{"id":2220999,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2220999/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-pci/patch/20260408163922.1740497-1-mnencia@kcore.it/","project":{"id":28,"url":"http://patchwork.ozlabs.org/api/1.1/projects/28/?format=json","name":"Linux PCI development","link_name":"linux-pci","list_id":"linux-pci.vger.kernel.org","list_email":"linux-pci@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260408163922.1740497-1-mnencia@kcore.it>","date":"2026-04-08T16:39:22","name":"PCI/IOV: Fix out-of-bounds access in sriov_restore_vf_rebar_state()","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"c8b61ed45686da07fc16acfad3d68be3b5892428","submitter":{"id":93088,"url":"http://patchwork.ozlabs.org/api/1.1/people/93088/?format=json","name":"Marco Nenciarini","email":"mnencia@kcore.it"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linux-pci/patch/20260408163922.1740497-1-mnencia@kcore.it/mbox/","series":[{"id":499160,"url":"http://patchwork.ozlabs.org/api/1.1/series/499160/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-pci/list/?series=499160","date":"2026-04-08T16:39:22","name":"PCI/IOV: Fix out-of-bounds access in sriov_restore_vf_rebar_state()","version":1,"mbox":"http://patchwork.ozlabs.org/series/499160/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2220999/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2220999/checks/","tags":{},"headers":{"Return-Path":"\n <linux-pci+bounces-52162-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-pci@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n unprotected) header.d=kcore.it header.i=@kcore.it header.a=rsa-sha256\n header.s=spark 
header.b=jZu8AnMs;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.105.105.114; helo=tor.lore.kernel.org;\n envelope-from=linux-pci+bounces-52162-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key)\n header.d=kcore.it header.i=@kcore.it header.b=\"jZu8AnMs\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=49.13.27.68","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=kcore.it","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=kcore.it"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org [172.105.105.114])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frTQ75Tclz1yD3\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 09 Apr 2026 02:42:55 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id BFBB23009556\n\tfor <incoming@patchwork.ozlabs.org>; Wed,  8 Apr 2026 16:39:35 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 7AB243BAD8F;\n\tWed,  8 Apr 2026 16:39:34 +0000 (UTC)","from spark.kcore.it (spark.kcore.it [49.13.27.68])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 241BC349AFF;\n\tWed,  8 Apr 2026 16:39:32 +0000 (UTC)","from mnencia by spark.kcore.it with local (Exim 4.96)\n\t(envelope-from <mnencia@kcore.it>)\n\tid 1wAVw2-007Imd-0E;\n\tWed, 08 Apr 2026 18:39:22 +0200"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775666374; cv=none;\n 
b=alitCWFRpct7U6/+NHjQ3GMibCY68rqah+kpFID3VqBA/CpMCIqx9nDlTvrQHez4DZBHE4un0QYeV1tgCiS0DVckpR0IYp7TXgUPdt+8sUXrZZSQo6NoZ4O6aEHGZCOPTGmK6YTilgzDOGqZWx0kMMPx7FduxbhaSTb/i5vWRl0=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775666374; c=relaxed/simple;\n\tbh=u6aaNp69KxTS+5US/rEwJlQdnHC2yKeTURhPqApbPdM=;\n\th=From:To:Cc:Subject:Date:Message-Id:MIME-Version:Content-Type;\n b=TyXxI7ke+4DTnpKJI1F9n7Ej0ALR+/TVm5bptMxohOHfAAYdf1pt3hMI1CSECOBd/MP9BG+3VyBpp8xqHyoIPD+XtwNH21gre9d1GdQRgbngtVnYC7hSwVdIQDmdApL25YLrSJzQXE9E4RIqNAqmHWfo/5jHz37BxlCdYlJeIr4=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=kcore.it;\n spf=pass smtp.mailfrom=kcore.it;\n dkim=pass (1024-bit key) header.d=kcore.it header.i=@kcore.it\n header.b=jZu8AnMs; arc=none smtp.client-ip=49.13.27.68","DKIM-Signature":"v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kcore.it;\n\ts=spark; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-Id:\n\tDate:Subject:Cc:To:From:Sender:Reply-To:Content-ID:Content-Description:\n\tResent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:\n\tIn-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:\n\tList-Post:List-Owner:List-Archive;\n\tbh=I21Y2KDp0LnjyiR5WuBPPxI8t01E0XecHwF5bX7E4ck=; b=jZu8AnMstPCnAr8CC3okbg4G3a\n\tb9RTy96uCGDpQkXTl685o0d6kGO6FLG6jJVCtjx61iQfTTM+ly0iPuS7FS7x3fN9zX9epppvjQC8O\n\ttz38Y5yNK/pB+70rA8FeQQRdyiC/YzM+A7UvH3oEMzU9MzRwjL7gKbvnPO9WzO99Ef08=;","From":"Marco Nenciarini <mnencia@kcore.it>","To":"Bjorn Helgaas <bhelgaas@google.com>","Cc":"=?utf-8?q?Micha=C5=82_Winiarski?= <michal.winiarski@intel.com>,\n\t=?utf-8?q?Ilpo_J=C3=A4rvinen?= <ilpo.jarvinen@linux.intel.com>,\n linux-pci@vger.kernel.org, linux-kernel@vger.kernel.org,\n stable@vger.kernel.org, Marco Nenciarini <mnencia@kcore.it>","Subject":"[PATCH] PCI/IOV: Fix out-of-bounds access in\n sriov_restore_vf_rebar_state()","Date":"Wed,  8 Apr 2026 18:39:22 
+0200","Message-Id":"<20260408163922.1740497-1-mnencia@kcore.it>","X-Mailer":"git-send-email 2.39.5","Precedence":"bulk","X-Mailing-List":"linux-pci@vger.kernel.org","List-Id":"<linux-pci.vger.kernel.org>","List-Subscribe":"<mailto:linux-pci+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-pci+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=UTF-8","Content-Transfer-Encoding":"8bit"},"content":"sriov_restore_vf_rebar_state() extracts bar_idx from the VF Resizable\nBAR control register using a 3-bit field (PCI_VF_REBAR_CTRL_BAR_IDX,\nbits 0-2), which yields values in the range 0-7. This value is then\nused to index into dev->sriov->barsz[], which has PCI_SRIOV_NUM_BARS\n(6) entries.\n\nIf the PCI config space read returns garbage data (e.g. 0xffffffff when\nthe device is no longer accessible on the bus), bar_idx is 7, causing\nan out-of-bounds array access. UBSAN reports this as:\n\n  UBSAN: array-index-out-of-bounds in drivers/pci/iov.c:948:51\n  index 7 is out of range for type 'resource_size_t [6]'\n\nThis was observed on an NVIDIA RTX PRO 1000 GPU (GB207GLM) that fell\noff the PCIe bus during a failed GC6 power state exit. 
The subsequent\npci_restore_state() call triggered the UBSAN splat in\nsriov_restore_vf_rebar_state() since all config space reads returned\n0xffffffff.\n\nAdd a bounds check on bar_idx before using it as an array index to\nprevent the out-of-bounds access.\n\nFixes: 5a8f77e24a30 (\"PCI/IOV: Restore VF resizable BAR state after reset\")\nCc: stable@vger.kernel.org\nSigned-off-by: Marco Nenciarini <mnencia@kcore.it>\n---\nCc: Michał Winiarski <michal.winiarski@intel.com>\nCc: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>\n\n drivers/pci/iov.c | 2 ++\n 1 file changed, 2 insertions(+)","diff":"diff --git a/drivers/pci/iov.c b/drivers/pci/iov.c\nindex 00784a60b..521f2cb64 100644\n--- a/drivers/pci/iov.c\n+++ b/drivers/pci/iov.c\n@@ -946,6 +946,8 @@ static void sriov_restore_vf_rebar_state(struct pci_dev *dev)\n \n \t\tpci_read_config_dword(dev, pos + PCI_VF_REBAR_CTRL, &ctrl);\n \t\tbar_idx = FIELD_GET(PCI_VF_REBAR_CTRL_BAR_IDX, ctrl);\n+\t\tif (bar_idx >= PCI_SRIOV_NUM_BARS)\n+\t\t\tcontinue;\n \t\tsize = pci_rebar_bytes_to_size(dev->sriov->barsz[bar_idx]);\n \t\tctrl &= ~PCI_VF_REBAR_CTRL_BAR_SIZE;\n \t\tctrl |= FIELD_PREP(PCI_VF_REBAR_CTRL_BAR_SIZE, size);\n","prefixes":[]}
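Review bot: the new `if (bar_idx >= PCI_SRIOV_NUM_BARS) continue;` in sriov_restore_vf_rebar_state() stops the bad index from reaching dev->sriov->barsz[], but it treats the symptom and not the failed read that the commit message names as the cause. When pci_read_config_dword() returns 0xffffffff because the device is gone, `continue` only skips this iteration, so the loop goes on issuing config reads to a device that is no longer on the bus. Consider testing the value just read, for example with `PCI_POSSIBLE_ERROR(ctrl)`, and leaving the function in that case, while keeping the range check for a device that reports a reserved index of 6 or 7. A one-line comment above the check noting that the 3-bit PCI_VF_REBAR_CTRL_BAR_IDX field can encode values beyond the 6-entry array would also help, since the skip is otherwise silent and nothing is logged when a BAR is not restored.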