* [PATCH 1/2] vfio-user: reject zero DMA page size capability
From: zhaoguohan @ 2026-05-22 8:13 UTC (permalink / raw)
To: John Levon, Thanos Makatos, Cédric Le Goater; +Cc: qemu-devel
From: GuoHan Zhao <zhaoguohan@kylinos.cn>
check_pgsizes() validates that no page-size bits smaller than
VFIO_USER_DEF_PGSIZE are set, but it still accepts pgsizes=0. This lets a
malformed server overwrite the default page-size mask with zero.
Later vfio_user_setup() asserts that proxy->dma_pgsizes is non-zero, so device
realization aborts instead of reporting a version capability error. Reject a
zero DMA page-size mask during version capability parsing.
Fixes: 36227628d824 (vfio-user: implement message send infrastructure)
Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
---
hw/vfio-user/proxy.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/hw/vfio-user/proxy.c b/hw/vfio-user/proxy.c
index 8b7cc36231ab..7c3036ec83c5 100644
--- a/hw/vfio-user/proxy.c
+++ b/hw/vfio-user/proxy.c
@@ -1155,9 +1155,11 @@ static bool check_pgsizes(VFIOUserProxy *proxy, QObject *qobj, Error **errp)
return false;
}
- /* must be larger than default */
- if (pgsizes & (VFIO_USER_DEF_PGSIZE - 1)) {
- error_setg(errp, "pgsize 0x%"PRIx64" too small", pgsizes);
+ /* must not be zero or smaller than default */
+ if (pgsizes < VFIO_USER_DEF_PGSIZE ||
+ (pgsizes & (VFIO_USER_DEF_PGSIZE - 1))) {
+ error_setg(errp, "%s 0x%"PRIx64" too small",
+ VFIO_USER_CAP_PGSIZES, pgsizes);
return false;
}
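Review bot: the added `pgsizes < VFIO_USER_DEF_PGSIZE` test in check_pgsizes() can only ever fire for pgsizes == 0, since any non-zero value below the default has a bit below VFIO_USER_DEF_PGSIZE and is already rejected by the mask test on the next line; writing it as `pgsizes == 0` (or saying in the comment that zero is the only extra case) would make the intent from the commit message explicit. Reporting zero as "too small" is also accurate but vague; a dedicated "must not be zero" message would point the server author at the real fault.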
--
2.43.0
* [PATCH 2/2] vfio-user: reject zero migration page size capability
From: zhaoguohan @ 2026-05-22 8:13 UTC (permalink / raw)
To: John Levon, Thanos Makatos, Cédric Le Goater; +Cc: qemu-devel
From: GuoHan Zhao <zhaoguohan@kylinos.cn>
check_migr_pgsize() validates that no page-size bits smaller than
VFIO_USER_DEF_PGSIZE are set, but it still accepts pgsize=0. This can replace
the default migration page size with an unusable value.
Reject a zero migration page size during version capability parsing, matching
the lower-bound check used for the DMA page-size capability.
Fixes: 36227628d824 (vfio-user: implement message send infrastructure)
Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
---
hw/vfio-user/proxy.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/hw/vfio-user/proxy.c b/hw/vfio-user/proxy.c
index 7c3036ec83c5..96a9bbeefcd3 100644
--- a/hw/vfio-user/proxy.c
+++ b/hw/vfio-user/proxy.c
@@ -1081,9 +1081,11 @@ static bool check_migr_pgsize(VFIOUserProxy *proxy, QObject *qobj, Error **errp)
return false;
}
- /* must be larger than default */
- if (pgsize & (VFIO_USER_DEF_PGSIZE - 1)) {
- error_setg(errp, "pgsize 0x%"PRIx64" too small", pgsize);
+ /* must not be zero or smaller than default */
+ if (pgsize < VFIO_USER_DEF_PGSIZE ||
+ (pgsize & (VFIO_USER_DEF_PGSIZE - 1))) {
+ error_setg(errp, "%s 0x%"PRIx64" too small",
+ VFIO_USER_CAP_PGSIZE, pgsize);
return false;
}
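Review bot: check_migr_pgsize() validates a single page size rather than a mask, but the hunk only checks the lower bound and alignment to VFIO_USER_DEF_PGSIZE, so a value with two size bits set (for example 0x3000) still passes even though it is not a usable page size. Since the commit message's goal is to reject an "unusable value", consider adding an is_power_of_2(pgsize) check alongside the new lower bound.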
--
2.43.0
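The two lower-bound checks in this series share one shape, so one added example covers both patches: it models the pre- and post-patch tests from check_pgsizes() (and, identically, check_migr_pgsize()) together with the later assert in vfio_user_setup(), to show that a server-supplied zero mask used to reach the assert and now fails capability parsing instead. This is example code written for this page, not QEMU's own; the value of VFIO_USER_DEF_PGSIZE, the proxy struct and the negotiate()/setup_would_abort() helpers are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define VFIO_USER_DEF_PGSIZE 4096ULL /* assumed value for this example */
struct proxy { uint64_t dma_pgsizes; };
/* Pre-patch check: only bits below the default are rejected, so 0 passes. */
static bool old_pgsizes_ok(uint64_t pgsizes)
{
    return (pgsizes & (VFIO_USER_DEF_PGSIZE - 1)) == 0;
}
/* Post-patch check: zero (and anything below the default) is rejected too;
 * check_migr_pgsize() applies the same test to the migration page size. */
static bool new_pgsizes_ok(uint64_t pgsizes)
{
    if (pgsizes < VFIO_USER_DEF_PGSIZE ||
        (pgsizes & (VFIO_USER_DEF_PGSIZE - 1))) {
        return false;
    }
    return true;
}
/* Models capability parsing: a value that passes replaces the default mask,
 * a failing one is reported as a capability error. */
static bool negotiate(struct proxy *p, uint64_t server_pgsizes, bool use_fix)
{
    p->dma_pgsizes = VFIO_USER_DEF_PGSIZE;
    bool ok = use_fix ? new_pgsizes_ok(server_pgsizes)
                      : old_pgsizes_ok(server_pgsizes);
    if (!ok) {
        return false;
    }
    p->dma_pgsizes = server_pgsizes;
    return true;
}
/* Models the assert in vfio_user_setup(): true means it would fire. */
static bool setup_would_abort(const struct proxy *p)
{
    return p->dma_pgsizes == 0;
}

int main(void)
{
    struct proxy p; /* constructed input: a server advertising pgsizes=0 */
    for (int fix = 0; fix < 2; fix++) {
        bool ok = negotiate(&p, 0, fix);
        printf("%s: negotiate=%s abort=%s\n", fix ? "new" : "old",
               ok ? "ok" : "error", setup_would_abort(&p) ? "yes" : "no");
    }
    return 0;
}
```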
* Re: [PATCH 1/2] vfio-user: reject zero DMA page size capability
From: John Levon @ 2026-05-26 8:52 UTC (permalink / raw)
To: zhaoguohan; +Cc: Thanos Makatos, Cédric Le Goater, qemu-devel
On Fri, May 22, 2026 at 04:13:05PM +0800, zhaoguohan@kylinos.cn wrote:
> check_pgsizes() validates that no page-size bits smaller than
> VFIO_USER_DEF_PGSIZE are set, but it still accepts pgsizes=0. This lets a
> malformed server overwrite the default page-size mask with zero.
>
> Later vfio_user_setup() asserts that proxy->dma_pgsizes is non-zero, so device
> realization aborts instead of reporting a version capability error. Reject a
> zero DMA page-size mask during version capability parsing.
>
> Fixes: 36227628d824 (vfio-user: implement message send infrastructure)
> Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
> ---
> hw/vfio-user/proxy.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/hw/vfio-user/proxy.c b/hw/vfio-user/proxy.c
> index 8b7cc36231ab..7c3036ec83c5 100644
> --- a/hw/vfio-user/proxy.c
> +++ b/hw/vfio-user/proxy.c
> @@ -1155,9 +1155,11 @@ static bool check_pgsizes(VFIOUserProxy *proxy, QObject *qobj, Error **errp)
> return false;
> }
>
> - /* must be larger than default */
> - if (pgsizes & (VFIO_USER_DEF_PGSIZE - 1)) {
> - error_setg(errp, "pgsize 0x%"PRIx64" too small", pgsizes);
> + /* must not be zero or smaller than default */
> + if (pgsizes < VFIO_USER_DEF_PGSIZE ||
> + (pgsizes & (VFIO_USER_DEF_PGSIZE - 1))) {
> + error_setg(errp, "%s 0x%"PRIx64" too small",
> + VFIO_USER_CAP_PGSIZES, pgsizes);
> return false;
> }
>
Reviewed-by: John Levon <john.levon@nutanix.com>
* Re: [PATCH 1/2] vfio-user: reject zero DMA page size capability
From: Michael Tokarev @ 2026-05-28 5:52 UTC (permalink / raw)
To: zhaoguohan, John Levon, Thanos Makatos, Cédric Le Goater
Cc: qemu-devel, qemu-stable
On 22.05.2026 11:13, zhaoguohan@kylinos.cn wrote:
> From: GuoHan Zhao <zhaoguohan@kylinos.cn>
>
> check_pgsizes() validates that no page-size bits smaller than
> VFIO_USER_DEF_PGSIZE are set, but it still accepts pgsizes=0. This lets a
> malformed server overwrite the default page-size mask with zero.
>
> Later vfio_user_setup() asserts that proxy->dma_pgsizes is non-zero, so device
> realization aborts instead of reporting a version capability error. Reject a
> zero DMA page-size mask during version capability parsing.
>
> Fixes: 36227628d824 (vfio-user: implement message send infrastructure)
> Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
This smells like qemu-stable material (11.0.x).
I'm picking this and patch 2/2 for stable-11.0 branch.
Please let me know if I shouldn't.
Thanks,
/mjt