From: sashiko-bot@kernel.org
To: "Marc Zyngier" <maz@kernel.org>
Cc: kvmarm@lists.linux.dev, kvm@vger.kernel.org,
"Oliver Upton" <oupton@kernel.org>
Subject: Re: [PATCH] KVM: Make kvm_io_bus_get_dev() filter devices by ops
Date: Fri, 26 Jun 2026 11:46:35 +0000 [thread overview]
Message-ID: <20260626114635.82A0B1F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260626111344.802555-1-maz@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Dropping the SRCU lock in kvm_io_bus_get_dev() exposes a Use-After-Free for VGIC redistributors.
--
commit 954101cd7bbd1642133e68638e5210cf89b88023
Author: Marc Zyngier <maz@kernel.org>
KVM: Make kvm_io_bus_get_dev() filter devices by ops
This commit updates kvm_io_bus_get_dev() to check the device ops pointer
before dropping the SRCU lock. This aims to prevent lifetime issues where
a caller might introspect an object of the wrong type after the lock is
dropped.
> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> --- a/virt/kvm/kvm_main.c
> +++ b/virt/kvm/kvm_main.c
[ ... ]
> @@ -6081,7 +6082,9 @@ struct kvm_io_device *kvm_io_bus_get_dev(struct kvm *kvm, enum kvm_bus bus_idx,
> if (dev_idx < 0)
> goto out_unlock;
>
> - iodev = bus->range[dev_idx].dev;
> + if (bus->range[dev_idx].dev &&
> + bus->range[dev_idx].dev->ops == ops)
> + iodev = bus->range[dev_idx].dev;
>
> out_unlock:
> srcu_read_unlock(&kvm->srcu, srcu_idx);
[Severity: High]
This is a pre-existing issue, but does dropping the SRCU lock here before
returning the matched device pointer expose a use-after-free?
If a host VMM concurrently executes KVM_SIGNAL_MSI (with a doorbell address
overlapping the redistributor) and KVM_CREATE_VCPU (forced to fail due to
resource exhaustion), the failed vCPU creation path can unregister the
device and free the vCPU memory.
Because the SRCU lock is already dropped here, the unregister path won't
be blocked. When the MSI injection path resumes in __vgic_doorbell_to_its(),
it can dereference the freed vCPU memory:
arch/arm64/kvm/vgic/vgic-its.c:__vgic_doorbell_to_its() {
...
kvm_io_dev = kvm_io_bus_get_dev(kvm, KVM_MMIO_BUS, &kvm_io_gic_ops, db);
if (!kvm_io_dev)
return ERR_PTR(-EINVAL);
iodev = container_of(kvm_io_dev, struct vgic_io_device, dev);
if (iodev->iodev_type != IODEV_ITS)
return ERR_PTR(-EINVAL);
...
}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260626111344.802555-1-maz@kernel.org?part=1
next prev parent reply other threads:[~2026-06-26 11:46 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-26 11:13 [PATCH] KVM: Make kvm_io_bus_get_dev() filter devices by ops Marc Zyngier
2026-06-26 11:46 ` sashiko-bot [this message]
2026-06-26 12:41 ` Marc Zyngier
2026-06-26 17:26 ` Oliver Upton
2026-06-26 13:09 ` Will Deacon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260626114635.82A0B1F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.linux.dev \
--cc=maz@kernel.org \
--cc=oupton@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox