[PATCH V4 0/5] fixes for virtual address update

[PATCH V4 0/5] fixes for virtual address update

[Steve Sistare]

Fix bugs in the interfaces that allow the underlying memory object of an
iova range to be mapped in a new address space.  They allow userland to
indefinitely block vfio mediated device kernel threads, and do not
propagate the locked_vm count to a new mm.

The fixes impose restrictions that eliminate waiting conditions, so
revert the dead code:
  commit 898b9eaeb3fe ("vfio/type1: block on invalid vaddr")
  commit 487ace134053 ("vfio/type1: implement notify callback")
  commit ec5e32940cc9 ("vfio: iommu driver notify callback")

Changes in V2 (thanks Alex):
  * do not allow group attach while vaddrs are invalid
  * add patches to delete dead code
  * add WARN_ON for never-should-happen conditions
  * check for changed mm in unmap.
  * check for vfio_lock_acct failure in remap

Changes in V3 (ditto!):
  * return errno at WARN_ON sites, and make it unique
  * correctly check for dma task mm change
  * change dma owner to current when vaddr is updated
  * add Fixes to commit messages
  * refactored new code in vfio_dma_do_map

Changes in V4:
  * misc cosmetic changes

Steve Sistare (5):
  vfio/type1: exclude mdevs from VFIO_UPDATE_VADDR
  vfio/type1: prevent locked_vm underflow
  vfio/type1: revert "block on invalid vaddr"
  vfio/type1: revert "implement notify callback"
  vfio: revert "iommu driver notify callback"

 drivers/vfio/container.c        |   5 -
 drivers/vfio/vfio.h             |   7 --
 drivers/vfio/vfio_iommu_type1.c | 199 +++++++++++++++++++---------------------
 include/uapi/linux/vfio.h       |  15 +--
 4 files changed, 103 insertions(+), 123 deletions(-)

-- 
1.8.3.1

[PATCH V4 1/5] vfio/type1: exclude mdevs from VFIO_UPDATE_VADDR

[Steve Sistare]

Disable the VFIO_UPDATE_VADDR capability if mediated devices are present.
Their kernel threads could be blocked indefinitely by a misbehaving
userland while trying to pin/unpin pages while vaddrs are being updated.

Do not allow groups to be added to the container while vaddr's are invalid,
so we never need to block user threads from pinning, and can delete the
vaddr-waiting code in a subsequent patch.

Fixes: c3cbab24db38 ("vfio/type1: implement interfaces to update vaddr")

Signed-off-by: Steve Sistare <steven.sistare@oracle.com>
---
 drivers/vfio/vfio_iommu_type1.c | 44 +++++++++++++++++++++++++++++++++++++++--
 include/uapi/linux/vfio.h       | 15 ++++++++------
 2 files changed, 51 insertions(+), 8 deletions(-)

diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
index 23c24fe..bdfc13c 100644
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -861,6 +861,12 @@ static int vfio_iommu_type1_pin_pages(void *iommu_data,
 
 	mutex_lock(&iommu->lock);
 
+	if (WARN_ONCE(iommu->vaddr_invalid_count,
+		      "mdev not allowed with VFIO_UPDATE_VADDR\n")) {
+		ret = -EBUSY;
+		goto pin_done;
+	}
+
 	/*
 	 * Wait for all necessary vaddr's to be valid so they can be used in
 	 * the main loop without dropping the lock, to avoid racing vs unmap.
@@ -1343,6 +1349,12 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
 
 	mutex_lock(&iommu->lock);
 
+	/* Cannot update vaddr if mdev is present. */
+	if (invalidate_vaddr && !list_empty(&iommu->emulated_iommu_groups)) {
+		ret = -EBUSY;
+		goto unlock;
+	}
+
 	pgshift = __ffs(iommu->pgsize_bitmap);
 	pgsize = (size_t)1 << pgshift;
 
@@ -2185,11 +2197,16 @@ static int vfio_iommu_type1_attach_group(void *iommu_data,
 	struct iommu_domain_geometry *geo;
 	LIST_HEAD(iova_copy);
 	LIST_HEAD(group_resv_regions);
-	int ret = -EINVAL;
+	int ret = -EBUSY;
 
 	mutex_lock(&iommu->lock);
 
+	/* Attach could require pinning, so disallow while vaddr is invalid. */
+	if (iommu->vaddr_invalid_count)
+		goto out_unlock;
+
 	/* Check for duplicates */
+	ret = -EINVAL;
 	if (vfio_iommu_find_iommu_group(iommu, iommu_group))
 		goto out_unlock;
 
@@ -2660,6 +2677,16 @@ static int vfio_domains_have_enforce_cache_coherency(struct vfio_iommu *iommu)
 	return ret;
 }
 
+static bool vfio_iommu_has_emulated(struct vfio_iommu *iommu)
+{
+	bool ret;
+
+	mutex_lock(&iommu->lock);
+	ret = !list_empty(&iommu->emulated_iommu_groups);
+	mutex_unlock(&iommu->lock);
+	return ret;
+}
+
 static int vfio_iommu_type1_check_extension(struct vfio_iommu *iommu,
 					    unsigned long arg)
 {
@@ -2668,8 +2695,13 @@ static int vfio_iommu_type1_check_extension(struct vfio_iommu *iommu,
 	case VFIO_TYPE1v2_IOMMU:
 	case VFIO_TYPE1_NESTING_IOMMU:
 	case VFIO_UNMAP_ALL:
-	case VFIO_UPDATE_VADDR:
 		return 1;
+	case VFIO_UPDATE_VADDR:
+		/*
+		 * Disable this feature if mdevs are present.  They cannot
+		 * safely pin/unpin while vaddrs are being updated.
+		 */
+		return iommu && !vfio_iommu_has_emulated(iommu);
 	case VFIO_DMA_CC_IOMMU:
 		if (!iommu)
 			return 0;
@@ -3138,6 +3170,13 @@ static int vfio_iommu_type1_dma_rw(void *iommu_data, dma_addr_t user_iova,
 	size_t done;
 
 	mutex_lock(&iommu->lock);
+
+	if (WARN_ONCE(iommu->vaddr_invalid_count,
+		      "mdev not allowed with VFIO_UPDATE_VADDR\n")) {
+		ret = -EBUSY;
+		goto out;
+	}
+
 	while (count > 0) {
 		ret = vfio_iommu_type1_dma_rw_chunk(iommu, user_iova, data,
 						    count, write, &done);
@@ -3149,6 +3188,7 @@ static int vfio_iommu_type1_dma_rw(void *iommu_data, dma_addr_t user_iova,
 		user_iova += done;
 	}
 
+out:
 	mutex_unlock(&iommu->lock);
 	return ret;
 }
diff --git a/include/uapi/linux/vfio.h b/include/uapi/linux/vfio.h
index d7d8e09..4e8d344 100644
--- a/include/uapi/linux/vfio.h
+++ b/include/uapi/linux/vfio.h
@@ -49,7 +49,11 @@
 /* Supports VFIO_DMA_UNMAP_FLAG_ALL */
 #define VFIO_UNMAP_ALL			9
 
