Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.2/patches/2219887/?format=api
{ "id": 2219887, "url": "http://patchwork.ozlabs.org/api/1.2/patches/2219887/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260405072857.66484-8-scottjgo@gmail.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/1.2/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260405072857.66484-8-scottjgo@gmail.com>", "list_archive_url": null, "date": "2026-04-05T07:28:51", "name": "[RFC,07/10] vfio/apple: Add DriverKit dext client library", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "f7932fd748c57fb8151c51c72e605466474c6d33", "submitter": { "id": 93060, "url": "http://patchwork.ozlabs.org/api/1.2/people/93060/?format=api", "name": "Scott J. Goldman", "email": "scottjgo@gmail.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260405072857.66484-8-scottjgo@gmail.com/mbox/", "series": [ { "id": 498765, "url": "http://patchwork.ozlabs.org/api/1.2/series/498765/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=498765", "date": "2026-04-05T07:28:44", "name": "vfio: PCI device passthrough on Apple Silicon Macs", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/498765/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2219887/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2219887/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=NB8bg2WY;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists.gnu.org (lists.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fpPJv5w6lz1y2d\n\tfor <incoming@patchwork.ozlabs.org>; Sun, 05 Apr 2026 17:31:11 +1000 (AEST)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1w9HvT-0003yA-0N; Sun, 05 Apr 2026 03:29:43 -0400", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <scottjgo@gmail.com>)\n id 1w9HvQ-0003xj-Mo\n for qemu-devel@nongnu.org; Sun, 05 Apr 2026 03:29:40 -0400", "from mail-dy1-x1330.google.com ([2607:f8b0:4864:20::1330])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.90_1) (envelope-from <scottjgo@gmail.com>)\n id 1w9HvN-0007Nf-QK\n for qemu-devel@nongnu.org; Sun, 05 Apr 2026 03:29:40 -0400", "by mail-dy1-x1330.google.com with SMTP id\n 5a478bee46e88-2c156c4a9efso3546438eec.1\n for <qemu-devel@nongnu.org>; Sun, 05 Apr 2026 00:29:37 -0700 (PDT)", "from localhost.localdomain ([2601:645:8200:47:41e4:ff2b:ff70:4d75])\n by smtp.gmail.com with ESMTPSA id\n 5a478bee46e88-2cb92ea0ef1sm7636502eec.21.2026.04.05.00.29.34\n (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256);\n Sun, 05 Apr 2026 00:29:35 -0700 (PDT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1775374176; x=1775978976; darn=nongnu.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=zxfini/03ZCMwgjgBQ4pisEMx2q4rGRX8zkQlXe0tR4=;\n b=NB8bg2WYH+z/AmCtJCvRXkos/w/gGzR/p8f4znh4dQsYnSWEU66n7Vu6oSknX9iSWf\n 74fv6g01TFcAk/fh2N1yjSNNLNisdlpO6e7aoKgKJ/aFoWe5zg5rwoKCSKy/PkxS04C9\n gyCFgP00D5JehrGqcOTwzLdpiUE+CMKP5R+7bPxbHfDn1fIWUbvN/9rhFhSkmnEP9H70\n WtZZCDgVNd2duPPDeCRExel0icXuGTAd09jqjXyQ93eQWWOoAsELkn5eM4Rc7s90V6ns\n yyEToP3N/pPObSesmhDS0kgq+IOoAiwQSNRLph7ScLBNOh3n0+lpo532VU0K/gwAq2YB\n H7pg==", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1775374176; x=1775978976;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=zxfini/03ZCMwgjgBQ4pisEMx2q4rGRX8zkQlXe0tR4=;\n b=VV1NTNLPXOdjIGJk+WMnicuiokkaXwulKFCzW1+8kCbvooif0Y2R6oPNwc8qoMqSxJ\n +hvD1OR86Wt2oEyaQB1efXrRY+uyR/RjyEG6Eo4g4en6UqLhr5MqHXRSA/LnRO+Mhtn9\n Lf4RLNEvh3Iy4YG2vINvkynCIwYWYXC9VTEyZIhKBSRU8hm79GEQOIRw/gpCMmDaGhj/\n hjyFp1LheOMGzPqB94fXIGwy71K9DdL7qFM4NiI2B9S+qAeCeS1X22ZrB8MD0C9JKNiR\n xkk5OYR7DQLqNtCkGIBSY2F5qRkGS7PQkEtLTW+5/brzShtBcaMzm399OPcj3L5ZOnd5\n S8ug==", "X-Gm-Message-State": "AOJu0YweX1qPYYIZTiu1m6aBJfGWc9NXGGpPqty+kGakmmOsJpn6LtgY\n sWiBIbxfW1HFuCosSzZhh7UzNoF1ws4ZLxJqyEagszgLmsI8RamnjWFEF8ALkhyNy2c=", "X-Gm-Gg": "AeBDietDqHRNB86d8jEc4skl6er5lAkiOkv/e9tOr3EwYO6ttIrPMKWbQTocmFaEsw9\n