On Wed, Nov 05, 2025 at 10:33:08AM -0800, Nicolin Chen wrote: > On Wed, Nov 05, 2025 at 02:10:49PM -0400, Jason Gunthorpe wrote: > > On Wed, Nov 05, 2025 at 06:25:05PM +0100, Eric Auger wrote: > > > if the guest doorbell address is wrong because not properly translated, > > > vgic_msi_to_its() will fail to identify the ITS to inject the MSI in. > > > See kernel kvm/vgic/vgic-its.c vgic_msi_to_its and > > > vgic_its_inject_msi > > > > Which has been exactly my point to Nicolin. There is no way to > > "properly translate" the vMSI address in a HW accelerated SMMU > > emulation. > > Hmm, I still can't connect the dots here. QEMU knows where the > guest CD table is to get the stage-1 translation table to walk > through. We could choose to not let it walk through. Yet, why?
You cannot walk any tables in guest memory without fully trapping all invalidation on all command queues. Like real HW qemu needs to fence its walks with any concurrent invalidate & sync to ensure it doesn't walk into a UAF situation. Since we can't trap or mediate vCMDQ the walking simply cannot be done. Thus, the general principle of the HW accelerated vSMMU is that it NEVER walks any of these guest tables for any reason. Thus, we cannot do anything with vMSI address beyond program it directly into a real PCI device so it undergoes real HW translation. Jason
