From: sashiko-bot@kernel.org
To: Frank.Li@oss.nxp.com
Cc: linux-pci@vger.kernel.org, Frank.Li@kernel.org,
dmaengine@vger.kernel.org, imx@lists.linux.dev, vkoul@kernel.org
Subject: Re: [PATCH v7 3/9] PCI: endpoint: pci-epf-test: Use dmaenigne_prep_config_single() to simplify code
Date: Thu, 21 May 2026 17:31:00 +0000 [thread overview]
Message-ID: <20260521173101.0A7131F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260521-dma_prep_config-v7-3-1f73f4899883@nxp.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Unvalidated `size` from PCIe test registers leads to arbitrarily large `kzalloc` allocations, potentially triggering kernel warnings or panics.
--
commit a2e73aaa3ad55ca4f65ceeb2cf567d9f9ac1f014
Author: Frank Li <Frank.Li@nxp.com>
PCI: endpoint: pci-epf-test: Use dmaenigne_prep_config_single() to simplify code
This commit simplifies the DMA configuration code by replacing
dmaengine_slave_config() and dmaengine_prep_slave_single() with a single
call to dmaengine_prep_config_single().
> diff --git a/drivers/pci/endpoint/functions/pci-epf-test.c b/drivers/pci/endpoint/functions/pci-epf-test.c
> --- a/drivers/pci/endpoint/functions/pci-epf-test.c
> +++ b/drivers/pci/endpoint/functions/pci-epf-test.c
> @@ -182,12 +182,8 @@ static int pci_epf_test_data_transfer(struct pci_epf_test *epf_test,
> else
> sconf.src_addr = dma_remote;
>
> - if (dmaengine_slave_config(chan, &sconf)) {
> - dev_err(dev, "DMA slave config fail\n");
> - return -EIO;
> - }
> - tx = dmaengine_prep_slave_single(chan, dma_local, len, dir,
> - flags);
> + tx = dmaengine_prep_config_single(chan, dma_local, len,
> + dir, flags, &sconf);
[Severity: High]
This is a pre-existing issue, but I noticed a potential problem with how the
len parameter is handled by the callers of this transfer code.
The functions pci_epf_test_copy(), pci_epf_test_read(), and
pci_epf_test_write() read a 32-bit size value directly from the memory-mapped
reg->size register, which is controlled by an external PCIe host.
This raw size is then passed directly to kzalloc() without any bounds checking
or validation.
Could this allow a malicious or misconfigured PCIe host to pass an arbitrarily
large size to kzalloc(), triggering a page allocator warning and stack trace
that might remotely crash the endpoint kernel if it is configured with
panic_on_warn?
> } else {
> tx = dmaengine_prep_dma_memcpy(chan, dma_dst, dma_src, len,
> flags);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260521-dma_prep_config-v7-0-1f73f4899883@nxp.com?part=3
next prev parent reply other threads:[~2026-05-21 17:31 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-21 15:32 [PATCH v7 0/9] dmaengine: Add new API to combine configuration and descriptor preparation Frank.Li
2026-05-21 15:32 ` [PATCH v7 1/9] dmaengine: Add API to combine configuration and preparation (sg and single) Frank.Li
2026-05-21 15:32 ` [PATCH v7 2/9] dmaengine: Add safe API to combine configuration and preparation Frank.Li
2026-05-21 17:10 ` sashiko-bot
2026-05-21 15:32 ` [PATCH v7 3/9] PCI: endpoint: pci-epf-test: Use dmaenigne_prep_config_single() to simplify code Frank.Li
2026-05-21 17:31 ` sashiko-bot [this message]
2026-05-21 15:32 ` [PATCH v7 4/9] dmaengine: dw-edma: Use new .device_prep_config_sg() callback Frank.Li
2026-05-21 17:56 ` sashiko-bot
2026-05-21 15:32 ` [PATCH v7 5/9] dmaengine: dw-edma: Pass dma_slave_config to dw_edma_device_transfer() Frank.Li
2026-05-21 18:10 ` sashiko-bot
2026-05-21 15:32 ` [PATCH v7 6/9] nvmet: pci-epf: Remove unnecessary dmaengine_terminate_sync() on each DMA transfer Frank.Li
2026-05-21 18:31 ` sashiko-bot
2026-05-21 15:32 ` [PATCH v7 7/9] nvmet: pci-epf: Use dmaengine_prep_config_single_safe() API Frank.Li
2026-05-21 19:05 ` sashiko-bot
2026-05-21 15:32 ` [PATCH v7 8/9] PCI: epf-mhi: Use dmaengine_prep_config_single() to simplify code Frank.Li
2026-05-21 15:32 ` [PATCH v7 9/9] crypto: atmel: Use dmaengine_prep_config_sg() API Frank.Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260521173101.0A7131F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=Frank.Li@oss.nxp.com \
--cc=dmaengine@vger.kernel.org \
--cc=imx@lists.linux.dev \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox