Xen project Mailing List

Re: [PATCH] ioreq: Assert with out of bounds vCPU ID

To: Teddy Astie <teddy.astie@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Fri, 14 Nov 2025 13:24:32 +0000

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=PYNCRcJ5PwEaNgW0xdKz4FQJJfGCSSWx3K+lYxabLts=; b=AT+6+FxxQSD6kaChjFpD0ssbegiW/sJHLllD9tLx1WPCW2GX1qaOsAUap575m4ozxF/DH5hnVnj3Nq7CtPQTwAfimBdLSuMXIN1k7MgPdY1QeAHUSDM/vrP3848F4RwLaGWJMI8/SScYmNECMGmg+ojNop2X9Yq0bN9ZMIfyGx2YUJGa2HiBDIVtbNIuNPvCZyV4TVobXnGSdYZZu/YVBP0zGtNkG5xj7e+nuCQyqkKGxBmP15a9/eeCHkn0sF1X/WVhPJKAKcgk1MG2wf55YUrQ00UH4r1LqCNaLCG1owc+7C2W3djhl/wBnAx2AwccWlR6XxaQhFd8YT98A0YFfA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=emVDBphZwUNe60tTFFON+CSaNf053/WtU/BilcZlIGeXRXecDQwD76/RwMtdLeBxQCEeBMgXxjjlkttl45m1pGhbK/VRj87C7D0IWc+TtVhJGe5DX4Q8JB/zgj0kq2b5EIG8Ar67rgwc24/MeLX/XbC37m2aa0htQQ7meX9ihFd6Z6RnML+umTLLkET3hQLWUTkMYD2CWdFeSpIcADvFMYl5YHirrC7AZp1K+5ePP9aoAv6jhfWug7ClXmkOY8NOgY+OowuFT4UPg4U6szAr27VyseZp+yoka1vqDDvoAQNfMLsBS18gywLGG3Do/+4Ro0p94LAECi2KDfAqCHNHKg==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julian Vetter <julian.vetter@xxxxxxxxxx>

Delivery-date: Fri, 14 Nov 2025 13:24:51 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 14/11/2025 1:05 pm, Teddy Astie wrote: > A 4K page appears to be able to hold 128 ioreq entries, which luckly > matches the current vCPU limit. However, if we decide to increase the > domain vCPU limit, that doesn't hold anymore and this function would now > silently create a out of bounds pointer leading to confusing problems. > > All architectures have no more than 128 as vCPU limit on HVM guests, > and have pages that are at most 4 KB, so this case doesn't occurs in > with the current limits. > > Assert if the vCPU ID will lead to a out of bounds pointer. > > No functional change. > > Reported-by: Julian Vetter <julian.vetter@xxxxxxxxxx> > Signed-off-by: Teddy Astie <teddy.astie@xxxxxxxxxx> > --- > Not sure if this is the best approach, perhaps preventing compilation if the > vCPU limit is higher than what the ioreq page can hold is preferable ? > > xen/common/ioreq.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/xen/common/ioreq.c b/xen/common/ioreq.c > index f5fd30ce12..b2ef46ed7b 100644 > --- a/xen/common/ioreq.c > +++ b/xen/common/ioreq.c > @@ -99,6 +99,7 @@ static ioreq_t *get_ioreq(struct ioreq_server *s, struct > vcpu *v) > > ASSERT((v == current) || !vcpu_runnable(v)); > ASSERT(p != NULL); > + ASSERT(v->vcpu_id < (PAGE_SIZE / sizeof(struct ioreq))); > > return &p->vcpu_ioreq[v->vcpu_id]; > } The 128 vCPU problem was known and IOERQ servers intentionally had multi-page capabilities from the outset to address this problem. See the calculation in ioreq_server_max_frames(). It hasn't been exercised in anger because there's still the APIC ID limit at 128 still, but IOREQ servers are expected to work correctly above this limit. That said, this function is clearly buggy and in need of fixing. To the assert specifically, that's really not appropriate. If it were to ever fire, we'd have an XSA. Logic if this nature either needs to be fail safe (if returning NULL is ok), or be a BUG() so it doesn't become unsafe in release builds. ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.