-/* Supports the vaddr flag for DMA map and unmap */
+/*
+ * Supports the vaddr flag for DMA map and unmap.  Not supported for mediated
+ * devices, so this capability is subject to change as groups are added or
+ * removed.
+ */
 #define VFIO_UPDATE_VADDR		10
 
 /*
@@ -1215,8 +1219,7 @@ struct vfio_iommu_type1_info_dma_avail {
  * Map process virtual addresses to IO virtual addresses using the
  * provided struct vfio_dma_map. Caller sets argsz. READ &/ WRITE required.
  *
- * If flags & VFIO_DMA_MAP_FLAG_VADDR, update the base vaddr for iova, and
- * unblock translation of host virtual addresses in the iova range.  The vaddr
+ * If flags & VFIO_DMA_MAP_FLAG_VADDR, update the base vaddr for iova. The vaddr
  * must have previously been invalidated with VFIO_DMA_UNMAP_FLAG_VADDR.  To
  * maintain memory consistency within the user application, the updated vaddr
  * must address the same memory object as originally mapped.  Failure to do so
@@ -1267,9 +1270,9 @@ struct vfio_bitmap {
  * must be 0.  This cannot be combined with the get-dirty-bitmap flag.
  *
  * If flags & VFIO_DMA_UNMAP_FLAG_VADDR, do not unmap, but invalidate host
- * virtual addresses in the iova range.  Tasks that attempt to translate an
- * iova's vaddr will block.  DMA to already-mapped pages continues.  This
- * cannot be combined with the get-dirty-bitmap flag.
+ * virtual addresses in the iova range.  DMA to already-mapped pages continues.
+ * Groups may not be added to the container while any addresses are invalid.
+ * This cannot be combined with the get-dirty-bitmap flag.
  */
 struct vfio_iommu_type1_dma_unmap {
 	__u32	argsz;
-- 
1.8.3.1

RE: [PATCH V4 1/5] vfio/type1: exclude mdevs from VFIO_UPDATE_VADDR

[Tian, Kevin]

> From: Steve Sistare <steven.sistare@oracle.com>
> Sent: Thursday, December 15, 2022 5:25 AM
> 
> @@ -861,6 +861,12 @@ static int vfio_iommu_type1_pin_pages(void
> *iommu_data,
> 
>  	mutex_lock(&iommu->lock);
> 
> +	if (WARN_ONCE(iommu->vaddr_invalid_count,
> +		      "mdev not allowed with VFIO_UPDATE_VADDR\n")) {

let's be specific on the operation i.e. pin_pages not allowed...

same for the latter dma_rw.

> +	case VFIO_UPDATE_VADDR:
> +		/*
> +		 * Disable this feature if mdevs are present.  They cannot
> +		 * safely pin/unpin while vaddrs are being updated.

only 'pin' is disallowed?

Except those nits:

Reviewed-by: Kevin Tian <kevin.tian@intel.com>

Re: [PATCH V4 1/5] vfio/type1: exclude mdevs from VFIO_UPDATE_VADDR

[Steven Sistare]

On 12/14/2022 11:34 PM, Tian, Kevin wrote:
>> From: Steve Sistare <steven.sistare@oracle.com>
>> Sent: Thursday, December 15, 2022 5:25 AM
>>
>> @@ -861,6 +861,12 @@ static int vfio_iommu_type1_pin_pages(void
>> *iommu_data,
>>
>>  	mutex_lock(&iommu->lock);
>>
>> +	if (WARN_ONCE(iommu->vaddr_invalid_count,
>> +		      "mdev not allowed with VFIO_UPDATE_VADDR\n")) {
> 
> let's be specific on the operation i.e. pin_pages not allowed...
> 
> same for the latter dma_rw.

Sure:
  "vfio_pin_pages not allowed with VFIO_UPDATE_VADDR"
  "vfio_dma_rw not allowed with VFIO_UPDATE_VADDR"

>> +	case VFIO_UPDATE_VADDR:
>> +		/*
>> +		 * Disable this feature if mdevs are present.  They cannot
>> +		 * safely pin/unpin while vaddrs are being updated.
> 
> only 'pin' is disallowed?

Will edit:
  pin/unpin -> pin/unpin/rw

> Except those nits:
> 
> Reviewed-by: Kevin Tian <kevin.tian@intel.com>

Thanks! - steve

[PATCH V4 2/5] vfio/type1: prevent locked_vm underflow

[Steve Sistare]

When a vfio container is preserved across exec using the VFIO_UPDATE_VADDR
interfaces, locked_vm of the new mm becomes 0.  If the user later unmaps a
dma mapping, locked_vm underflows to a large unsigned value, and a
subsequent dma map request fails with ENOMEM in __account_locked_vm.

To avoid underflow, do not decrement locked_vm during unmap if the
dma's mm has changed.  To restore the correct locked_vm count, when
VFIO_DMA_MAP_FLAG_VADDR is used and the dma's mm has changed, add
the mapping's pinned page count to the new mm->locked_vm, subject
to the rlimit.  Now that mediated devices are excluded when using
VFIO_UPDATE_VADDR, the amount of pinned memory equals the size of
the mapping.

Fixes: c3cbab24db38 ("vfio/type1: implement interfaces to update vaddr")

Signed-off-by: Steve Sistare <steven.sistare@oracle.com>
---
 drivers/vfio/vfio_iommu_type1.c | 50 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 49 insertions(+), 1 deletion(-)

diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
index bdfc13c..33dc8ec 100644
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -100,6 +100,7 @@ struct vfio_dma {
 	struct task_struct	*task;
 	struct rb_root		pfn_list;	/* Ex-user pinned pfn list */
 	unsigned long		*bitmap;
+	struct mm_struct	*mm;
 };
 
 struct vfio_batch {
@@ -415,7 +416,7 @@ static int vfio_iova_put_vfio_pfn(struct vfio_dma *dma, struct vfio_pfn *vpfn)
 static int vfio_lock_acct(struct vfio_dma *dma, long npage, bool async)
 {
 	struct mm_struct *mm;
-	int ret;
+	int ret = 0;
 
 	if (!npage)
 		return 0;
@@ -424,6 +425,10 @@ static int vfio_lock_acct(struct vfio_dma *dma, long npage, bool async)
 	if (!mm)
 		return -ESRCH; /* process exited */
 
+	/* Avoid locked_vm underflow */
+	if (dma->mm != mm && npage < 0)
+		goto out;
+
 	ret = mmap_write_lock_killable(mm);
 	if (!ret) {
 		ret = __account_locked_vm(mm, abs(npage), npage > 0, dma->task,
@@ -431,6 +436,7 @@ static int vfio_lock_acct(struct vfio_dma *dma, long npage, bool async)
 		mmap_write_unlock(mm);
 	}
 
+out:
 	if (async)
 		mmput(mm);
 
