From: sashiko-bot@kernel.org
To: "Steffen Eiden" <seiden@linux.ibm.com>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH v3 01/27] VFIO: take reference to the KVM module
Date: Fri, 29 May 2026 16:49:05 +0000
Message-ID: <20260529164906.73ACF1F00893@smtp.kernel.org>
In-Reply-To: <20260529155050.2902245-2-seiden@linux.ibm.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Unconditional KVM reference overwrite and subsequent premature release in the VFIO cdev bind error path.
--
commit 0e9c12cfda2c8eedbfdfe11e2a9a3b8ef09209f4
Author: Paolo Bonzini <pbonzini@redhat.com>
VFIO: take reference to the KVM module
VFIO implicitly took a reference to the KVM module via symbol_get and
symbol_put. In preparation for removing these, this patch stores a pointer
to the KVM module and uses module_get()/module_put() to keep KVM alive.
> diff --git a/drivers/vfio/vfio_main.c b/drivers/vfio/vfio_main.c
> index 6222376ab6ab5..78b9cad348b19 100644
> --- a/drivers/vfio/vfio_main.c
> +++ b/drivers/vfio/vfio_main.c
[ ... ]
> @@ -490,6 +496,8 @@ void vfio_device_put_kvm(struct vfio_device *device)
>
> clear:
> device->kvm = NULL;
> + module_put(device->kvm_module);
> + device->kvm_module = NULL;
> }
> #endif
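Review bot: the module_put(device->kvm_module) added at the clear: label is unconditional, so it stays balanced only if every path that sets device->kvm_module also took the module reference the commit message describes and clears both fields together; since the get side is outside this hunk, consider a comment at clear: stating that kvm and kvm_module are set and cleared as a pair, or a WARN_ON_ONCE() placed before `device->kvm = NULL;` for device->kvm_module being set while device->kvm is not, so an imbalance is reported at the point of release instead of surfacing later as a module refcount underflow. Putting the module_put() after `device->kvm = NULL;` is the right order, as the module must stay pinned until the last use of the KVM pointer.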
[Severity: High]
This isn't a bug introduced by this patch, but does this change exacerbate
a bug in the cdev bind error path by adding a module_put() underflow?
In vfio_df_ioctl_bind_iommufd(), if a second bind attempt is made on an
already-open device via a new file descriptor, the code unconditionally
calls vfio_df_get_kvm_safe() before checking device->open_count:
vfio_df_get_kvm_safe(df);
ret = vfio_df_open(df);
if (ret)
	goto out_put_kvm;
If the new descriptor's kvm is populated, vfio_device_get_kvm_safe() blindly
overwrites device->kvm and device->kvm_module, leaking the prior references
held by the first valid bind.
If the new descriptor's kvm is NULL, vfio_device_get_kvm_safe() returns early,
leaving device->kvm still pointing to the first descriptor's KVM.
Then vfio_df_open() predictably fails with -EINVAL because
device->open_count != 0, and the error path jumps to out_put_kvm:
out_put_kvm:
	vfio_device_put_kvm(device);
This drops the KVM references and clears device->kvm to NULL. This destroys
the KVM association for the initially bound, actively running process, and
could lead to a use-after-free of KVM structures.
By adding module_put(device->kvm_module) to vfio_device_put_kvm(), does this
also cause a module reference underflow for the actively running process?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260529155050.2902245-1-seiden@linux.ibm.com?part=1
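To make the reference imbalance described in this review concrete, the following is an added userspace model, not kernel code and not part of the patch: the model_* functions and the mmodule/mdev/mdf structs are hypothetical stand-ins, model_second_bind(0) replays the sequence the review describes (refs taken before open_count is checked), and model_second_bind(1) moves the open_count check ahead of the get.

```c
/* Added userspace model of the bind sequence discussed above; all names are
 * hypothetical stand-ins for the VFIO/KVM structures, not kernel code. */
#include <stddef.h>
struct mmodule { int refs; };                        /* stands in for struct module */
struct mdev { void *kvm; struct mmodule *kvm_module; int open_count; };
struct mdf { struct mdev *dev; void *kvm; };         /* per-descriptor (cdev fd) state */
static struct mmodule kvm_mod;                       /* the model's KVM module */
int model_kvm_set;                                   /* device->kvm != NULL after a run */
/* Get path: return early when the fd has no KVM, else take a module ref and overwrite. */
static void model_get_kvm_safe(struct mdf *df)
{
	if (!df->kvm)
		return;
	kvm_mod.refs++;                              /* module_get() */
	df->dev->kvm = df->kvm;
	df->dev->kvm_module = &kvm_mod;
}
/* Put path as in the hunk: clear device->kvm, then module_put(). */
static void model_put_kvm(struct mdev *d)
{
	d->kvm = NULL;
	if (d->kvm_module)                           /* module_put() is NULL-safe */
		d->kvm_module->refs--;
	d->kvm_module = NULL;
}
/* Bind as described in the review; guarded=1 checks open_count before the get. */
static int model_bind(struct mdf *df, int guarded)
{
	if (guarded && df->dev->open_count)
		return -1;
	model_get_kvm_safe(df);
	if (df->dev->open_count) {                   /* vfio_df_open() fails, -EINVAL */
		model_put_kvm(df->dev);              /* out_put_kvm: */
		return -1;
	}
	df->dev->open_count++;
	return 0;
}
/* First fd binds with KVM; a second fd without KVM then fails to bind. Returns the
 * module refcount left for the still-running first binder. */
int model_second_bind(int guarded)
{
	int token;                                   /* any non-NULL stands in for struct kvm */
	struct mdev dev = { NULL, NULL, 0 };
	struct mdf first = { &dev, &token }, second = { &dev, NULL };
	kvm_mod.refs = 0;
	model_bind(&first, guarded);
	model_bind(&second, guarded);
	model_kvm_set = dev.kvm != NULL;
	return kvm_mod.refs;
}
```

In the unguarded run the failed second bind leaves the module refcount at 0 and device->kvm cleared while the first binder is still open; with the check moved ahead of the get, the first binder keeps its reference and its KVM association.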