From: sashiko-bot@kernel.org
To: "Aaron Lewis" <aaronlewis@google.com>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH 3/4] vfio: selftests: Allow a size for vfio_dma_mapping_perf_test
Date: Wed, 01 Jul 2026 20:44:24 +0000 [thread overview]
Message-ID: <20260701204424.CDDF11F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260701203311.326798-4-aaronlewis@google.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [Medium] The -h option and invalid arguments fail to exit the program, causing unintended execution of all tests.
- [Medium] Multiple usages of the '-a' flag overwrite the wordexp structure without WRDE_REUSE, causing memory leaks and dropping previous arguments.
- [Medium] Using size_t for math and return type in parse_size() causes undefined behavior and silent truncation on 32-bit architectures.
--
commit d938d0d26cc3c95a10e15ae011fce57f55a320c9
Author: Aaron Lewis <aaronlewis@google.com>
vfio: selftests: Allow a size for vfio_dma_mapping_perf_test
Allow the user to specify a DMA region size via the command line for
vfio_dma_mapping_perf_test.
> diff --git a/tools/testing/selftests/vfio/vfio_dma_mapping_perf_test.c b/tools/testing/selftests/vfio/vfio_dma_mapping_perf_test.c
> index 4639bda7ebaa3..2d8fc3e8e0787 100644
> --- a/tools/testing/selftests/vfio/vfio_dma_mapping_perf_test.c
> +++ b/tools/testing/selftests/vfio/vfio_dma_mapping_perf_test.c
[ ... ]
> +size_t parse_size(const char *size)
> +{
> + size_t base;
> + char *scale;
> + int shift = 0;
[ ... ]
> + switch (tolower(*scale)) {
> + case 't':
> + shift = 40;
> + break;
[ ... ]
> + VFIO_ASSERT_TRUE((base << shift) >> shift == base,
> + "Overflow scaling size!");
> +
> + return base << shift;
> +}
[Severity: Medium]
On 32-bit architectures where size_t is 32-bit, will shifting a 32-bit integer
by 40 when parsing terabytes cause undefined behavior?
Because compilers can mask over-sized shift counts, the overflow check here
might evaluate as true and silently pass while returning a drastically
truncated size. Should this function use u64 internally and as its return
type to match test_params.size?
[ ... ]
> +static void populate_harness_args(struct harness_args *args, const char *argv_0,
> + const char *cmdlne)
> +{
> + if (wordexp(argv_0, &args->exp, WRDE_NOCMD) == 0 &&
> + wordexp(cmdlne, &args->exp, WRDE_APPEND | WRDE_NOCMD) == 0) {
[Severity: Medium]
If a user passes multiple '-a' flags, does the first wordexp() call without
WRDE_REUSE or WRDE_APPEND leak the previously allocated memory in args->exp?
This also looks like it would discard any arguments appended by earlier '-a'
flags, and potentially leave args->argv pointing to leaked allocations if the
second wordexp() fails.
> + args->argc = args->exp.we_wordc;
> + args->argv = args->exp.we_wordv;
> + }
> +}
> +
> +static void setup_test(struct harness_args *args, int argc, char *argv[])
> +{
> + int opt;
> +
> + test_params = (struct test_params) {
> + .size = SZ_1G,
> + };
> +
> + while ((opt = getopt(argc, argv, "a:b:h")) != -1) {
> + switch (opt) {
[ ... ]
> + case 'h':
> + default:
> + help(argv[0]);
> + goto out;
> + }
> + }
> +
> +out:
> + // Reset getopt() state to allow the test harness to use it.
> + optind = 1;
> +}
[Severity: Medium]
When the '-h' option or an invalid argument is provided, does jumping to 'out'
unintentionally allow the program to continue executing?
Because setup_test() returns normally to main() in this path, main() will
subsequently execute test_harness_run(), which runs the full test suite
immediately after printing the help message instead of terminating.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260701203311.326798-1-aaronlewis@google.com?part=3
next prev parent reply other threads:[~2026-07-01 20:44 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-01 20:33 [PATCH 0/4] Introduce vfio_dma_mapping_perf_test Aaron Lewis
2026-07-01 20:33 ` [PATCH 1/4] vfio: selftests: " Aaron Lewis
2026-07-01 20:44 ` sashiko-bot
2026-07-01 20:33 ` [PATCH 2/4] vfio: selftests: Add memfd test to vfio_dma_mapping_perf_test Aaron Lewis
2026-07-01 20:43 ` sashiko-bot
2026-07-01 20:33 ` [PATCH 3/4] vfio: selftests: Allow a size for vfio_dma_mapping_perf_test Aaron Lewis
2026-07-01 20:44 ` sashiko-bot [this message]
2026-07-01 20:33 ` [PATCH 4/4] vfio: selftests: Allow the flag MAP_POPULATE to be set on the cmdline Aaron Lewis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260701204424.CDDF11F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=aaronlewis@google.com \
--cc=kvm@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.