From: sashiko-bot@kernel.org
To: "Chengwen Feng" <fengchengwen@huawei.com>
Cc: linux-pci@vger.kernel.org, kvm@vger.kernel.org
Subject: Re: [PATCH v16 11/12] vfio/pci: Add TPH_ST_CONFIG for PCIe TPH ST configuration
Date: Thu, 04 Jun 2026 13:51:37 +0000 [thread overview]
Message-ID: <20260604135138.1FA0C1F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260604132804.28678-12-fengchengwen@huawei.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Lockless modification of the `tph_permit` bitfield races with updates to adjacent bitfields, risking data corruption of critical device state flags.
- [Medium] The `tph_permit` flag is not reset when the VFIO device is closed, leaking state between user sessions.
--
commit 3866f62cd649303d4e63fcdfae7f9e49073c8b9c
Author: Chengwen Feng <fengchengwen@huawei.com>
Subject: vfio/pci: Add TPH_ST_CONFIG for PCIe TPH ST configuration
This patch adds the VFIO_DEVICE_FEATURE_TPH_ST_CONFIG feature to allow
userspace to configure PCIe TPH Steering Tag table entries. It uses a shadow
table to cache entries, paired with a per-device mutex for concurrent access
protection.
> diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
> index 7c6e3e1213d3e..e20c92a3dfcb1 100644
> --- a/drivers/vfio/pci/vfio_pci_core.c
> +++ b/drivers/vfio/pci/vfio_pci_core.c
[ ... ]
> @@ -496,6 +496,50 @@ static const struct dev_pm_ops vfio_pci_core_pm_ops = {
[ ... ]
> +static void vfio_pci_tph_deinit(struct vfio_pci_core_device *vdev)
> +{
> + kfree(vdev->tph_st_shadow);
> + vdev->tph_st_shadow = NULL;
> + vdev->tph_st_entries = 0;
> +}
[Severity: Medium]
When the VFIO device is closed, should tph_permit be reset to 0 here or in
vfio_pci_core_disable()?
Because struct vfio_pci_core_device persists across opens, a subsequent
user opening the same device will inherit tph_permit = 1.
Could this allow the new user to bypass the explicit feature opt-in sequence
required by the API and cause cross-session state leakage?
[ ... ]
> diff --git a/include/linux/vfio_pci_core.h b/include/linux/vfio_pci_core.h
> index 5f32830766a0f..9cac61c63ead2 100644
> --- a/include/linux/vfio_pci_core.h
> +++ b/include/linux/vfio_pci_core.h
> @@ -143,6 +143,9 @@ struct vfio_pci_core_device {
> struct notifier_block nb;
> struct rw_semaphore memory_lock;
> struct list_head dmabufs;
> + struct mutex tph_lock;
> + u16 *tph_st_shadow;
> + u16 tph_st_entries;
> };
[Severity: High]
Is it safe to modify tph_permit locklessly?
In struct vfio_pci_core_device, tph_permit is defined as a 1-bit bitfield
adjacent to other state flags like pm_runtime_engaged.
Because bitfields share the same underlying memory word, modifying
tph_permit translates to a non-atomic read-modify-write operation.
If vfio_pci_core_feature_tph_enable() sets vdev->tph_permit = 1 without a
lock, could it race with concurrent ioctls modifying adjacent bitfields
(such as pm_runtime_engaged under vdev->igate) and cause silent state
corruption?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260604132804.28678-1-fengchengwen@huawei.com?part=11
next prev parent reply other threads:[~2026-06-04 13:51 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-04 13:27 [PATCH v16 00/12] vfio/pci: Add PCIe TPH support Chengwen Feng
2026-06-04 13:27 ` [PATCH v16 01/12] PCI/TPH: Fix pcie_tph_get_st_table_loc() field extraction Chengwen Feng
2026-06-04 13:27 ` [PATCH v16 02/12] PCI/TPH: Fix tph_enabled concurrent update race by bitfield packing Chengwen Feng
2026-06-04 13:27 ` [PATCH v16 03/12] PCI/TPH: Cache TPH requester capability at probe time Chengwen Feng
2026-06-04 13:27 ` [PATCH v16 04/12] PCI/TPH: Refactor pcie_enable_tph & add explicit requester variant Chengwen Feng
2026-06-04 13:27 ` [PATCH v16 05/12] PCI/TPH: Refactor pcie_tph_get_cpu_st & add explicit variant Chengwen Feng
2026-06-04 13:27 ` [PATCH v16 06/12] PCI/TPH: expose the enabled TPH requester type Chengwen Feng
2026-06-04 13:27 ` [PATCH v16 07/12] PCI/TPH: Add pcie_tph_supported() helper to check TPH capability attributes Chengwen Feng
2026-06-04 13:28 ` [PATCH v16 08/12] vfio/pci: Hide TPH capability when TPH is unsupported Chengwen Feng
2026-06-04 13:48 ` sashiko-bot
2026-06-04 13:28 ` [PATCH v16 09/12] vfio/pci: Add TPH_ENABLE feature skeleton and unsafe module parameter Chengwen Feng
2026-06-04 13:54 ` sashiko-bot
2026-06-15 1:26 ` fengchengwen
2026-06-04 13:28 ` [PATCH v16 10/12] vfio/pci: Add TPH_CPU_ST to query CPU's TPH steering tag Chengwen Feng
2026-06-04 13:55 ` sashiko-bot
2026-06-15 1:31 ` fengchengwen
2026-06-04 13:28 ` [PATCH v16 11/12] vfio/pci: Add TPH_ST_CONFIG for PCIe TPH ST configuration Chengwen Feng
2026-06-04 13:51 ` sashiko-bot [this message]
2026-06-04 13:28 ` [PATCH v16 12/12] vfio/pci: Virtualize PCIe TPH capability registers Chengwen Feng
2026-06-04 14:05 ` sashiko-bot
2026-06-15 3:57 ` fengchengwen
2026-06-15 12:19 ` [PATCH v16 00/12] vfio/pci: Add PCIe TPH support fengchengwen
2026-06-15 14:19 ` Alex Williamson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260604135138.1FA0C1F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=fengchengwen@huawei.com \
--cc=kvm@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.