MndWujHnceNtZMqrZYS1aXiVmgKjPFyNRtF9kzLNEnGxpkNoildu40+enpToSdCcdFDPBZ2hwYA\n Wqug7NqhzTj1V+j8wjSnWsCWgeJWwunrknvAs1dqZoC3Q2kf60ipM5oLBG+ki6j1r2GXOVwF2pW\n 4LsNXBnr/7E8CtTsXj/4q17KqGZb8EbCxX/B+2i2Ss8MCdF/7+pwQtaqtlQ9FVMlGzPqkLj52tT\n sVJi5XnvswGrp9rkQX94R7tRA2W5aKozTxNEEVwvM76F4J3otTZvFUJwg7YDdFn3KSmVRso9wxK\n SIIbYd99imKFhSl1jJwJUYi0zmcQToCzSnfudpOKUF6NVJjF5E9VyKoEOIZU7+MtKehGddRx8y7\n 9+ZL/g/t29Pet8PB1j1nhLfm6PpqW/uoZC89wngB7wZ6u1aXXVBjQdORtLcx0kP97S+MvoRjY3e\n ZW39jN2U3/L/QcxiOmIANWrmqo=", "X-Received": "by 2002:a05:7301:3f0f:b0:2c8:7172:3b88 with SMTP id\n 5a478bee46e88-2cbfc16ec3bmr3959627eec.28.1775374175786;\n Sun, 05 Apr 2026 00:29:35 -0700 (PDT)", "From": "\"Scott J. Goldman\" <scottjgo@gmail.com>", "To": "qemu-devel@nongnu.org", "Cc": "alex@shazbot.org, clg@redhat.com, pbonzini@redhat.com, rbolshakov@ddn.com,\n phil@philjordan.eu, mst@redhat.com, john.levon@nutanix.com,\n thanos.makatos@nutanix.com, qemu-s390x@nongnu.org,\n \"Scott J. Goldman\" <scottjg@umich.edu>,\n \"Scott J. Goldman\" <scottjgo@gmail.com>", "Subject": "[RFC PATCH 07/10] vfio/apple: Add DriverKit dext client library", "Date": "Sun, 5 Apr 2026 00:28:51 -0700", "Message-ID": "<20260405072857.66484-8-scottjgo@gmail.com>", "X-Mailer": "git-send-email 2.50.1", "In-Reply-To": "<20260405072857.66484-1-scottjgo@gmail.com>", "References": "<20260405072857.66484-1-scottjgo@gmail.com>", "MIME-Version": "1.0", "Content-Type": "text/plain; charset=UTF-8", "Content-Transfer-Encoding": "8bit", "Received-SPF": "pass client-ip=2607:f8b0:4864:20::1330;\n envelope-from=scottjgo@gmail.com; helo=mail-dy1-x1330.google.com", "X-Spam_score_int": "-20", "X-Spam_score": "-2.1", "X-Spam_bar": "--", "X-Spam_report": "(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "From: \"Scott J. Goldman\" <scottjg@umich.edu>\n\nAdd the C client library for communicating with the VFIOUserPCIDriver\nDriverKit extension (dext) on macOS. This provides the low-level\nIOUserClient wrappers that the Apple VFIO backend will use:\n\n- Connection management (connect, disconnect, claim)\n- PCI config space read/write (individual and block)\n- BAR info queries, BAR mapping/unmapping, MMIO read/write\n- DMA region registration and unregistration\n- Interrupt setup, pending IRQ polling, async notification\n- Device reset (FLR with hot-reset fallback)\n\nAll calls go through IOKit's IOConnectCallScalarMethod /\nIOConnectMapMemory64 to the dext, which mediates access to the\nphysical PCI device via PCIDriverKit.\n\nSigned-off-by: Scott J. Goldman <scottjgo@gmail.com>\n---\n hw/vfio/apple-dext-client.c | 681 ++++++++++++++++++++++++++++++++++++\n hw/vfio/apple-dext-client.h | 253 ++++++++++++++\n hw/vfio/meson.build | 7 +\n 3 files changed, 941 insertions(+)\n create mode 100644 hw/vfio/apple-dext-client.c\n create mode 100644 hw/vfio/apple-dext-client.h", "diff": "diff --git a/hw/vfio/apple-dext-client.c b/hw/vfio/apple-dext-client.c\nnew file mode 100644\nindex 0000000000..7ba03fc6e9\n--- /dev/null\n+++ b/hw/vfio/apple-dext-client.c\n@@ -0,0 +1,681 @@\n+/*\n+ * SPDX-License-Identifier: GPL-2.0-or-later\n+ *\n+ * C client implementation for communicating with the VFIOUserPCIDriver dext\n+ * via IOKit IOUserClient.\n+ *\n+ * Copyright (c) 2026 Scott J. Goldman\n+ */\n+\n+#include \"qemu/osdep.h\"\n+\n+#include \"apple-dext-client.h\"\n+\n+#include <CoreFoundation/CoreFoundation.h>\n+#include <IOKit/IOKitLib.h>\n+#include <dispatch/dispatch.h>\n+#include <string.h>\n+\n+enum {\n+ kSelectorGetIdentity = 0,\n+ kSelectorClaim = 1,\n+ kSelectorTerminate = 2,\n+ kSelectorAllocateDMABuffer = 3,\n+ kSelectorFreeDMABuffer = 4,\n+ kSelectorRegisterDMARegion = 5,\n+ kSelectorUnregisterDMARegion = 6,\n+ kSelectorProbeDMARegion = 7,\n+ kSelectorConfigRead = 8,\n+ kSelectorConfigWrite = 9,\n+ kSelectorGetBARInfo = 10,\n+ kSelectorMMIORead = 11,\n+ kSelectorMMIOWrite = 12,\n+ kSelectorSetupInterrupts = 13,\n+ kSelectorCheckInterrupt = 14,\n+ kSelectorWaitInterrupt = 15,\n+ kSelectorSetIRQMask = 16,\n+ kSelectorResetDevice = 17,\n+};\n+\n+/*\n+ * Keep this in sync with PCIDriverKit BAR type encoding. Bit 3 indicates\n+ * prefetchability for memory BARs.