From: Jia He <justin.he@arm.com>
To: Alex Williamson <alex.williamson@redhat.com>,
Cornelia Huck <cohuck@redhat.com>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
Jia He <justin.he@arm.com>
Subject: [PATCH] vfio iommu type1: Bypass the vma permission check in vfio_pin_pages_remote()
Date: Thu, 19 Nov 2020 22:27:37 +0800
Message-ID: <20201119142737.17574-1-justin.he@arm.com>

The permission of vfio iommu is different and incompatible with vma
permission. If the iotlb->perm is IOMMU_NONE (e.g. qemu side), qemu will
simply call unmap ioctl() instead of mapping. Hence vfio_dma_map() can't
map a dma region with NONE permission.

This corner case will be exposed in coming virtio_fs cache_size
commit [1]
 - mmap(NULL, size, PROT_NONE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
   memory_region_init_ram_ptr()
 - re-mmap the above area with read/write authority.
 - vfio_dma_map() will be invoked when vfio device is hotplug added.

qemu:
vfio_listener_region_add()
    vfio_dma_map(..., readonly=false)
        map.flags is set to VFIO_DMA_MAP_FLAG_READ|VFIO_..._WRITE
        ioctl(VFIO_IOMMU_MAP_DMA)

kernel:
vfio_dma_do_map()
    vfio_pin_map_dma()
        vfio_pin_pages_remote()
            vaddr_get_pfn()
                ...
                check_vma_flags() failed! because
                vm_flags hasn't VM_WRITE && gup_flags
                has FOLL_WRITE

It will report error in qemu log when hotplug adding(vfio) a nvme disk
to qemu guest on an Ampere EMAG server:
"VFIO_MAP_DMA failed: Bad address"

[1] https://gitlab.com/virtio-fs/qemu/-/blob/virtio-fs-dev/hw/virtio/vhost-user-fs.c#L502

Signed-off-by: Jia He <justin.he@arm.com>
---
drivers/vfio/vfio_iommu_type1.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
index 67e827638995..33faa6b7dbd4 100644
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -453,7 +453,8 @@ static int vaddr_get_pfn(struct mm_struct *mm, unsigned long vaddr,
flags |= FOLL_WRITE;
mmap_read_lock(mm);
- ret = pin_user_pages_remote(mm, vaddr, 1, flags | FOLL_LONGTERM,
+ ret = pin_user_pages_remote(mm, vaddr, 1,
+ flags | FOLL_LONGTERM | FOLL_FORCE,
page, NULL, NULL);
if (ret == 1) {
*pfn = page_to_pfn(page[0]);
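Review bot: FOLL_FORCE is ORed into the pin_user_pages_remote() call unconditionally, so it also applies on the path where the context line above has set FOLL_WRITE, and the vm_flags check is then overridden for every caller of vaddr_get_pfn(), not only for the PROT_NONE-then-remap sequence the commit message describes. The result is that any VFIO_IOMMU_MAP_DMA request with write permission can pin pages for write in a VMA that lacks VM_WRITE, which is the check the commit message reports as failing. Consider restricting the override to the case that needs it, or keeping the check and fixing the ordering so the map happens after the region is re-mmapped read/write; at minimum add a comment above the call explaining why ignoring the VMA permission is safe for long-term DMA pins. The subject also names vfio_pin_pages_remote() while the change is in vaddr_get_pfn(), so one of the two should be corrected.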
--
2.17.1