@@ -1180,6 +1186,7 @@ static void vfio_remove_dma(struct vfio_iommu *iommu, struct vfio_dma *dma)
 	vfio_unmap_unpin(iommu, dma, true);
 	vfio_unlink_dma(iommu, dma);
 	put_task_struct(dma->task);
+	mmdrop(dma->mm);
 	vfio_dma_bitmap_free(dma);
 	if (dma->vaddr_invalid) {
 		iommu->vaddr_invalid_count--;
@@ -1578,6 +1585,42 @@ static bool vfio_iommu_iova_dma_valid(struct vfio_iommu *iommu,
 	return list_empty(iova);
 }
 
+static int vfio_change_dma_owner(struct vfio_dma *dma)
+{
+	int ret = 0;
+	struct mm_struct *mm = get_task_mm(dma->task);
+
+	if (dma->mm != mm) {
+		long npage = dma->size >> PAGE_SHIFT;
+		bool new_lock_cap = capable(CAP_IPC_LOCK);
+		struct task_struct *new_task = current->group_leader;
+
+		ret = mmap_write_lock_killable(new_task->mm);
+		if (ret)
+			goto out;
+
+		ret = __account_locked_vm(new_task->mm, npage, true,
+					  new_task, new_lock_cap);
+		mmap_write_unlock(new_task->mm);
+		if (ret)
+			goto out;
+
+		if (dma->task != new_task) {
+			vfio_lock_acct(dma, -npage, 0);
+			put_task_struct(dma->task);
+			dma->task = get_task_struct(new_task);
+		}
+		mmdrop(dma->mm);
+		dma->mm = new_task->mm;
+		mmgrab(dma->mm);
+		dma->lock_cap = new_lock_cap;
+	}
+out:
+	if (mm)
+		mmput(mm);
+	return ret;
+}
+
 static int vfio_dma_do_map(struct vfio_iommu *iommu,
 			   struct vfio_iommu_type1_dma_map *map)
 {
@@ -1627,6 +1670,9 @@ static int vfio_dma_do_map(struct vfio_iommu *iommu,
 			   dma->size != size) {
 			ret = -EINVAL;
 		} else {
+			ret = vfio_change_dma_owner(dma);
+			if (ret)
+				goto out_unlock;
 			dma->vaddr = vaddr;
 			dma->vaddr_invalid = false;
 			iommu->vaddr_invalid_count--;
@@ -1687,6 +1733,8 @@ static int vfio_dma_do_map(struct vfio_iommu *iommu,
 	get_task_struct(current->group_leader);
 	dma->task = current->group_leader;
 	dma->lock_cap = capable(CAP_IPC_LOCK);
+	dma->mm = dma->task->mm;
+	mmgrab(dma->mm);
 
 	dma->pfn_list = RB_ROOT;
 
-- 
1.8.3.1

RE: [PATCH V4 2/5] vfio/type1: prevent locked_vm underflow

[Tian, Kevin]

> From: Steve Sistare <steven.sistare@oracle.com>
> Sent: Thursday, December 15, 2022 5:25 AM
> 
> When a vfio container is preserved across exec using the
> VFIO_UPDATE_VADDR
> interfaces, locked_vm of the new mm becomes 0.  If the user later unmaps a
> dma mapping, locked_vm underflows to a large unsigned value, and a
> subsequent dma map request fails with ENOMEM in __account_locked_vm.

Isn't it the problem more than underflow? w/o copying locked_vm to the
new mm it means rlimit of the new mm could be exceeded since only
newly pinned pages after exec are counted.

> @@ -424,6 +425,10 @@ static int vfio_lock_acct(struct vfio_dma *dma, long
> npage, bool async)
>  	if (!mm)
>  		return -ESRCH; /* process exited */
> 
> +	/* Avoid locked_vm underflow */
> +	if (dma->mm != mm && npage < 0)
> +		goto out;
> +

the comment is unclear why the condition will lead to underflow.

It's also unclear why the guard is only for exec case but not fork-exec.

According to this patch locked_vm was not copied to the new mm in
both cases before this fix. Then why would underflow only happen
in one but not in the other?

Anyway more explanation is appreciated here.

> +static int vfio_change_dma_owner(struct vfio_dma *dma)
> +{
> +	int ret = 0;
> +	struct mm_struct *mm = get_task_mm(dma->task);

should this be current->group_leader? otherwise in fork-exec case
dma->mm is still equal to dma->task->mm.

> +
> +	if (dma->mm != mm) {
> +		long npage = dma->size >> PAGE_SHIFT;
> +		bool new_lock_cap = capable(CAP_IPC_LOCK);
> +		struct task_struct *new_task = current->group_leader;
> +
> +		ret = mmap_write_lock_killable(new_task->mm);
> +		if (ret)
> +			goto out;
> +
> +		ret = __account_locked_vm(new_task->mm, npage, true,
> +					  new_task, new_lock_cap);
> +		mmap_write_unlock(new_task->mm);
> +		if (ret)
> +			goto out;
> +
> +		if (dma->task != new_task) {
> +			vfio_lock_acct(dma, -npage, 0);

Presumably this should be always done on the old mm, even in exec case.

Re: [PATCH V4 2/5] vfio/type1: prevent locked_vm underflow

[Steven Sistare]

On 12/14/2022 11:52 PM, Tian, Kevin wrote:
>> From: Steve Sistare <steven.sistare@oracle.com>
>> Sent: Thursday, December 15, 2022 5:25 AM
>>
>> When a vfio container is preserved across exec using the
>> VFIO_UPDATE_VADDR
>> interfaces, locked_vm of the new mm becomes 0.  If the user later unmaps a
>> dma mapping, locked_vm underflows to a large unsigned value, and a
>> subsequent dma map request fails with ENOMEM in __account_locked_vm.
> 
> Isn't it the problem more than underflow? w/o copying locked_vm to the
> new mm it means rlimit of the new mm could be exceeded since only
> newly pinned pages after exec are counted.

Yes.  I focused on underflow, because that will even cause an app that has
no limit to fail, but I will add rlimit to the commit message.

>> @@ -424,6 +425,10 @@ static int vfio_lock_acct(struct vfio_dma *dma, long
>> npage, bool async)
>>  	if (!mm)
>>  		return -ESRCH; /* process exited */
>>
>> +	/* Avoid locked_vm underflow */
>> +	if (dma->mm != mm && npage < 0)
>> +		goto out;
>> +
> 
> the comment is unclear why the condition will lead to underflow.
> 
> It's also unclear why the guard is only for exec case but not fork-exec.
> According to this patch locked_vm was not copied to the new mm in
> both cases before this fix. 

Correct.

> Then why would underflow only happen
> in one but not in the other?

Underflow does not occur for fork-exec.  I was wrong when I said so in email.

For fork-exec, if the original process has exited, then we return ESRCH.
If the original process is alive, then dma->mm == mm, and we proceed to 
decrement its locked_vm.

> Anyway more explanation is appreciated here.

How about:
   /* If task exec'd, the old mm is dead.  Avoid locked_mm underflow. */

>> +static int vfio_change_dma_owner(struct vfio_dma *dma)
>> +{
>> +	int ret = 0;
>> +	struct mm_struct *mm = get_task_mm(dma->task);
> 
> should this be current->group_leader? otherwise in fork-exec case
> dma->mm is still equal to dma->task->mm.

Thanks, that is a bug.  The code works if the original process exited, but
not if it persists.  The test should be:

        if (dma->mm != mm || new_task != dma->task) {

>> +
>> +	if (dma->mm != mm) {
>> +		long npage = dma->size >> PAGE_SHIFT;
>> +		bool new_lock_cap = capable(CAP_IPC_LOCK);
>> +		struct task_struct *new_task = current->group_leader;
>> +
>> +		ret = mmap_write_lock_killable(new_task->mm);
>> +		if (ret)
>> +			goto out;
>> +
>> +		ret = __account_locked_vm(new_task->mm, npage, true,
>> +					  new_task, new_lock_cap);
>> +		mmap_write_unlock(new_task->mm);
>> +		if (ret)
>> +			goto out;
>> +
>> +		if (dma->task != new_task) {
>> +			vfio_lock_acct(dma, -npage, 0);
> 
> Presumably this should be always done on the old mm, even in exec case.

No, for exec, the old mm is a zombie.  

- Steve

Re: [PATCH V4 2/5] vfio/type1: prevent locked_vm underflow

[Jason Gunthorpe]

On Wed, Dec 14, 2022 at 01:24:54PM -0800, Steve Sistare wrote:
> When a vfio container is preserved across exec using the VFIO_UPDATE_VADDR
> interfaces, locked_vm of the new mm becomes 0.  If the user later unmaps a
> dma mapping, locked_vm underflows to a large unsigned value, and a
> subsequent dma map request fails with ENOMEM in __account_locked_vm.
> 
> To avoid underflow, do not decrement locked_vm during unmap if the
> dma's mm has changed.  To restore the correct locked_vm count, when
> VFIO_DMA_MAP_FLAG_VADDR is used and the dma's mm has changed, add
> the mapping's pinned page count to the new mm->locked_vm, subject
> to the rlimit.  Now that mediated devices are excluded when using
> VFIO_UPDATE_VADDR, the amount of pinned memory equals the size of
> the mapping.
> 
> Fixes: c3cbab24db38 ("vfio/type1: implement interfaces to update vaddr")
> 
> Signed-off-by: Steve Sistare <steven.sistare@oracle.com>
> ---
>  drivers/vfio/vfio_iommu_type1.c | 50 ++++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 49 insertions(+), 1 deletion(-)

> diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
> index bdfc13c..33dc8ec 100644
> --- a/drivers/vfio/vfio_iommu_type1.c
> +++ b/drivers/vfio/vfio_iommu_type1.c
> @@ -100,6 +100,7 @@ struct vfio_dma {
>  	struct task_struct	*task;
>  	struct rb_root		pfn_list;	/* Ex-user pinned pfn list */
>  	unsigned long		*bitmap;
> +	struct mm_struct	*mm;
>  };

I'm not sure this is quite, right, or at least the comment isn't quite
right..

The issue is that the vfio_dma does not store the mm that provided the
pages. By going through the task every time it allows the mm to change
under its feet which of course can corrupt the assumed accounting in
various ways.

To fix this, the mm should be kept, as you did above. All the code
that is touching the task to get the mm should be dropped. The only
purpose of the task is to check the rlimit.

That in of itself should be a single patch with a clear description
that is the change.

Beyond that you want a second patch that make the vaddr stuff to
transfer the pin accounting from one mm to another in the process of
updating the dma to have a new task and mm.

There is no "underflow" here, only that the current code is using the
wrong mm in some case because it gets it through the task.

Jason

Re: [PATCH V4 2/5] vfio/type1: prevent locked_vm underflow

[Steven Sistare]

On 12/15/2022 9:20 AM, Jason Gunthorpe wrote:
> On Wed, Dec 14, 2022 at 01:24:54PM -0800, Steve Sistare wrote:
>> When a vfio container is preserved across exec using the VFIO_UPDATE_VADDR
>> interfaces, locked_vm of the new mm becomes 0.  If the user later unmaps a
>> dma mapping, locked_vm underflows to a large unsigned value, and a
>> subsequent dma map request fails with ENOMEM in __account_locked_vm.
>>
>> To avoid underflow, do not decrement locked_vm during unmap if the
>> dma's mm has changed.  To restore the correct locked_vm count, when
>> VFIO_DMA_MAP_FLAG_VADDR is used and the dma's mm has changed, add
>> the mapping's pinned page count to the new mm->locked_vm, subject
>> to the rlimit.  Now that mediated devices are excluded when using
>> VFIO_UPDATE_VADDR, the amount of pinned memory equals the size of
>> the mapping.
>>
>> Fixes: c3cbab24db38 ("vfio/type1: implement interfaces to update vaddr")
>>
>> Signed-off-by: Steve Sistare <steven.sistare@oracle.com>
>> ---
>>  drivers/vfio/vfio_iommu_type1.c | 50 ++++++++++++++++++++++++++++++++++++++++-
>>  1 file changed, 49 insertions(+), 1 deletion(-)
> 
>> diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
>> index bdfc13c..33dc8ec 100644
>> --- a/drivers/vfio/vfio_iommu_type1.c
>> +++ b/drivers/vfio/vfio_iommu_type1.c
>> @@ -100,6 +100,7 @@ struct vfio_dma {
>>  	struct task_struct	*task;
>>  	struct rb_root		pfn_list;	/* Ex-user pinned pfn list */
>>  	unsigned long		*bitmap;
>> +	struct mm_struct	*mm;
>>  };
> 
> I'm not sure this is quite, right, or at least the comment isn't quite
> right..
> 
> The issue is that the vfio_dma does not store the mm that provided the
> pages. By going through the task every time it allows the mm to change
> under its feet which of course can corrupt the assumed accounting in
> various ways.
> 
> To fix this, the mm should be kept, as you did above. All the code
> that is touching the task to get the mm should be dropped. The only
> purpose of the task is to check the rlimit.

Yes.  While developing my "redo" series I tried it that way, but did not post
that version.  Functionally it should be equivalent to this series, but I can
code it again to see if it looks cleaner.

- Steve

> That in of itself should be a single patch with a clear description
> that is the change.
> 
> Beyond that you want a second patch that make the vaddr stuff to
> transfer the pin accounting from one mm to another in the process of
> updating the dma to have a new task and mm.
> 
> There is no "underflow" here, only that the current code is using the
> wrong mm in some case because it gets it through the task.
> 
> Jason

Re: [PATCH V4 2/5] vfio/type1: prevent locked_vm underflow

[Jason Gunthorpe]

On Thu, Dec 15, 2022 at 09:38:42AM -0500, Steven Sistare wrote:

> > I'm not sure this is quite, right, or at least the comment isn't quite
> > right..
> > 
> > The issue is that the vfio_dma does not store the mm that provided the
> > pages. By going through the task every time it allows the mm to change
> > under its feet which of course can corrupt the assumed accounting in
> > various ways.
> > 
> > To fix this, the mm should be kept, as you did above. All the code
> > that is touching the task to get the mm should be dropped. The only
> > purpose of the task is to check the rlimit.
> 
> Yes.  While developing my "redo" series I tried it that way, but did not post
> that version.  Functionally it should be equivalent to this series, but I can
> code it again to see if it looks cleaner.

