Re: [PATCH] vfio: prevent infinite loop in vfio_mig_get_next_state() on blocked arc

Next message: Andy Shevchenko: "Re: [PATCH 2/2] iio: imu: bmi160: add IRQF_NO_THREAD to data-ready trigger IRQ"
Previous message: Aaron Tomlin: "Re: [PATCH v5] PM: QoS: Introduce boot parameter pm_qos_resume_latency_us"
In reply to: Junrui Luo: "[PATCH] vfio: prevent infinite loop in vfio_mig_get_next_state() on blocked arc"
Next in thread: Tian, Kevin: "RE: [PATCH] vfio: prevent infinite loop in vfio_mig_get_next_state() on blocked arc"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jason Gunthorpe

Date: Tue Jun 02 2026 - 21:07:31 EST

On Tue, Jun 02, 2026 at 04:58:48PM +0800, Junrui Luo wrote:
> vfio_mig_get_next_state() walks vfio_from_fsm_table[] one step at a time,
> looping to skip optional states the device does not support until
> *next_fsm is supported. A blocked transition is encoded as
> VFIO_DEVICE_STATE_ERROR, which the trailing return reports as -EINVAL.
>
> The skip loop does not account for the ERROR sentinel.
> state_flags_table[ERROR] is ~0U and vfio_from_fsm_table[ERROR][*] is
> ERROR, so once *next_fsm becomes ERROR the loop condition stays true and
> *next_fsm never changes. The blocked arcs STOP_COPY -> PRE_COPY and
> STOP_COPY -> PRE_COPY_P2P map to ERROR yet pass the support check on a
> precopy-capable device, causing the loop to spin forever while holding
> the driver state mutex. This can result in a soft lockup, and a panic
> with softlockup_panic set.
>
> Terminate the skip loop on the ERROR sentinel so a blocked transition
> falls through to the existing return and reports -EINVAL.
>
> Fixes: 4db52602a607 ("vfio: Extend the device migration protocol with PRE_COPY")
> Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
> ---
> drivers/vfio/vfio_main.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)

Reviewed-by: Jason Gunthorpe <jgg@xxxxxxxxxx>

Jason