\n+ */\n+#define APPLE_DEXT_BAR_PREFETCHABLE_MASK 0x08\n+#ifndef kIOMapWriteCombineCache\n+#define kIOMapWriteCombineCache 0x00000400\n+#endif\n+\n+static bool\n+dext_service_matches_class(io_service_t service, const char *className)\n+{\n+ bool match = false;\n+ CFTypeRef ref;\n+\n+ ref = IORegistryEntryCreateCFProperty(service, CFSTR(\"IOUserClass\"),\n+ kCFAllocatorDefault, 0);\n+ if (ref == NULL) {\n+ return false;\n+ }\n+\n+ if (CFGetTypeID(ref) == CFStringGetTypeID()) {\n+ CFStringRef expected = CFStringCreateWithCString(\n+ kCFAllocatorDefault, className, kCFStringEncodingUTF8);\n+ if (expected != NULL) {\n+ match = CFStringCompare((CFStringRef)ref, expected, 0)\n+ == kCFCompareEqualTo;\n+ CFRelease(expected);\n+ }\n+ }\n+ CFRelease(ref);\n+ return match;\n+}\n+\n+static bool\n+dext_connection_matches_bdf(io_connect_t connection,\n+ uint8_t bus, uint8_t device, uint8_t function)\n+{\n+ uint64_t output[6] = {0};\n+ uint32_t outputCount = 6;\n+ kern_return_t kr;\n+\n+ kr = IOConnectCallMethod(connection, kSelectorGetIdentity,\n+ NULL, 0, NULL, 0,\n+ output, &outputCount,\n+ NULL, NULL);\n+ if (kr != KERN_SUCCESS || outputCount < 3) {\n+ return false;\n+ }\n+\n+ return (uint8_t)output[0] == bus &&\n+ (uint8_t)output[1] == device &&\n+ (uint8_t)output[2] == function;\n+}\n+\n+io_connect_t\n+apple_dext_connect(uint8_t bus, uint8_t device, uint8_t function)\n+{\n+ CFMutableDictionaryRef matching;\n+ io_iterator_t iterator = IO_OBJECT_NULL;\n+ io_connect_t result = IO_OBJECT_NULL;\n+ io_service_t service;\n+ kern_return_t kr;\n+\n+ matching = IOServiceMatching(\"IOUserService\");\n+ if (matching == NULL) {\n+ return IO_OBJECT_NULL;\n+ }\n+\n+ kr = IOServiceGetMatchingServices(kIOMainPortDefault, matching, &iterator);\n+ if (kr != KERN_SUCCESS) {\n+ return IO_OBJECT_NULL;\n+ }\n+\n+ while ((service = IOIteratorNext(iterator)) != IO_OBJECT_NULL) {\n+ io_connect_t connection = IO_OBJECT_NULL;\n+\n+ if (!dext_service_matches_class(service, \"VFIOUserPCIDriver\")) {\n+ IOObjectRelease(service);\n+ continue;\n+ }\n+\n+ kr = IOServiceOpen(service, mach_task_self(), 0, &connection);\n+ IOObjectRelease(service);\n+\n+ if (kr != KERN_SUCCESS) {\n+ continue;\n+ }\n+\n+ if (dext_connection_matches_bdf(connection, bus, device, function)) {\n+ result = connection;\n+ break;\n+ }\n+\n+ IOServiceClose(connection);\n+ }\n+\n+ IOObjectRelease(iterator);\n+ return result;\n+}\n+\n+void\n+apple_dext_disconnect(io_connect_t connection)\n+{\n+ if (connection != IO_OBJECT_NULL) {\n+ IOServiceClose(connection);\n+ }\n+}\n+\n+kern_return_t\n+apple_dext_claim(io_connect_t connection)\n+{\n+ if (connection == IO_OBJECT_NULL) {\n+ return kIOReturnBadArgument;\n+ }\n+\n+ return IOConnectCallMethod(connection,\n+ kSelectorClaim,\n+ NULL, 0, NULL, 0,\n+ NULL, NULL, NULL, NULL);\n+}\n+\n+kern_return_t\n+apple_dext_register_dma(io_connect_t connection,\n+ uint64_t iova,\n+ uint64_t client_va,\n+ uint64_t size,\n+ uint64_t *out_bus_addr,\n+ uint64_t *out_bus_len)\n+{\n+ uint64_t input[3] = { iova, client_va, size };\n+ uint64_t output[3] = {0};\n+ uint32_t outputCount = 3;\n+ kern_return_t kr;\n+\n+ if (connection == IO_OBJECT_NULL) {\n+ return kIOReturnBadArgument;\n+ }\n+\n+ kr = IOConnectCallMethod(connection,\n+ kSelectorRegisterDMARegion,\n+ input, 3,\n+ NULL, 0,\n+ output, &outputCount,\n+ NULL, NULL);\n+ if (kr != KERN_SUCCESS) {\n+ return kr;\n+ }\n+\n+ if (out_bus_addr != NULL && outputCount >= 2) {\n+ *out_bus_addr = output[1];\n+ }\n+ if (out_bus_len != NULL && outputCount >= 3) {\n+ *out_bus_len = output[2];\n+ }\n+\n+ return kIOReturnSuccess;\n+}\n+\n+kern_return_t\n+apple_dext_unregister_dma(io_connect_t connection,\n+ uint64_t iova)\n+{\n+ uint64_t input[1] = { iova };\n+\n+ if (connection == IO_OBJECT_NULL) {\n+ return kIOReturnBadArgument;\n+ }\n+\n+ return IOConnectCallMethod(connection,\n+ kSelectorUnregisterDMARegion,\n+ input, 1,\n+ NULL, 0,\n+ NULL, NULL,\n+ NULL, NULL);\n+}\n+\n+kern_return_t\n+apple_dext_probe_dma(io_connect_t connection,\n+ uint64_t iova,\n+ uint64_t offset,\n+ uint64_t *out_word)\n+{\n+ uint64_t input[2] = { iova, offset };\n+ uint64_t output[1] = {0};\n+ uint32_t outputCount = 1;\n+ kern_return_t kr;\n+\n+ if (connection == IO_OBJECT_NULL || out_word == NULL) {\n+ return kIOReturnBadArgument;\n+ }\n+\n+ kr = IOConnectCallMethod(connection,\n+ kSelectorProbeDMARegion,\n+ input, 2,\n+ NULL, 0,\n+ output, &outputCount,\n+ NULL, NULL);\n+ if (kr != KERN_SUCCESS) {\n+ return kr;\n+ }\n+\n+ *out_word = output[0];\n+ return kIOReturnSuccess;\n+}\n+\n+kern_return_t\n+apple_dext_config_read(io_connect_t connection,\n+ uint64_t offset,\n+ uint64_t width,\n+ uint64_t *out_value)\n+{\n+ uint64_t input[2] = { offset, width };\n+ uint64_t output[1] = {0};\n+ uint32_t outputCount = 1;\n+ kern_return_t kr;\n+\n+ if (connection == IO_OBJECT_NULL || out_value == NULL) {\n+ return kIOReturnBadArgument;\n+ }\n+\n+ kr = IOConnectCallMethod(connection,\n+ kSelectorConfigRead,\n+ input, 2,\n+ NULL, 0,\n+ output, &outputCount,\n+ NULL, NULL);\n+ if (kr != KERN_SUCCESS) {\n+ return kr;\n+ }\n+\n+ *out_value = output[0];\n+ return kIOReturnSuccess;\n+}\n+\n+kern_return_t\n+apple_dext_config_write(io_connect_t connection,\n+ uint64_t offset,\n+ uint64_t width,\n+ uint64_t value)\n+{\n+ uint64_t input[3] = { offset, width, value };\n+\n+ if (connection == IO_OBJECT_NULL) {\n+ return kIOReturnBadArgument;\n+ }\n+\n+ return IOConnectCallMethod(connection,\n+ kSelectorConfigWrite,\n+ input, 3,\n+ NULL, 0,\n+ NULL, NULL,\n+ NULL, NULL);\n+}\n+\n+kern_return_t\n+apple_dext_config_read_block(io_connect_t connection,\n+ uint64_t offset,\n+ void *buf,\n+ size_t len)\n+{\n+ uint8_t *dst = (uint8_t *)buf;\n+ uint64_t pos = offset;\n+ size_t remaining = len;\n+\n+ if (connection == IO_OBJECT_NULL || buf == NULL) {\n+ return kIOReturnBadArgument;\n+ }\n+\n+ while (remaining >= 4) {\n+ uint64_t val = 0;\n+ uint32_t dword;\n+ kern_return_t kr;\n+\n+ kr = apple_dext_config_read(connection, pos, 4, &val);\n+ if (kr != KERN_SUCCESS) {\n+ return kr;\n+ }\n+ dword = (uint32_t)val;\n+ memcpy(dst, &dword, 4);\n+ dst += 4;\n+ pos += 4;\n+ remaining -= 4;\n+ }\n+\n+ while (remaining > 0) {\n+ uint64_t val = 0;\n+ kern_return_t kr;\n+\n+ kr = apple_dext_config_read(connection, pos, 1, &val);\n+ if (kr != KERN_SUCCESS) {\n+ return kr;\n+ }\n+ *dst = (uint8_t)val;\n+ dst++;\n+ pos++;\n+ remaining--;\n+ }\n+\n+ return kIOReturnSuccess;\n+}\n+\n+kern_return_t\n+apple_dext_get_bar_info(io_connect_t connection,\n+ uint8_t bar,\n+ uint8_t *out_mem_idx,\n+ uint64_t *out_size,\n+ uint8_t *out_type)\n+{\n+ uint64_t input[1] = { bar };\n+ uint64_t output[3] = {0};\n+ uint32_t outputCount = 3;\n+ kern_return_t kr;\n+\n+ if (connection == IO_OBJECT_NULL) {\n+ return kIOReturnBadArgument;\n+ }\n+\n+ kr = IOConnectCallMethod(connection,\n+ kSelectorGetBARInfo,\n+ input, 1,\n+ NULL, 0,\n+ output, &outputCount,\n+ NULL, NULL);\n+ if (kr != KERN_SUCCESS) {\n+ return kr;\n+ }\n+\n+ if (out_mem_idx != NULL) {\n+ *out_mem_idx = (uint8_t)output[0];\n+ }\n+ if (out_size != NULL) {\n+ *out_size = output[1];\n+ }\n+ if (out_type != NULL) {\n+ *out_type = (uint8_t)output[2];\n+ }\n+\n+ return kIOReturnSuccess;\n+}\n+\n+kern_return_t\n+apple_dext_map_bar(io_connect_t connection,\n+ uint8_t bar,\n+ mach_vm_address_t *out_addr,\n+ mach_vm_size_t *out_size,\n+ uint8_t *out_type)\n+{\n+ uint64_t bar_size = 0;\n+ uint8_t bar_type = 0;\n+ uint32_t mem_type;\n+ mach_vm_address_t addr = 0;\n+ mach_vm_size_t size = 0;\n+ IOOptionBits opts = kIOMapAnywhere;\n+ kern_return_t kr;\n+\n+ if (connection == IO_OBJECT_NULL || out_addr == NULL || out_size == NULL) {\n+ return kIOReturnBadArgument;\n+ }\n+\n+ kr = apple_dext_get_bar_info(connection, bar, NULL,\n+ &bar_size, &bar_type);\n+ if (kr != KERN_SUCCESS) {\n+ return kr;\n+ }\n+\n+ /*\n+ * The memory type for IOConnectMapMemory64 must match the dext's\n+ * CopyClientMemoryForType expectation:\n+ * kVFIOUserPCIDriverUserClientMemoryTypeBAR0 (= 1) plus the BAR index.