Re: [PATCH] iommu/iommufd: Require write access for writable MAP_FILE mappings

Next message: C&#xE1;ssio Gabriel: "[PATCH 0/3] ASoC: use scoped OF node handling in manual cleanup paths"
Previous message: Rafael J. Wysocki: "Re: [PATCH] PM: hibernate: Fix kernel-doc comment for add_rtree_block()"
Next in thread: Jason Gunthorpe: "Re: [PATCH] iommu/iommufd: Require write access for writable MAP_FILE mappings"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: David Hildenbrand (Arm)

Date: Mon Jun 08 2026 - 09:39:50 EST

On 6/7/26 14:09, Jason Gunthorpe wrote:
> On Sun, Jun 07, 2026 at 08:53:18AM +0000, Yiming Qian wrote:
>> IOMMU_IOAS_MAP_FILE pins folios from a shmem/tmpfs or hugetlb file and
>> uses them as the backing storage for an IOAS mapping. When userspace sets
>> IOMMU_IOAS_MAP_WRITEABLE, the resulting IOMMU PTEs allow DMA writes to the
>> file-backed folios.
>
> This looks like an issue with the API design in memfd_pin_folios(),
> all users would have a similar bug I think.

Agreed.

Not sure if it should be part of memfd_pin_folios() itself.

>
> I don't know much about memfd but this seems like a legitimate issue.
>
> Add those involved with gup.c and the patch adding memfd_pin_folios()
>
>> {
>> struct iopt_pages *pages;
>> + int rc;
>> +
>> + if (writable) {
>> + if (!(file->f_mode & FMODE_WRITE))
>> + return ERR_PTR(-EPERM);
>> +
>> + rc = mapping_map_writable(file->f_mapping);
>> + if (rc)
>> + return ERR_PTR(rc);
>> + }
>
> We probably need some kind of companion API for memfd_pin_folios(), a
> start/pin/destroy kind of thing to manage this?
>
> It should not be open coded like this.

The permission check is one thing that's clearly missing.

Not sure about the mapping_map_writable() handling ... it's weird to rely on
that when we are not actually mmaping.

Assume we GUP a page and then munmap, mapping_unmap_writable() would be called
while we still have a writable GUP reference. Hm.

--
Cheers,

David