Linux s390 Architecture development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Farhan Ali" <alifm@linux.ibm.com>
Cc: "Vasily Gorbik" <gor@linux.ibm.com>,
	"Alexander Gordeev" <agordeev@linux.ibm.com>,
	linux-pci@vger.kernel.org, linux-s390@vger.kernel.org,
	"Heiko Carstens" <hca@linux.ibm.com>
Subject: Re: [PATCH v21 3/4] PCI: Fail FLR when config space is inaccessible
Date: Tue, 30 Jun 2026 17:13:10 +0000	[thread overview]
Message-ID: <20260630171310.F25D41F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260630164807.643-4-alifm@linux.ibm.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Un-ratelimited pci_warn() in pci_dev_config_accessible() allows an attacker to flood the host kernel log.
- [High] Early bailout in pcie_flr() when config space is inaccessible skips the Function Level Reset and the subsequent wait, allowing device assignment to continue without reset, leaking state.
--

commit ce2804b7f0c0409f73465726275859a70fa16be3
Author: Farhan Ali <alifm@linux.ibm.com>

PCI: Fail FLR when config space is inaccessible

This commit adds a check to validate if a device's config space is
accessible before attempting a Function Level Reset (FLR). If the
device is in an error state and inaccessible, the reset returns early.

> diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
> index e8d7de77241a6..9a9d021301c4e 100644
> --- a/drivers/pci/pci.c
> +++ b/drivers/pci/pci.c
> @@ -4384,6 +4384,9 @@ int pcie_flr(struct pci_dev *dev)
>  {
>  	int ret;
>  
> +	if (!pci_dev_config_accessible(dev, "FLR"))
> +		return -ENOTTY;
> +

[Severity: High]
If a device is momentarily unresponsive and this check returns -ENOTTY
immediately, doesn't this skip the FLR entirely?

Since VFIO's vfio_pci_core_enable() allows assignment to continue if a reset
returns -ENOTTY (by setting vdev->reset_works = false), could a malicious
guest intentionally put the device into an unresponsive state to bypass the
reset and leak device state to the next user?

The previous code path waited before issuing the FLR, but this early return
removes the grace period.

[Severity: High]
Because this early return bypasses the previous delay loop, can a userspace
process spam the VFIO_DEVICE_RESET ioctl in a tight loop?

If the device's config space reads ~0, pci_dev_config_accessible() prints a
warning:

drivers/pci/pci.c:pci_dev_config_accessible() {
	...
	if (PCI_POSSIBLE_ERROR(val)) {
		pci_warn(dev, "Device config space inaccessible; unable to %s\n",
				msg);
		return false;
	}
	...
}

Since this warning is unconditional and not rate-limited, could this tight
loop allow an attacker to trivially flood the host's kernel log?

>  	if (!pci_wait_for_pending_transaction(dev))
>  		pci_err(dev, "timed out waiting for pending transaction; performing function level reset anyway\n");
>

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260630164807.643-1-alifm@linux.ibm.com?part=3

  reply	other threads:[~2026-06-30 17:13 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-30 16:48 [PATCH v21 0/4] [PCI] Error recovery for vfio-pci devices on s390x Farhan Ali
2026-06-30 16:48 ` [PATCH v21 1/4] PCI: Allow per function PCI slots to fix slot reset on s390 Farhan Ali
2026-06-30 17:10   ` sashiko-bot
2026-06-30 16:48 ` [PATCH v21 2/4] PCI: Avoid saving config space state if inaccessible Farhan Ali
2026-06-30 17:07   ` sashiko-bot
2026-06-30 16:48 ` [PATCH v21 3/4] PCI: Fail FLR when config space is inaccessible Farhan Ali
2026-06-30 17:13   ` sashiko-bot [this message]
2026-06-30 16:48 ` [PATCH v21 4/4] PCI/MSI: Enable memory decoding before restoring MSI-X messages Farhan Ali
2026-06-30 17:12   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260630171310.F25D41F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=agordeev@linux.ibm.com \
    --cc=alifm@linux.ibm.com \
    --cc=gor@linux.ibm.com \
    --cc=hca@linux.ibm.com \
    --cc=linux-pci@vger.kernel.org \
    --cc=linux-s390@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox