qemu/block
Philippe Mathieu-Daudé 15a730e7a3 block/nvme: Fix VFIO_MAP_DMA failed: No space left on device
When the NVMe block driver was introduced (see commit bdd6a90a9e,
January 2018), Linux VFIO_IOMMU_MAP_DMA ioctl was only returning
-ENOMEM in case of error. The driver was correctly handling the
error path to recycle its volatile IOVA mappings.

To fix CVE-2019-3882, Linux commit 492855939bdb ("vfio/type1: Limit
DMA mappings per container", April 2019) added the -ENOSPC error to
signal the user exhausted the DMA mappings available for a container.

The block driver started to mis-behave:

  qemu-system-x86_64: VFIO_MAP_DMA failed: No space left on device
  (qemu)
  (qemu) info status
  VM status: paused (io-error)
  (qemu) c
  VFIO_MAP_DMA failed: No space left on device
  (qemu) c
  VFIO_MAP_DMA failed: No space left on device

(The VM is not resumable from here, hence stuck.)

Fix by handling the new -ENOSPC error (when DMA mappings are
exhausted) without any distinction to the current -ENOMEM error,
so we don't change the behavior on old kernels where the CVE-2019-3882
fix is not present.

An easy way to reproduce this bug is to restrict the DMA mapping
limit (65535 by default) when loading the VFIO IOMMU module:

