lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20260109005440.GH545276@ziepe.ca>
Date: Thu, 8 Jan 2026 20:54:40 -0400
From: Jason Gunthorpe <jgg@...pe.ca>
To: David Matlack <dmatlack@...gle.com>
Cc: Alex Williamson <alex@...zbot.org>, Alex Mastro <amastro@...com>,
	Shuah Khan <shuah@...nel.org>, Peter Xu <peterx@...hat.com>,
	linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
	linux-kselftest@...r.kernel.org
Subject: Re: [PATCH] vfio: selftests: Add vfio_dma_mapping_mmio_test

On Fri, Jan 09, 2026 at 12:43:32AM +0000, David Matlack wrote:
> On 2026-01-08 08:36 PM, Jason Gunthorpe wrote:
> > On Thu, Jan 08, 2026 at 09:29:29PM +0000, David Matlack wrote:
> > > On 2026-01-08 02:33 PM, Jason Gunthorpe wrote:
> > > > On Thu, Jan 08, 2026 at 10:24:19AM -0800, David Matlack wrote:
> > > > > > > Oh, I was thinking about a compatability only flow only in the type 1
> > > > > > > emulation that internally magically converts a VMA to a dmabuf, but I
> > > > > > > haven't written anything.. It is a bit tricky and the type 1 emulation
> > > > > > > has not been as popular as I expected??
> > > > > >
> > > > > > In part because of this gap, I'd guess.  Thanks,
> > > > > 
> > > > > Lack of huge mappings in the IOMMU when using VFIO_TYPE1_IOMMU is
> > > > > another gap I'm aware of.
> > > > > vfio_dma_mapping_test.vfio_type1_iommu_anonymous_hugetlb_1gb.dma_map_unmap
> > > > > fails when IOMMUFD_VFIO_CONTAINER is enabled.
> > > > 
> > > > What is this? I'm not aware of it..
> > > 
> > > It's one of the test cases within
> > > tools/testing/selftests/vfio/vfio_dma_mapping_test.c.
> > > 
> > > Here's the output when running with CONFIG_IOMMUFD_VFIO_CONTAINER=y:
> > > 
> > >   #  RUN           vfio_dma_mapping_test.vfio_type1_iommu_anonymous_hugetlb_1gb.dma_map_unmap ...
> > >   Mapped HVA 0x7f0480000000 (size 0x40000000) at IOVA 0x0
> > >   Searching for IOVA 0x0 in /sys/kernel/debug/iommu/intel/0000:6a:01.0/domain_translation_struct
> > >   Found IOMMU mappings for IOVA 0x0:
> > >   PGD: 0x0000000203475027
> > >   P4D: 0x0000000203476027
> > >   PUD: 0x0000000203477027
> > >   PMD: 0x00000001e7562027
> > >   PTE: 0x00000041c0000067
> > >   # tools/testing/selftests/vfio/vfio_dma_mapping_test.c:188:dma_map_unmap:Expected 0 (0) == mapping.pte (282394099815)
> > >   # dma_map_unmap: Test terminated by assertion
> > >   #          FAIL  vfio_dma_mapping_test.vfio_type1_iommu_anonymous_hugetlb_1gb.dma_map_unmap
> > 
> > I can't think of any reason this would fail, I think your tests have
> > found a real bug?? Can you check into it, what kernel call fails and
> > where does the kernel code come from?
> 
> Oh I thought it was by design. This code in iommufd_vfio_set_iommu():
> 
> 	/*
> 	 * The difference between TYPE1 and TYPE1v2 is the ability to unmap in
> 	 * the middle of mapped ranges. This is complicated by huge page support
> 	 * which creates single large IOPTEs that cannot be split by the iommu
> 	 * driver. TYPE1 is very old at this point and likely nothing uses it,
> 	 * however it is simple enough to emulate by simply disabling the
> 	 * problematic large IOPTEs. Then we can safely unmap within any range.
> 	 */
> 	if (type == VFIO_TYPE1_IOMMU)
> 		rc = iopt_disable_large_pages(&ioas->iopt);
> 
> git-blame says some guy named Jason Gunthorpe wrote it :P

Er, maybe I mis understood the output then?

This is not a "failure" though, the map succeeded and gave a small
page mapping.

This is not reflecting a bug in iommufd but a bug in the TYPE1 support
in VFIO itself because it definitely cannot maintain the required
unmap anywhere semantic if it mapped in a 1G huge page like this.

Basically, if you are mapping with TYPE1 mode then this should be triggered:

        if (!strcmp(variant->iommu_mode, "iommufd_compat_type1"))
                mapping_size = SZ_4K;

And VFIO should be the one to fail, not iommufd.

If you really want to test TYPE1 you need to test what makes it
unique, which is that you can map any VMA and then unmap any slice of
it. Including within what should otherwise be a 1G page.

But I doubt anyone cares enough to fix this, so just exclude
VFIO_TYPE1_IOMMU from this test?

Jason

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