Merged
Collaborator: @DemiMarie can you please rebase and fix the clippy errors?
18ba7db to 0819d25
jinankjain approved these changes, Sep 26, 2025
Contributor: @DemiMarie should this be marked "Closes #100"?
rbradford approved these changes, Feb 3, 2026
Contributor (Author): Done
Contributor: Looks like the tests need to be updated.
377b889 to 1f30841
rbradford (Contributor) reviewed, Feb 4, 2026, and left a comment:
nit: I think the git commit summary should have a vfio-ioctls: prefix and then good to go.
likebreath (Collaborator) requested changes, Feb 4, 2026, and left a comment:
Thanks for the patience with the review. Overall looks good. Some suggestions below.
Marking it as "Request Changes" due to:
- Please fix the CHANGELOG changes (details below)
- Please fix the typo in the commit message: "Some of its internal APIstook a hosttook a host address cast to ..."
likebreath reviewed, Feb 6, 2026
vfio_syscall::map_dma() accepts a u64 and tells the Linux kernel to make the corresponding address accessible for DMA by a device. Therefore, passing bad u64 values can result in memory corruption or disclosure. Change the u64 argument to a pointer to avoid confusion. To reflect that the caller must uphold invariants to prevent undefined behavior, mark the API as unsafe.

I found this through a review of Cloud Hypervisor [1]. Some of its internal APIs took a host address cast to u64 as an argument and accessed that address. In one case, the u64 was passed directly to vfio_syscall::map_dma().

[1]: cloud-hypervisor/cloud-hypervisor#7129

Fixes: rust-vmm#100

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
likebreath approved these changes, Feb 6, 2026
Summary of the PR

vfio_syscall::map_dma causes the kernel to make an arbitrary address accessible for DMA by a device the guest typically controls. This is unsafe, as it can change memory that Rust assumes is immutable.

I found this through a review of Cloud Hypervisor, where I saw a safe function that took a host address cast to u64 as an argument and accessed that address. It turns out that this function was the source of the unsoundness.
Requirements

Before submitting your PR, please make sure you addressed the following requirements:

git commit -s), and the commit message has max 60 characters for the summary and max 75 characters for each description line.
test.
Release" section of CHANGELOG.md (if no such section exists, please create one).
unsafe code is properly documented.
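As an added illustration of the unsoundness the summary describes (example code, not vfio-ioctls, Cloud Hypervisor, or this PR's own change): a safe function taking a host address as u64 will accept any value, whereas an unsafe fn taking a raw pointer with a documented contract lets a wrapper that owns the memory do the bounds check before calling it. MockContainer and GuestRegion are hypothetical stand-ins for the kernel's VFIO container state and a VMM memory region; nothing here issues a real ioctl.

```rust
use std::collections::BTreeMap;

/// Hypothetical stand-in for the kernel's VFIO DMA mapping state.
#[derive(Default)]
pub struct MockContainer {
    /// iova -> (host address, size), as the "kernel" would record it.
    mappings: BTreeMap<u64, (usize, usize)>,
}

impl MockContainer {
    /// Before: callable from safe code, yet any u64 becomes device-accessible.
    pub fn map_dma_u64(&mut self, iova: u64, size: u64, host_addr: u64) {
        self.mappings.insert(iova, (host_addr as usize, size as usize));
    }

    /// After: a raw pointer makes the hazard visible; `unsafe` puts the proof
    /// obligation on the caller.
    ///
    /// # Safety
    /// `host` must point to `size` bytes that stay allocated and are not
    /// accessed through Rust references while the mapping exists.
    pub unsafe fn map_dma(&mut self, iova: u64, size: usize, host: *mut u8) {
        self.mappings.insert(iova, (host as usize, size));
    }

    pub fn mapped_len(&self) -> usize {
        self.mappings.len()
    }
}

/// Hypothetical VMM-side wrapper: it owns the backing memory, so it can
/// check the requested range before discharging the `unsafe` contract.
pub struct GuestRegion {
    pub backing: Vec<u8>,
}

impl GuestRegion {
    /// Err when [offset, offset + size) is not inside the region.
    pub fn map_to_device(&mut self, c: &mut MockContainer, iova: u64,
                         offset: usize, size: usize) -> Result<(), &'static str> {
        let end = offset.checked_add(size).ok_or("range overflows")?;
        if end > self.backing.len() {
            return Err("range outside region");
        }
        // SAFETY: bounds checked above; `backing` lives as long as `self`
        // (this mock never unmaps, so the region must outlive the mapping).
        unsafe { c.map_dma(iova, size, self.backing.as_mut_ptr().add(offset)) };
        Ok(())
    }
}
```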