The big reason to split is that this existing bug pre-dates the vaddr
work and should probably be backported further. It can be triggered
just by doing exec..

Jason

[PATCH V4 3/5] vfio/type1: revert "block on invalid vaddr"

[Steve Sistare]

Revert this dead code:
  commit 898b9eaeb3fe ("vfio/type1: block on invalid vaddr")

Signed-off-by: Steve Sistare <steven.sistare@oracle.com>
---
 drivers/vfio/vfio_iommu_type1.c | 94 +++--------------------------------------
 1 file changed, 5 insertions(+), 89 deletions(-)

diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
index 33dc8ec..0ed78a6 100644
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -72,7 +72,6 @@ struct vfio_iommu {
 	unsigned int		vaddr_invalid_count;
 	uint64_t		pgsize_bitmap;
 	uint64_t		num_non_pinned_groups;
-	wait_queue_head_t	vaddr_wait;
 	bool			v2;
 	bool			nesting;
 	bool			dirty_page_tracking;
@@ -153,8 +152,6 @@ struct vfio_regions {
 #define DIRTY_BITMAP_PAGES_MAX	 ((u64)INT_MAX)
 #define DIRTY_BITMAP_SIZE_MAX	 DIRTY_BITMAP_BYTES(DIRTY_BITMAP_PAGES_MAX)
 
-#define WAITED 1
-
 static int put_pfn(unsigned long pfn, int prot);
 
 static struct vfio_iommu_group*
@@ -601,61 +598,6 @@ static int vaddr_get_pfns(struct mm_struct *mm, unsigned long vaddr,
 	return ret;
 }
 
-static int vfio_wait(struct vfio_iommu *iommu)
-{
-	DEFINE_WAIT(wait);
-
-	prepare_to_wait(&iommu->vaddr_wait, &wait, TASK_KILLABLE);
-	mutex_unlock(&iommu->lock);
-	schedule();
-	mutex_lock(&iommu->lock);
-	finish_wait(&iommu->vaddr_wait, &wait);
-	if (kthread_should_stop() || !iommu->container_open ||
-	    fatal_signal_pending(current)) {
-		return -EFAULT;
-	}
-	return WAITED;
-}
-
-/*
- * Find dma struct and wait for its vaddr to be valid.  iommu lock is dropped
- * if the task waits, but is re-locked on return.  Return result in *dma_p.
- * Return 0 on success with no waiting, WAITED on success if waited, and -errno
- * on error.
- */
-static int vfio_find_dma_valid(struct vfio_iommu *iommu, dma_addr_t start,
-			       size_t size, struct vfio_dma **dma_p)
-{
-	int ret = 0;
-
-	do {
-		*dma_p = vfio_find_dma(iommu, start, size);
-		if (!*dma_p)
-			return -EINVAL;
-		else if (!(*dma_p)->vaddr_invalid)
-			return ret;
-		else
-			ret = vfio_wait(iommu);
-	} while (ret == WAITED);
-
-	return ret;
-}
-
-/*
- * Wait for all vaddr in the dma_list to become valid.  iommu lock is dropped
- * if the task waits, but is re-locked on return.  Return 0 on success with no
- * waiting, WAITED on success if waited, and -errno on error.
- */
-static int vfio_wait_all_valid(struct vfio_iommu *iommu)
-{
-	int ret = 0;
-
-	while (iommu->vaddr_invalid_count && ret >= 0)
-		ret = vfio_wait(iommu);
-
-	return ret;
-}
-
 /*
  * Attempt to pin pages.  We really don't want to track all the pfns and
  * the iommu can only map chunks of consecutive pfns anyway, so get the
@@ -856,7 +798,6 @@ static int vfio_iommu_type1_pin_pages(void *iommu_data,
 	unsigned long remote_vaddr;
 	struct vfio_dma *dma;
 	bool do_accounting;
-	dma_addr_t iova;
 
 	if (!iommu || !pages)
 		return -EINVAL;
@@ -873,22 +814,6 @@ static int vfio_iommu_type1_pin_pages(void *iommu_data,
 		goto pin_done;
 	}
 
-	/*
-	 * Wait for all necessary vaddr's to be valid so they can be used in
-	 * the main loop without dropping the lock, to avoid racing vs unmap.
-	 */
-again:
-	if (iommu->vaddr_invalid_count) {
-		for (i = 0; i < npage; i++) {
-			iova = user_iova + PAGE_SIZE * i;
-			ret = vfio_find_dma_valid(iommu, iova, PAGE_SIZE, &dma);
-			if (ret < 0)
-				goto pin_done;
-			if (ret == WAITED)
-				goto again;
-		}
-	}
-
 	/* Fail if no dma_umap notifier is registered */
 	if (list_empty(&iommu->device_list)) {
 		ret = -EINVAL;
@@ -904,6 +829,7 @@ static int vfio_iommu_type1_pin_pages(void *iommu_data,
 
 	for (i = 0; i < npage; i++) {
 		unsigned long phys_pfn;
+		dma_addr_t iova;
 		struct vfio_pfn *vpfn;
 
 		iova = user_iova + PAGE_SIZE * i;
@@ -1188,10 +1114,8 @@ static void vfio_remove_dma(struct vfio_iommu *iommu, struct vfio_dma *dma)
 	put_task_struct(dma->task);
 	mmdrop(dma->mm);
 	vfio_dma_bitmap_free(dma);
-	if (dma->vaddr_invalid) {
+	if (dma->vaddr_invalid)
 		iommu->vaddr_invalid_count--;
-		wake_up_all(&iommu->vaddr_wait);
-	}
 	kfree(dma);
 	iommu->dma_avail++;
 }
@@ -1676,7 +1600,6 @@ static int vfio_dma_do_map(struct vfio_iommu *iommu,
 			dma->vaddr = vaddr;
 			dma->vaddr_invalid = false;
 			iommu->vaddr_invalid_count--;
-			wake_up_all(&iommu->vaddr_wait);
 		}
 		goto out_unlock;
 	} else if (dma) {
@@ -1767,10 +1690,6 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu,
 	unsigned long limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
 	int ret;
 
-	ret = vfio_wait_all_valid(iommu);
-	if (ret < 0)
-		return ret;
-
 	/* Arbitrarily pick the first domain in the list for lookups */
 	if (!list_empty(&iommu->domain_list))
 		d = list_first_entry(&iommu->domain_list,
@@ -2661,7 +2580,6 @@ static void *vfio_iommu_type1_open(unsigned long arg)
 	mutex_init(&iommu->lock);
 	mutex_init(&iommu->device_list_lock);
 	INIT_LIST_HEAD(&iommu->device_list);
-	init_waitqueue_head(&iommu->vaddr_wait);
 	iommu->pgsize_bitmap = PAGE_MASK;
 	INIT_LIST_HEAD(&iommu->emulated_iommu_groups);
 
@@ -3158,13 +3076,12 @@ static int vfio_iommu_type1_dma_rw_chunk(struct vfio_iommu *iommu,
 	struct vfio_dma *dma;
 	bool kthread = current->mm == NULL;
 	size_t offset;
-	int ret;
 
 	*copied = 0;
 
-	ret = vfio_find_dma_valid(iommu, user_iova, 1, &dma);
-	if (ret < 0)
-		return ret;
+	dma = vfio_find_dma(iommu, user_iova, 1);
+	if (!dma)
+		return -EINVAL;
 
 	if ((write && !(dma->prot & IOMMU_WRITE)) ||
 			!(dma->prot & IOMMU_READ))
@@ -3274,7 +3191,6 @@ static void vfio_iommu_type1_notify(void *iommu_data,
 	mutex_lock(&iommu->lock);
 	iommu->container_open = false;
 	mutex_unlock(&iommu->lock);
-	wake_up_all(&iommu->vaddr_wait);
 }
 
 static const struct vfio_iommu_driver_ops vfio_iommu_driver_ops_type1 = {
-- 
1.8.3.1

[PATCH V4 4/5] vfio/type1: revert "implement notify callback"

[Steve Sistare]

This is dead code.  Revert it.
  commit 487ace134053 ("vfio/type1: implement notify callback")

Signed-off-by: Steve Sistare <steven.sistare@oracle.com>
---
 drivers/vfio/vfio_iommu_type1.c | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
index 0ed78a6..41fbdf6 100644
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -75,7 +75,6 @@ struct vfio_iommu {
 	bool			v2;
 	bool			nesting;
 	bool			dirty_page_tracking;
-	bool			container_open;
 	struct list_head	emulated_iommu_groups;
 };
 
@@ -2576,7 +2575,6 @@ static void *vfio_iommu_type1_open(unsigned long arg)
 	INIT_LIST_HEAD(&iommu->iova_list);
 	iommu->dma_list = RB_ROOT;
 	iommu->dma_avail = dma_entry_limit;
-	iommu->container_open = true;
 	mutex_init(&iommu->lock);
 	mutex_init(&iommu->device_list_lock);
 	INIT_LIST_HEAD(&iommu->device_list);
@@ -3181,18 +3179,6 @@ static int vfio_iommu_type1_dma_rw(void *iommu_data, dma_addr_t user_iova,
 	return domain;
 }
 
-static void vfio_iommu_type1_notify(void *iommu_data,
-				    enum vfio_iommu_notify_type event)
-{
-	struct vfio_iommu *iommu = iommu_data;
-
-	if (event != VFIO_IOMMU_CONTAINER_CLOSE)
-		return;
-	mutex_lock(&iommu->lock);
-	iommu->container_open = false;
-	mutex_unlock(&iommu->lock);
-}
-
 static const struct vfio_iommu_driver_ops vfio_iommu_driver_ops_type1 = {
 	.name			= "vfio-iommu-type1",
 	.owner			= THIS_MODULE,
@@ -3207,7 +3193,6 @@ static void vfio_iommu_type1_notify(void *iommu_data,
 	.unregister_device	= vfio_iommu_type1_unregister_device,
 	.dma_rw			= vfio_iommu_type1_dma_rw,
 	.group_iommu_domain	= vfio_iommu_type1_group_iommu_domain,
-	.notify			= vfio_iommu_type1_notify,
 };
 
 static int __init vfio_iommu_type1_init(void)
-- 
1.8.3.1

[PATCH V4 5/5] vfio: revert "iommu driver notify callback"

[Steve Sistare]

Revert this dead code:
  commit ec5e32940cc9 ("vfio: iommu driver notify callback")

Signed-off-by: Steve Sistare <steven.sistare@oracle.com>
---
 drivers/vfio/container.c | 5 -----
 drivers/vfio/vfio.h      | 7 -------
 2 files changed, 12 deletions(-)

diff --git a/drivers/vfio/container.c b/drivers/vfio/container.c
index d74164a..5bfd10d 100644
--- a/drivers/vfio/container.c
+++ b/drivers/vfio/container.c
@@ -382,11 +382,6 @@ static int vfio_fops_open(struct inode *inode, struct file *filep)
 static int vfio_fops_release(struct inode *inode, struct file *filep)
 {
 	struct vfio_container *container = filep->private_data;
-	struct vfio_iommu_driver *driver = container->iommu_driver;
-
-	if (driver && driver->ops->notify)
-		driver->ops->notify(container->iommu_data,
-				    VFIO_IOMMU_CONTAINER_CLOSE);
 
 	filep->private_data = NULL;
 
diff --git a/drivers/vfio/vfio.h b/drivers/vfio/vfio.h
index bcad54b..8a439c6 100644
--- a/drivers/vfio/vfio.h
+++ b/drivers/vfio/vfio.h
@@ -62,11 +62,6 @@ struct vfio_group {
 	struct blocking_notifier_head	notifier;
 };
 
-/* events for the backend driver notify callback */
-enum vfio_iommu_notify_type {
-	VFIO_IOMMU_CONTAINER_CLOSE = 0,
-};
-
 /**
  * struct vfio_iommu_driver_ops - VFIO IOMMU driver callbacks
  */
@@ -97,8 +92,6 @@ struct vfio_iommu_driver_ops {
 				  void *data, size_t count, bool write);
 	struct iommu_domain *(*group_iommu_domain)(void *iommu_data,
 						   struct iommu_group *group);
-	void		(*notify)(void *iommu_data,
-				  enum vfio_iommu_notify_type event);
 };
 
 struct vfio_iommu_driver {
-- 
1.8.3.1

Re: [PATCH V4 0/5] fixes for virtual address update

[Alex Williamson]

On Wed, 14 Dec 2022 13:24:52 -0800
Steve Sistare <steven.sistare@oracle.com> wrote:

> Fix bugs in the interfaces that allow the underlying memory object of an
> iova range to be mapped in a new address space.  They allow userland to
> indefinitely block vfio mediated device kernel threads, and do not
> propagate the locked_vm count to a new mm.
> 
> The fixes impose restrictions that eliminate waiting conditions, so
> revert the dead code:
>   commit 898b9eaeb3fe ("vfio/type1: block on invalid vaddr")
>   commit 487ace134053 ("vfio/type1: implement notify callback")
>   commit ec5e32940cc9 ("vfio: iommu driver notify callback")
> 
> Changes in V2 (thanks Alex):
>   * do not allow group attach while vaddrs are invalid
>   * add patches to delete dead code
>   * add WARN_ON for never-should-happen conditions
>   * check for changed mm in unmap.
>   * check for vfio_lock_acct failure in remap
> 
> Changes in V3 (ditto!):
>   * return errno at WARN_ON sites, and make it unique
>   * correctly check for dma task mm change
>   * change dma owner to current when vaddr is updated
>   * add Fixes to commit messages
>   * refactored new code in vfio_dma_do_map
> 
> Changes in V4:
>   * misc cosmetic changes
> 
> Steve Sistare (5):
>   vfio/type1: exclude mdevs from VFIO_UPDATE_VADDR
>   vfio/type1: prevent locked_vm underflow
>   vfio/type1: revert "block on invalid vaddr"
>   vfio/type1: revert "implement notify callback"
>   vfio: revert "iommu driver notify callback"
> 
>  drivers/vfio/container.c        |   5 -
>  drivers/vfio/vfio.h             |   7 --
>  drivers/vfio/vfio_iommu_type1.c | 199 +++++++++++++++++++---------------------
>  include/uapi/linux/vfio.h       |  15 +--
>  4 files changed, 103 insertions(+), 123 deletions(-)
> 

