From: sashiko-bot@kernel.org
To: "Yousef Alhouseen" <alhouseenyousef@gmail.com>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH] vfio/type1: validate dirty bitmap page size before use
Date: Wed, 24 Jun 2026 19:25:55 +0000 [thread overview]
Message-ID: <20260624192556.669BB1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260624191204.3774-1-alhouseenyousef@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Calling `__ffs()` and `__fls()` with an argument of 0 results in undefined behavior when userspace passes `dirty.flags = 0`.
--
commit 38ca5c3a7cef062b9bd643fc4332459f28940553
Author: Yousef Alhouseen <alhouseenyousef@gmail.com>
vfio/type1: validate dirty bitmap page size before use
The dirty bitmap ioctl paths derive a shift with __ffs() from the userspace
supplied bitmap page size before comparing it with the IOMMU page size. A zero
page size has undefined behavior, and a non-power-of-2 value makes the bitmap
size check use a different granularity than the page size later accepted by
the ioctl.
> diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
> index c8151ba54de33..9499381d06a20 100644
> --- a/drivers/vfio/vfio_iommu_type1.c
> +++ b/drivers/vfio/vfio_iommu_type1.c
[ ... ]
> @@ -3039,6 +3043,9 @@ static int vfio_iommu_type1_dirty_pages(struct vfio_iommu *iommu,
[Severity: High]
This isn't a bug introduced by this patch, but does calling __ffs() and
__fls() with an argument of 0 result in undefined behavior when userspace
passes dirty.flags set to 0?
In vfio_iommu_type1_dirty_pages():
if (dirty.argsz < minsz || dirty.flags & ~mask)
return -EINVAL;
/* only one flag should be set at a time */
if (__ffs(dirty.flags) != __fls(dirty.flags))
return -EINVAL;
If dirty.flags is 0, the mask check evaluates to 0 and passes, allowing
__ffs(0) and __fls(0) to execute. Since these macros map to __builtin_ctzl
and __builtin_clzl, this results in undefined behavior.
Could this be triggered by userspace to cause a denial of service?
> range.bitmap.size))
> return -EINVAL;
>
> + if (!is_power_of_2(range.bitmap.pgsize))
> + return -EINVAL;
> +
> pgshift = __ffs(range.bitmap.pgsize);
> ret = verify_bitmap_size(size >> pgshift,
> range.bitmap.size);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260624191204.3774-1-alhouseenyousef@gmail.com?part=1
prev parent reply other threads:[~2026-06-24 19:25 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-24 19:12 [PATCH] vfio/type1: validate dirty bitmap page size before use Yousef Alhouseen
2026-06-24 19:22 ` Alex Williamson
2026-06-24 19:25 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260624192556.669BB1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=alhouseenyousef@gmail.com \
--cc=kvm@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.