On Wed, Nov 05, 2025 at 02:58:16PM -0400, Jason Gunthorpe wrote:
> On Wed, Nov 05, 2025 at 10:33:08AM -0800, Nicolin Chen wrote:
> > On Wed, Nov 05, 2025 at 02:10:49PM -0400, Jason Gunthorpe wrote:
> > > On Wed, Nov 05, 2025 at 06:25:05PM +0100, Eric Auger wrote:
> > > > If the guest doorbell address is wrong because it is not properly translated,
> > > > vgic_msi_to_its() will fail to identify the ITS to inject the MSI in.
> > > > See kernel kvm/vgic/vgic-its.c vgic_msi_to_its and
> > > > vgic_its_inject_msi
> > >
> > > Which has been exactly my point to Nicolin. There is no way to
> > > "properly translate" the vMSI address in a HW accelerated SMMU
> > > emulation.
> >
> > Hmm, I still can't connect the dots here. QEMU knows where the
> > guest CD table is to get the stage-1 translation table to walk
> > through. We could choose to not let it walk through. Yet, why?
>
> You cannot walk any tables in guest memory without fully trapping all
> invalidation on all command queues. Like real HW, qemu needs to fence
> its walks with any concurrent invalidate & sync to ensure it doesn't
> walk into a UAF situation.
>
> Since we can't trap or mediate vCMDQ, the walking simply cannot be
> done.
>
> Thus, the general principle of the HW accelerated vSMMU is that it
> NEVER walks any of these guest tables for any reason.
>
> Thus, we cannot do anything with the vMSI address beyond programming it
> directly into a real PCI device so it undergoes real HW translation.

It's clear to me now. Thanks for the elaboration!

Nicolin
