From: sashiko-bot@kernel.org
To: "Anthony Krowiak" <akrowiak@linux.ibm.com>
Cc: "Vasily Gorbik" <gor@linux.ibm.com>,
"Heiko Carstens" <hca@linux.ibm.com>,
"Alexander Gordeev" <agordeev@linux.ibm.com>,
linux-s390@vger.kernel.org, kvm@vger.kernel.org
Subject: Re: [PATCH v3 11/15] s390/vfio-ap: Transition device migration state to STOP
Date: Tue, 30 Jun 2026 11:46:09 +0000 [thread overview]
Message-ID: <20260630114609.DE5D31F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260630104132.1598851-12-akrowiak@linux.ibm.com>
Thank you for your contribution! Sashiko AI review found 7 potential issue(s) to consider:
New issues:
- [High] Migration stream file descriptors are not invalidated upon transitioning out of data transfer states, allowing untrusted userspace to modify running guest state.
- [High] The driver unconditionally allows the transition from RESUMING to STOP, failing to reject incomplete migration data as required by the VFIO specification.
Pre-existing issues:
- [Critical] Chunked or partial writes to the RESUMING fd leak memory and cause a NULL pointer dereference on subsequent chunks.
- [Critical] Migration file descriptors do not hold a reference to the `vfio_device` or `matrix_mdev`, leading to a Use-After-Free if the device is removed while the migration FD is kept open.
- [Critical] vfio_ap_release_mig_file accesses and modifies migration state without holding matrix_dev->mdevs_lock, leading to UAF.
- [High] Writing fewer than `sizeof(struct vfio_ap_config)` bytes to the resuming stream bypasses size validation, triggering a Heap Out-of-Bounds read.
- [High] The dynamically allocated `ap_config` is permanently leaked if the VFIO device is closed while the migration file descriptor remains open.
--
commit 1ef55b17508b1d713795918bce912d07492d77e0
Author: Anthony Krowiak <akrowiak@linux.ibm.com>
s390/vfio-ap: Transition device migration state to STOP
This commit updates the vfio-ap migration state machine to allow
transitions to the stop state. It allows returning null when
transitioning from resuming or stop copy to stop.
> diff --git a/drivers/s390/crypto/vfio_ap_migration.c b/drivers/s390/crypto/vfio_ap_migration.c
> index 9cd1e7a3f7430..1b526b743ad02 100644
> --- a/drivers/s390/crypto/vfio_ap_migration.c
> +++ b/drivers/s390/crypto/vfio_ap_migration.c
> @@ -1159,12 +1159,17 @@ vfio_ap_transition_to_state(struct ap_matrix_mdev *matrix_mdev,
> return filp;
> }
>
> + /*
> + * Terminates the data transfer session of the vfio-ap device state
> + * between the source and target hosts. Since the vfio-ap device does
> + * not virtualize a DMA device, there is no internal device state to
> + * incorporate into the vfio-ap device on the target.
> + */
> if ((cur_state == VFIO_DEVICE_STATE_RESUMING &&
> new_state == VFIO_DEVICE_STATE_STOP) ||
> (cur_state == VFIO_DEVICE_STATE_STOP_COPY &&
> new_state == VFIO_DEVICE_STATE_STOP)) {
> - /* TODO */
> - return ERR_PTR(-EOPNOTSUPP);
> + return NULL;
[Severity: High]
Does transitioning to the stop state here leave the active file stream
pointers open for abuse? By simply returning null without clearing
mig_data->resuming_mig_state.filp, userspace might be able to
transition the device to stop and then running, while keeping the
resuming file descriptor open to write to it.
In validate_resuming_write_parms(), it only validates that filp matches
the cached pointer without checking if the device is actually in the
VFIO_DEVICE_STATE_RESUMING state:
validate_resuming_write_parms() {
if (filp != matrix_mdev->mig_data->resuming_mig_state.filp) {
ret = -ENXIO;
goto done;
}
}
Could this trigger asynchronous mutation of the AP hardware
configuration of a live guest?
[Severity: High]
Does unconditionally returning null here bypass verifying the completeness
of the migration data transfer?
If userspace writes a partial configuration and transitions to stop,
will the device silently remain unconfigured without signaling an error
to userspace?
> }
>
> if ((cur_state == VFIO_DEVICE_STATE_STOP &&
[Severity: Critical]
This is a pre-existing issue, but do chunked or partial writes to the
resuming file descriptor leak memory and cause a null pointer dereference?
If a user writes a partial chunk in vfio_ap_resuming_write() where the size
is less than cfg_sz, it skips assigning the dynamically allocated ap_config
back to the global state:
vfio_ap_resuming_write() {
...
if (*pos + len == cfg_sz) {
ret = do_post_copy_validation(mdev_name, ap_config);
...
}
On the subsequent write chunk, retrieving ap_config from mig_data fetches
null, which then gets passed to reallocate_ap_config():
reallocate_ap_config() {
struct vfio_ap_config *ap_config = *mig_ap_config;
...
cur_cfg_sz = ap_config->config_sz;
}
Will this dereference cause a kernel oops?
[Severity: High]
This is a pre-existing issue, but does writing fewer than the expected size
bypass size validation and trigger a heap out-of-bounds read?
In allocate_ap_config(), writing an undersized buffer sets config_size
to the short length:
allocate_ap_config() {
...
} else {
config_size = len;
}
}
If vfio_ap_resuming_write() sees that the received size matches cfg_sz,
it assumes the configuration is fully received and passes the undersized
buffer for validation.
