From: sashiko-bot@kernel.org
To: "Farhan Ali" <alifm@linux.ibm.com>
Cc: "Heiko Carstens" <hca@linux.ibm.com>,
linux-s390@vger.kernel.org, kvm@vger.kernel.org,
"Vasily Gorbik" <gor@linux.ibm.com>,
"Alexander Gordeev" <agordeev@linux.ibm.com>
Subject: Re: [PATCH v1 2/5] KVM: s390: pci: Fix missing error codes and memory unaccounting
Date: Mon, 13 Jul 2026 17:41:25 +0000 [thread overview]
Message-ID: <20260713174126.05FC71F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260713172600.1284-3-alifm@linux.ibm.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] `unaccount_mem()` incorrectly relies on `current` to reverse memory accounting, allowing arbitrary processes to corrupt their own memory limits.
- [High] Unrestricted overwrite of AIF structures on repeated ioctl calls leads to severe memory and resource leaks.
--
--- Patch [2]: [PATCH v1 2/5] KVM: s390: pci: Fix missing error codes and memory unaccounting ---
commit 38461cd36a2d54b4c7ee766e7c866405617494d9
Author: Farhan Ali <alifm@linux.ibm.com>
KVM: s390: pci: Fix missing error codes and memory unaccounting
In kvm_s390_pci_aif_enable(), two error paths failed to set an error code
and did not roll back memory accounting on failure. This commit propagates
the error code and calls unaccount_mem() in the cleanup path.
Fixes: 3c5a1b6f0a18 ("KVM: s390: pci: provide routines for enabling/disabling interrupt forwarding")
> diff --git a/arch/s390/kvm/pci.c b/arch/s390/kvm/pci.c
> index 5bbbb1de4b5a0..42db20c2afca5 100644
> --- a/arch/s390/kvm/pci.c
> +++ b/arch/s390/kvm/pci.c
> @@ -282,14 +282,17 @@ static int kvm_s390_pci_aif_enable(struct zpci_dev *zdev, struct zpci_fib *fib,
> }
>
> /* Account for pinned pages, roll back on failure */
> - if (account_mem(pcount))
> + rc = account_mem(pcount);
> + if (rc)
> goto unpin2;
>
> /* AISB must be allocated before we can fill in GAITE */
> mutex_lock(&aift->aift_lock);
> bit = airq_iv_alloc_bit(aift->sbv);
> - if (bit == -1UL)
> + if (bit == -1UL) {
> + rc = -ENOMEM;
> goto unlock;
> + }
> zdev->aisb = bit; /* store the summary bit number */
> zdev->aibv = airq_iv_create(msi_vecs, AIRQ_IV_DATA |
> AIRQ_IV_BITLOCK |
[Severity: High]
This is a pre-existing issue, but could this unconditional overwrite of
zdev->aibv lead to a memory and resource leak?
If a userspace caller issues the KVM_S390_ZPCIOP_REG_AEN ioctl multiple times
for the same device, kvm_s390_pci_aif_enable() lacks state validation (e.g.,
verifying zdev->kzdev->fib.fmt0.aibv == 0).
Would this cause the code to repeatedly pin new pages, allocate new airq_iv
structures, and blindly overwrite the zdev->aibv and zdev->aisb pointers,
permanently orphaning the previously allocated resources?
> @@ -333,6 +336,8 @@ static int kvm_s390_pci_aif_enable(struct zpci_dev *zdev, struct zpci_fib *fib,
> return rc;
>
> unlock:
> + if (pcount > 0)
> + unaccount_mem(pcount);
[Severity: High]
This isn't a bug introduced by this patch, but does unaccount_mem()
incorrectly rely on current to reverse memory accounting?
If process A pins memory via ioctl (accounting against process A's limits) and
passes the KVM file descriptor to process B, and process B closes it, the
file's .release handler triggers KVM unregistration.
Calling unaccount_mem() in process B's context would subtract from process B's
limits while leaking process A's limits.
Could this allow an unprivileged process to artificially underflow its
locked_vm and pinned_vm limits, bypassing RLIMIT_MEMLOCK and allowing
unlimited memory pinning?
> mutex_unlock(&aift->aift_lock);
> unpin2:
> if (fib->fmt0.sum == 1)
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260713172600.1284-1-alifm@linux.ibm.com?part=2
next prev parent reply other threads:[~2026-07-13 17:41 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-13 17:25 [PATCH v1 0/5] KVM s390x PCI fixes Farhan Ali
2026-07-13 17:25 ` [PATCH v1 1/5] KVM: s390: pci: Fix refcount leak in memory accounting functions Farhan Ali
2026-07-13 17:41 ` sashiko-bot
2026-07-13 17:25 ` [PATCH v1 2/5] KVM: s390: pci: Fix missing error codes and memory unaccounting Farhan Ali
2026-07-13 17:41 ` sashiko-bot [this message]
2026-07-13 17:25 ` [PATCH v1 3/5] KVM: s390: pci: Fix NULL dereference on AIBV allocation failure Farhan Ali
2026-07-13 17:50 ` sashiko-bot
2026-07-13 17:25 ` [PATCH v1 4/5] KVM: s390: pci: Fix resource leak on IRQ registration failure Farhan Ali
2026-07-13 17:43 ` sashiko-bot
2026-07-13 17:26 ` [PATCH v1 5/5] KVM: s390: pci: Fix AIBV and AISB spanning multiple pages Farhan Ali
2026-07-13 17:41 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260713174126.05FC71F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=agordeev@linux.ibm.com \
--cc=alifm@linux.ibm.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=kvm@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.