authorJohn Levon <john.levon@nutanix.com>2021-06-01 15:14:46 +0100
committerGitHub <noreply@github.com>2021-06-01 15:14:46 +0100
commit9c37a1813b65899ad3b0288a51b0cf1c372ee775 (patch)
tree3cdf95f941ec40788ff64957542cd74c72c988f1 /lib
parent96ec963075e721c939441eaf0b92ea2a24b65668 (diff)
limit max DMA region size (#545)
Since the dirty bitmap in message replies is allocated based upon the maximum size of an individual region, add a limit (somewhat arbitrarily 8TiB, which is a bitmap size of 256MiB). Add a couple of basic tests on the two DMA limits. Signed-off-by: John Levon <john.levon@nutanix.com> Reviewed-by: Thanos Makatos <thanos.makatos@nutanix.com>
Diffstat (limited to 'lib')
-rw-r--r--lib/common.h1
-rw-r--r--lib/dma.c11
-rw-r--r--lib/dma.h3
-rw-r--r--lib/libvfio-user.c7
-rw-r--r--lib/private.h10
5 files changed, 24 insertions, 8 deletions
diff --git a/lib/common.h b/lib/common.h
index a56a0f0..599759f 100644
--- a/lib/common.h
+++ b/lib/common.h
@@ -43,6 +43,7 @@
#define UNUSED __attribute__((unused))
#define EXPORT __attribute__((visibility("default")))
+#define ONE_TB (1024UL * 1024 * 1024 * 1024)
#define PAGE_SIZE (size_t)sysconf(_SC_PAGE_SIZE)
#define PAGE_ALIGNED(x) (((x) & ((typeof(x))(PAGE_SIZE) - 1)) == 0)
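Review bot: `ONE_TB` is built from `1024UL`, so on any target where `unsigned long` is 32 bits the product wraps to 0. `MAX_DMA_SIZE` in private.h would then silently become 0, and the new size check in dma.c would reject every non-empty region. If only LP64 builds are supported, enforce that next to the macro with `_Static_assert(sizeof(size_t) >= 8, "MAX_DMA_SIZE needs a 64-bit size_t");`. Otherwise use `1024ULL` and carry the limit in a 64-bit type rather than `size_t`.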
diff --git a/lib/dma.c b/lib/dma.c
index 32014f0..b76c18c 100644
--- a/lib/dma.c
+++ b/lib/dma.c
@@ -71,7 +71,7 @@ fds_are_same_file(int fd1, int fd2)
}
dma_controller_t *
-dma_controller_create(vfu_ctx_t *vfu_ctx, int max_regions)
+dma_controller_create(vfu_ctx_t *vfu_ctx, size_t max_regions, size_t max_size)
{
dma_controller_t *dma;
@@ -83,7 +83,8 @@ dma_controller_create(vfu_ctx_t *vfu_ctx, int max_regions)
}
dma->vfu_ctx = vfu_ctx;
- dma->max_regions = max_regions;
+ dma->max_regions = (int)max_regions;
+ dma->max_size = max_size;
dma->nregions = 0;
memset(dma->regions, 0, max_regions * sizeof(dma->regions[0]));
dma->dirty_pgsize = 0;
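Review bot: `dma->max_regions = (int)max_regions;` narrows a `size_t` into the `int` field that dma.h keeps, while the `memset` two lines below still uses the un-narrowed value, so the two can disagree for a large argument. The only caller visible in this commit passes `MAX_DMA_REGIONS` (16), so this is a consistency point rather than a live bug. Either change the field (and `nregions`) to `size_t`, or make the assumption explicit with `assert(max_regions <= INT_MAX);` before the cast. The allocation that sizes `dma->regions` is above the hunk and not visible here.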
@@ -298,6 +299,12 @@ MOCK_DEFINE(dma_controller_add_region)(dma_controller_t *dma,
snprintf(rstr, sizeof(rstr), "[%p, %p) fd=%d offset=%#lx prot=%#x",
dma_addr, (char *)dma_addr + size, fd, offset, prot);
+ if (size > dma->max_size) {
+ vfu_log(dma->vfu_ctx, LOG_ERR, "DMA region size %zu > max %zu",
+ size, dma->max_size);
+ return ERROR_INT(ENOSPC);
+ }
+
for (idx = 0; idx < dma->nregions; idx++) {
region = &dma->regions[idx];
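Review bot: The new check bounds `size` but not the end address: `(char *)dma_addr + size`, already computed for `rstr` just above, can still wrap when the client-supplied address is near the top of the address space. If that is not rejected elsewhere (the rest of `dma_controller_add_region`, including the body of the per-region loop, is outside the hunk), add `if ((uintptr_t)dma_addr + size < (uintptr_t)dma_addr) return ERROR_INT(EINVAL);` next to the size check. Both checks would also sit better above the `snprintf`, so the pointer arithmetic is never performed on an unvalidated size.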
diff --git a/lib/dma.h b/lib/dma.h
index 9798de9..082ca46 100644
--- a/lib/dma.h
+++ b/lib/dma.h
@@ -92,6 +92,7 @@ typedef struct {
typedef struct dma_controller {
int max_regions;
+ size_t max_size;
int nregions;
struct vfu_ctx *vfu_ctx;
size_t dirty_pgsize; // Dirty page granularity
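Review bot: `max_size` has no comment saying what it limits or in which unit, unlike `dirty_pgsize` two lines below. Since it gates client-supplied region sizes, spell that out: `size_t max_size; // Largest single DMA region accepted, in bytes`. The struct definition continues past the end of this hunk.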
@@ -99,7 +100,7 @@ typedef struct dma_controller {
} dma_controller_t;
dma_controller_t *
-dma_controller_create(vfu_ctx_t *vfu_ctx, int max_regions);
+dma_controller_create(vfu_ctx_t *vfu_ctx, size_t max_regions, size_t max_size);
void
dma_controller_remove_all_regions(dma_controller_t *dma,
diff --git a/lib/libvfio-user.c b/lib/libvfio-user.c
index c569714..452b15f 100644
--- a/lib/libvfio-user.c
+++ b/lib/libvfio-user.c
@@ -671,9 +671,7 @@ handle_dirty_pages_get(vfu_ctx_t *vfu_ctx, vfu_msg_t *msg)
return -1;
}
- /*
- * FIXME: this is unbounded until we can limit the maximum DMA region size.
- */
+ /* NB: this is bound by MAX_DMA_SIZE. */
argsz = sizeof(*dirty_pages_out) + sizeof(*range_out) +
range_in->bitmap.size;
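Review bot: The replacement comment claims `argsz` is bounded by `MAX_DMA_SIZE`, but `range_in->bitmap.size` comes from the client's message and nothing visible in this hunk compares it with that limit before it is added into `argsz`. The check added in dma.c caps the size of a registered region, not the bitmap size a client later requests. Unless an earlier check in `handle_dirty_pages_get` (outside the hunk) validates the field, the reply size is still client-controlled. Consider rejecting the request when `range_in->bitmap.size` exceeds the bitmap size implied by `MAX_DMA_SIZE` (256MB at a 4K page size, per the private.h comment) before computing `argsz`, and have the comment say where that check lives.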
@@ -1506,7 +1504,8 @@ vfu_setup_device_dma(vfu_ctx_t *vfu_ctx, vfu_dma_register_cb_t *dma_register,
assert(vfu_ctx != NULL);
// Create the internal DMA controller.
- vfu_ctx->dma = dma_controller_create(vfu_ctx, VFU_DMA_REGIONS);
+ vfu_ctx->dma = dma_controller_create(vfu_ctx, MAX_DMA_REGIONS,
+ MAX_DMA_SIZE);
if (vfu_ctx->dma == NULL) {
return ERROR_INT(errno);
}
diff --git a/lib/private.h b/lib/private.h
index c9a8af7..c7c0627 100644
--- a/lib/private.h
+++ b/lib/private.h
@@ -35,8 +35,16 @@
#include <errno.h>
-#include "pci_caps.h"
#include "common.h"
+#include "pci_caps.h"
+
+/*
+ * The main reason we limit the size of an individual DMA region from the client
+ * is to limit the size of the dirty bitmaps: this corresponds to 256MB at a 4K
+ * page size.
+ */
+#define MAX_DMA_SIZE (8 * ONE_TB)
+#define MAX_DMA_REGIONS 16
#define SERVER_MAX_MSG_SIZE 65536