All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Dan Williams" <djbw@kernel.org>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH 11/15] PCI/TSM: Add device interface security RUN support
Date: Sun, 05 Jul 2026 22:21:26 +0000	[thread overview]
Message-ID: <20260705222127.1ED5C1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260705220819.2472765-12-djbw@kernel.org>

Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:

New issues:
- [High] `pci_tsm_accept()` unconditionally invokes the `run` callback without verifying the TSM type or callback presence, leading to a NULL pointer dereference.
- [High] The `PCI_TSM_F_ACCEPT` flag is not explicitly cleared, allowing a reused context to bypass the TDISP RUN state transition.

Pre-existing issues:
- [High] Missing validation of TSM type in `unlock_store` and `disconnect_store` can cause NULL pointer dereferences.
- [High] Lock order inversion between `pci_tsm_rwsem` and `device_lock(&pdev->dev)` causes an ABBA deadlock.
--

commit dff8c6ed3353a6c7f7bb4d5a991bf30cccd06be9
Author: Dan Williams <djbw@kernel.org>

PCI/TSM: Add device interface security RUN support

This commit introduces a sysfs trigger to transition a device from the TDISP
LOCKED state to the RUN state. It connects the accept trigger to a new run
operation in the pci_tsm_ops structure. The RUN state prepares the device for
private operation by enabling private MMIO access.

> diff --git a/drivers/pci/tsm/core.c b/drivers/pci/tsm/core.c
> index 590e19f6c2b80..1f09ab4e8d4c5 100644
> --- a/drivers/pci/tsm/core.c
> +++ b/drivers/pci/tsm/core.c

[ ... ]

> @@ -552,6 +552,89 @@ static ssize_t dsm_show(struct device *dev, struct device_attribute *attr,
>  }
>  static DEVICE_ATTR_RO(dsm);
>  
> +/**
> + * pci_tsm_accept() - accept a device for private MMIO operation
> + * @pdev: PCI device to accept
> + *
> + * "Accept" transitions the device interface to the RUN state, it is
> + * only suitable to make that transition from a known idle (no active
> + * DMA / MMIO mappings) state. The "driver detached" state is a coarse
> + * way to assert that requirement.
> + */
> +static int pci_tsm_accept(struct pci_dev *pdev)
> +{
> +	int rc;
> +
> +	ACQUIRE(rwsem_read_intr, lock)(&pci_tsm_rwsem);
> +	if ((rc = ACQUIRE_ERR(rwsem_read_intr, &lock)))
> +		return rc;
> +
> +	if (!pdev->tsm)
> +		return -EINVAL;
> +
> +	ACQUIRE(device_intr, dev_lock)(&pdev->dev);

[Severity: High]
This is a pre-existing issue, but does acquiring pci_tsm_rwsem and then
device_lock(&pdev->dev) cause an ABBA deadlock?

If a device driver's remove() callback is invoked holding device_lock, and it
calls pci_tsm_unbind(), which then attempts to acquire pci_tsm_rwsem, this
could invert the lock ordering. 

Concurrently, sysfs operations like unlock_store or lock_store acquire
pci_tsm_rwsem before device_lock, which could trigger a deadlock.

> +	if ((rc = ACQUIRE_ERR(device_intr, &dev_lock)))
> +		return rc;
> +
> +	if (pdev->dev.driver)
> +		return -EBUSY;
> +
> +	if (test_bit(PCI_TSM_F_ACCEPT, &pdev->tsm->flags))

[Severity: High]
Can a reused context bypass the TDISP RUN state transition because
PCI_TSM_F_ACCEPT is never explicitly cleared?

When a device is unlocked, the provider's ops->unlock() retains the
struct pci_tsm object in memory. When the device is locked again, the
core constructor pci_tsm_devsec_constructor() initializes the base fields
but does not clear flags. 

Does this allow a subsequent call to pci_tsm_accept() to observe the leftover
PCI_TSM_F_ACCEPT bit and return success without calling the hardware run
operation?

> +		return 0;
> +
> +	rc = to_pci_tsm_ops(pdev->tsm)->run(pdev);

[Severity: High]
Does this code unconditionally invoke the run callback without verifying the
TSM type or callback presence, leading to a NULL pointer dereference?

If a user space process writes to the accept sysfs attribute of a device that
is bound to a link TSM (which does not populate devsec_ops) or a devsec TSM
that omitted the run callback, it seems this would result in a kernel crash.

