Commit 567d7d3e authored by Alex Williamson's avatar Alex Williamson
Browse files

vfio/common: Work around kernel overflow bug in DMA unmap 

A kernel bug was introduced in v4.15 via commit 71a7d3d78e3c which
adds a test for address space wrap-around in the vfio DMA unmap path.
Unfortunately due to overflow, the kernel detects an unmap of the last
page in the 64-bit address space as a wrap-around.  In QEMU, a Q35
guest with VT-d emulation and guest IOMMU enabled will attempt to make
such an unmap request during VM system reset, triggering an error:

  qemu-kvm: VFIO_UNMAP_DMA: -22
  qemu-kvm: vfio_dma_unmap(0x561f059948f0, 0xfef00000, 0xffffffff01100000) = -22 (Invalid argument)

Here the IOVA start address (0xfef00000) and the size parameter
(0xffffffff01100000) add to exactly 2^64, triggering the bug.  A
kernel fix is queued for the Linux v5.0 release to address this.

This patch implements a workaround to retry the unmap, excluding the
final page of the range when we detect an unmap failing which matches
the requirements for this issue.  This is expected to be a safe and
complete workaround as the VT-d address space does not extend to the
full 64-bit space and therefore the last page should never be mapped.

This workaround can be removed once all kernels with this bug are
sufficiently deprecated.

Link: https://bugzilla.redhat.com/show_bug.cgi?id=1662291


Reported-by: default avatarPei Zhang <pezhang@redhat.com>
Debugged-by: default avatarPeter Xu <peterx@redhat.com>
Reviewed-by: default avatarPeter Xu <peterx@redhat.com>
Reviewed-by: default avatarCornelia Huck <cohuck@redhat.com>
Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
parent fc3dbb90

hw/vfio/common.c

+19 −1
Original line number Diff line number Diff line
@@ -220,7 +220,25 @@ static int vfio_dma_unmap(VFIOContainer *container, 
        .size = size,

    };



    if (ioctl(container->fd, VFIO_IOMMU_UNMAP_DMA, &unmap)) {

    while (ioctl(container->fd, VFIO_IOMMU_UNMAP_DMA, &unmap)) {

        /*

         * The type1 backend has an off-by-one bug in the kernel (71a7d3d78e3c

         * v4.15) where an overflow in its wrap-around check prevents us from

         * unmapping the last page of the address space.  Test for the error

         * condition and re-try the unmap excluding the last page.  The

         * expectation is that we've never mapped the last page anyway and this

         * unmap request comes via vIOMMU support which also makes it unlikely

         * that this page is used.  This bug was introduced well after type1 v2

         * support was introduced, so we shouldn't need to test for v1.  A fix

         * is queued for kernel v5.0 so this workaround can be removed once

         * affected kernels are sufficiently deprecated.

         */

        if (errno == EINVAL && unmap.size && !(unmap.iova + unmap.size) &&

            container->iommu_type == VFIO_TYPE1v2_IOMMU) {

            trace_vfio_dma_unmap_overflow_workaround();

            unmap.size -= 1ULL << ctz64(container->pgsizes);

            continue;

        }

        error_report("VFIO_UNMAP_DMA: %d", -errno);

        return -errno;

    }

hw/vfio/trace-events

+1 −0
Original line number Diff line number Diff line
@@ -110,6 +110,7 @@ vfio_region_mmaps_set_enabled(const char *name, bool enabled) "Region %s mmaps e 
vfio_region_sparse_mmap_header(const char *name, int index, int nr_areas) "Device %s region %d: %d sparse mmap entries"

vfio_region_sparse_mmap_entry(int i, unsigned long start, unsigned long end) "sparse entry %d [0x%lx - 0x%lx]"

vfio_get_dev_region(const char *name, int index, uint32_t type, uint32_t subtype) "%s index %d, %08x/%0x8"

vfio_dma_unmap_overflow_workaround(void) ""



# hw/vfio/platform.c

vfio_platform_base_device_init(char *name, int groupid) "%s belongs to group #%d"