[Intel-gfx] [PATCH v11 19/23] vfio: Add VFIO_DEVICE_BIND_IOMMUFD

Liu, Yi L yi.l.liu at intel.com
Wed May 24 08:31:48 UTC 2023


> From: Liu, Yi L <yi.l.liu at intel.com>
> Sent: Wednesday, May 24, 2023 10:41 AM
> 
> > From: Tian, Kevin <kevin.tian at intel.com>
> > Sent: Wednesday, May 24, 2023 10:39 AM
> >
> > > From: Liu, Yi L <yi.l.liu at intel.com>
> > > Sent: Wednesday, May 24, 2023 10:21 AM
> > >
> > > > >
> > > > > vfio_device_open_file()
> > > > > {
> > > > > 	dev_warn(device->dev, "vfio-noiommu device opened by user "
> > > > > 		   "(%s:%d)\n", current->comm, task_pid_nr(current));
> > > > > }
> > > >
> > > > There needs to be a taint when VFIO_GROUP is disabled.  Thanks,
> > > I see. I misunderstood you. You are asking for a taint. 😊
> > >
> > > Actually, I've considered it. But it appears to me the taint in
> > > vfio_group_find_or_alloc() is due to vfio allocating a fake iommu_group.
> > > This seems to be a taint to the kernel. But now, you are suggesting to add
> > > a taint as long as a noiommu device is registered to vfio. Is it? If so,
> >
> > taint is required because the kernel is exposed to user DMA attack
> > due to lack of IOMMU protection.
> >
> > fake iommu_group is just to meet vfio_group requirement.
> 
> Got it. Thanks.

Please refer to the proposed change in [1]. The noiommu taint is
moved to the end of __vfio_register_dev(), relying on the noiommu
flag set by vfio_device_set_noiommu().

[1] https://lore.kernel.org/kvm/DS0PR11MB752907D211E3703145503A12C3419@DS0PR11MB7529.namprd11.prod.outlook.com/

Regards,
Yi Liu
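
The concern in the thread (a no-IOMMU device being opened without the kernel being marked tainted) can be checked from userspace. The following is an added example, not code from this thread or from the kernel: it matches the dev_warn text quoted above in kernel log lines and compares the result with the taint mask. It assumes the mainline behaviour that the vfio no-IOMMU path sets TAINT_USER (bit 6 of /proc/sys/kernel/tainted); the function names and the sample log lines are constructed for illustration.

```python
import re

# Assumption (not stated in the thread): mainline vfio no-IOMMU code taints
# with TAINT_USER, which is bit 6 (value 64) of /proc/sys/kernel/tainted.
TAINT_USER_BIT = 6

# dev_warn() prefixes "<driver> <device>: " to the message quoted in the thread.
# comm is free-form (it may contain ':' or ')'), so match it greedily and
# anchor the pid on the last ":<digits>)" at the end of the line.
OPEN_RE = re.compile(
    r"(?P<driver>\S+) (?P<dev>\S+): "
    r"vfio-noiommu device opened by user \((?P<comm>.*):(?P<pid>\d+)\)\s*$"
)

# Constructed sample kernel log lines (not taken from a real system).
SAMPLE_DMESG = [
    "[  812.104233] vfio-pci 0000:03:00.0: vfio-noiommu device opened by user (dpdk-testpmd:4312)",
    "[  812.990001] vfio-pci 0000:03:00.1: vfio-noiommu device opened by user (my tool (v2):77:5120)",
    "[  813.000000] e1000e 0000:00:1f.6: NIC Link is Up",
]


def parse_noiommu_opens(lines):
    """Return one record per 'vfio-noiommu device opened by user' warning."""
    events = []
    for line in lines:
        m = OPEN_RE.search(line)
        if m:
            events.append({"driver": m["driver"], "device": m["dev"],
                           "comm": m["comm"], "pid": int(m["pid"])})
    return events


def user_taint_set(tainted_value):
    """True if TAINT_USER is set in a /proc/sys/kernel/tainted value."""
    return bool((int(tainted_value) >> TAINT_USER_BIT) & 1)


def assess(lines, tainted_value):
    """Flag the gap raised in the thread: no-IOMMU opens logged, no taint."""
    opens = parse_noiommu_opens(lines)
    tainted = user_taint_set(tainted_value)
    return {"opens": opens, "taint_user": tainted,
            "untainted_open": bool(opens) and not tainted}


if __name__ == "__main__":
    print(assess(SAMPLE_DMESG, 0))
```

On a live host, pass the lines of `dmesg` and the contents of /proc/sys/kernel/tainted to `assess()`.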

