From nobody Sun Feb 8 17:36:47 2026 Received: from mail-pl1-f201.google.com (mail-pl1-f201.google.com [209.85.214.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 53730361DDF for ; Thu, 29 Jan 2026 21:25:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769721953; cv=none; b=B2Z6Ji5Z6sf2eAljwo5SO8HQFF8xgbv5XkfcjJGcRPtDqahu6XOYO7F8tqikassGyRNEY0uuon/YjtiFJkJtdjkp+HB5sMpbsIL0kx06cU7G6Co6JQs9rwdNQ9uqguIQyPR39hnTkf1lsTxDke4Z1B05S/FZj4qEklQfyFRSD70= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769721953; c=relaxed/simple; bh=PH5iGzvJjXTHpagZy3PRNHKNaI45nyOejtuOEQ4Vpv0=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=jWgs9Zjbd8Us/WXLmMYNvBMUgZJog4hALyhMXBiCIhTXfqEwUlySclrdpFnmrRGP9Ufz3qcvy1AzVVQGxv3VjNV/qa6G4r5H1Q49aHyO8Rf1Apj0CfGFx+kaJc4aq6khAI2cv8aPxtmc++pEI+/1U+aTeeYPnUYPa6Sv0mwxn24= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--dmatlack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=C8e2Ortj; arc=none smtp.client-ip=209.85.214.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--dmatlack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="C8e2Ortj" Received: by mail-pl1-f201.google.com with SMTP id d9443c01a7336-2a871c32cdbso13762805ad.2 for ; Thu, 29 Jan 2026 13:25:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1769721951; x=1770326751; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=3umikqL/So8idv3VwvFYaIe6+4TeFw4VgnmENinGbaA=; b=C8e2OrtjW0pK6NU4+4pA7apan1abQ64W9AU73v+5MLSgoxU3PFLcQ35UnxyjSkvxW/ jHGFZ0Sly19gY9qnHYAz8wYk5VaqCdHZM2Cics4NzJGADMN6HvBtPJacvT1eGdo2suwt ZRhpTHioWcJ/pWkH0ykH2wBZy2qfsg2XW+OMkV0yYJMVLWQKMlkq16WIsS6txca3VotJ /nsOLnywSf0t5LPsRcB/2fTdZdo82Z7dYxby8mo6zDWAS6vlF4PYmOhwl6or4V/1gc9D hPaf+DOmaNpeQvVe1RnN7NwGGMG7zJ7jnVbWavgGDvg2WFb4KxJJzZQJx5nEe3d+Yclm xQTA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769721951; x=1770326751; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=3umikqL/So8idv3VwvFYaIe6+4TeFw4VgnmENinGbaA=; b=BiGtDurIMH+fYrYnS/6Y0BDHFOv1Eh/Hbwi/YWMOBgkh1y4FPGKjYa7jaJD1EA9kkA 6J/wn90C448eghXFCOzs0+BLnQIhH4Kfrh/xfmdI4xgTuyY2Gry+ErhAcmLqUQmGFMVz FvtJ7qTzgSZVLbp0Wb8RQLBb/S5FrpREEN06tPvaoaiG8p7Wt8n2lIyYXLvzVe4lGbId MhT6V9LIRu7msdvJynNJgwZV5ERYwtgjldD0HYgpKLyIS27RskUPlJAFO/2b1mH3sW+L WLt7EoRrFFq4R/ka+BaRvIvDwKgHZxj25/UPnwi1uCWIx7ATK3JI9Y70WPCX9ke1/CjF hYpg== X-Forwarded-Encrypted: i=1; AJvYcCUFiQpZ4ECQjlWj0ZpsA8PgBsTP0GMdiI6gl2rjoPq8aa9bceisKGvxDateB+eZtud6GcpKCTXAc3BMxY0=@vger.kernel.org X-Gm-Message-State: AOJu0YyzyE7auVPdfW8z1V9d2diGu3RHW4IEKguzsCGJGNwtn5uSIrbt xaU2tC2L+AOXeEyaY0GLT9zrrakPnzYXc+PmpXuIZvfhBSm8H5/zhrhFwzpPNJpjDZZ9gsErQLs 1lyqP4O3TnFbxCg== X-Received: from plrf5.prod.google.com ([2002:a17:902:ab85:b0:2a7:6c0c:5916]) (user=dmatlack job=prod-delivery.src-stubby-dispatcher) by 2002:a17:902:c952:b0:295:3584:1bbd with SMTP id d9443c01a7336-2a8d8176d76mr6976645ad.41.1769721950767; Thu, 29 Jan 2026 13:25:50 -0800 (PST) Date: Thu, 29 Jan 2026 21:24:55 +0000 In-Reply-To: <20260129212510.967611-1-dmatlack@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20260129212510.967611-1-dmatlack@google.com> X-Mailer: git-send-email 2.53.0.rc1.225.gd81095ad13-goog Message-ID: <20260129212510.967611-9-dmatlack@google.com> Subject: [PATCH v2 08/22] vfio: Enforce preserved devices are retrieved via LIVEUPDATE_SESSION_RETRIEVE_FD From: David Matlack To: Alex Williamson Cc: Adithya Jayachandran , Alexander Graf , Alex Mastro , Alistair Popple , Andrew Morton , Ankit Agrawal , Bjorn Helgaas , Chris Li , David Matlack , David Rientjes , Jacob Pan , Jason Gunthorpe , Jason Gunthorpe , Jonathan Corbet , Josh Hilke , Kevin Tian , kexec@lists.infradead.org, kvm@vger.kernel.org, Leon Romanovsky , Leon Romanovsky , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, linux-pci@vger.kernel.org, Lukas Wunner , "=?UTF-8?q?Micha=C5=82=20Winiarski?