  # modprobe vfio_iommu_type1 dma_entry_limit=666

Cc: qemu-stable@nongnu.org
Cc: Fam Zheng <fam@euphon.net>
Cc: Maxim Levitsky <mlevitsk@redhat.com>
Cc: Alex Williamson <alex.williamson@redhat.com>
Reported-by: Michal Prívozník <mprivozn@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20210723195843.1032825-1-philmd@redhat.com
Fixes: bdd6a90a9e ("block: Add VFIO based NVMe driver")
Buglink: https://bugs.launchpad.net/qemu/+bug/1863333
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/65
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2021-07-26 09:38:12 +01:00
..
export block/export: Conditionally ignore set-context error 2021-07-20 16:49:31 +02:00
monitor monitor: hmp_qemu_io: acquire aio contex, fix crash 2021-05-14 16:14:10 +02:00
accounting.c block/accounting: Use lock guard macros 2020-12-11 17:52:39 +01:00
aio_task.c
amend.c
backup-top.c block/backup-top: drop .active 2021-04-30 12:27:48 +02:00
backup-top.h qapi: backup: add perf.use-copy-range parameter 2021-01-26 14:36:37 +01:00
backup.c mirror: stop cancelling in-flight requests on non-force cancel in READY 2021-05-14 16:14:10 +02:00
blkdebug.c blkdebug: protect rules and suspended_reqs with a lock 2021-07-19 17:38:38 +02:00
blklogwrites.c block: check return value of bdrv_open_child and drop error propagation 2021-03-08 15:07:09 -06:00
blkreplay.c block: check return value of bdrv_open_child and drop error propagation 2021-03-08 15:07:09 -06:00
blkverify.c block: check return value of bdrv_open_child and drop error propagation 2021-03-08 15:07:09 -06:00
block-backend.c block: add max_hw_transfer to BlockLimits 2021-06-25 10:54:13 +02:00
block-copy.c block-copy: atomic .cancelled and .finished fields in BlockCopyCallState 2021-06-25 14:33:51 +03:00
block-gen.h scripts: add block-coroutine-wrapper.py 2020-10-05 10:59:06 +01:00
bochs.c
cloop.c
commit.c block/commit: use QEMU_AUTO_VFREE 2021-06-29 16:51:21 +02:00
copy-on-read.c block/copy-on-read: use bdrv_drop_filter() and drop s->active 2021-05-14 16:14:10 +02:00
copy-on-read.h copy-on-read: add filter drop function 2021-01-26 11:26:54 +01:00
coroutines.h block/nbd: reuse nbd_co_do_establish_connection() in nbd_open() 2021-06-18 12:21:22 -05:00
create.c
crypto.c block: add bdrv_co_delete_file_noerr 2021-02-15 15:10:14 +01:00
crypto.h nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
curl.c curl: Disconnect sockets from CURLState 2021-03-19 10:15:06 +01:00
dirty-bitmap.c iotests: Improve and rename test 291 to qemu-img-bitmap 2021-07-21 14:14:41 -05:00
dmg-bz2.c
dmg-lzfse.c block: Remove unused include 2020-11-09 15:44:21 +01:00
dmg.c block: Fix some code style problems, "foo* bar" should be "foo *bar" 2020-11-09 18:42:47 +01:00
dmg.h
file-posix.c block/file-posix: Optimize for macOS 2021-07-06 14:28:55 +01:00
file-win32.c block/file: switch to use qemu_open/qemu_create for improved errors 2020-09-16 10:33:48 +01:00
filter-compress.c block: Inline bdrv_co_block_status_from_*() 2020-09-07 12:31:31 +02:00
gluster.c qapi: More complex uses of QAPI_LIST_APPEND 2021-01-28 08:08:45 +01:00
io_uring.c io_uring: do not use pointer after free 2020-11-17 12:26:48 +01:00
io.c block/io: Merge discard request alignments 2021-07-06 14:28:55 +01:00
iscsi-opts.c modules: add block module annotations 2021-07-09 18:20:27 +02:00
iscsi.c Remove superfluous timer_del() calls 2021-01-08 15:13:38 +00:00
linux-aio.c linux-aio: limit the batch size using aio-max-batch parameter 2021-07-21 13:47:50 +01:00
meson.build meson: fix missing preprocessor symbols 2021-07-09 18:19:00 +02:00
mirror.c block/mirror: fix active mirror dead-lock in mirror_wait_on_conflicts 2021-07-20 13:14:45 +02:00
nbd.c nbd: register yank function earlier 2021-07-12 11:24:00 -05:00
nfs.c util/uri: do not check argument of uri_free() 2021-07-09 12:26:05 +02:00
null.c block/null: Implement bdrv_get_allocated_file_size 2020-09-07 12:31:31 +02:00
nvme.c block/nvme: Fix VFIO_MAP_DMA failed: No space left on device 2021-07-26 09:38:12 +01:00
parallels-ext.c parallels: support bitmap extension for read-only mode 2021-03-08 14:56:55 +01:00
parallels.c parallels: support bitmap extension for read-only mode 2021-03-08 14:56:55 +01:00
parallels.h parallels: support bitmap extension for read-only mode 2021-03-08 14:56:55 +01:00
preallocate.c block: introduce preallocate filter 2020-12-18 12:35:55 +01:00
progress_meter.c progressmeter: protect with a mutex 2021-06-25 14:24:24 +03:00
qapi-sysemu.c
qapi.c block: use GDateTime for formatting timestamp when dumping snapshot info 2021-06-14 13:28:50 +01:00
qcow2-bitmap.c nbd patches for 2021-03-09 2021-03-11 13:57:08 +00:00
qcow2-cache.c
qcow2-cluster.c qcow2: Fix corruption on write_zeroes with MAY_UNMAP 2020-11-24 11:29:41 +01:00
qcow2-refcount.c qcow2: Make qcow2_free_any_clusters() free only one cluster 2020-09-15 11:05:13 +02:00
qcow2-snapshot.c block: consistently use bdrv_is_read_only() 2021-06-02 14:23:20 +02:00
qcow2-threads.c
qcow2.c qcow2: Fix dangling pointer after reopen for 'file' 2021-07-09 13:19:11 +02:00
qcow2.h block/qcow2-bitmap: return status from qcow2_store_persistent_dirty_bitmaps 2021-03-08 16:03:21 -06:00
qcow.c block/qcow: remove runtime opts 2020-09-15 11:05:13 +02:00
qed-check.c
qed-cluster.c
qed-l2-cache.c
qed-table.c
qed.c block/qed: bdrv_qed_do_open: deal with errp 2021-03-08 16:03:32 -06:00
qed.h
quorum.c block/quorum: Provide .bdrv_co_flush instead of .bdrv_co_flush_to_disk 2021-06-02 14:23:20 +02:00
raw-format.c block/raw-format: implement .bdrv_cancel_in_flight handler 2021-02-12 09:45:18 -06:00
rbd.c block/rbd: fix type of task->complete 2021-07-09 12:26:05 +02:00
replication.c replication: Remove workaround 2021-07-20 16:11:53 +02:00
snapshot.c block/snapshot: Clarify goto fallback behavior 2021-06-24 09:49:04 +02:00
ssh.c util/uri: do not check argument of uri_free() 2021-07-09 12:26:05 +02:00
stream.c stream: Don't crash when node permission is denied 2021-03-19 10:15:06 +01:00
throttle-groups.c block/throttle-groups: throttle_group_co_io_limits_intercept(): 64bit bytes 2021-02-03 08:14:00 -06:00
throttle.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
trace-events block: add trace point when fdatasync fails 2021-06-14 13:28:50 +01:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
vdi.c block/vdi: Don't assume that blocks are larger than VdiHeader 2021-03-31 10:44:21 +01:00
vhdx-endian.c
vhdx-log.c block: consistently use bdrv_is_read_only() 2021-06-02 14:23:20 +02:00
vhdx.c block/vhdx: Support vhdx image only with 512 bytes logical sector size 2020-09-15 11:05:13 +02:00
vhdx.h
vmdk.c qapi: Use QAPI_LIST_APPEND in trivial cases 2021-01-28 08:08:45 +01:00
vpc.c block/vpc: Use sizeof() instead of HEADER_SIZE for footer size 2020-12-18 12:43:30 +01:00
vvfat.c block/vvfat: fix: drop backing 2021-07-20 16:30:20 +02:00
win32-aio.c
write-threshold.c write-threshold: deal with includes 2021-05-14 16:14:10 +02:00