\n+ * This is NOT the same as the PCIDriverKit internal memoryIndex returned\n+ * by GetBARInfo.\n+ */\n+ mem_type = 1 + (uint32_t)bar;\n+\n+ if (bar_type & APPLE_DEXT_BAR_PREFETCHABLE_MASK) {\n+ opts |= kIOMapWriteCombineCache;\n+ }\n+\n+ kr = IOConnectMapMemory64(connection, mem_type, mach_task_self(),\n+ &addr, &size, opts);\n+ if (kr != KERN_SUCCESS) {\n+ return kr;\n+ }\n+\n+ *out_addr = addr;\n+ *out_size = size;\n+ if (out_type != NULL) {\n+ *out_type = bar_type;\n+ }\n+ return kIOReturnSuccess;\n+}\n+\n+kern_return_t\n+apple_dext_unmap_bar(io_connect_t connection,\n+ uint8_t bar,\n+ mach_vm_address_t addr)\n+{\n+ uint32_t mem_type = 1 + (uint32_t)bar;\n+\n+ if (connection == IO_OBJECT_NULL || addr == 0) {\n+ return kIOReturnBadArgument;\n+ }\n+\n+ return IOConnectUnmapMemory64(connection, mem_type, mach_task_self(), addr);\n+}\n+\n+kern_return_t\n+apple_dext_mmio_read(io_connect_t connection,\n+ uint8_t mem_idx,\n+ uint64_t offset,\n+ uint64_t width,\n+ uint64_t *out_value)\n+{\n+ uint64_t input[3] = { mem_idx, offset, width };\n+ uint64_t output[1] = {0};\n+ uint32_t outputCount = 1;\n+ kern_return_t kr;\n+\n+ if (connection == IO_OBJECT_NULL || out_value == NULL) {\n+ return kIOReturnBadArgument;\n+ }\n+\n+ kr = IOConnectCallMethod(connection,\n+ kSelectorMMIORead,\n+ input, 3,\n+ NULL, 0,\n+ output, &outputCount,\n+ NULL, NULL);\n+ if (kr != KERN_SUCCESS) {\n+ return kr;\n+ }\n+\n+ *out_value = output[0];\n+ return kIOReturnSuccess;\n+}\n+\n+kern_return_t\n+apple_dext_mmio_write(io_connect_t connection,\n+ uint8_t mem_idx,\n+ uint64_t offset,\n+ uint64_t width,\n+ uint64_t value)\n+{\n+ uint64_t input[4] = { mem_idx, offset, width, value };\n+\n+ if (connection == IO_OBJECT_NULL) {\n+ return kIOReturnBadArgument;\n+ }\n+\n+ return IOConnectCallMethod(connection,\n+ kSelectorMMIOWrite,\n+ input, 4,\n+ NULL, 0,\n+ NULL, NULL,\n+ NULL, NULL);\n+}\n+\n+kern_return_t\n+apple_dext_setup_interrupts(io_connect_t connection,\n+ uint32_t *out_num_vectors)\n+{\n+ uint64_t output[1] = {0};\n+ uint32_t outputCount = 1;\n+ kern_return_t kr;\n+\n+ if (connection == IO_OBJECT_NULL) {\n+ return kIOReturnBadArgument;\n+ }\n+\n+ kr = IOConnectCallMethod(connection,\n+ kSelectorSetupInterrupts,\n+ NULL, 0,\n+ NULL, 0,\n+ output, &outputCount,\n+ NULL, NULL);\n+ if (kr != KERN_SUCCESS) {\n+ return kr;\n+ }\n+\n+ if (out_num_vectors != NULL && outputCount >= 1) {\n+ *out_num_vectors = (uint32_t)output[0];\n+ }\n+\n+ return kIOReturnSuccess;\n+}\n+\n+kern_return_t\n+apple_dext_reset_device(io_connect_t connection)\n+{\n+ if (connection == IO_OBJECT_NULL) {\n+ return kIOReturnBadArgument;\n+ }\n+\n+ return IOConnectCallMethod(connection,\n+ kSelectorResetDevice,\n+ NULL, 0, NULL, 0,\n+ NULL, NULL, NULL, NULL);\n+}\n+\n+kern_return_t\n+apple_dext_set_irq_mask(io_connect_t connection, const uint64_t mask[4])\n+{\n+ if (connection == IO_OBJECT_NULL || mask == NULL) {\n+ return kIOReturnBadArgument;\n+ }\n+\n+ return IOConnectCallMethod(connection,\n+ kSelectorSetIRQMask,\n+ mask, 4,\n+ NULL, 0,\n+ NULL, NULL,\n+ NULL, NULL);\n+}\n+\n+kern_return_t\n+apple_dext_read_pending_irqs(io_connect_t connection, uint64_t pending[4])\n+{\n+ uint64_t output[4] = {0};\n+ uint32_t outputCount = 4;\n+ kern_return_t kr;\n+ uint32_t i;\n+\n+ if (connection == IO_OBJECT_NULL || pending == NULL) {\n+ return kIOReturnBadArgument;\n+ }\n+\n+ kr = IOConnectCallMethod(connection,\n+ kSelectorCheckInterrupt,\n+ NULL, 0,\n+ NULL, 0,\n+ output, &outputCount,\n+ NULL, NULL);\n+ if (kr != KERN_SUCCESS) {\n+ return kr;\n+ }\n+\n+ for (i = 0; i < 4; i++) {\n+ pending[i] = (i < outputCount) ? output[i] : 0;\n+ }\n+\n+ return kIOReturnSuccess;\n+}\n+\n+struct AppleDextInterruptNotify {\n+ io_connect_t connection;\n+ IONotificationPortRef notifyPort;\n+ mach_port_t machPort;\n+ dispatch_queue_t dispatchQueue;\n+ void (*handler_fn)(void *opaque);\n+ void *opaque;\n+};\n+\n+static void\n+apple_dext_async_callback(void *refcon, IOReturn result,\n+ void **args, uint32_t numArgs)\n+{\n+ AppleDextInterruptNotify *notify = refcon;\n+\n+ if (result == kIOReturnSuccess && notify->handler_fn) {\n+ notify->handler_fn(notify->opaque);\n+ }\n+}\n+\n+static kern_return_t\n+apple_dext_interrupt_notify_arm(AppleDextInterruptNotify *notify)\n+{\n+ uint64_t asyncRef[kIOAsyncCalloutCount];\n+\n+ asyncRef[kIOAsyncCalloutFuncIndex] =\n+ (uint64_t)(uintptr_t)apple_dext_async_callback;\n+ asyncRef[kIOAsyncCalloutRefconIndex] =\n+ (uint64_t)(uintptr_t)notify;\n+\n+ return IOConnectCallAsyncMethod(notify->connection,\n+ kSelectorWaitInterrupt,\n+ notify->machPort,\n+ asyncRef, kIOAsyncCalloutCount,\n+ NULL, 0, NULL, 0,\n+ NULL, NULL, NULL, NULL);\n+}\n+\n+AppleDextInterruptNotify *\n+apple_dext_interrupt_notify_create(io_connect_t connection,\n+ void (*handler_fn)(void *opaque),\n+ void *opaque)\n+{\n+ AppleDextInterruptNotify *notify;\n+ kern_return_t kr;\n+\n+ if (connection == IO_OBJECT_NULL || handler_fn == NULL) {\n+ return NULL;\n+ }\n+\n+ notify = g_new0(AppleDextInterruptNotify, 1);\n+ notify->connection = connection;\n+ notify->handler_fn = handler_fn;\n+ notify->opaque = opaque;\n+\n+ notify->notifyPort = IONotificationPortCreate(kIOMainPortDefault);\n+ if (!notify->notifyPort) {\n+ g_free(notify);\n+ return NULL;\n+ }\n+\n+ notify->dispatchQueue = dispatch_queue_create(\n+ \"org.qemu.vfio-apple.irq-notify\", DISPATCH_QUEUE_SERIAL);\n+ IONotificationPortSetDispatchQueue(notify->notifyPort,\n+ notify->dispatchQueue);\n+ notify->machPort = IONotificationPortGetMachPort(notify->notifyPort);\n+\n+ kr = apple_dext_interrupt_notify_arm(notify);\n+ if (kr != KERN_SUCCESS) {\n+ IONotificationPortDestroy(notify->notifyPort);\n+ dispatch_release(notify->dispatchQueue);\n+ g_free(notify);\n+ return NULL;\n+ }\n+\n+ return notify;\n+}\n+\n+kern_return_t\n+apple_dext_interrupt_notify_rearm(AppleDextInterruptNotify *notify)\n+{\n+ if (!notify) {\n+ return kIOReturnBadArgument;\n+ }\n+ return apple_dext_interrupt_notify_arm(notify);\n+}\n+\n+void\n+apple_dext_interrupt_notify_destroy(AppleDextInterruptNotify *notify)\n+{\n+ if (!notify) {\n+ return;\n+ }\n+\n+ IONotificationPortDestroy(notify->notifyPort);\n+ dispatch_release(notify->dispatchQueue);\n+ g_free(notify);\n+}\ndiff --git a/hw/vfio/apple-dext-client.h b/hw/vfio/apple-dext-client.h\nnew file mode 100644\nindex 0000000000..07574493e6\n--- /dev/null\n+++ b/hw/vfio/apple-dext-client.h\n@@ -0,0 +1,253 @@\n+/*\n+ * SPDX-License-Identifier: GPL-2.0-or-later\n+ *\n+ * C API for connecting to the VFIOUserPCIDriver DriverKit extension.\n+ *\n+ * The vfio-user server process uses this to:\n+ * 1. Find and open an IOUserClient to the dext for a given PCI BDF.\n+ * 2. Claim the device so the dext opens its IOPCIDevice provider.\n+ * 3. Register client-owned memory (QEMU guest RAM mapped via shared file)\n+ * for DMA by the physical PCI device.\n+ * 4. Unregister DMA regions when QEMU removes them.\n+ *\n+ * Integration with libvfio-user:\n+ * vfu_dma_register_cb_t -> apple_dext_register_dma()\n+ * vfu_dma_unregister_cb_t -> apple_dext_unregister_dma()\n+ *\n+ * Copyright (c) 2026 Scott J. Goldman\n+ */\n+\n+#ifndef HW_VFIO_APPLE_DEXT_CLIENT_H\n+#define HW_VFIO_APPLE_DEXT_CLIENT_H\n+\n+#include <IOKit/IOKitLib.h>\n+#include <stdint.h>\n+\n+/*\n+ * Find the VFIOUserPCIDriver dext instance matching the given PCI BDF\n+ * and open an IOUserClient connection to it.