Looks ok to me.  Jason, Kevin, I'd appreciate your reviews regarding
whether this sufficiently addresses the outstanding issues to keep this
interface around until we have a re-implementation in iommufd.  Thanks,

Alex

Re: [PATCH V4 0/5] fixes for virtual address update

[Jason Gunthorpe]

On Wed, Dec 14, 2022 at 02:42:29PM -0700, Alex Williamson wrote:
> On Wed, 14 Dec 2022 13:24:52 -0800
> Steve Sistare <steven.sistare@oracle.com> wrote:
> 
> > Fix bugs in the interfaces that allow the underlying memory object of an
> > iova range to be mapped in a new address space.  They allow userland to
> > indefinitely block vfio mediated device kernel threads, and do not
> > propagate the locked_vm count to a new mm.
> > 
> > The fixes impose restrictions that eliminate waiting conditions, so
> > revert the dead code:
> >   commit 898b9eaeb3fe ("vfio/type1: block on invalid vaddr")
> >   commit 487ace134053 ("vfio/type1: implement notify callback")
> >   commit ec5e32940cc9 ("vfio: iommu driver notify callback")
> > 
> > Changes in V2 (thanks Alex):
> >   * do not allow group attach while vaddrs are invalid
> >   * add patches to delete dead code
> >   * add WARN_ON for never-should-happen conditions
> >   * check for changed mm in unmap.
> >   * check for vfio_lock_acct failure in remap
> > 
> > Changes in V3 (ditto!):
> >   * return errno at WARN_ON sites, and make it unique
> >   * correctly check for dma task mm change
> >   * change dma owner to current when vaddr is updated
> >   * add Fixes to commit messages
> >   * refactored new code in vfio_dma_do_map
> > 
> > Changes in V4:
> >   * misc cosmetic changes
> > 
> > Steve Sistare (5):
> >   vfio/type1: exclude mdevs from VFIO_UPDATE_VADDR
> >   vfio/type1: prevent locked_vm underflow
> >   vfio/type1: revert "block on invalid vaddr"
> >   vfio/type1: revert "implement notify callback"
> >   vfio: revert "iommu driver notify callback"
> > 
> >  drivers/vfio/container.c        |   5 -
> >  drivers/vfio/vfio.h             |   7 --
> >  drivers/vfio/vfio_iommu_type1.c | 199 +++++++++++++++++++---------------------
> >  include/uapi/linux/vfio.h       |  15 +--
> >  4 files changed, 103 insertions(+), 123 deletions(-)
> > 
> 
> Looks ok to me.  Jason, Kevin, I'd appreciate your reviews regarding
> whether this sufficiently addresses the outstanding issues to keep this
> interface around until we have a re-implementation in iommufd.  Thanks,

Well, patch 3 undeniably solves the deadlock problem.

I still don't like that we are keeping this, an interface that doesn't
support mdevs has no future and can't really be used in any general
purpose way.

Can we at least protect it with a kconfig && CONFIG_EXPERIMENTAL so it
is disabled in most builds?

Jason

Re: [PATCH V4 0/5] fixes for virtual address update

[Alex Williamson]

On Thu, 15 Dec 2022 10:25:11 -0400
Jason Gunthorpe <jgg@nvidia.com> wrote:

> On Wed, Dec 14, 2022 at 02:42:29PM -0700, Alex Williamson wrote:
> > On Wed, 14 Dec 2022 13:24:52 -0800
> > Steve Sistare <steven.sistare@oracle.com> wrote:
> >   
> > > Fix bugs in the interfaces that allow the underlying memory object of an
> > > iova range to be mapped in a new address space.  They allow userland to
> > > indefinitely block vfio mediated device kernel threads, and do not
> > > propagate the locked_vm count to a new mm.
> > > 
> > > The fixes impose restrictions that eliminate waiting conditions, so
> > > revert the dead code:
> > >   commit 898b9eaeb3fe ("vfio/type1: block on invalid vaddr")
> > >   commit 487ace134053 ("vfio/type1: implement notify callback")
> > >   commit ec5e32940cc9 ("vfio: iommu driver notify callback")
> > > 
> > > Changes in V2 (thanks Alex):
> > >   * do not allow group attach while vaddrs are invalid
> > >   * add patches to delete dead code
> > >   * add WARN_ON for never-should-happen conditions
> > >   * check for changed mm in unmap.
> > >   * check for vfio_lock_acct failure in remap
> > > 
> > > Changes in V3 (ditto!):
> > >   * return errno at WARN_ON sites, and make it unique
> > >   * correctly check for dma task mm change
> > >   * change dma owner to current when vaddr is updated
> > >   * add Fixes to commit messages
> > >   * refactored new code in vfio_dma_do_map
> > > 
> > > Changes in V4:
> > >   * misc cosmetic changes
> > > 
> > > Steve Sistare (5):
> > >   vfio/type1: exclude mdevs from VFIO_UPDATE_VADDR
> > >   vfio/type1: prevent locked_vm underflow
> > >   vfio/type1: revert "block on invalid vaddr"
> > >   vfio/type1: revert "implement notify callback"
> > >   vfio: revert "iommu driver notify callback"
> > > 
> > >  drivers/vfio/container.c        |   5 -
> > >  drivers/vfio/vfio.h             |   7 --
> > >  drivers/vfio/vfio_iommu_type1.c | 199 +++++++++++++++++++---------------------
> > >  include/uapi/linux/vfio.h       |  15 +--
> > >  4 files changed, 103 insertions(+), 123 deletions(-)
> > >   
> > 
> > Looks ok to me.  Jason, Kevin, I'd appreciate your reviews regarding
> > whether this sufficiently addresses the outstanding issues to keep this
> > interface around until we have a re-implementation in iommufd.  Thanks,  
> 
> Well, patch 3 undeniably solves the deadlock problem.
> 
> I still don't like that we are keeping this, an interface that doesn't
> support mdevs has no future and can't really be used in any general
> purpose way.
> 
> Can we at least protect it with a kconfig && CONFIG_EXPERIMENTAL so it
> is disabled in most builds?

We no longer have that tool, CONFIG_EXPERIMENTAL hasn't existed for
almost a decade.

I don't think anyone would argue this as a perfect solution, but at the
same time we're putting Steve in a position where we want to remove the
vulnerabilities, we're divesting development in type1 with the
introduction of iommufd, and there's clearly some utility remaining in
the interface, even without mdev support.

It's not that different from migration in fact.  In order to migrate a
VM with vfio devices, all those devices need to support migration.  In
order to live update a VM, all the device need to support live update,
where we have an implementation of generic support here for non-mdev
devices.

