* [PATCH] PCI/IOV: Fix out-of-bounds access in sriov_restore_vf_rebar_state()
@ 2026-04-08 16:39 Marco Nenciarini
2026-04-14 13:01 ` Marco Nenciarini
2026-04-14 13:34 ` Michał Winiarski
0 siblings, 2 replies; 3+ messages in thread
From: Marco Nenciarini @ 2026-04-08 16:39 UTC (permalink / raw)
To: Bjorn Helgaas
Cc: Michał Winiarski, Ilpo Järvinen, linux-pci,
linux-kernel, stable, Marco Nenciarini
sriov_restore_vf_rebar_state() extracts bar_idx from the VF Resizable
BAR control register using a 3-bit field (PCI_VF_REBAR_CTRL_BAR_IDX,
bits 0-2), which yields values in the range 0-7. This value is then
used to index into dev->sriov->barsz[], which has PCI_SRIOV_NUM_BARS
(6) entries.
If the PCI config space read returns garbage data (e.g. 0xffffffff when
the device is no longer accessible on the bus), bar_idx is 7, causing
an out-of-bounds array access. UBSAN reports this as:
UBSAN: array-index-out-of-bounds in drivers/pci/iov.c:948:51
index 7 is out of range for type 'resource_size_t [6]'
This was observed on an NVIDIA RTX PRO 1000 GPU (GB207GLM) that fell
off the PCIe bus during a failed GC6 power state exit. The subsequent
pci_restore_state() call triggered the UBSAN splat in
sriov_restore_vf_rebar_state() since all config space reads returned
0xffffffff.
Add a bounds check on bar_idx before using it as an array index to
prevent the out-of-bounds access.
Fixes: 5a8f77e24a30 ("PCI/IOV: Restore VF resizable BAR state after reset")
Cc: stable@vger.kernel.org
Signed-off-by: Marco Nenciarini <mnencia@kcore.it>
---
Cc: Michał Winiarski <michal.winiarski@intel.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
drivers/pci/iov.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/pci/iov.c b/drivers/pci/iov.c
index 00784a60b..521f2cb64 100644
--- a/drivers/pci/iov.c
+++ b/drivers/pci/iov.c
@@ -946,6 +946,8 @@ static void sriov_restore_vf_rebar_state(struct pci_dev *dev)
pci_read_config_dword(dev, pos + PCI_VF_REBAR_CTRL, &ctrl);
bar_idx = FIELD_GET(PCI_VF_REBAR_CTRL_BAR_IDX, ctrl);
+ if (bar_idx >= PCI_SRIOV_NUM_BARS)
+ continue;
size = pci_rebar_bytes_to_size(dev->sriov->barsz[bar_idx]);
ctrl &= ~PCI_VF_REBAR_CTRL_BAR_SIZE;
ctrl |= FIELD_PREP(PCI_VF_REBAR_CTRL_BAR_SIZE, size);
--
2.47.3
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] PCI/IOV: Fix out-of-bounds access in sriov_restore_vf_rebar_state()
2026-04-08 16:39 [PATCH] PCI/IOV: Fix out-of-bounds access in sriov_restore_vf_rebar_state() Marco Nenciarini
@ 2026-04-14 13:01 ` Marco Nenciarini
2026-04-14 13:34 ` Michał Winiarski
1 sibling, 0 replies; 3+ messages in thread
From: Marco Nenciarini @ 2026-04-14 13:01 UTC (permalink / raw)
To: bhelgaas; +Cc: michal.winiarski, ilpo.jarvinen, linux-pci, mnencia
Gentle ping on this. It is a one-line bounds check fix for a real
UBSAN splat triggered when config space reads return 0xffffffff
(device fallen off the bus).
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] PCI/IOV: Fix out-of-bounds access in sriov_restore_vf_rebar_state()
2026-04-08 16:39 [PATCH] PCI/IOV: Fix out-of-bounds access in sriov_restore_vf_rebar_state() Marco Nenciarini
2026-04-14 13:01 ` Marco Nenciarini
@ 2026-04-14 13:34 ` Michał Winiarski
1 sibling, 0 replies; 3+ messages in thread
From: Michał Winiarski @ 2026-04-14 13:34 UTC (permalink / raw)
To: Marco Nenciarini
Cc: Bjorn Helgaas, Ilpo Järvinen, linux-pci, linux-kernel,
stable
On Wed, Apr 08, 2026 at 06:39:22PM +0200, Marco Nenciarini wrote:
> sriov_restore_vf_rebar_state() extracts bar_idx from the VF Resizable
> BAR control register using a 3-bit field (PCI_VF_REBAR_CTRL_BAR_IDX,
> bits 0-2), which yields values in the range 0-7. This value is then
> used to index into dev->sriov->barsz[], which has PCI_SRIOV_NUM_BARS
> (6) entries.
>
> If the PCI config space read returns garbage data (e.g. 0xffffffff when
> the device is no longer accessible on the bus), bar_idx is 7, causing
> an out-of-bounds array access. UBSAN reports this as:
>
> UBSAN: array-index-out-of-bounds in drivers/pci/iov.c:948:51
> index 7 is out of range for type 'resource_size_t [6]'
>
> This was observed on an NVIDIA RTX PRO 1000 GPU (GB207GLM) that fell
> off the PCIe bus during a failed GC6 power state exit. The subsequent
> pci_restore_state() call triggered the UBSAN splat in
> sriov_restore_vf_rebar_state() since all config space reads returned
> 0xffffffff.
>
> Add a bounds check on bar_idx before using it as an array index to
> prevent the out-of-bounds access.
>
> Fixes: 5a8f77e24a30 ("PCI/IOV: Restore VF resizable BAR state after reset")
> Cc: stable@vger.kernel.org
> Signed-off-by: Marco Nenciarini <mnencia@kcore.it>
Reviewed-by: Michał Winiarski <michal.winiarski@intel.com>
Thanks,
-Michał
> ---
> Cc: Michał Winiarski <michal.winiarski@intel.com>
> Cc: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
>
> drivers/pci/iov.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/pci/iov.c b/drivers/pci/iov.c
> index 00784a60b..521f2cb64 100644
> --- a/drivers/pci/iov.c
> +++ b/drivers/pci/iov.c
> @@ -946,6 +946,8 @@ static void sriov_restore_vf_rebar_state(struct pci_dev *dev)
>
> pci_read_config_dword(dev, pos + PCI_VF_REBAR_CTRL, &ctrl);
> bar_idx = FIELD_GET(PCI_VF_REBAR_CTRL_BAR_IDX, ctrl);
> + if (bar_idx >= PCI_SRIOV_NUM_BARS)
> + continue;
> size = pci_rebar_bytes_to_size(dev->sriov->barsz[bar_idx]);
> ctrl &= ~PCI_VF_REBAR_CTRL_BAR_SIZE;
> ctrl |= FIELD_PREP(PCI_VF_REBAR_CTRL_BAR_SIZE, size);
> --
> 2.47.3
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-04-14 13:34 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-08 16:39 [PATCH] PCI/IOV: Fix out-of-bounds access in sriov_restore_vf_rebar_state() Marco Nenciarini
2026-04-14 13:01 ` Marco Nenciarini
2026-04-14 13:34 ` Michał Winiarski
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox