Re: [PATCH] iommu/iommufd: Require write access for writable MAP_FILE mappings

Next message: syzbot: "Forwarded: Re: [syzbot] [bridge?] KASAN: use-after-free Read in qdisc_pkt_len_segs_init"
Previous message: Ronald Warsow: "Re: [PATCH 7.0 000/332] 7.0.12-rc1 review"
In reply to: Yiming Qian: "[PATCH] iommu/iommufd: Require write access for writable MAP_FILE mappings"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jason Gunthorpe

Date: Sun Jun 07 2026 - 08:09:56 EST

On Sun, Jun 07, 2026 at 08:53:18AM +0000, Yiming Qian wrote:
> IOMMU_IOAS_MAP_FILE pins folios from a shmem/tmpfs or hugetlb file and
> uses them as the backing storage for an IOAS mapping. When userspace sets
> IOMMU_IOAS_MAP_WRITEABLE, the resulting IOMMU PTEs allow DMA writes to the
> file-backed folios.

This looks like an issue with the API design in memfd_pin_folios(),
all users would have a similar bug I think.

I don't know much about memfd but this seems like a legitimate issue.

Add those involved with gup.c and the patch adding memfd_pin_folios()

> {
> struct iopt_pages *pages;
> + int rc;
> +
> + if (writable) {
> + if (!(file->f_mode & FMODE_WRITE))
> + return ERR_PTR(-EPERM);
> +
> + rc = mapping_map_writable(file->f_mapping);
> + if (rc)
> + return ERR_PTR(rc);
> + }

We probably need some kind of companion API for memfd_pin_folios(), a
start/pin/destroy kind of thing to manage this?

It should not be open coded like this.

Jason