From: sashiko-bot@kernel.org
To: "Vipin Sharma" <vipinsh@google.com>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH v4 02/16] vfio/pci: Preserve vfio-pci device files across Live Update
Date: Wed, 13 May 2026 03:24:23 +0000 [thread overview]
Message-ID: <20260513032424.5A921C2BCB0@smtp.kernel.org> (raw)
In-Reply-To: <20260511234802.2280368-3-vipinsh@google.com>
Thank you for your contribution! Sashiko AI review found 5 potential issue(s) to consider:
- [High] Time-of-Check to Time-of-Use (TOCTOU) race condition when validating `vdev->irq_type`.
- [High] Post-freeze access vulnerability allows userspace to re-activate the device.
- [High] Silent failure of `vfio_pci_core_try_reset()` leaves the device in an inconsistent state.
- [Medium] Missing `kho_is_enabled()` check before calling KHO preservation APIs.
- [Medium] Missing INTx disable before device reset may cause spurious interrupts.
--
commit 8744f868d8d8c3c92253e4db7b371be095529dce
Author: Vipin Sharma <vipinsh@google.com>
vfio/pci: Preserve vfio-pci device files across Live Update
Implement the live update file handler callbacks to preserve a vfio-pci
device across a Live Update. State about each device is serialized into
a new ABI struct vfio_pci_core_device_ser and preserved using KHO and LUO.
> diff --git a/drivers/vfio/pci/vfio_pci_liveupdate.c b/drivers/vfio/pci/vfio_pci_liveupdate.c
> index 1c74854600ea4..5cc57bf39dbee 100644
> --- a/drivers/vfio/pci/vfio_pci_liveupdate.c
> +++ b/drivers/vfio/pci/vfio_pci_liveupdate.c
[ ... ]
> +static int vfio_pci_liveupdate_preserve(struct liveupdate_file_op_args *args)
> {
> - return -EOPNOTSUPP;
> + struct vfio_device *device = vfio_device_from_file(args->file);
> + struct vfio_pci_core_device_ser *ser;
> + struct vfio_pci_core_device *vdev;
> + struct pci_dev *pdev;
> +
> + vdev = container_of(device, struct vfio_pci_core_device, vdev);
> + pdev = vdev->pdev;
> +
> + ser = kho_alloc_preserve(sizeof(*ser));
Is it safe to call kho_alloc_preserve() without first checking if the KHO
subsystem is enabled via kho_is_enabled()?
Unconditionally allocating and preserving memory might add tracking state to
folios that will never be utilized if the subsystem is disabled.
[ ... ]
> +static int vfio_pci_liveupdate_freeze(struct liveupdate_file_op_args *args)
> +{
> + struct vfio_device *device = vfio_device_from_file(args->file);
> + struct vfio_pci_core_device *vdev;
> + struct pci_dev *pdev;
> + int ret;
> +
> + vdev = container_of(device, struct vfio_pci_core_device, vdev);
> + pdev = vdev->pdev;
> +
> + guard(mutex)(&device->dev_set->lock);
> +
> + /*
> + * Userspace must disable interrupts on the device prior to freeze so
> + * that the device does not send any interrupts until new interrupt
> + * handlers have been established by the next kernel.
> + */
> + if (vdev->irq_type != VFIO_PCI_NUM_IRQS) {
Does this check need to hold vdev->igate?
Without the mutex, could a concurrent ioctl() such as VFIO_DEVICE_SET_IRQS
modify the irq_type immediately after this check passes, allowing the device
to generate interrupts during kexec?
> + pci_err(pdev, "Freeze failed! Interrupts are still enabled.\n");
> + return -EINVAL;
> + }
> +
> + guard(rwsem_write)(&vdev->memory_lock);
[ ... ]
> + /*
> + * Reset is a temporary measure to provide kernel after kexec a clean
> + * device while VFIO live update work is under development and not
> + * fully supported. It will go away once continuous DMA support is
> + * added to device preservation.
> + */
> + vfio_pci_zap_bars(vdev);
> + ret = pci_load_saved_state(pdev, vdev->pci_saved_state);
> + if (ret)
> + return ret;
> + pci_clear_master(pdev);
Does the PCI_COMMAND register need to have PCI_COMMAND_INTX_DISABLE explicitly
written prior to calling vfio_pci_core_try_reset()?
