[PATCH v3 1/2] vfio: Fix unbalanced vfio_df_close call in no-iommu mode

[PATCH v3 1/2] vfio: Fix unbalanced vfio_df_close call in no-iommu mode

[Jacob Pan]

For devices with no-iommu enabled in IOMMUFD VFIO compat mode, the group open
path skips vfio_df_open(), leaving open_count at 0. This causes a warning in
vfio_assert_device_open(device) when vfio_df_close() is called during group
close.

The correct behavior is to skip only the IOMMUFD bind in the device open path
for no-iommu devices. Commit 6086efe73498 omitted vfio_df_open(), which was
too broad. This patch restores the previous behavior, ensuring
the vfio_df_open is called in the group open path.

Fixes: 6086efe73498 ("vfio-iommufd: Move noiommu compat validation out of vfio_iommufd_bind()")
Suggested-by: Alex Williamson <alex.williamson@redhat.com>
Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Jacob Pan <jacob.pan@linux.microsoft.com>
---
v3: Apply a concise fix from Alex
v2: Use a fix from Jason
---
 drivers/vfio/group.c   | 7 +++----
 drivers/vfio/iommufd.c | 4 ++++
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/vfio/group.c b/drivers/vfio/group.c
index c321d442f0da..c376a6279de0 100644
--- a/drivers/vfio/group.c
+++ b/drivers/vfio/group.c
@@ -192,11 +192,10 @@ static int vfio_df_group_open(struct vfio_device_file *df)
 		 * implies they expected translation to exist
 		 */
 		if (!capable(CAP_SYS_RAWIO) ||
-		    vfio_iommufd_device_has_compat_ioas(device, df->iommufd))
+		    vfio_iommufd_device_has_compat_ioas(device, df->iommufd)) {
 			ret = -EPERM;
-		else
-			ret = 0;
-		goto out_put_kvm;
+			goto out_put_kvm;
+		}
 	}
 
 	ret = vfio_df_open(df);
diff --git a/drivers/vfio/iommufd.c b/drivers/vfio/iommufd.c
index c8c3a2d53f86..a38d262c6028 100644
--- a/drivers/vfio/iommufd.c
+++ b/drivers/vfio/iommufd.c
@@ -25,6 +25,10 @@ int vfio_df_iommufd_bind(struct vfio_device_file *df)
 
 	lockdep_assert_held(&vdev->dev_set->lock);
 
+	/* Returns 0 to permit device opening under noiommu mode */
+	if (vfio_device_is_noiommu(vdev))
+		return 0;
+
 	return vdev->ops->bind_iommufd(vdev, ictx, &df->devid);
 }
 
-- 
2.34.1

[PATCH v3 2/2] vfio: Prevent open_count decrement to negative

[Jacob Pan]

When vfio_df_close() is called with open_count=0, it triggers a warning in
vfio_assert_device_open() but still decrements open_count to -1. This allows
a subsequent open to incorrectly pass the open_count == 0 check, leading to
unintended behavior, such as setting df->access_granted = true.

For example, running an IOMMUFD compat no-IOMMU device with VFIO tests
(https://github.com/awilliam/tests/blob/master/vfio-noiommu-pci-device-open.c)
results in a warning and a failed VFIO_GROUP_GET_DEVICE_FD ioctl on the first
run, but the second run succeeds incorrectly.

Add checks to avoid decrementing open_count below zero.
Fixes: 05f37e1c03b6 ("vfio: Pass struct vfio_device_file * to vfio_device_open/close()")
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Yi Liu <yi.l.liu@intel.com>
Signed-off-by: Jacob Pan <jacob.pan@linux.microsoft.com>
---
v3: Added Fixes tag
v2: Added Reviewed-by tags
---
 drivers/vfio/vfio_main.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/vfio/vfio_main.c b/drivers/vfio/vfio_main.c
index 1fd261efc582..5046cae05222 100644
--- a/drivers/vfio/vfio_main.c
+++ b/drivers/vfio/vfio_main.c
@@ -583,7 +583,8 @@ void vfio_df_close(struct vfio_device_file *df)
 
 	lockdep_assert_held(&device->dev_set->lock);
 
-	vfio_assert_device_open(device);
+	if (!vfio_assert_device_open(device))
+		return;
 	if (device->open_count == 1)
 		vfio_df_device_last_close(df);
 	device->open_count--;
-- 
2.34.1

Re: [PATCH v3 1/2] vfio: Fix unbalanced vfio_df_close call in no-iommu mode

[Jason Gunthorpe]

On Wed, Jun 18, 2025 at 04:46:17PM -0700, Jacob Pan wrote:
> For devices with no-iommu enabled in IOMMUFD VFIO compat mode, the group open
> path skips vfio_df_open(), leaving open_count at 0. This causes a warning in
> vfio_assert_device_open(device) when vfio_df_close() is called during group
> close.
> 
> The correct behavior is to skip only the IOMMUFD bind in the device open path
> for no-iommu devices. Commit 6086efe73498 omitted vfio_df_open(), which was
> too broad. This patch restores the previous behavior, ensuring
> the vfio_df_open is called in the group open path.
> 
> Fixes: 6086efe73498 ("vfio-iommufd: Move noiommu compat validation out of vfio_iommufd_bind()")
> Suggested-by: Alex Williamson <alex.williamson@redhat.com>
> Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
> Signed-off-by: Jacob Pan <jacob.pan@linux.microsoft.com>
> ---
> v3: Apply a concise fix from Alex
> v2: Use a fix from Jason
> ---
>  drivers/vfio/group.c   | 7 +++----
>  drivers/vfio/iommufd.c | 4 ++++
>  2 files changed, 7 insertions(+), 4 deletions(-)

Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>

Jason

Re: [PATCH v3 1/2] vfio: Fix unbalanced vfio_df_close call in no-iommu mode

[Jacob Pan]

Hi Alex et al,

Just wondering if there are more comments?

Thanks,

Jacob

On Wed, 18 Jun 2025 16:46:17 -0700
Jacob Pan <jacob.pan@linux.microsoft.com> wrote:

> For devices with no-iommu enabled in IOMMUFD VFIO compat mode, the
> group open path skips vfio_df_open(), leaving open_count at 0. This
> causes a warning in vfio_assert_device_open(device) when
> vfio_df_close() is called during group close.
> 
> The correct behavior is to skip only the IOMMUFD bind in the device
> open path for no-iommu devices. Commit 6086efe73498 omitted
> vfio_df_open(), which was too broad. This patch restores the previous
> behavior, ensuring the vfio_df_open is called in the group open path.
> 
> Fixes: 6086efe73498 ("vfio-iommufd: Move noiommu compat validation
> out of vfio_iommufd_bind()") Suggested-by: Alex Williamson
> <alex.williamson@redhat.com> Suggested-by: Jason Gunthorpe
> <jgg@nvidia.com> Signed-off-by: Jacob Pan
> <jacob.pan@linux.microsoft.com> ---
> v3: Apply a concise fix from Alex
> v2: Use a fix from Jason
> ---
>  drivers/vfio/group.c   | 7 +++----
>  drivers/vfio/iommufd.c | 4 ++++
>  2 files changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/vfio/group.c b/drivers/vfio/group.c
> index c321d442f0da..c376a6279de0 100644
> --- a/drivers/vfio/group.c
> +++ b/drivers/vfio/group.c
> @@ -192,11 +192,10 @@ static int vfio_df_group_open(struct
> vfio_device_file *df)
>  		 * implies they expected translation to exist
>  		 */
>  		if (!capable(CAP_SYS_RAWIO) ||
> -		    vfio_iommufd_device_has_compat_ioas(device,
> df->iommufd))
> +		    vfio_iommufd_device_has_compat_ioas(device,
> df->iommufd)) { ret = -EPERM;
> -		else
> -			ret = 0;
> -		goto out_put_kvm;
> +			goto out_put_kvm;
> +		}
>  	}
>  
>  	ret = vfio_df_open(df);
> diff --git a/drivers/vfio/iommufd.c b/drivers/vfio/iommufd.c
> index c8c3a2d53f86..a38d262c6028 100644
> --- a/drivers/vfio/iommufd.c
> +++ b/drivers/vfio/iommufd.c
> @@ -25,6 +25,10 @@ int vfio_df_iommufd_bind(struct vfio_device_file
> *df) 
>  	lockdep_assert_held(&vdev->dev_set->lock);
>  
> +	/* Returns 0 to permit device opening under noiommu mode */
> +	if (vfio_device_is_noiommu(vdev))
> +		return 0;
> +
>  	return vdev->ops->bind_iommufd(vdev, ictx, &df->devid);
>  }
>  