\n+ * Returns IO_OBJECT_NULL on failure.\n+ */\n+io_connect_t apple_dext_connect(uint8_t bus, uint8_t device,\n+ uint8_t function);\n+\n+/*\n+ * Close a previously opened connection.\n+ */\n+void apple_dext_disconnect(io_connect_t connection);\n+\n+/*\n+ * Claim the PCI device through the dext (opens the IOPCIDevice provider).\n+ * Must be called before registering DMA regions.\n+ */\n+kern_return_t apple_dext_claim(io_connect_t connection);\n+\n+/*\n+ * Register a region of this process's address space for DMA.\n+ *\n+ * @iova: guest IOVA (device-visible DMA address)\n+ * @client_va: virtual address of the memory in this process\n+ * @size: region size in bytes\n+ * @out_bus_addr: receives first DMA bus address segment (may be NULL)\n+ * @out_bus_len: receives first DMA bus address segment length (may be NULL)\n+ *\n+ * The memory at client_va must remain valid and mapped until the region\n+ * is unregistered.\n+ */\n+kern_return_t apple_dext_register_dma(io_connect_t connection,\n+ uint64_t iova,\n+ uint64_t client_va,\n+ uint64_t size,\n+ uint64_t *out_bus_addr,\n+ uint64_t *out_bus_len);\n+\n+/*\n+ * Unregister a previously registered DMA region identified by its IOVA.\n+ */\n+kern_return_t apple_dext_unregister_dma(io_connect_t connection,\n+ uint64_t iova);\n+\n+/*\n+ * Read 8 bytes from a registered DMA region's IOMemoryDescriptor.\n+ * Used to verify the descriptor references the same physical pages\n+ * as the client's virtual mapping.\n+ *\n+ * @iova: base IOVA of the registered region\n+ * @offset: byte offset within the region to read from\n+ * @out_word: receives the 8-byte value read from the descriptor\n+ */\n+kern_return_t apple_dext_probe_dma(io_connect_t connection,\n+ uint64_t iova,\n+ uint64_t offset,\n+ uint64_t *out_word);\n+\n+/*\n+ * Read from PCI configuration space.\n+ *\n+ * @offset: byte offset into config space\n+ * @width: access width in bytes (1, 2, or 4)\n+ * @out_value: receives the value read\n+ */\n+kern_return_t apple_dext_config_read(io_connect_t connection,\n+ uint64_t offset,\n+ uint64_t width,\n+ uint64_t *out_value);\n+\n+/*\n+ * Write to PCI configuration space.\n+ *\n+ * @offset: byte offset into config space\n+ * @width: access width in bytes (1, 2, or 4)\n+ * @value: value to write\n+ */\n+kern_return_t apple_dext_config_write(io_connect_t connection,\n+ uint64_t offset,\n+ uint64_t width,\n+ uint64_t value);\n+\n+/*\n+ * Read a contiguous block of PCI configuration space.\n+ * Internally issues repeated 32-bit reads, with a final\n+ * narrower read for any trailing bytes.\n+ *\n+ * @offset: starting byte offset\n+ * @buf: destination buffer\n+ * @len: number of bytes to read\n+ */\n+kern_return_t apple_dext_config_read_block(io_connect_t connection,\n+ uint64_t offset,\n+ void *buf,\n+ size_t len);\n+\n+/*\n+ * Query BAR information from the PCI device.\n+ *\n+ * @bar: BAR index (0-5)\n+ * @out_mem_idx: receives the memory index for MemoryRead/Write calls\n+ * @out_size: receives the BAR size in bytes\n+ * @out_type: receives the BAR type (mem32, mem64, io, etc.)\n+ */\n+kern_return_t apple_dext_get_bar_info(io_connect_t connection,\n+ uint8_t bar,\n+ uint8_t *out_mem_idx,\n+ uint64_t *out_size,\n+ uint8_t *out_type);\n+\n+/*\n+ * Map a PCI BAR directly into this process through the dext.\n+ *\n+ * The dext supplies the BAR's IOMemoryDescriptor and IOKit applies the\n+ * appropriate cache mode for the BAR type (default-cache for BAR0 style\n+ * register windows, write-combine for prefetchable apertures).\n+ *\n+ * @bar: BAR index (0-5)\n+ * @out_addr: receives the mapped virtual address\n+ * @out_size: receives the mapped size\n+ * @out_type: receives the BAR type (may be NULL)\n+ */\n+kern_return_t apple_dext_map_bar(io_connect_t connection,\n+ uint8_t bar,\n+ mach_vm_address_t *out_addr,\n+ mach_vm_size_t *out_size,\n+ uint8_t *out_type);\n+\n+/*\n+ * Unmap a BAR previously mapped with apple_dext_map_bar().\n+ */\n+kern_return_t apple_dext_unmap_bar(io_connect_t connection,\n+ uint8_t bar,\n+ mach_vm_address_t addr);\n+\n+/*\n+ * Read from a PCI BAR (MMIO).\n+ *\n+ * @mem_idx: memory index from apple_dext_get_bar_info\n+ * @offset: byte offset within the BAR\n+ * @width: access width in bytes (1, 2, 4, or 8)\n+ * @out_value: receives the value read\n+ */\n+kern_return_t apple_dext_mmio_read(io_connect_t connection,\n+ uint8_t mem_idx,\n+ uint64_t offset,\n+ uint64_t width,\n+ uint64_t *out_value);\n+\n+/*\n+ * Write to a PCI BAR (MMIO).\n+ *\n+ * @mem_idx: memory index from apple_dext_get_bar_info\n+ * @offset: byte offset within the BAR\n+ * @width: access width in bytes (1, 2, 4, or 8)\n+ * @value: value to write\n+ */\n+kern_return_t apple_dext_mmio_write(io_connect_t connection,\n+ uint8_t mem_idx,\n+ uint64_t offset,\n+ uint64_t width,\n+ uint64_t value);\n+\n+/*\n+ * Set up interrupt forwarding for the PCI device.\n+ * Creates IOInterruptDispatchSource handlers for all available\n+ * MSI/MSI-X vectors in the dext. Interrupts are queued in a ring\n+ * buffer and retrieved via apple_dext_check_interrupt().\n+ *\n+ * @out_num_vectors: receives the number of interrupt vectors registered\n+ */\n+kern_return_t apple_dext_setup_interrupts(io_connect_t connection,\n+ uint32_t *out_num_vectors);\n+\n+/*\n+ * Reset the PCI device via the dext. Tries FLR first, then falls\n+ * back to PM reset (D3hot → D0 transition).\n+ */\n+kern_return_t apple_dext_reset_device(io_connect_t connection);\n+\n+/*\n+ * Set the IRQ enable mask in the dext. Only vectors with their\n+ * corresponding bit set will be recorded as pending when the\n+ * hardware fires. mask[] is 4 x uint64_t covering 256 vectors.\n+ */\n+kern_return_t apple_dext_set_irq_mask(io_connect_t connection,\n+ const uint64_t mask[4]);\n+\n+/*\n+ * Read and clear all pending interrupt bits from the dext.\n+ * Returns up to 256 bits (4 MSI/MSI-X vectors per bit) across\n+ * 4 uint64_t words. Each bit that was set is atomically cleared\n+ * in the dext.\n+ */\n+kern_return_t apple_dext_read_pending_irqs(io_connect_t connection,\n+ uint64_t pending[4]);\n+\n+/*\n+ * Opaque state for async interrupt notification from the dext.\n+ */\n+typedef struct AppleDextInterruptNotify AppleDextInterruptNotify;\n+\n+/*\n+ * Create async interrupt notification. handler_fn is called on a GCD\n+ * dispatch queue whenever the dext signals that one or more interrupt\n+ * bits have been set. The handler should wake the QEMU main loop,\n+ * which then calls apple_dext_read_pending_irqs() to drain the bits.\n+ *\n+ * The notification is armed immediately upon creation.\n+ */\n+AppleDextInterruptNotify *\n+apple_dext_interrupt_notify_create(io_connect_t connection,\n+ void (*handler_fn)(void *opaque),\n+ void *opaque);\n+\n+/*\n+ * Re-arm the async interrupt notification after draining pending bits.\n+ * Must be called after each wakeup to receive subsequent notifications.\n+ */\n+kern_return_t\n+apple_dext_interrupt_notify_rearm(AppleDextInterruptNotify *notify);\n+\n+/*\n+ * Tear down and free async interrupt notification state.\n+ */\n+void apple_dext_interrupt_notify_destroy(AppleDextInterruptNotify *notify);\n+\n+#endif /* HW_VFIO_APPLE_DEXT_CLIENT_H */\ndiff --git a/hw/vfio/meson.build b/hw/vfio/meson.build\nindex 1ee9c11d5b..965c8e5b80 100644\n--- a/hw/vfio/meson.build\n+++ b/hw/vfio/meson.build\n@@ -36,3 +36,10 @@ system_ss.add(when: 'CONFIG_IOMMUFD', if_false: files('iommufd-stubs.c'))\n system_ss.add(when: 'CONFIG_VFIO_PCI', if_true: files(\n 'display.c',\n ))\n+\n+# Apple VFIO backend\n+if host_os == 'darwin'\n+ system_ss.add(when: 'CONFIG_VFIO',\n+ if_true: [files('apple-dext-client.c'),\n+ coref, iokit])\n+endif\n", "prefixes": [ "RFC", "07/10" ] }