Re: [PATCH v4 10/10] vfio/pci: Add dma-buf export support for MMIO regions

[Alex Williamson]

On Sun, 28 Sep 2025 17:50:20 +0300
Leon Romanovsky <l...@kernel.org> wrote:
> +static int validate_dmabuf_input(struct vfio_pci_core_device *vdev,
> +                              struct vfio_device_feature_dma_buf *dma_buf,
> +                              struct vfio_region_dma_range *dma_ranges,
> +                              struct p2pdma_provider **provider)
> +{
> +     struct pci_dev *pdev = vdev->pdev;
> +     u32 bar = dma_buf->region_index;
> +     resource_size_t bar_size;
> +     u64 sum;
> +     int i;
> +
> +     if (dma_buf->flags)
> +             return -EINVAL;
> +     /*
> +      * For PCI the region_index is the BAR number like  everything else.
> +      */
> +     if (bar >= VFIO_PCI_ROM_REGION_INDEX)
> +             return -ENODEV;
> +
> +     *provider = pcim_p2pdma_provider(pdev, bar);
> +     if (!provider)

This needs to be IS_ERR_OR_NULL() or the function needs to settle on a
consistent error return value regardless of CONFIG_PCI_P2PDMA.

> +             return -EINVAL;
> +
> +     bar_size = pci_resource_len(pdev, bar);

We get to this feature via vfio_pci_core_ioctl_feature(), which is used
by several variant drivers, some of which mangle the BAR size exposed
to the user, ex. hisi_acc.  I'm afraid this might actually be giving
dmabuf access to a portion of the BAR that isn't exposed otherwise.

> +     for (i = 0; i < dma_buf->nr_ranges; i++) {
> +             u64 offset = dma_ranges[i].offset;
> +             u64 len = dma_ranges[i].length;
> +
> +             if (!PAGE_ALIGNED(offset) || !PAGE_ALIGNED(len))
> +                     return -EINVAL;
> +
> +             if (check_add_overflow(offset, len, &sum) || sum > bar_size)
> +                     return -EINVAL;
> +     }
> +
> +     return 0;
> +}
> +
> +int vfio_pci_core_feature_dma_buf(struct vfio_pci_core_device *vdev, u32 
> flags,
> +                               struct vfio_device_feature_dma_buf __user 
> *arg,
> +                               size_t argsz)
> +{
> +     struct vfio_device_feature_dma_buf get_dma_buf = {};
> +     struct vfio_region_dma_range *dma_ranges;
> +     DEFINE_DMA_BUF_EXPORT_INFO(exp_info);
> +     struct p2pdma_provider *provider;
> +     struct vfio_pci_dma_buf *priv;
> +     int ret;
> +
> +     ret = vfio_check_feature(flags, argsz, VFIO_DEVICE_FEATURE_GET,
> +                              sizeof(get_dma_buf));
> +     if (ret != 1)
> +             return ret;
> +
> +     if (copy_from_user(&get_dma_buf, arg, sizeof(get_dma_buf)))
> +             return -EFAULT;
> +
> +     if (!get_dma_buf.nr_ranges)
> +             return -EINVAL;
> +
> +     dma_ranges = memdup_array_user(&arg->dma_ranges, get_dma_buf.nr_ranges,
> +                                    sizeof(*dma_ranges));
> +     if (IS_ERR(dma_ranges))
> +             return PTR_ERR(dma_ranges);
> +
> +     ret = validate_dmabuf_input(vdev, &get_dma_buf, dma_ranges, &provider);
> +     if (ret)
> +             return ret;

goto err_free_ranges;

Thanks,
Alex