Re: [PATCH v3 1/2] vfio: Fix unbalanced vfio_df_close call in no-iommu mode

[Alex Williamson]

On Thu, 10 Jul 2025 11:40:25 -0700
Jacob Pan <jacob.pan@linux.microsoft.com> wrote:

> Hi Alex et al,
> 
> Just wondering if there are more comments?

Seems not.  Sorry for the delay, these just fell early in the cycle and
other patches are going through various re-spins.  Applied to vfio next
branch for v6.17.  Thanks,

Alex
 
> On Wed, 18 Jun 2025 16:46:17 -0700
> Jacob Pan <jacob.pan@linux.microsoft.com> wrote:
> 
> > For devices with no-iommu enabled in IOMMUFD VFIO compat mode, the
> > group open path skips vfio_df_open(), leaving open_count at 0. This
> > causes a warning in vfio_assert_device_open(device) when
> > vfio_df_close() is called during group close.
> > 
> > The correct behavior is to skip only the IOMMUFD bind in the device
> > open path for no-iommu devices. Commit 6086efe73498 omitted
> > vfio_df_open(), which was too broad. This patch restores the previous
> > behavior, ensuring the vfio_df_open is called in the group open path.
> > 
> > Fixes: 6086efe73498 ("vfio-iommufd: Move noiommu compat validation
> > out of vfio_iommufd_bind()") Suggested-by: Alex Williamson
> > <alex.williamson@redhat.com> Suggested-by: Jason Gunthorpe
> > <jgg@nvidia.com> Signed-off-by: Jacob Pan
> > <jacob.pan@linux.microsoft.com> ---
> > v3: Apply a concise fix from Alex
> > v2: Use a fix from Jason
> > ---
> >  drivers/vfio/group.c   | 7 +++----
> >  drivers/vfio/iommufd.c | 4 ++++
> >  2 files changed, 7 insertions(+), 4 deletions(-)
> > 
> > diff --git a/drivers/vfio/group.c b/drivers/vfio/group.c
> > index c321d442f0da..c376a6279de0 100644
> > --- a/drivers/vfio/group.c
> > +++ b/drivers/vfio/group.c
> > @@ -192,11 +192,10 @@ static int vfio_df_group_open(struct
> > vfio_device_file *df)
> >  		 * implies they expected translation to exist
> >  		 */
> >  		if (!capable(CAP_SYS_RAWIO) ||
> > -		    vfio_iommufd_device_has_compat_ioas(device,
> > df->iommufd))
> > +		    vfio_iommufd_device_has_compat_ioas(device,
> > df->iommufd)) { ret = -EPERM;
> > -		else
> > -			ret = 0;
> > -		goto out_put_kvm;
> > +			goto out_put_kvm;
> > +		}
> >  	}
> >  
> >  	ret = vfio_df_open(df);
> > diff --git a/drivers/vfio/iommufd.c b/drivers/vfio/iommufd.c
> > index c8c3a2d53f86..a38d262c6028 100644
> > --- a/drivers/vfio/iommufd.c
> > +++ b/drivers/vfio/iommufd.c
> > @@ -25,6 +25,10 @@ int vfio_df_iommufd_bind(struct vfio_device_file
> > *df) 
> >  	lockdep_assert_held(&vdev->dev_set->lock);
> >  
> > +	/* Returns 0 to permit device opening under noiommu mode */
> > +	if (vfio_device_is_noiommu(vdev))
> > +		return 0;
> > +
> >  	return vdev->ops->bind_iommufd(vdev, ictx, &df->devid);
> >  }
> >    
>