From: sashiko-bot@kernel.org
To: "Eric Farman" <farman@linux.ibm.com>
Cc: linux-s390@vger.kernel.org, "Vasily Gorbik" <gor@linux.ibm.com>,
kvm@vger.kernel.org, "Alexander Gordeev" <agordeev@linux.ibm.com>,
"Heiko Carstens" <hca@linux.ibm.com>
Subject: Re: [PATCH v1 1/6] s390/vfio_ccw: fix out of bounds check on CCW array
Date: Tue, 14 Jul 2026 23:37:32 +0000 [thread overview]
Message-ID: <20260714233733.73DEA1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260714232208.1683788-2-farman@linux.ibm.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [High] The patch introduces an off-by-one regression that incorrectly rejects valid channel programs consisting of exactly CCWCHAIN_LEN_MAX (256) CCWs.
Pre-existing issues:
- [High] Leaked ccwchain structures when a subsequent TIC processing fails.
--
--- Patch [1]: [PATCH v1 1/6] s390/vfio_ccw: fix out of bounds check on CCW array ---
commit ccfdffefc50adaae37db8e069d19bc3ab3f7721c
Author: Eric Farman <farman@linux.ibm.com>
s390/vfio_ccw: fix out of bounds check on CCW array
This commit limits the channel command word counting loop to 256 iterations
to prevent out-of-bounds array access. It changes the loop condition and
the subsequent error check to reject chains larger than 256 words.
> diff --git a/drivers/s390/cio/vfio_ccw_cp.c b/drivers/s390/cio/vfio_ccw_cp.c
> index 7561aa7d3e017..80c3d87f54822 100644
> --- a/drivers/s390/cio/vfio_ccw_cp.c
> +++ b/drivers/s390/cio/vfio_ccw_cp.c
> @@ -393,9 +393,9 @@ static int ccwchain_calc_length(u64 iova, struct channel_program *cp)
> break;
>
> ccw++;
> - } while (cnt < CCWCHAIN_LEN_MAX + 1);
> + } while (cnt < CCWCHAIN_LEN_MAX);
>
> - if (cnt == CCWCHAIN_LEN_MAX + 1)
> + if (cnt >= CCWCHAIN_LEN_MAX)
[Severity: High]
Does this code incorrectly reject valid channel programs consisting of
exactly 256 command words?
If a guest issues a valid request with exactly 256 command words in a chain,
the loop will correctly process all of them and cnt will reach 256. The
new check evaluates to true since 256 >= 256, incorrectly conflating
this valid termination with an over-length chain and unconditionally
returning -EINVAL.
> cnt = -EINVAL;
>
> return cnt;
[Severity: High]
This is a pre-existing issue, but does this code leak ccwchain structures
if a subsequent transfer in channel fails?
Looking at ccwchain_handle_ccw(), if a guest issues a request with
multiple transfer in channel commands, and an earlier command is valid but
a later one fails, the valid chain allocated during ccwchain_loop_tic()
is added to cp->ccwchain_list.
When the invalid command fails, ccwchain_handle_ccw() catches the error
and only frees its own top-level chain:
drivers/s390/cio/vfio_ccw_cp.c:ccwchain_handle_ccw() {
...
ret = ccwchain_loop_tic(chain, cp);
if (ret)
ccwchain_free(chain);
...
}
The error is returned to cp_init(), which leaves cp->initialized as false:
drivers/s390/cio/vfio_ccw_cp.c:cp_init() {
...
INIT_LIST_HEAD(&cp->ccwchain_list);
...
ret = ccwchain_handle_ccw(orb->cmd.cpa, cp);
if (!ret)
cp->initialized = true;
...
}
Because cp->initialized is false, cp_free() ignores the list during
device teardown:
drivers/s390/cio/vfio_ccw_cp.c:cp_free() {
...
if (!cp->initialized)
return;
...
}
When the next request arrives, cp_init() calls INIT_LIST_HEAD again,
which permanently orphans the leaked chains on the list.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260714232208.1683788-1-farman@linux.ibm.com?part=1
next prev parent reply other threads:[~2026-07-14 23:37 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-14 23:22 [PATCH v1 0/6] s390/vfio_ccw fixes Eric Farman
2026-07-14 23:22 ` [PATCH v1 1/6] s390/vfio_ccw: fix out of bounds check on CCW array Eric Farman
2026-07-14 23:37 ` sashiko-bot [this message]
2026-07-14 23:22 ` [PATCH v1 2/6] s390/vfio_ccw: limit the number of channel program segments Eric Farman
2026-07-14 23:38 ` sashiko-bot
2026-07-14 23:22 ` [PATCH v1 3/6] s390/vfio_ccw: free all memory if cp_init() fails Eric Farman
2026-07-14 23:36 ` sashiko-bot
2026-07-14 23:22 ` [PATCH v1 4/6] s390/vfio_ccw: copy maximum possible IDAL from guest Eric Farman
2026-07-14 23:34 ` sashiko-bot
2026-07-14 23:22 ` [PATCH v1 5/6] s390/vfio_ccw: ensure index for read/write regions are within range Eric Farman
2026-07-14 23:45 ` sashiko-bot
2026-07-14 23:22 ` [PATCH v1 6/6] s390/vfio_ccw: lock I/O resources alongside I/O regions Eric Farman
2026-07-14 23:38 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260714233733.73DEA1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=agordeev@linux.ibm.com \
--cc=farman@linux.ibm.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=kvm@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox