[{"id":3686776,"web_url":"http://patchwork.ozlabs.org/comment/3686776/","msgid":"<20260505235638.3F6CDC2BCB4@smtp.kernel.org>","list_archive_url":null,"date":"2026-05-05T23:56:37","subject":"Re: [PATCH v15 6/7] vfio/pci: Add a reset_done callback for\n vfio-pci driver","submitter":{"id":93311,"url":"http://patchwork.ozlabs.org/api/people/93311/","name":null,"email":"sashiko-bot@kernel.org"},"content":"Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:\n- [Critical] Concurrent execution of `vfio_pci_core_aer_reset_done` and `vfio_pci_core_disable` leads to an exploitable Use-After-Free on `vdev->pci_saved_state`.\n- [High] The return value of `pci_load_saved_state()` is ignored, potentially pushing corrupted state to the hardware.\n- [Medium] The state recovery logic is marked `static`, depriving vendor-specific VFIO PCI drivers of the feature.\n--\n\ncommit 50af2d4f1aef440c94cd13a26e090b9661198f8c\nAuthor: Farhan Ali <alifm@linux.ibm.com>\n\nvfio/pci: Add a reset_done callback for vfio-pci driver\n\nOn error recovery for a PCI device bound to the vfio-pci driver, this\ncommit attempts to restore the device state to its initial saved state\nby adding a reset_done callback.\n\n> diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c\n> index f47a49ca67fae..6358b59fab2b1 100644\n> --- a/drivers/vfio/pci/vfio_pci_core.c\n> +++ b/drivers/vfio/pci/vfio_pci_core.c\n\n[ ... ]\n\n> @@ -2255,6 +2255,17 @@ pci_ers_result_t vfio_pci_core_aer_err_detected(struct pci_dev *pdev,\n>  }\n>  EXPORT_SYMBOL_GPL(vfio_pci_core_aer_err_detected);\n>  \n> +static void vfio_pci_core_aer_reset_done(struct pci_dev *pdev)\n\nVendor-specific VFIO PCI drivers sometimes override the .reset_done callback\nin their pci_error_handlers. Should this function be exported instead of\nstatic, so that vendor drivers can also invoke the core framework's state\nrestoration?\n\n> +{\n> +\tstruct vfio_pci_core_device *vdev = dev_get_drvdata(&pdev->dev);\n> +\n> +\tif (!vdev->pci_saved_state)\n> +\t\treturn;\n> +\n\nIs there a race condition here between the AER recovery thread and the VFIO\ndevice close path?\n\nThe AER thread invokes vfio_pci_core_aer_reset_done() holding\ndevice_lock(&pdev->dev), but without VFIO-specific locks like dev_set->lock.\n\nConcurrently, closing the VFIO device file descriptor invokes the disable\npath:\n\nvfio_pci_core_close_device() -> vfio_pci_core_disable()\n\nThe disable path runs with dev_set->lock held, but without\ndevice_lock(&pdev->dev), and it frees the saved state:\n\npci_load_and_free_saved_state(pdev, &vdev->pci_saved_state)\n\nCould vdev->pci_saved_state be freed immediately after the check here,\ncausing a use-after-free when it is passed to pci_load_saved_state() below?\n\n> +\tpci_load_saved_state(pdev, vdev->pci_saved_state);\n> +\tpci_restore_state(pdev);\n\nCan pci_load_saved_state() fail and return an error?\n\nIf it returns an error, such as -EINVAL for capability size mismatches,\ndev->state_saved remains false and the capability buffers may only be\npartially copied.\n\nSince the return value is ignored here, does calling pci_restore_state(pdev)\nimmediately afterward risk pushing partially populated or corrupted state back\nto the hardware?