> +	if (rc)
> +		return rc;
> +
> +	set_bit(PCI_TSM_F_ACCEPT, &pdev->tsm->flags);
> +
> +	return 0;
> +}

[ ... ]

> @@ -568,9 +651,9 @@ static void pci_tsm_unlock(struct pci_dev *pdev)
>  			  "unlock attempted on driver attached device\n"))
>  		return;
>  
> -	device_cc_reject(&pdev->dev);
>  	to_pci_tsm_ops(pdev->tsm)->unlock(pdev->tsm);

[Severity: High]
This isn't a bug introduced by this patch, but could the lack of TSM type
validation in unlock_store and disconnect_store cause NULL pointer
dereferences?

If a user writes the name of a link TSM to the unlock attribute, or a devsec
TSM to the disconnect attribute, the sysfs handler matches the name. 

Since it fails to verify the specific type of operations supported by the TSM
before calling ops->unlock or ops->disconnect, could this lead to a crash?

>  	pdev->tsm = NULL;
> +	/* implicit clear of PCI_TSM_F_ACCEPT */

[Severity: High]
Is this assumption correct that un-assigning the pointer clears the memory
of the provider-managed flags field?

As asked above, if the struct pci_tsm object remains in memory and flags are
not cleared during initialization, it looks like the PCI_TSM_F_ACCEPT flag
could persist across locking cycles.

>  }

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260705220819.2472765-1-djbw@kernel.org?part=11

  reply	other threads:[~2026-07-05 22:21 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-05 22:08 [PATCH 00/15] Device Evidence and Trust for PCI Security Protocol (TDISP) Dan Williams
2026-07-05 22:08 ` [PATCH 01/15] netlink: specs: Introduce multi-message blobs for SPDM Dan Williams
2026-07-05 22:13   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 02/15] tools: ynl: Teach pyynl to handle blobs Dan Williams
2026-07-05 22:18   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 03/15] tools: ynl: Teach ynl_gen_c to validate and dump 'blob' attributes Dan Williams
2026-07-05 22:20   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 04/15] device core: Introduce "device evidence" over netlink Dan Williams
2026-07-05 22:20   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 05/15] device core: Add "device evidence" 'validate' command Dan Williams
2026-07-05 22:26   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 06/15] PCI/TSM: Add device evidence support Dan Williams
2026-07-05 22:16   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 07/15] modules: Document the global async_probe parameter Dan Williams
2026-07-05 22:15   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 08/15] device core: Initial device trust infrastructure Dan Williams
2026-07-05 22:17   ` sashiko-bot
2026-07-06 13:45   ` Jason Gunthorpe
2026-07-05 22:08 ` [PATCH 09/15] PCI, device core: Move "untrusted" concept to DEVICE_TRUST_ADVERSARY Dan Williams
2026-07-05 22:25   ` sashiko-bot
2026-07-06 13:49   ` Jason Gunthorpe
2026-07-07 13:04   ` Robin Murphy
2026-07-05 22:08 ` [PATCH 10/15] PCI/TSM: Add device interface security LOCKED support Dan Williams
2026-07-05 22:25   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 11/15] PCI/TSM: Add device interface security RUN support Dan Williams
2026-07-05 22:21   ` sashiko-bot [this message]
2026-07-05 22:08 ` [PATCH 12/15] PCI/TSM: Add device interface security DMA enable/disable Dan Williams
2026-07-05 22:25   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 13/15] PCI, device core: Add private memory access for DEVICE_TRUST_TCB Dan Williams
2026-07-05 22:28   ` sashiko-bot
2026-07-06 12:42   ` Aneesh Kumar K.V
2026-07-05 22:08 ` [PATCH 14/15] PCI/TSM: Create MMIO descriptors via TDISP Report Dan Williams
2026-07-05 22:24   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 15/15] PCI/TSM: Add relative MMIO offset support? Dan Williams
2026-07-05 22:25   ` sashiko-bot
2026-07-06 12:51 ` [PATCH 00/15] Device Evidence and Trust for PCI Security Protocol (TDISP) Jason Gunthorpe
2026-07-06 20:55   ` Dan Williams (nvidia)
2026-07-07 12:43     ` Jason Gunthorpe

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260705222127.1ED5C1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=djbw@kernel.org \
    --cc=linux-pci@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.