Since userspace controls num_queues, will iterating over it read out
of bounds?
queues_available_on_target_system() {
for (int i = 0; i < source_config->num_queues; i++) {
apqn = source_config->qinfo[i].apqn;
...
}
[Severity: High]
This is a pre-existing issue, but is the dynamically allocated ap_config
permanently leaked if the device is closed while the migration file
descriptor remains open?
If userspace closes the main device file descriptor, the container struct
is freed:
vfio_ap_release_migration_data() {
...
kfree(matrix_mdev->mig_data);
matrix_mdev->mig_data = NULL;
}
When the migration file descriptor is later closed, it bails out early
if the container is null, leaving the nested ap_config allocation orphaned:
vfio_ap_release_mig_file() {
if (!matrix_mdev || !matrix_mdev->mig_data)
return -ENODEV;
...
}
[Severity: Critical]
This is a pre-existing issue, but do migration file descriptors fail to
hold a reference to the vfio_device or matrix_mdev?
When opening the stream, anon_inode_getfile() is called without bumping
the reference count:
vfio_ap_open_file_stream() {
filp = anon_inode_getfile("vfio_ap_mig_file", fops, matrix_mdev, flags);
...
}
If the device is removed via sysfs while the migration file descriptor
is open, will the final reference be dropped?
vfio_ap_mdev_remove() {
...
vfio_put_device(&matrix_mdev->vdev);
}
Could subsequent operations on the open migration file descriptor
dereference the freed matrix_mdev and result in a use-after-free?
[Severity: Critical]
This is a pre-existing issue, but does accessing the migration state
locklessly in vfio_ap_release_mig_file() lead to a use-after-free?
The function checks mig_data without holding a lock:
vfio_ap_release_mig_file() {
if (!matrix_mdev || !matrix_mdev->mig_data)
return -ENODEV;
if (filp == matrix_mdev->mig_data->stop_copy_mig_file)
...
}
If userspace concurrently triggers closure of the primary device, can
the memory be freed under the mdevs_lock?
vfio_ap_release_migration_data() {
kfree(matrix_mdev->mig_data);
matrix_mdev->mig_data = NULL;
}
Could this allow vfio_ap_release_mig_file() to dereference mig_data
immediately after it is freed?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260630104132.1598851-1-akrowiak@linux.ibm.com?part=11
next prev parent reply other threads:[~2026-06-30 11:46 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-30 10:41 [PATCH v3 00/15] s390/vfio-ap: Add live guest migration support Anthony Krowiak
2026-06-30 10:41 ` [PATCH v3 01/15] s390/vfio-ap: Provide function to get the number of queues assigned to mdev Anthony Krowiak
2026-06-30 10:41 ` [PATCH v3 02/15] s390/vfio-ap: Data structures for facilitating vfio device migration Anthony Krowiak
2026-06-30 10:55 ` sashiko-bot
2026-06-30 10:41 ` [PATCH v3 03/15] s390/vfio-ap: Initialize/release vfio device migration data Anthony Krowiak
2026-06-30 11:04 ` sashiko-bot
2026-06-30 10:41 ` [PATCH v3 04/15] s390/vfio-ap: Reset migration state in VFIO_DEVICE_RESET ioctl handler Anthony Krowiak
2026-06-30 11:10 ` sashiko-bot
2026-06-30 10:41 ` [PATCH v3 05/15] s390-vfio-ap: Callback to get/set vfio device mig state during guest migration Anthony Krowiak
2026-06-30 11:11 ` sashiko-bot
2026-06-30 10:41 ` [PATCH v3 06/15] s390/vfio-ap: Transition guest migration state from STOP to STOP_COPY Anthony Krowiak
2026-06-30 11:23 ` sashiko-bot
2026-06-30 10:41 ` [PATCH v3 07/15] s390/vfio-ap: File ops called to save the vfio device migration state Anthony Krowiak
2026-06-30 11:26 ` sashiko-bot
2026-06-30 10:41 ` [PATCH v3 08/15] s390/vfio-ap: Transition device migration state from STOP to RESUMING Anthony Krowiak
2026-06-30 11:28 ` sashiko-bot
2026-06-30 10:41 ` [PATCH v3 09/15] s390/vfio-ap: Add method to set a new guest AP configuration Anthony Krowiak
2026-06-30 11:34 ` sashiko-bot
2026-06-30 10:41 ` [PATCH v3 10/15] s390/vfio-ap: File ops called to resume the vfio device migration Anthony Krowiak
2026-06-30 11:37 ` sashiko-bot
2026-06-30 10:41 ` [PATCH v3 11/15] s390/vfio-ap: Transition device migration state to STOP Anthony Krowiak
2026-06-30 11:46 ` sashiko-bot [this message]
2026-06-30 10:41 ` [PATCH v3 12/15] s390/vfio-ap: Transition device migration state from STOP to RUNNING and vice versa Anthony Krowiak
2026-06-30 11:48 ` sashiko-bot
2026-06-30 10:41 ` [PATCH v3 13/15] s390/vfio-ap: Callback to get the size of data to be migrated during guest migration Anthony Krowiak
2026-06-30 11:49 ` sashiko-bot
2026-06-30 10:41 ` [PATCH v3 14/15] s390/vfio-ap: Add 'migratable' feature to sysfs 'features' attribute Anthony Krowiak
2026-06-30 11:56 ` sashiko-bot
2026-06-30 10:41 ` [PATCH v3 15/15] s390/vfio-ap: Add live guest migration chapter to vfio-ap.rst Anthony Krowiak
2026-06-30 11:54 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260630114609.DE5D31F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=agordeev@linux.ibm.com \
--cc=akrowiak@linux.ibm.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=kvm@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox