From: sashiko-bot@kernel.org
To: "Farhan Ali" <alifm@linux.ibm.com>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH v15 6/7] vfio/pci: Add a reset_done callback for vfio-pci driver
Date: Tue, 05 May 2026 23:56:37 +0000
Message-ID: <20260505235638.3F6CDC2BCB4@smtp.kernel.org>
In-Reply-To: <20260505200510.2954-7-alifm@linux.ibm.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [Critical] Concurrent execution of `vfio_pci_core_aer_reset_done` and `vfio_pci_core_disable` leads to an exploitable Use-After-Free on `vdev->pci_saved_state`.
- [High] The return value of `pci_load_saved_state()` is ignored, potentially pushing corrupted state to the hardware.
- [Medium] The state recovery logic is marked `static`, depriving vendor-specific VFIO PCI drivers of the feature.
--
commit 50af2d4f1aef440c94cd13a26e090b9661198f8c
Author: Farhan Ali <alifm@linux.ibm.com>
vfio/pci: Add a reset_done callback for vfio-pci driver
On error recovery for a PCI device bound to the vfio-pci driver, this
commit attempts to restore the device state to its initial saved state
by adding a reset_done callback.
> diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
> index f47a49ca67fae..6358b59fab2b1 100644
> --- a/drivers/vfio/pci/vfio_pci_core.c
> +++ b/drivers/vfio/pci/vfio_pci_core.c
[ ... ]
> @@ -2255,6 +2255,17 @@ pci_ers_result_t vfio_pci_core_aer_err_detected(struct pci_dev *pdev,
> }
> EXPORT_SYMBOL_GPL(vfio_pci_core_aer_err_detected);
>
> +static void vfio_pci_core_aer_reset_done(struct pci_dev *pdev)
Vendor-specific VFIO PCI drivers sometimes override the .reset_done callback
in their pci_error_handlers. Should this function be exported instead of
static, so that vendor drivers can also invoke the core framework's state
restoration?
> +{
> + struct vfio_pci_core_device *vdev = dev_get_drvdata(&pdev->dev);
> +
> + if (!vdev->pci_saved_state)
> + return;
> +
Is there a race condition here between the AER recovery thread and the VFIO
device close path?
The AER thread invokes vfio_pci_core_aer_reset_done() holding
device_lock(&pdev->dev), but without VFIO-specific locks like dev_set->lock.
Concurrently, closing the VFIO device file descriptor invokes the disable
path:
vfio_pci_core_close_device() -> vfio_pci_core_disable()
The disable path runs with dev_set->lock held, but without
device_lock(&pdev->dev), and it frees the saved state:
pci_load_and_free_saved_state(pdev, &vdev->pci_saved_state)
Could vdev->pci_saved_state be freed immediately after the check here,
causing a use-after-free when it is passed to pci_load_saved_state() below?
> + pci_load_saved_state(pdev, vdev->pci_saved_state);
> + pci_restore_state(pdev);
Can pci_load_saved_state() fail and return an error?
If it returns an error, such as -EINVAL for capability size mismatches,
dev->state_saved remains false and the capability buffers may only be
partially copied.
Since the return value is ignored here, does calling pci_restore_state(pdev)
immediately afterward risk pushing partially populated or corrupted state back
to the hardware?
> +}
> +
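Review bot: vfio_pci_core_aer_reset_done() has no comment stating why the device is returned to the initial saved state named in the commit message rather than whatever the guest last programmed, and pci_restore_state() is called unconditionally even though pci_load_saved_state() can return an error. Consider a short comment above the function recording that intent, and bail out when the load fails so a partially copied capability buffer is never written back to the device:
    if (pci_load_saved_state(pdev, vdev->pci_saved_state))
        return;
    pci_restore_state(pdev);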
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260505200510.2954-1-alifm@linux.ibm.com?part=6
Thread overview: 17+ messages
2026-05-05 20:05 [PATCH v15 0/7] Error recovery for vfio-pci devices on s390x Farhan Ali
2026-05-05 20:05 ` [PATCH v15 1/7] PCI: Allow per function PCI slots to fix slot reset on s390 Farhan Ali
2026-05-05 21:29 ` sashiko-bot
2026-05-05 20:05 ` [PATCH v15 2/7] PCI: Avoid saving config space state if inaccessible Farhan Ali
2026-05-05 21:58 ` sashiko-bot
2026-05-05 20:05 ` [PATCH v15 3/7] PCI: Fail FLR when config space is inaccessible Farhan Ali
2026-05-05 22:20 ` sashiko-bot
2026-05-05 20:05 ` [PATCH v15 4/7] s390/pci: Store PCI error information for passthrough devices Farhan Ali
2026-05-05 22:56 ` sashiko-bot
2026-05-06 9:38 ` Niklas Schnelle
2026-05-06 17:20 ` Farhan Ali
2026-05-08 19:58 ` Niklas Schnelle
2026-05-05 20:05 ` [PATCH v15 5/7] vfio-pci/zdev: Add a device feature for error information Farhan Ali
2026-05-05 23:27 ` sashiko-bot
2026-05-05 20:05 ` [PATCH v15 6/7] vfio/pci: Add a reset_done callback for vfio-pci driver Farhan Ali
2026-05-05 23:56 ` sashiko-bot [this message]
2026-05-05 20:05 ` [PATCH v15 7/7] vfio/pci: Remove the pcie check for VFIO_PCI_ERR_IRQ_INDEX Farhan Ali