From: sashiko-bot@kernel.org
To: "Chengwen Feng" <fengchengwen@huawei.com>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH v7 5/6] vfio/pci: Add PCIe TPH GET_ST interface
Date: Fri, 08 May 2026 00:18:51 +0000
Message-ID: <20260508001852.6EA4FC2BCB2@smtp.kernel.org>
In-Reply-To: <20260507130956.34441-6-fengchengwen@huawei.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Low] Missing op->argsz validation before copying the st structure from user space.
--

commit 3e63e4fb1478346ccd55bac2783b7a7e1dce2cc3
Author: Chengwen Feng <fengchengwen@huawei.com>
vfio/pci: Add PCIe TPH GET_ST interface

Add support to batch get CPU steering tags for device-specific TPH mode
that does not implement an ST table. This interface requires enabling the
'enable_unsafe_tph_ds_mode' module parameter.

> diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
> --- a/drivers/vfio/pci/vfio_pci_core.c
> +++ b/drivers/vfio/pci/vfio_pci_core.c
[ ... ]
> @@ -1533,6 +1533,77 @@ static int vfio_pci_tph_disable(struct vfio_pci_core_device *vdev)
> +static int vfio_pci_tph_get_st(struct vfio_pci_core_device *vdev,
> +			       struct vfio_device_pci_tph_op *op,
> +			       void __user *uarg)
> +{
> +	struct pci_dev *pdev = vdev->pdev;
> +	struct vfio_pci_tph_entry *ents;
> +	struct vfio_pci_tph_st st;
> +	enum tph_mem_type mtype;
> +	size_t size, ents_off;
> +	int i, err;
> +
> +	if (!enable_unsafe_tph_ds_mode ||
> +		pcie_tph_get_st_table_loc(pdev) != PCI_TPH_LOC_NONE)
> +		return -EOPNOTSUPP;
> +
> +	if (copy_from_user(&st, uarg, sizeof(st)))
> +		return -EFAULT;

Should this code validate op->argsz before copying the structure from user
space?

If a user program passes an argsz that is smaller than sizeof(st), and
the provided pointer happens to be at the very end of a mapped page,
copy_from_user() will attempt to read into unmapped memory and return
-EFAULT instead of the expected -EINVAL.

Other VFIO ioctl implementations, such as vfio_pci_tph_enable(), check
op->argsz before calling copy_from_user().

> +
> +	/* Check reserved fields are zero */
> +	if (memchr_inv(&st.reserved, 0, sizeof(st.reserved)))
> +		return -EINVAL;
> +
> +	if (!st.count || st.count > VFIO_PCI_TPH_MAX_ENTRIES)
> +		return -EINVAL;
> +
> +	size = st.count * sizeof(*ents);
> +	if (op->argsz < offsetofend(struct vfio_device_pci_tph_op, st) + size)
> +		return -EINVAL;
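
Review bot: In vfio_pci_tph_get_st(), the only op->argsz check comes after the copy_from_user(&st, uarg, sizeof(st)) at the top of the function, so a caller-declared size shorter than the fixed header is not rejected before the kernel reads it. Add a lower-bound check such as `if (op->argsz < offsetofend(struct vfio_device_pci_tph_op, st)) return -EINVAL;` ahead of the copy, and keep the later `+ size` comparison for the entry array that follows the header. Separately, the continuation line of the `enable_unsafe_tph_ds_mode` condition is indented with an extra tab; aligning it under the opening parenthesis would match the usual kernel style.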

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260507130956.34441-1-fengchengwen@huawei.com?part=5
