Re: [PATCH v6 06/18] KVM: selftests: Add helper to get host IRQ from device MSI-X for IRQ bypass test

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Buffer truncation when parsing /proc/interrupts causes incorrect IRQ extraction or test crashes on large systems.
--

commit e51d631d9d46231f822d202d28c9466d2c3d253d
Author: David Matlack <dmatlack@google.com>

KVM: selftests: Add helper to get host IRQ from device MSI-X for IRQ bypass test

This commit introduces proc_util.c and proc_util.h to provide utility functions
for interacting with the proc filesystem. It adds vfio_msix_to_host_irq() to
parse /proc/interrupts and find the host Linux IRQ for a given VFIO device BDF
and MSI-X vector.

> diff --git a/tools/testing/selftests/kvm/lib/proc_util.c b/tools/testing/selftests/kvm/lib/proc_util.c
> new file mode 100644
> index 0000000000000..84d30f055a0a9
> --- /dev/null
> +++ b/tools/testing/selftests/kvm/lib/proc_util.c
[ ... ]
> +unsigned int vfio_msix_to_host_irq(const char *device_bdf, int msix)
> +{
> +	char search_string[64];
> +	char line[4096];
> +	int irq = -1;
> +	FILE *fp;
> +
> +	fp = open_proc_interrupts();
> +
> +	snprintf(search_string, sizeof(search_string), "vfio-msix[%d]", msix);
> +
> +	while (fgets(line, sizeof(line), fp)) {
> +		if (strstr(line, device_bdf) && strstr(line, search_string)) {
> +			TEST_ASSERT_EQ(1, sscanf(line, "%d:", &irq));

[Severity: Medium]
Could this fixed-size buffer lead to truncated line parsing on larger systems?

On systems with many CPUs, a single line in /proc/interrupts can exceed 4096
bytes. When this happens, fgets() will split the line into multiple chunks. 

The first chunk will contain the actual IRQ number at the start, but not the 
device_bdf or vfio-msix strings (which are at the end of the line), so it 
will be skipped.

The subsequent chunk will contain the device strings, causing strstr() to
match, but this chunk won't start with the IRQ number. When sscanf() runs
on this later chunk, it could return 0 and cause the TEST_ASSERT_EQ() to
abort the test, or worse, silently parse an interrupt count as the IRQ number,
which could disrupt the host system if the test attempts to change the SMP
affinity of that unrelated IRQ.

> +			break;
> +		}
> +	}
> +
> +	fclose(fp);
> +
> +	TEST_ASSERT(irq != -1, "Failed to locate IRQ for %s %s", device_bdf,
> +		    search_string);
> +	return (unsigned int)irq;
> +}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260610005338.2967132-1-seanjc@google.com?part=6