * We can use IOMMU DMA mapping (IOMMU_IOAS_MAP_FILE) for : + * + * 1) Guest RAM blocks explicitly configured as shared (MAP_SHARED) + * 2) RAM device sub-regions (MMIO BARs) + * + * Private RAM mappings (MAP_PRIVATE) are strictly excluded. Because + * they are subject to copy-on-write (COW) anomalies, their underlying + * PFNs can permanently diverge from the backing file + */ + return qemu_ram_is_shared(rb) || memory_region_is_ram_device(mr); +} + int vfio_container_dma_map(VFIOContainer *bcontainer, hwaddr iova, uint64_t size, void *vaddr, bool readonly, MemoryRegion *mr) { VFIOIOMMUClass *vioc =3D VFIO_IOMMU_GET_CLASS(bcontainer); - RAMBlock *rb =3D mr->ram_block; - int mfd =3D rb ? qemu_ram_get_fd(rb) : -1; + int mfd; =20 - if (mfd >=3D 0 && vioc->dma_map_file) { + if (vfio_container_can_dma_map_file(bcontainer, mr, &mfd)) { + RAMBlock *rb =3D mr->ram_block; unsigned long start =3D vaddr - qemu_ram_get_host_addr(rb); unsigned long offset =3D qemu_ram_get_fd_offset(rb); =20 --=20 2.43.5
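Review bot: the out-parameter contract of vfio_container_can_dma_map_file() is looser than the old code it replaces. `int mfd;` in vfio_container_dma_map() is no longer initialised, and the helper only stores to `*fd` after the `!vioc->dma_map_file || !rb` early return, so on that path `mfd` is left indeterminate; on the other false path (private RAM that is neither shared nor a RAM device) `*fd` holds a valid descriptor even though the helper said "no". Previously `mfd` was always either -1 or a usable fd. Either initialise `int mfd = -1;` and have the helper store only on success, or state in the helper's doc comment that `*fd` is meaningful only when it returns true. Minor comment nits in the same hunk: "for :" has a stray space before the colon, "backing file" lacks a terminating period, and "are strictly excluded. Because they are subject to ..." splits one sentence into a fragment (join with a comma).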
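As an added illustration of the copy-on-write divergence the commit message describes (this is not part of the patch or of QEMU's code): a write through a MAP_PRIVATE mapping is never reflected in the file, while a MAP_SHARED mapping stays coherent with it, which is why resolving PFNs from the file is only sound for shared mappings. The scratch file is constructed with tmpfile() and `mapping_tracks_file` is a hypothetical helper name.

```c
/* Added demonstration, not QEMU/VFIO code: after a write through a
 * MAP_PRIVATE mapping the kernel has copied the page, so the mapping's
 * PFN diverges from the file's page-cache page; MAP_SHARED writes land
 * in the file's own page and stay visible to readers of the file. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#define PAGE 4096

/* Returns 1 if a write made through a mapping created with `flags`
 * is visible when the file itself is read back, 0 if the mapping has
 * diverged from the file, -1 on setup failure. */
int mapping_tracks_file(int flags)
{
    FILE *tf = tmpfile();               /* constructed scratch file */
    if (!tf) {
        return -1;
    }
    int fd = fileno(tf);
    if (ftruncate(fd, PAGE) != 0) {     /* file starts as one zero page */
        fclose(tf);
        return -1;
    }
    char *map = mmap(NULL, PAGE, PROT_READ | PROT_WRITE, flags, fd, 0);
    if (map == MAP_FAILED) {
        fclose(tf);
        return -1;
    }

    /* MAP_SHARED: dirties the page-cache page backing the file.
     * MAP_PRIVATE: triggers copy-on-write; the mapping now uses a
     * private page the file knows nothing about. */
    memcpy(map, "guest-data", 10);

    char buf[10] = {0};
    ssize_t n = pread(fd, buf, sizeof buf, 0);   /* read the file, not the map */
    int tracks = (n == (ssize_t)sizeof buf) && memcmp(buf, "guest-data", 10) == 0;

    munmap(map, PAGE);
    fclose(tf);
    return tracks;
}

int main(void)
{
    printf("MAP_SHARED  tracks file: %d\n", mapping_tracks_file(MAP_SHARED));
    printf("MAP_PRIVATE tracks file: %d\n", mapping_tracks_file(MAP_PRIVATE));
    return 0;
}
```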