It looks like we need some more refinement of the patches, but I think
there's enough here to show there's an interim, restricted use case
solution short of reverting the feature entirely.  Thanks,

Alex

[PATCH V4 0/5] fixes for virtual address update

[Steve Sistare]

Fix bugs in the interfaces that allow the underlying memory object of an
iova range to be mapped in a new address space.  They allow userland to
indefinitely block vfio mediated device kernel threads, and do not
propagate the locked_vm count to a new mm.

The fixes impose restrictions that eliminate waiting conditions, so
revert the dead code:
  commit 898b9eaeb3fe ("vfio/type1: block on invalid vaddr")
  commit 487ace134053 ("vfio/type1: implement notify callback")
  commit ec5e32940cc9 ("vfio: iommu driver notify callback")

Changes in V2 (thanks Alex):
  * do not allow group attach while vaddrs are invalid
  * add patches to delete dead code
  * add WARN_ON for never-should-happen conditions
  * check for changed mm in unmap.
  * check for vfio_lock_acct failure in remap

Changes in V3 (ditto!):
  * return errno at WARN_ON sites, and make it unique
  * correctly check for dma task mm change
  * change dma owner to current when vaddr is updated
  * add Fixes to commit messages
  * refactored new code in vfio_dma_do_map

Changes in V4:
  * misc cosmetic changes

Steve Sistare (5):
  vfio/type1: exclude mdevs from VFIO_UPDATE_VADDR
  vfio/type1: prevent locked_vm underflow
  vfio/type1: revert "block on invalid vaddr"
  vfio/type1: revert "implement notify callback"
  vfio: revert "iommu driver notify callback"

 drivers/vfio/container.c        |   5 -
 drivers/vfio/vfio.h             |   7 --
 drivers/vfio/vfio_iommu_type1.c | 199 +++++++++++++++++++---------------------
 include/uapi/linux/vfio.h       |  15 +--
 4 files changed, 103 insertions(+), 123 deletions(-)

-- 
1.8.3.1

[PATCH V4 2/5] vfio/type1: prevent locked_vm underflow

[Steve Sistare]

When a vfio container is preserved across exec using the VFIO_UPDATE_VADDR
interfaces, locked_vm of the new mm becomes 0.  If the user later unmaps a
dma mapping, locked_vm underflows to a large unsigned value, and a
subsequent dma map request fails with ENOMEM in __account_locked_vm.

To avoid underflow, do not decrement locked_vm during unmap if the
dma's mm has changed.  To restore the correct locked_vm count, when
VFIO_DMA_MAP_FLAG_VADDR is used and the dma's mm has changed, add
the mapping's pinned page count to the new mm->locked_vm, subject
to the rlimit.  Now that mediated devices are excluded when using
VFIO_UPDATE_VADDR, the amount of pinned memory equals the size of
the mapping.

Fixes: c3cbab24db38 ("vfio/type1: implement interfaces to update vaddr")

Signed-off-by: Steve Sistare <steven.sistare@oracle.com>
---
 drivers/vfio/vfio_iommu_type1.c | 50 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 49 insertions(+), 1 deletion(-)

diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
index bdfc13c..33dc8ec 100644
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -100,6 +100,7 @@ struct vfio_dma {
 	struct task_struct	*task;
 	struct rb_root		pfn_list;	/* Ex-user pinned pfn list */
 	unsigned long		*bitmap;
+	struct mm_struct	*mm;
 };
 
 struct vfio_batch {
@@ -415,7 +416,7 @@ static int vfio_iova_put_vfio_pfn(struct vfio_dma *dma, struct vfio_pfn *vpfn)
 static int vfio_lock_acct(struct vfio_dma *dma, long npage, bool async)
 {
 	struct mm_struct *mm;
-	int ret;
+	int ret = 0;
 
 	if (!npage)
 		return 0;
@@ -424,6 +425,10 @@ static int vfio_lock_acct(struct vfio_dma *dma, long npage, bool async)
 	if (!mm)
 		return -ESRCH; /* process exited */
 
+	/* Avoid locked_vm underflow */
+	if (dma->mm != mm && npage < 0)
+		goto out;
+
 	ret = mmap_write_lock_killable(mm);
 	if (!ret) {
 		ret = __account_locked_vm(mm, abs(npage), npage > 0, dma->task,
@@ -431,6 +436,7 @@ static int vfio_lock_acct(struct vfio_dma *dma, long npage, bool async)
 		mmap_write_unlock(mm);
 	}
 
+out:
 	if (async)
 		mmput(mm);
 
@@ -1180,6 +1186,7 @@ static void vfio_remove_dma(struct vfio_iommu *iommu, struct vfio_dma *dma)
 	vfio_unmap_unpin(iommu, dma, true);
 	vfio_unlink_dma(iommu, dma);
 	put_task_struct(dma->task);
+	mmdrop(dma->mm);
 	vfio_dma_bitmap_free(dma);
 	if (dma->vaddr_invalid) {
 		iommu->vaddr_invalid_count--;
@@ -1578,6 +1585,42 @@ static bool vfio_iommu_iova_dma_valid(struct vfio_iommu *iommu,
 	return list_empty(iova);
 }
 
+static int vfio_change_dma_owner(struct vfio_dma *dma)
+{
+	int ret = 0;
+	struct mm_struct *mm = get_task_mm(dma->task);
+
+	if (dma->mm != mm) {
+		long npage = dma->size >> PAGE_SHIFT;
+		bool new_lock_cap = capable(CAP_IPC_LOCK);
+		struct task_struct *new_task = current->group_leader;
+
+		ret = mmap_write_lock_killable(new_task->mm);
+		if (ret)
+			goto out;
+
+		ret = __account_locked_vm(new_task->mm, npage, true,
+					  new_task, new_lock_cap);
+		mmap_write_unlock(new_task->mm);
+		if (ret)
+			goto out;
+
+		if (dma->task != new_task) {
+			vfio_lock_acct(dma, -npage, 0);
+			put_task_struct(dma->task);
+			dma->task = get_task_struct(new_task);
+		}
+		mmdrop(dma->mm);
+		dma->mm = new_task->mm;
+		mmgrab(dma->mm);
+		dma->lock_cap = new_lock_cap;
+	}
+out:
+	if (mm)
+		mmput(mm);
+	return ret;
+}
+
 static int vfio_dma_do_map(struct vfio_iommu *iommu,
 			   struct vfio_iommu_type1_dma_map *map)
 {
@@ -1627,6 +1670,9 @@ static int vfio_dma_do_map(struct vfio_iommu *iommu,
 			   dma->size != size) {
 			ret = -EINVAL;
 		} else {
+			ret = vfio_change_dma_owner(dma);
+			if (ret)
+				goto out_unlock;
 			dma->vaddr = vaddr;
 			dma->vaddr_invalid = false;
 			iommu->vaddr_invalid_count--;
@@ -1687,6 +1733,8 @@ static int vfio_dma_do_map(struct vfio_iommu *iommu,
 	get_task_struct(current->group_leader);
 	dma->task = current->group_leader;
 	dma->lock_cap = capable(CAP_IPC_LOCK);
+	dma->mm = dma->task->mm;
+	mmgrab(dma->mm);
 
 	dma->pfn_list = RB_ROOT;
 
-- 
1.8.3.1