I noticed that the standard disable path in vfio_pci_core_disable() does this
to prevent spurious interrupts from firing during the hardware reset.
> + vfio_pci_core_try_reset(vdev);
If vfio_pci_core_try_reset() silently fails because it cannot acquire the PCI
locks or because the device does not support reset, the kexec will still
proceed.
Could this allow the next kernel to inherit a device that still has active DMA
engines or internal state?
> + pci_restore_state(pdev);
> + return 0;
> +}
Once vfio_pci_liveupdate_freeze() completes and releases the locks, what
prevents userspace threads from issuing new write(), mmap(), or ioctl() calls
on the device file descriptor?
Because kexec doesn't freeze userspace tasks, could a concurrent thread
re-enable DMA and interrupts on the device right before the kexec jump,
risking memory corruption in the successor kernel?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260511234802.2280368-1-vipinsh@google.com?part=2
next prev parent reply other threads:[~2026-05-13 3:24 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-11 23:47 [PATCH v4 00/16] vfio/pci: Base Live Update support for VFIO Vipin Sharma
2026-05-11 23:47 ` [PATCH v4 01/16] vfio/pci: Register a file handler with Live Update Orchestrator Vipin Sharma
2026-05-13 2:44 ` sashiko-bot
2026-05-11 23:47 ` [PATCH v4 02/16] vfio/pci: Preserve vfio-pci device files across Live Update Vipin Sharma
2026-05-12 20:59 ` David Matlack
2026-05-12 21:29 ` Vipin Sharma
2026-05-13 3:24 ` sashiko-bot [this message]
2026-05-11 23:47 ` [PATCH v4 03/16] vfio/pci: Retrieve preserved device files after " Vipin Sharma
2026-05-13 4:23 ` sashiko-bot
2026-05-11 23:47 ` [PATCH v4 04/16] vfio/pci: Notify PCI subsystem about devices preserved across " Vipin Sharma
2026-05-11 23:47 ` [PATCH v4 05/16] vfio: Enforce preserved devices are retrieved via LIVEUPDATE_SESSION_RETRIEVE_FD Vipin Sharma
2026-05-13 19:16 ` sashiko-bot
2026-05-11 23:47 ` [PATCH v4 06/16] vfio/pci: Store incoming Live Update state in struct vfio_pci_core_device Vipin Sharma
2026-05-13 20:13 ` sashiko-bot
2026-05-11 23:47 ` [PATCH v4 07/16] docs: liveupdate: Add documentation for VFIO PCI Vipin Sharma
2026-05-11 23:47 ` [PATCH v4 08/16] vfio: selftests: Build liveupdate library in VFIO selftests Vipin Sharma
2026-05-13 20:28 ` sashiko-bot
2026-05-11 23:47 ` [PATCH v4 09/16] vfio: selftests: Add vfio_pci_liveupdate_uapi_test Vipin Sharma
2026-05-11 23:47 ` [PATCH v4 10/16] vfio: selftests: Initialize vfio_pci_device using a VFIO cdev FD Vipin Sharma
2026-05-11 23:47 ` [PATCH v4 11/16] vfio: selftests: Add Makefile support for TEST_GEN_PROGS_EXTENDED Vipin Sharma
2026-05-11 23:47 ` [PATCH v4 12/16] vfio: selftests: Add vfio_pci_liveupdate_kexec_test Vipin Sharma
2026-05-11 23:47 ` [PATCH v4 13/16] vfio: selftests: Expose iommu_modes to tests Vipin Sharma
2026-05-11 23:48 ` [PATCH v4 14/16] vfio: selftests: Expose low-level helper routines for setting up struct vfio_pci_device Vipin Sharma
2026-05-11 23:48 ` [PATCH v4 15/16] vfio: selftests: Verify that opening VFIO device fails during Live Update Vipin Sharma
2026-05-11 23:48 ` [PATCH v4 16/16] vfio: selftests: Add continuous DMA to vfio_pci_liveupdate_kexec_test Vipin Sharma
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260513032424.5A921C2BCB0@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vipinsh@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox