From: Jagannathan Raman <jag.raman@oracle.com>
Originally-by: John Johnson <john.g.johnson@oracle.com>
Signed-off-by: Elena Ufimtseva <elena.ufimtseva@oracle.com>
Signed-off-by: Jagannathan Raman <jag.raman@oracle.com>
Signed-off-by: John Levon <john.levon@nutanix.com>
---
hw/vfio/trace-events | 1 +
hw/vfio/user-container.c | 10 +++++++++-
hw/vfio/user-protocol.h | 12 ++++++++++++
hw/vfio/user.c | 34 ++++++++++++++++++++++++++++++++++
hw/vfio/user.h | 1 +
5 files changed, 57 insertions(+), 1 deletion(-)
diff --git a/hw/vfio/trace-events b/hw/vfio/trace-events
index 68fe6f5689..0f2e338194 100644
--- a/hw/vfio/trace-events
+++ b/hw/vfio/trace-events
@@ -183,3 +183,4 @@ vfio_user_recv_read(uint16_t id, int read) " id 0x%x read 0x%x"
vfio_user_recv_request(uint16_t cmd) " command 0x%x"
vfio_user_send_write(uint16_t id, int wrote) " id 0x%x wrote 0x%x"
vfio_user_version(uint16_t major, uint16_t minor, const char *caps) " major %d minor %d caps: %s"
+vfio_user_get_info(uint32_t nregions, uint32_t nirqs) " #regions %d #irqs %d"
diff --git a/hw/vfio/user-container.c b/hw/vfio/user-container.c
index 1fd42e9bfd..f1218560a4 100644
--- a/hw/vfio/user-container.c
+++ b/hw/vfio/user-container.c
@@ -12,6 +12,7 @@
#include <linux/vfio.h>
#include "hw/vfio/vfio-common.h"
+#include "hw/vfio/user.h"
#include "exec/address-spaces.h"
#include "exec/memory.h"
#include "exec/ram_addr.h"
@@ -141,7 +142,14 @@ static void vfio_disconnect_user_container(VFIOUserContainer *container)
static bool vfio_user_get_device(VFIOUserContainer *container,
VFIODevice *vbasedev, Error **errp)
{
- struct vfio_device_info info = { 0 };
+ struct vfio_device_info info = { .argsz = sizeof(info) };
+ int ret;
+
+ ret = vfio_user_get_info(vbasedev->proxy, &info);
+ if (ret) {
+ error_setg_errno(errp, -ret, "get info failure");
+ return ret;
+ }
vbasedev->fd = -1;
diff --git a/hw/vfio/user-protocol.h b/hw/vfio/user-protocol.h
index 5de5b2030c..5f9ef1768f 100644
--- a/hw/vfio/user-protocol.h
+++ b/hw/vfio/user-protocol.h
@@ -113,4 +113,16 @@ typedef struct {
*/
#define VFIO_USER_DEF_MAX_BITMAP (256 * 1024 * 1024)
+/*
+ * VFIO_USER_DEVICE_GET_INFO
+ * imported from struct vfio_device_info
+ */
+typedef struct {
+ VFIOUserHdr hdr;
+ uint32_t argsz;
+ uint32_t flags;
+ uint32_t num_regions;
+ uint32_t num_irqs;
+} VFIOUserDeviceInfo;
+
#endif /* VFIO_USER_PROTOCOL_H */
diff --git a/hw/vfio/user.c b/hw/vfio/user.c
index aa561fdba3..645b927f97 100644
--- a/hw/vfio/user.c
+++ b/hw/vfio/user.c
@@ -32,6 +32,13 @@
#include "user.h"
#include "trace.h"
+/*
+ * These are to defend against a malign server trying
+ * to force us to run out of memory.
+ */
+#define VFIO_USER_MAX_REGIONS 100
+#define VFIO_USER_MAX_IRQS 50
+
static int wait_time = 5000; /* wait up to 5 sec for busy servers */
static IOThread *vfio_user_iothread;
@@ -1088,3 +1095,30 @@ bool vfio_user_validate_version(VFIOUserProxy *proxy, Error **errp)
trace_vfio_user_version(msgp->major, msgp->minor, msgp->capabilities);
return true;
}
+
+int vfio_user_get_info(VFIOUserProxy *proxy, struct vfio_device_info *info)
+{
+ VFIOUserDeviceInfo msg;
+ uint32_t argsz = sizeof(msg) - sizeof(msg.hdr);
+
+ memset(&msg, 0, sizeof(msg));
+ vfio_user_request_msg(&msg.hdr, VFIO_USER_DEVICE_GET_INFO, sizeof(msg), 0);
+ msg.argsz = argsz;
+
+ vfio_user_send_wait(proxy, &msg.hdr, NULL, 0);
+ if (msg.hdr.flags & VFIO_USER_ERROR) {
+ return -msg.hdr.error_reply;
+ }
+ trace_vfio_user_get_info(msg.num_regions, msg.num_irqs);
+
+ memcpy(info, &msg.argsz, argsz);
+
+ /* defend against a malicious server */
+ if (info->num_regions > VFIO_USER_MAX_REGIONS ||
+ info->num_irqs > VFIO_USER_MAX_IRQS) {
+ error_printf("%s: invalid reply\n", __func__);
+ return -EINVAL;
+ }
+
+ return 0;
+}
diff --git a/hw/vfio/user.h b/hw/vfio/user.h
index 9c3b279839..18a5a40073 100644
--- a/hw/vfio/user.h
+++ b/hw/vfio/user.h
@@ -93,5 +93,6 @@ void vfio_user_set_handler(VFIODevice *vbasedev,
void (*handler)(void *opaque, VFIOUserMsg *msg),
void *reqarg);
bool vfio_user_validate_version(VFIOUserProxy *proxy, Error **errp);
+int vfio_user_get_info(VFIOUserProxy *proxy, struct vfio_device_info *info);
#endif /* VFIO_USER_H */
--
2.34.1