From: sashiko-bot@kernel.org
To: "Dimitri Daskalakis" <dimitri.daskalakis1@gmail.com>
Cc: linux-pci@vger.kernel.org, kvm@vger.kernel.org
Subject: Re: [RFC 10/12] PCI: Add Scalable I/O Virtualization data structure definitions
Date: Thu, 04 Jun 2026 15:23:18 +0000
Message-ID: <20260604152318.B2BDA1F00893@smtp.kernel.org>
In-Reply-To: <20260604150153.3619662-11-dimitri.daskalakis1@gmail.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Refactoring of VF routing ID calculation introduces a silent 16-bit truncation that bypasses the maximum bus number bounds check.
--

commit ca9b97e7dff7c499701ce4b55ae9cf14d51bbed7
Author: Dimitri Daskalakis <daskald@meta.com>

PCI: Add Scalable I/O Virtualization data structure definitions

Define the PCIe SIOV extended capability registers per the PCIe 7.0
spec, and introduce the kernel-internal data structures needed to track
SIOV state on a Physical Function. Add an is_siov bit to struct pci_dev
along with helpers to identify SIOV PFs/VFs.

> diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
> index 45411960fd2ef..fd7c04e26c164 100644
> --- a/drivers/pci/pci.h
> +++ b/drivers/pci/pci.h
> @@ -683,6 +683,19 @@ struct pci_sriov {
> bool drivers_autoprobe; /* Auto probing of VFs by driver */
> };
>
> +/* Scalable I/O Virtualization */
> +struct pci_siov {
> + struct pci_dev *self; /* This PF */
> + u32 cap; /* SIOV Capabilities */
> + u16 pos; /* Capability position */
> + u16 total_SDIs; /* Total SDIs associated with the PF */
> + u16 num_SDIs; /* Number of SDIs currently enabled */
> + u16 offset; /* First SDI Routing ID offset */
> + u16 stride; /* Following SDI stride */
> + u16 driver_max_SDIs;/* Max num SDIs driver supports */
> + u8 max_SDI_buses; /* Max buses consumed by SDIs */
> +};
> +
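
Review bot: max_SDI_buses at the end of struct pci_siov is a u8 while offset, stride and total_SDIs are u16, and its comment "Max buses consumed by SDIs" does not say whether the field is a count or a highest bus number, or what happens when offset + stride * (total_SDIs - 1) carries past what 8 bits can hold. Suggest stating the unit and the clamping rule in the field comment. The comments also never expand "SDI"; spelling it out once next to the "/* Scalable I/O Virtualization */" header comment would help readers who do not have the spec at hand.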

[Severity: High]
This patch series relies on the pci_virtfn_routing_id() helper introduced in
an earlier commit ("PCI: Add helper to compute VF Routing ID to pci.h"), but
doesn't this helper introduce a silent truncation issue?

In drivers/pci/pci.h:

static inline u16 pci_virtfn_routing_id(struct pci_dev *pf, u16 offset,
					u16 stride, int id)
{
	return (pf->bus->number << 8) + pf->devfn + offset + stride * id;
}

If the calculated bus number exceeds 255, the internal calculation exceeds
0xFFFF and is truncated by the u16 return type.

When this is used to determine the bus number in drivers/pci/iov.c:

int pci_iov_virtfn_bus(struct pci_dev *dev, int vf_id)
{
	...
	return pci_virtfn_routing_id(dev, dev->sriov->offset,
				     dev->sriov->stride, vf_id) >> 8;
}

The right shift is performed on the truncated 16-bit value, resulting in a
wrapped-around bus number.

Consequently, does this allow the bounds check in sriov_enable() to be
bypassed?

drivers/pci/iov.c:sriov_enable() {
	...
	bus = pci_iov_virtfn_bus(dev, nr_virtfn - 1);
	if (bus > dev->bus->busn_res.end) {
	...
}

Because the wrapped-around bus value appears to be within bounds, this could
allow VFs to be enabled on invalid, overlapping bus numbers.

--
Sashiko AI review · https://sashiko.dev/#/patchset/20260604150153.3619662-1-dimitri.daskalakis1@gmail.com?part=10
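
The truncation raised in the review above, modelled in userspace C as an added example (not kernel code and not part of the original message). struct pf_model, the function names, the widened variant and the sample values are constructed for illustration; the widened variant is one way to keep the carry visible, not the fix the thread settled on.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace model only; names are illustrative, not the kernel's. */
struct pf_model {
	uint8_t  bus;      /* PF bus number */
	uint8_t  devfn;    /* PF device/function */
	uint8_t  busn_end; /* last bus number in the PF's bus resource */
	uint16_t offset;   /* First VF Routing ID offset */
	uint16_t stride;   /* Following VF stride */
};

/* Same sum as the quoted helper; the cast is what a u16 return type does. */
static uint16_t rid_u16(const struct pf_model *pf, int id)
{
	return (uint16_t)((pf->bus << 8) + pf->devfn + pf->offset + pf->stride * id);
}

/* Widened variant (assumption): a carry past bus 255 stays visible. */
static uint32_t rid_wide(const struct pf_model *pf, int id)
{
	return ((uint32_t)pf->bus << 8) + pf->devfn + pf->offset +
	       (uint32_t)pf->stride * (uint32_t)id;
}

/* Bounds check shaped like the sriov_enable() excerpt: 1 = accepted. */
static int last_vf_accepted_u16(const struct pf_model *pf, int nr_virtfn)
{
	int bus = rid_u16(pf, nr_virtfn - 1) >> 8;
	return !(bus > pf->busn_end);
}

static int last_vf_accepted_wide(const struct pf_model *pf, int nr_virtfn)
{
	uint32_t bus = rid_wide(pf, nr_virtfn - 1) >> 8;
	return !(bus > pf->busn_end);
}

/* Constructed sample: PF on bus 0xfe, bus range ends at 0xff. */
static const struct pf_model sample_pf = {
	.bus = 0xfe, .devfn = 0x00, .busn_end = 0xff,
	.offset = 0x100, .stride = 0x100,
};

int main(void)
{
	printf("u16:  rid=%#x accepted=%d\n", (unsigned)rid_u16(&sample_pf, 1),
	       last_vf_accepted_u16(&sample_pf, 2));
	printf("wide: rid=%#x accepted=%d\n", (unsigned)rid_wide(&sample_pf, 1),
	       last_vf_accepted_wide(&sample_pf, 2));
	return 0;
}
```

With the constructed values, the second VF's routing ID is 0x10000: the 16-bit path reports bus 0 and passes the check, while the widened path reports bus 256 and is rejected.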