From: sashiko-bot@kernel.org
To: "Eric Farman" <farman@linux.ibm.com>
Cc: "Alexander Gordeev" <agordeev@linux.ibm.com>,
kvm@vger.kernel.org, linux-s390@vger.kernel.org,
"Heiko Carstens" <hca@linux.ibm.com>,
"Vasily Gorbik" <gor@linux.ibm.com>
Subject: Re: [PATCH v1 5/6] s390/vfio_ccw: ensure index for read/write regions are within range
Date: Tue, 14 Jul 2026 23:45:03 +0000 [thread overview]
Message-ID: <20260714234503.7C5661F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260714232208.1683788-6-farman@linux.ibm.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Flawed usage of `array_index_nospec()` incorrectly clamps out-of-bounds indices to 0 before a subtraction, leading to a speculative integer underflow and out-of-bounds array access.
--
--- Patch [5]: [PATCH v1 5/6] s390/vfio_ccw: ensure index for read/write regions are within range ---
commit f00821fcd31baacca490cf51ca9a9206a56fdf45
Author: Eric Farman <farman@linux.ibm.com>
s390/vfio_ccw: ensure index for read/write regions are within range
The introduction of the capability chain clamped the region indexes to the
range of the capabilities itself, but neglected to do so for the existing
read/write regions. This commit enforces the same checks for those regions.
> --- a/drivers/s390/cio/vfio_ccw_ops.c
> +++ b/drivers/s390/cio/vfio_ccw_ops.c
> @@ -245,6 +245,8 @@ static ssize_t vfio_ccw_mdev_read(struct vfio_device *vdev,
> if (index >= VFIO_CCW_NUM_REGIONS + private->num_regions)
> return -EINVAL;
>
> + index = array_index_nospec(index, VFIO_CCW_NUM_REGIONS + private->num_regions);
> +
> switch (index) {
> case VFIO_CCW_CONFIG_REGION_INDEX:
> return vfio_ccw_mdev_read_io_region(private, buf, count, ppos);
> default:
> index -= VFIO_CCW_NUM_REGIONS;
> return private->region[index].ops->read(private, buf, count,
> ppos);
[Severity: High]
Does this introduce a speculative out-of-bounds access regression?
If an attacker provides an out-of-bounds index, the architectural bounds
check is bypassed during speculative execution. The array_index_nospec()
mitigation will clamp the out-of-bounds index to 0 to resolve data
dependencies safely.
However, if the CPU mispredicts the switch statement and executes the
default case, the clamped index of 0 is subtracted by
VFIO_CCW_NUM_REGIONS. This causes an integer underflow, leading to a
speculative read of private->region with a negative index, followed by
a speculative indirect call via ops->read().
Could we perform the array_index_nospec() masking after the subtraction,
specifically clamping against private->num_regions instead?
[ ... ]
> @@ -297,6 +299,8 @@ static ssize_t vfio_ccw_mdev_write(struct vfio_device *vdev,
> if (index >= VFIO_CCW_NUM_REGIONS + private->num_regions)
> return -EINVAL;
>
> + index = array_index_nospec(index, VFIO_CCW_NUM_REGIONS + private->num_regions);
> +
> switch (index) {
> case VFIO_CCW_CONFIG_REGION_INDEX:
> return vfio_ccw_mdev_write_io_region(private, buf, count, ppos);
> default:
> index -= VFIO_CCW_NUM_REGIONS;
> return private->region[index].ops->write(private, buf, count,
> ppos);
[Severity: High]
Will this suffer from the same speculative integer underflow as the read
path?
If array_index_nospec() clamps an out-of-bounds index to 0, the
subsequent subtraction will result in an underflow, allowing a
speculative out-of-bounds read and an indirect call through ops->write().
Additionally, it looks like this identical anti-speculation pattern is
already present in other locations such as
vfio_ccw_mdev_ioctl_get_region_info(),
intel_vgpu_ioctl_get_region_info(), and vfio_pci_ioctl_get_region_info().
Do those locations also need to be updated?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260714232208.1683788-1-farman@linux.ibm.com?part=5
next prev parent reply other threads:[~2026-07-14 23:45 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-14 23:22 [PATCH v1 0/6] s390/vfio_ccw fixes Eric Farman
2026-07-14 23:22 ` [PATCH v1 1/6] s390/vfio_ccw: fix out of bounds check on CCW array Eric Farman
2026-07-14 23:37 ` sashiko-bot
2026-07-14 23:22 ` [PATCH v1 2/6] s390/vfio_ccw: limit the number of channel program segments Eric Farman
2026-07-14 23:38 ` sashiko-bot
2026-07-14 23:22 ` [PATCH v1 3/6] s390/vfio_ccw: free all memory if cp_init() fails Eric Farman
2026-07-14 23:36 ` sashiko-bot
2026-07-14 23:22 ` [PATCH v1 4/6] s390/vfio_ccw: copy maximum possible IDAL from guest Eric Farman
2026-07-14 23:34 ` sashiko-bot
2026-07-14 23:22 ` [PATCH v1 5/6] s390/vfio_ccw: ensure index for read/write regions are within range Eric Farman
2026-07-14 23:45 ` sashiko-bot [this message]
2026-07-14 23:22 ` [PATCH v1 6/6] s390/vfio_ccw: lock I/O resources alongside I/O regions Eric Farman
2026-07-14 23:38 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260714234503.7C5661F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=agordeev@linux.ibm.com \
--cc=farman@linux.ibm.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=kvm@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.