Re: [PATCH 2/2] vfio: Prevent open_count decrement to negative

From: Jason Gunthorpe
Date: Mon May 26 2025 - 19:53:16 EST

Next message: Miguel Ojeda: "Re: [PATCH 1/7] rust: kunit: support KUnit-mapped `assert!` macros in `#[test]`s"
Previous message: Jason Gunthorpe: "Re: [PATCH 1/2] vfio: Fix unbalanced vfio_df_close call in no-iommu mode"
Next in thread: Yi Liu: "Re: [PATCH 2/2] vfio: Prevent open_count decrement to negative"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, May 16, 2025 at 09:45:22AM -0700, Jacob Pan wrote:
> When vfio_df_close() is called with open_count=0, it triggers a warning in
> vfio_assert_device_open() but still decrements open_count to -1. This allows
> a subsequent open to incorrectly pass the open_count == 0 check, leading to
> unintended behavior, such as setting df->access_granted = true.
>
> For example, running an IOMMUFD compat no-IOMMU device with VFIO tests
> (https://github.com/awilliam/tests/blob/master/vfio-noiommu-pci-device-open.c)
> results in a warning and a failed VFIO_GROUP_GET_DEVICE_FD ioctl on the first
> run, but the second run succeeds incorrectly.
>
> Add checks to avoid decrementing open_count below zero
>
> Signed-off-by: Jacob Pan <jacob.pan@xxxxxxxxxxxxxxxxxxx>
> ---
> drivers/vfio/vfio_main.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)

Reviewed-by: Jason Gunthorpe <jgg@xxxxxxxxxx>

Jason

Next message: Miguel Ojeda: "Re: [PATCH 1/7] rust: kunit: support KUnit-mapped `assert!` macros in `#[test]`s"
Previous message: Jason Gunthorpe: "Re: [PATCH 1/2] vfio: Fix unbalanced vfio_df_close call in no-iommu mode"
Next in thread: Yi Liu: "Re: [PATCH 2/2] vfio: Prevent open_count decrement to negative"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]