\n\n> +}\n> +","headers":{"Return-Path":"\n <linux-pci+bounces-53818-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-pci@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=d7fBo999;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=linux-pci+bounces-53818-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=\"d7fBo999\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=10.30.226.201"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g9FmB3SN2z1yJx\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 06 May 2026 09:56:42 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 49A9F302A4C7\n\tfor <incoming@patchwork.ozlabs.org>; Tue,  5 May 2026 23:56:39 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 9CC803290B8;\n\tTue,  5 May 2026 23:56:38 +0000 (UTC)","from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org\n [10.30.226.201])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 7A3613264C2\n\tfor <linux-pci@vger.kernel.org>; Tue,  5 May 2026 23:56:38 +0000 (UTC)","by smtp.kernel.org (Postfix) with ESMTPSA id 3F6CDC2BCB4;\n\tTue,  5 May 2026 23:56:38 +0000 (UTC)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1778025398; cv=none;\n b=cEMJWdC+lxTZ9Jf8EcH+pSmoMp9F3M7tEzngXVOLK7SonevdWbzot8fTXOey06XIDH542gSCb/iRHRCbg4BwjsX1y9y26F5GubDSwS+PoYWgmRHfOhaJDdavtgFNOeZqujA7U4MyhOGlMqt83hfSPghwJ4uodHh2Do0r0Nj1+mY=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1778025398; c=relaxed/simple;\n\tbh=t+90LNdeQiAdwG9I/bOCuS87OwD+8NcSjAIU5OtDiCg=;\n\th=From:Subject:To:Cc:In-Reply-To:References:Content-Type:Date:\n\t Message-Id;\n b=VjcntQPChWFC8qGfyX+vTBtALbfUL7sPYO4qL2BnibSM+fbpQv5YjO7bGE97YgjHZPs47zZ3Njxy0zKUsv/TU9/Suxm0Tg+bX/HgzeecEngv5a36JLt8o0YTfIXUBCtKx+S2wzK5TltEXpO5Hbp/oXMf4MDpY/K9PUB8a9RX9S0=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=d7fBo999; arc=none smtp.client-ip=10.30.226.201","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;\n\ts=k20201202; t=1778025398;\n\tbh=t+90LNdeQiAdwG9I/bOCuS87OwD+8NcSjAIU5OtDiCg=;\n\th=From:Subject:Reply-To:To:Cc:In-Reply-To:References:Date:From;\n\tb=d7fBo999A0S2wUSWUWSdNzgq1KQnuM4ajl/DMDIgdyBlvKHENqJ3adA1WGIPWl2LO\n\t rZPcW4XiNSyU4hs1wvBCaHQhT2ndSE9Cg8YbYcWEy6/OtTTt7L5vBIa++WiR6oi+W/\n\t GOXe2t2fn8LzcMKMSiKDfM+x9BOHgBa8zZMuNpSpHMvc+yfvjMkpAOyWSyzTO8Ha+L\n\t YqzXnrE143cydr2dfFsU5fd5D+irccEwjEGnN9VHiGuOC/WPlMarAnz6wEHIpf334C\n\t 4DTVLQxiND24X3X/h5aCetPTAIsg3Bbr7fDVUCOBVdQbXMhIz8zF2G/nnvsCMCeNKa\n\t vI4Ty0lbxTwSQ==","From":"sashiko-bot@kernel.org","Subject":"Re: [PATCH v15 6/7] vfio/pci: Add a reset_done callback for\n vfio-pci driver","Reply-To":"sashiko@lists.linux.dev","To":"\"Farhan Ali\" <alifm@linux.ibm.com>","Cc":"linux-pci@vger.kernel.org","In-Reply-To":"<20260505200510.2954-7-alifm@linux.ibm.com>","References":"<20260505200510.2954-7-alifm@linux.ibm.com>","Content-Type":"text/plain; charset=utf-8","Content-Transfer-Encoding":"quoted-printable","Date":"Tue, 05 May 2026 23:56:37 +0000","Message-Id":"<20260505235638.3F6CDC2BCB4@smtp.kernel.org>","Precedence":"bulk","X-Mailing-List":"linux-pci@vger.kernel.org","List-Id":"<linux-pci.vger.kernel.org>","List-Subscribe":"<mailto:linux-pci+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-pci+unsubscribe@vger.kernel.org>"}}]