All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Dan Williams" <djbw@kernel.org>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH 14/15] PCI/TSM: Create MMIO descriptors via TDISP Report
Date: Sun, 05 Jul 2026 22:24:35 +0000	[thread overview]
Message-ID: <20260705222435.E62B91F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260705220819.2472765-15-djbw@kernel.org>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] 32-bit unsigned multiplication overflow in MMIO region size calculation silently truncates the size for regions >= 4GB.
- [Medium] Bitwise NOT of a 32-bit `unsigned long` mask zeroes out the upper 32 bits of a 64-bit physical address on 32-bit architectures.
--

commit cfcbb8abea88df9f3a56b20ab3e4fac1bdbf37ea
Author: Dan Williams <djbw@kernel.org>

PCI/TSM: Create MMIO descriptors via TDISP Report

This commit introduces a helper function to create encrypted MMIO descriptors
from a TDISP Report. The descriptors allow the low-level TSM driver to inform
ioremap() how to map the device's MMIO correctly based on the device's
expectations. It also computes the obfuscated base addresses for each
encrypted MMIO range.

Link: https://lore.kernel.org/linux-coco/20251117140007.122062-8-aneesh.kumar@kernel.org/ [1]

> diff --git a/drivers/pci/tsm/core.c b/drivers/pci/tsm/core.c
> --- a/drivers/pci/tsm/core.c
> +++ b/drivers/pci/tsm/core.c

[ ... ]

> +struct pci_tsm_mmio *pci_tsm_mmio_alloc(struct pci_dev *pdev)
> +{

[ ... ]

> +	for (i = 0; i < mmio_range_count; i++) {
> +		u64 range_off;
> +		struct range range;
> +		const struct pci_tsm_devif_mmio *mmio_data = &report->mmio[i];
> +		struct pci_tsm_mmio_entry *entry =
> +			pci_tsm_mmio_entry(mmio, mmio->nr);
> +		u64 tsm_offset = __le64_to_cpu(mmio_data->phys);
> +		u64 size = __le32_to_cpu(mmio_data->nr_pfns) * SZ_4K;

[Severity: High]
Does this calculation suffer from a 32-bit multiplication overflow?

Since __le32_to_cpu() returns a 32-bit unsigned integer and SZ_4K is also
32-bit, if nr_pfns is large enough (representing 4GB or more), the
multiplication will overflow before it is zero-extended and assigned to the
64-bit size variable.

Could this lead to the size being truncated (e.g., yielding 0 for exactly
4GB) and exposing intended secure MMIO space to the VM as unencrypted
memory?

> +		u32 attr = __le32_to_cpu(mmio_data->attributes);
> +		int bar = FIELD_GET(PCI_TSM_DEVIF_REPORT_MMIO_ATTR_RANGE_ID,
> +				    attr);

[ ... ]

> +		if (last_bar < bar) {
> +			unsigned long mask = pci_resource_len(pdev, bar) - 1;
> +
> +			/* Transition to a new bar */
> +			last_bar = bar;
> +
> +			/*
> +			 * Determine the obfuscated base of the BAR. BAR
> +			 * offsets are never obfuscated.
> +			 */
> +			reporting_bar_base = tsm_offset & ~mask;

[Severity: Medium]
Will this bitwise operation truncate the upper 32 bits of the physical
address on 32-bit architectures?

On 32-bit platforms with 64-bit physical addresses (like PAE), unsigned
long is 32 bits. The mask truncates the BAR size, and ~mask flips those
32 bits. When it is promoted to u64 for the bitwise AND with tsm_offset,
the upper 32 bits of the zero-extended ~mask will be 0.

Could this completely erase the upper 32 bits of reporting_bar_base when
compiled for 32-bit platforms?

> +		} else if (tsm_offset < last_reporting_end) {

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260705220819.2472765-1-djbw@kernel.org?part=14

  reply	other threads:[~2026-07-05 22:24 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-05 22:08 [PATCH 00/15] Device Evidence and Trust for PCI Security Protocol (TDISP) Dan Williams
2026-07-05 22:08 ` [PATCH 01/15] netlink: specs: Introduce multi-message blobs for SPDM Dan Williams
2026-07-05 22:13   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 02/15] tools: ynl: Teach pyynl to handle blobs Dan Williams
2026-07-05 22:18   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 03/15] tools: ynl: Teach ynl_gen_c to validate and dump 'blob' attributes Dan Williams
2026-07-05 22:20   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 04/15] device core: Introduce "device evidence" over netlink Dan Williams
2026-07-05 22:20   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 05/15] device core: Add "device evidence" 'validate' command Dan Williams
2026-07-05 22:26   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 06/15] PCI/TSM: Add device evidence support Dan Williams
2026-07-05 22:16   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 07/15] modules: Document the global async_probe parameter Dan Williams
2026-07-05 22:15   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 08/15] device core: Initial device trust infrastructure Dan Williams
2026-07-05 22:17   ` sashiko-bot
2026-07-06 13:45   ` Jason Gunthorpe
2026-07-05 22:08 ` [PATCH 09/15] PCI, device core: Move "untrusted" concept to DEVICE_TRUST_ADVERSARY Dan Williams
2026-07-05 22:25   ` sashiko-bot
2026-07-06 13:49   ` Jason Gunthorpe
2026-07-07 13:04   ` Robin Murphy
2026-07-05 22:08 ` [PATCH 10/15] PCI/TSM: Add device interface security LOCKED support Dan Williams
2026-07-05 22:25   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 11/15] PCI/TSM: Add device interface security RUN support Dan Williams
2026-07-05 22:21   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 12/15] PCI/TSM: Add device interface security DMA enable/disable Dan Williams
2026-07-05 22:25   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 13/15] PCI, device core: Add private memory access for DEVICE_TRUST_TCB Dan Williams
2026-07-05 22:28   ` sashiko-bot
2026-07-06 12:42   ` Aneesh Kumar K.V
2026-07-05 22:08 ` [PATCH 14/15] PCI/TSM: Create MMIO descriptors via TDISP Report Dan Williams
2026-07-05 22:24   ` sashiko-bot [this message]
2026-07-05 22:08 ` [PATCH 15/15] PCI/TSM: Add relative MMIO offset support? Dan Williams
2026-07-05 22:25   ` sashiko-bot
2026-07-06 12:51 ` [PATCH 00/15] Device Evidence and Trust for PCI Security Protocol (TDISP) Jason Gunthorpe
2026-07-06 20:55   ` Dan Williams (nvidia)
2026-07-07 12:43     ` Jason Gunthorpe

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260705222435.E62B91F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=djbw@kernel.org \
    --cc=linux-pci@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.