| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250929151749.2007b192.alex.williamson@redhat.com>
Date: Mon, 29 Sep 2025 15:17:49 -0600
From: Alex Williamson <alex.williamson@...hat.com>
To: Leon Romanovsky <leon@...nel.org>
Cc: Leon Romanovsky <leonro@...dia.com>, Jason Gunthorpe <jgg@...dia.com>,
Andrew Morton <akpm@...ux-foundation.org>, Bjorn Helgaas
<bhelgaas@...gle.com>, Christian König
<christian.koenig@....com>, dri-devel@...ts.freedesktop.org,
iommu@...ts.linux.dev, Jens Axboe <axboe@...nel.dk>, Joerg Roedel
<joro@...tes.org>, kvm@...r.kernel.org, linaro-mm-sig@...ts.linaro.org,
linux-block@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-media@...r.kernel.org, linux-mm@...ck.org, linux-pci@...r.kernel.org,
Logan Gunthorpe <logang@...tatee.com>, Marek Szyprowski
<m.szyprowski@...sung.com>, Robin Murphy <robin.murphy@....com>, Sumit
Semwal <sumit.semwal@...aro.org>, Vivek Kasireddy
<vivek.kasireddy@...el.com>, Will Deacon <will@...nel.org>
Subject: Re: [PATCH v4 10/10] vfio/pci: Add dma-buf export support for MMIO
regions
On Sun, 28 Sep 2025 17:50:20 +0300
Leon Romanovsky <leon@...nel.org> wrote:
> +static int validate_dmabuf_input(struct vfio_pci_core_device *vdev,
> + struct vfio_device_feature_dma_buf *dma_buf,
> + struct vfio_region_dma_range *dma_ranges,
> + struct p2pdma_provider **provider)
> +{
> + struct pci_dev *pdev = vdev->pdev;
> + u32 bar = dma_buf->region_index;
> + resource_size_t bar_size;
> + u64 sum;
> + int i;
> +
> + if (dma_buf->flags)
> + return -EINVAL;
> + /*
> + * For PCI the region_index is the BAR number like everything else.
> + */
> + if (bar >= VFIO_PCI_ROM_REGION_INDEX)
> + return -ENODEV;
> +
> + *provider = pcim_p2pdma_provider(pdev, bar);
> + if (!provider)
This needs to be IS_ERR_OR_NULL() or the function needs to settle on a
consistent error return value regardless of CONFIG_PCI_P2PDMA.
> + return -EINVAL;
> +
> + bar_size = pci_resource_len(pdev, bar);
We get to this feature via vfio_pci_core_ioctl_feature(), which is used
by several variant drivers, some of which mangle the BAR size exposed
to the user, ex. hisi_acc. I'm afraid this might actually be giving
dmabuf access to a portion of the BAR that isn't exposed otherwise.
> + for (i = 0; i < dma_buf->nr_ranges; i++) {
> + u64 offset = dma_ranges[i].offset;
> + u64 len = dma_ranges[i].length;
> +
> + if (!PAGE_ALIGNED(offset) || !PAGE_ALIGNED(len))
> + return -EINVAL;
> +
> + if (check_add_overflow(offset, len, &sum) || sum > bar_size)
> + return -EINVAL;
> + }
> +
> + return 0;
> +}
> +
> +int vfio_pci_core_feature_dma_buf(struct vfio_pci_core_device *vdev, u32 flags,
> + struct vfio_device_feature_dma_buf __user *arg,
> + size_t argsz)
> +{
> + struct vfio_device_feature_dma_buf get_dma_buf = {};
> + struct vfio_region_dma_range *dma_ranges;
> + DEFINE_DMA_BUF_EXPORT_INFO(exp_info);
> + struct p2pdma_provider *provider;
> + struct vfio_pci_dma_buf *priv;
> + int ret;
> +
> + ret = vfio_check_feature(flags, argsz, VFIO_DEVICE_FEATURE_GET,
> + sizeof(get_dma_buf));
> + if (ret != 1)
> + return ret;
> +
> + if (copy_from_user(&get_dma_buf, arg, sizeof(get_dma_buf)))
> + return -EFAULT;
> +
> + if (!get_dma_buf.nr_ranges)
> + return -EINVAL;
> +
> + dma_ranges = memdup_array_user(&arg->dma_ranges, get_dma_buf.nr_ranges,
> + sizeof(*dma_ranges));
> + if (IS_ERR(dma_ranges))
> + return PTR_ERR(dma_ranges);
> +
> + ret = validate_dmabuf_input(vdev, &get_dma_buf, dma_ranges, &provider);
> + if (ret)
> + return ret;
goto err_free_ranges;
Thanks,
Alex
Powered by blists - more mailing lists