From: sashiko-bot@kernel.org
To: "Dimitri Daskalakis" <dimitri.daskalakis1@gmail.com>
Cc: linux-pci@vger.kernel.org, kvm@vger.kernel.org
Subject: Re: [RFC 12/12] PCI: Reserve bus range for SIOV devices
Date: Thu, 04 Jun 2026 15:25:05 +0000 [thread overview]
Message-ID: <20260604152505.800DA1F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260604150153.3619662-13-dimitri.daskalakis1@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Malicious PCIe configuration can cause an integer underflow in bus numbering reservation, leading to broken bus allocation logic.
--
commit b3162f0225b56986a66cccbae6221dcaf9c28ae6
Author: Dimitri Daskalakis <daskald@meta.com>
Subject: PCI: Reserve bus range for SIOV devices
SDI routing IDs are computed from the PF's devfn plus an offset and
stride. When the stride pushes routing IDs past the current bus number,
additional bus numbers must be reserved during PCI bus scanning. This
commit adds pci_siov_bus_range() to compute the maximum number of
additional buses required, parallel to SR-IOV.
> diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
> index bebc32c8d374f..9ef6827ab3453 100644
> --- a/drivers/pci/probe.c
> +++ b/drivers/pci/probe.c
> @@ -3100,8 +3100,8 @@ static unsigned int pci_scan_child_bus_extend(struct pci_bus *bus,
> for (devnr = 0; devnr < PCI_MAX_NR_DEVS; devnr++)
> pci_scan_slot(bus, PCI_DEVFN(devnr, 0));
>
> - /* Reserve buses for SR-IOV capability */
> - used_buses = pci_iov_bus_range(bus);
> + /* Reserve buses for SR-IOV and SIOV capability */
> + used_buses = max(pci_iov_bus_range(bus), pci_siov_bus_range(bus));
[Severity: High]
This isn't a bug introduced by this patch, but if pci_siov_bus_range()
returns a negative integer due to a 16-bit capability wraparound, won't
assigning it to the unsigned int used_buses result in an underflow?
If used_buses becomes a massive positive value, the subsequent
max += used_buses would wrap max backwards. This could corrupt the PCI
enumeration state, cause overlapping bus assignments, and potentially
bypass IOMMU isolation if RIDs collide.
> max += used_buses;
>
> /*
> diff --git a/drivers/pci/siov.c b/drivers/pci/siov.c
> index 7372ce95714b2..6405a88300524 100644
> --- a/drivers/pci/siov.c
> +++ b/drivers/pci/siov.c
[ ... ]
> @@ -111,3 +111,24 @@ void pci_siov_release(struct pci_dev *dev)
> +int pci_siov_bus_range(struct pci_bus *bus)
> +{
> + int max = 0;
> + struct pci_dev *dev;
> +
> + list_for_each_entry(dev, &bus->devices, bus_list) {
> + if (!dev->siov)
> + continue;
> + if (dev->siov->max_SDI_buses > max)
> + max = dev->siov->max_SDI_buses;
> + }
> +
> + return max ? max - bus->number : 0;
[Severity: High]
This is a pre-existing issue inherited from SR-IOV, but could a malicious
PCIe device provide offset and stride values that cause the 16-bit
capability to wrap around?
If max_SDI_buses wraps around and ends up strictly less than bus->number
(but non-zero), this subtraction yields a negative integer, leading to
the underflow in pci_scan_child_bus_extend() mentioned above.
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260604150153.3619662-1-dimitri.daskalakis1@gmail.com?part=12
next prev parent reply other threads:[~2026-06-04 15:25 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-04 15:01 [RFC 00/12] PCI: Add support for Scalable I/O Virtualization Dimitri Daskalakis
2026-06-04 15:01 ` [RFC 01/12] PCI: Add helpers to identify SR-IOV PFs/VFs Dimitri Daskalakis
2026-06-04 15:01 ` [RFC 02/12] PCI: Convert iov.c to pci_is_sriov_* helpers Dimitri Daskalakis
2026-06-04 15:15 ` sashiko-bot
2026-06-04 15:01 ` [RFC 03/12] PCI: Convert pci.h " Dimitri Daskalakis
2026-06-04 15:01 ` [RFC 04/12] PCI: Convert arch/powerpc " Dimitri Daskalakis
2026-06-04 17:26 ` sashiko-bot
2026-06-04 15:01 ` [RFC 05/12] PCI: Convert s390/pci/pci.c " Dimitri Daskalakis
2026-06-04 15:01 ` [RFC 06/12] PCI: Convert vfio_pci_core.c " Dimitri Daskalakis
2026-06-04 15:01 ` [RFC 07/12] PCI: Convert xen-pciback and pci-driver " Dimitri Daskalakis
2026-06-04 15:11 ` Juergen Gross
2026-06-04 15:24 ` sashiko-bot
2026-06-04 15:01 ` [RFC 08/12] PCI: Add is_sriov bit to struct pci_dev Dimitri Daskalakis
2026-06-04 15:01 ` [RFC 09/12] PCI: Add helper to compute VF Routing ID to pci.h Dimitri Daskalakis
2026-06-04 15:01 ` [RFC 10/12] PCI: Add Scalable I/O Virtualization data structure definitions Dimitri Daskalakis
2026-06-04 15:23 ` sashiko-bot
2026-06-04 15:01 ` [RFC 11/12] PCI: Initialize and release SIOV capability Dimitri Daskalakis
2026-06-04 15:23 ` sashiko-bot
2026-06-04 15:01 ` [RFC 12/12] PCI: Reserve bus range for SIOV devices Dimitri Daskalakis
2026-06-04 15:25 ` sashiko-bot [this message]
2026-06-04 18:20 ` [RFC 00/12] PCI: Add support for Scalable I/O Virtualization Jason Gunthorpe
2026-06-04 23:49 ` Dimitri Daskalakis
2026-06-04 23:53 ` Jason Gunthorpe
2026-06-05 0:59 ` Jakub Kicinski
2026-06-05 4:14 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260604152505.800DA1F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dimitri.daskalakis1@gmail.com \
--cc=kvm@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.