=" , Mike Rapoport , Parav Pandit , Pasha Tatashin , Pranjal Shrivastava , Pratyush Yadav , Raghavendra Rao Ananta , Rodrigo Vivi , Saeed Mahameed , Samiullah Khawaja , Shuah Khan , "=?UTF-8?q?Thomas=20Hellstr=C3=B6m?=" , Tomita Moeko , Vipin Sharma , Vivek Kasireddy , William Tu , Yi Liu , Zhu Yanjun Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Enforce that files for incoming (preserved by previous kernel) VFIO devices are retrieved via LIVEUPDATE_SESSION_RETRIEVE_FD rather than by opening the corresponding VFIO character device or via VFIO_GROUP_GET_DEVICE_FD. Both of these methods would result in VFIO initializing the device without access to the preserved state of the device passed by the previous kernel. Signed-off-by: David Matlack --- drivers/vfio/device_cdev.c | 4 ++++ drivers/vfio/group.c | 9 +++++++++ include/linux/vfio.h | 18 ++++++++++++++++++ 3 files changed, 31 insertions(+) diff --git a/drivers/vfio/device_cdev.c b/drivers/vfio/device_cdev.c index 935f84a35875..355447e2add3 100644 --- a/drivers/vfio/device_cdev.c +++ b/drivers/vfio/device_cdev.c @@ -57,6 +57,10 @@ int vfio_device_fops_cdev_open(struct inode *inode, stru= ct file *filep) struct vfio_device *device =3D container_of(inode->i_cdev, struct vfio_device, cdev); =20 + /* Device file must be retrieved via LIVEUPDATE_SESSION_RETRIEVE_FD */ + if (vfio_liveupdate_incoming_is_preserved(device)) + return -EBUSY; + return __vfio_device_fops_cdev_open(device, filep); } =20 diff --git a/drivers/vfio/group.c b/drivers/vfio/group.c index d47ffada6912..63fc4d656215 100644 --- a/drivers/vfio/group.c +++ b/drivers/vfio/group.c @@ -311,6 +311,15 @@ static int vfio_group_ioctl_get_device_fd(struct vfio_= group *group, if (IS_ERR(device)) return PTR_ERR(device); =20 + /* + * This device was preserved across a Live Update. Accessing it via + * VFIO_GROUP_GET_DEVICE_FD is not allowed. + */ + if (vfio_liveupdate_incoming_is_preserved(device)) { + vfio_device_put_registration(device); + return -EBUSY; + } + fd =3D FD_ADD(O_CLOEXEC, vfio_device_open_file(device)); if (fd < 0) vfio_device_put_registration(device); diff --git a/include/linux/vfio.h b/include/linux/vfio.h index dc592dc00f89..0921847b18b5 100644 --- a/include/linux/vfio.h +++ b/include/linux/vfio.h @@ -16,6 +16,7 @@ #include #include #include +#include =20 struct kvm; struct iommufd_ctx; @@ -431,4 +432,21 @@ static inline int __vfio_device_fops_cdev_open(struct = vfio_device *device, =20 struct vfio_device *vfio_find_device(const void *data, device_match_t matc= h); =20 +#ifdef CONFIG_LIVEUPDATE +static inline bool vfio_liveupdate_incoming_is_preserved(struct vfio_devic= e *device) +{ + struct device *d =3D device->dev; + + if (dev_is_pci(d)) + return to_pci_dev(d)->liveupdate_incoming; + + return false; +} +#else +static inline bool vfio_liveupdate_incoming_is_preserved(struct vfio_devic= e *device) +{ + return false; +} +#endif + #endif /* VFIO_H */ --=20 2.53.0.rc1.225.gd81095ad13-goog