All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Dan Williams" <djbw@kernel.org>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH 10/15] PCI/TSM: Add device interface security LOCKED support
Date: Sun, 05 Jul 2026 22:25:20 +0000	[thread overview]
Message-ID: <20260705222520.D458B1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260705220819.2472765-11-djbw@kernel.org>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

New issues:
- [High] Sysfs operations `unlock_store` and `disconnect_store` do not verify the active TSM context type (`pdev->tsm`), allowing userspace to trigger kernel panics by performing operations on the wrong context type.
- [High] `pci_tsm_unlock()` returns early without clearing the TSM context if a driver is attached, causing a dangling pointer and Use-After-Free during subsystem teardown.

Pre-existing issues:
- [High] A TOCTOU race condition in `tsm_unregister()` allows `lock_store()` to attach a PCI device to a TSM that is actively being destroyed.
--

commit 82cae08595d79f2459048e59ff4784f6bfb600ba
Author: Dan Williams <djbw@kernel.org>

PCI/TSM: Add device interface security LOCKED support

This patch implements the LOCK/UNLOCK operations in pci_tsm_ops to allow a VM
to manage the security state of assigned devices. It provides the lock and
unlock sysfs attributes to transition the device between TDISP LOCKED and
UNLOCKED states.

> diff --git a/drivers/pci/tsm/core.c b/drivers/pci/tsm/core.c
> index 220842df42bc5..590e19f6c2b80 100644
> --- a/drivers/pci/tsm/core.c
> +++ b/drivers/pci/tsm/core.c

[ ... ]

> @@ -531,6 +552,125 @@ static ssize_t dsm_show(struct device *dev, struct device_attribute *attr,
>  }
>  static DEVICE_ATTR_RO(dsm);
>  
> +/**
> + * pci_tsm_unlock() - Transition TDI from LOCKED/RUN to UNLOCKED
> + * @pdev: TDI device to unlock
> + *
> + * Returns void, requires all callers to have satisfied dependencies like making
> + * sure the device is locked and detached from its driver.
> + */
> +static void pci_tsm_unlock(struct pci_dev *pdev)
> +{
> +	lockdep_assert_held_write(&pci_tsm_rwsem);
> +	device_lock_assert(&pdev->dev);
> +
> +	if (dev_WARN_ONCE(&pdev->dev, pdev->dev.driver,
> +			  "unlock attempted on driver attached device\n"))
> +		return;
> +

[Severity: High]
If pci_tsm_unlock() aborts early here because a driver is attached, pdev->tsm
is not cleared.

During subsystem teardown, __pci_tsm_destroy() calls pci_tsm_unlock(). If it
aborts here, does pdev->tsm remain pointing to the context while the TSM
provider unregisters and frees its memory, leaving a dangling pointer?

> +	device_cc_reject(&pdev->dev);
> +	to_pci_tsm_ops(pdev->tsm)->unlock(pdev->tsm);
> +	pdev->tsm = NULL;
> +}
> +
> +static int pci_tsm_lock(struct pci_dev *pdev, struct tsm_dev *tsm_dev)

[ ... ]

> +static ssize_t lock_store(struct device *dev, struct device_attribute *attr,
> +			  const char *buf, size_t len)
> +{
> +	struct pci_dev *pdev = to_pci_dev(dev);
> +	int rc, id;
> +
> +	rc = sscanf(buf, "tsm%d\n", &id);
> +	if (rc != 1)
> +		return -EINVAL;
> +
> +	ACQUIRE(rwsem_write_kill, lock)(&pci_tsm_rwsem);
> +	if ((rc = ACQUIRE_ERR(rwsem_write_kill, &lock)))
> +		return rc;
> +
> +	if (pdev->tsm)
> +		return -EBUSY;
> +
> +	struct tsm_dev *tsm_dev __free(put_tsm_dev) = find_tsm_dev(id);
> +	if (!is_devsec_tsm(tsm_dev))
> +		return -ENXIO;
> +
> +	rc = pci_tsm_lock(pdev, tsm_dev);

[Severity: High]
This is a pre-existing issue, but can lock_store() attach a PCI device to a
TSM that is actively being destroyed?

In tsm_unregister(), pci_tsm_unregister() sweeps the devices and drops
pci_tsm_rwsem. Before the device is actually unregistered and freed by
device_unregister(), could lock_store() acquire the rwsem, look up the dying
tsm_dev via find_tsm_dev(), and attach it to a PCI device?

This seems like it could lead to a use-after-free when the TSM memory is freed
shortly after.

> +	if (rc)
> +		return rc;
> +	return len;
> +}
> +

[ ... ]

> +static ssize_t unlock_store(struct device *dev, struct device_attribute *attr,
> +			  const char *buf, size_t len)
> +{
> +	struct pci_dev *pdev = to_pci_dev(dev);
> +	struct tsm_dev *tsm_dev;
> +	int rc;
> +
> +	ACQUIRE(rwsem_write_kill, lock)(&pci_tsm_rwsem);
> +	if ((rc = ACQUIRE_ERR(rwsem_write_kill, &lock)))
> +		return rc;
> +
> +	if (!pdev->tsm)
> +		return -EINVAL;
> +

[Severity: High]
Does unlock_store() need to verify that pdev->tsm is a devsec context before
proceeding?

A PCI device can hold only one TSM context at a time, but if it has both
capabilities, both sets of sysfs attributes are visible. If a user writes to
unlock when the device has a link context, pci_tsm_unlock() executes and
dereferences ops->unlock(). Since link TSMs do not implement unlock, this
pointer is NULL, potentially causing a kernel panic.

Similarly, does the existing disconnect_store() verify if the context is a
link context? If disconnect is written to when the device has a devsec
context, __pci_tsm_disconnect() attempts to cast via to_pci_tsm_pf0(),
receiving NULL, and then dereferences it via guard(mutex)(&tsm_pf0->lock).

> +	tsm_dev = pdev->tsm->tsm_dev;
> +	if (!sysfs_streq(buf, dev_name(&tsm_dev->dev)))
> +		return -EINVAL;
> +
> +	ACQUIRE(device_intr, dev_lock)(&pdev->dev);
> +	if ((rc = ACQUIRE_ERR(device_intr, &dev_lock)))
> +		return rc;
> +
> +	if (pdev->dev.driver)
> +		return -EBUSY;
> +
> +	pci_tsm_unlock(pdev);
> +
> +	return len;
> +}
> +static DEVICE_ATTR_WO(unlock);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260705220819.2472765-1-djbw@kernel.org?part=10

  reply	other threads:[~2026-07-05 22:25 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-05 22:08 [PATCH 00/15] Device Evidence and Trust for PCI Security Protocol (TDISP) Dan Williams
2026-07-05 22:08 ` [PATCH 01/15] netlink: specs: Introduce multi-message blobs for SPDM Dan Williams
2026-07-05 22:13   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 02/15] tools: ynl: Teach pyynl to handle blobs Dan Williams
2026-07-05 22:18   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 03/15] tools: ynl: Teach ynl_gen_c to validate and dump 'blob' attributes Dan Williams
2026-07-05 22:20   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 04/15] device core: Introduce "device evidence" over netlink Dan Williams
2026-07-05 22:20   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 05/15] device core: Add "device evidence" 'validate' command Dan Williams
2026-07-05 22:26   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 06/15] PCI/TSM: Add device evidence support Dan Williams
2026-07-05 22:16   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 07/15] modules: Document the global async_probe parameter Dan Williams
2026-07-05 22:15   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 08/15] device core: Initial device trust infrastructure Dan Williams
2026-07-05 22:17   ` sashiko-bot
2026-07-06 13:45   ` Jason Gunthorpe
2026-07-05 22:08 ` [PATCH 09/15] PCI, device core: Move "untrusted" concept to DEVICE_TRUST_ADVERSARY Dan Williams
2026-07-05 22:25   ` sashiko-bot
2026-07-06 13:49   ` Jason Gunthorpe
2026-07-07 13:04   ` Robin Murphy
2026-07-05 22:08 ` [PATCH 10/15] PCI/TSM: Add device interface security LOCKED support Dan Williams
2026-07-05 22:25   ` sashiko-bot [this message]
2026-07-05 22:08 ` [PATCH 11/15] PCI/TSM: Add device interface security RUN support Dan Williams
2026-07-05 22:21   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 12/15] PCI/TSM: Add device interface security DMA enable/disable Dan Williams
2026-07-05 22:25   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 13/15] PCI, device core: Add private memory access for DEVICE_TRUST_TCB Dan Williams
2026-07-05 22:28   ` sashiko-bot
2026-07-06 12:42   ` Aneesh Kumar K.V
2026-07-05 22:08 ` [PATCH 14/15] PCI/TSM: Create MMIO descriptors via TDISP Report Dan Williams
2026-07-05 22:24   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 15/15] PCI/TSM: Add relative MMIO offset support? Dan Williams
2026-07-05 22:25   ` sashiko-bot
2026-07-06 12:51 ` [PATCH 00/15] Device Evidence and Trust for PCI Security Protocol (TDISP) Jason Gunthorpe
2026-07-06 20:55   ` Dan Williams (nvidia)
2026-07-07 12:43     ` Jason Gunthorpe

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260705222520.D458B1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=djbw@kernel.org \
    --cc=linux-pci@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.