From: sashiko-bot@kernel.org
To: "Narayana Murty N" <nnmlinux@linux.ibm.com>
Cc: kvm@vger.kernel.org
Subject: Re: [RFC PATCH 4/6] selftests/vfio: Exercise sPAPR DDW path for hugepage DMA mappings
Date: Fri, 03 Jul 2026 08:11:30 +0000 [thread overview]
Message-ID: <20260703081131.6188B1F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260703032806.40946-5-nnmlinux@linux.ibm.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] The selftest helper `spapr_tce_iova_inside_window` fails to check for arithmetic overflow when validating whether an IOVA range fits within the window.
--
commit 09ce4770fae5d9e1ed108bb9feb0bc727a9b8bcc
Author: Narayana Murty N <nnmlinux@linux.ibm.com>
selftests/vfio: Exercise sPAPR DDW path for hugepage DMA mappings
Prepare the DMA window before IOVA allocation in the DMA mapping tests.
Anonymous mappings use the default sPAPR DMA window, while HugeTLB mappings
force a DDW with the requested page size. The tests are skipped gracefully
if allocation fails or if the platform lacks support.
> diff --git a/tools/testing/selftests/vfio/vfio_dma_mapping_test.c b/tools/testing/selftests/vfio/vfio_dma_mapping_test.c
> index 7d0de8c79de13..4411fdbd56da5 100644
> --- a/tools/testing/selftests/vfio/vfio_dma_mapping_test.c
> +++ b/tools/testing/selftests/vfio/vfio_dma_mapping_test.c
[ ... ]
> @@ -236,6 +249,13 @@ FIXTURE_SETUP(vfio_dma_map_limit_test)
>
> self->iommu = iommu_init(variant->iommu_mode);
> self->device = vfio_pci_device_init(device_bdf, self->iommu);
> +
> + ret = iommu_prepare_dma_window(self->iommu, region_size, region_size,
> + false);
[Severity: Medium]
Will this setup cause the test suite to silently pass invalid mappings in the
overflow test?
In tools/testing/selftests/vfio/lib/iommu.c, spapr_tce_iova_inside_window()
checks bounds using:
if (region->iova + region->size > window->start + window->size)
return false;
When the vfio_dma_map_limit_test's overflow test constructs a wrapping IOVA
(region->iova = ~(iova_t)0 & ~(region->size - 1)), region->iova + region->size
will wrap around to 0.
Since 0 is not greater than window->start + window->size, the check incorrectly
evaluates to false, making the function return true. Does this missing overflow
check defeat the wrapper's bounds validation and pass invalid mapping requests
down to the kernel ioctl?
> + if (ret)
> + SKIP(return, "DMA window unavailable: %s (%d)\n",
> + strerror(-ret), -ret);
> +
> region->vaddr = mmap(NULL, self->mmap_size, PROT_READ | PROT_WRITE,
> MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
> ASSERT_NE(region->vaddr, MAP_FAILED);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260703032806.40946-1-nnmlinux@linux.ibm.com?part=4
next prev parent reply other threads:[~2026-07-03 8:11 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-03 3:28 [RFC PATCH 0/6] selftests/vfio: Add sPAPR TCE v2 coverage Narayana Murty N
2026-07-03 3:28 ` [RFC PATCH 1/6] selftests/vfio: allow selecting IOMMU backend from environment Narayana Murty N
2026-07-03 8:06 ` sashiko-bot
2026-07-03 3:28 ` [RFC PATCH 2/6] selftests/vfio: add sPAPR TCE v2 IOMMU mode Narayana Murty N
2026-07-03 8:09 ` sashiko-bot
2026-07-03 3:28 ` [RFC PATCH 3/6] selftests/vfio: add sPAPR TCE v2 DMA window helpers Narayana Murty N
2026-07-03 8:05 ` sashiko-bot
2026-07-03 3:28 ` [RFC PATCH 4/6] selftests/vfio: Exercise sPAPR DDW path for hugepage DMA mappings Narayana Murty N
2026-07-03 8:11 ` sashiko-bot [this message]
2026-07-03 3:28 ` [RFC PATCH 5/6] selftests/vfio: Accept sPAPR errno for DMA range overflow Narayana Murty N
2026-07-03 8:08 ` sashiko-bot
2026-07-03 3:28 ` [RFC PATCH 6/6] selftests/vfio: Enable VFIO selftests on ppc64 and ppc64le Narayana Murty N
2026-07-03 8:14 ` sashiko-bot
2026-07-03 8:28 ` [RFC PATCH 0/6] selftests/vfio: Add sPAPR TCE v2 coverage Harsh Prateek Bora
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260703081131.6188B1F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=nnmlinux@linux.ibm.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox