DMA Engine development
From: sashiko-bot@kernel.org
To: "Koichiro Den" <den@valinux.co.jp>
Cc: vkoul@kernel.org, Frank.Li@kernel.org, dmaengine@vger.kernel.org
Subject: Re: [PATCH v3 10/13] dmaengine: dw-edma-pcie: Add register offset match flag
Date: Sat, 20 Jun 2026 17:18:27 +0000
Message-ID: <20260620171827.5BB751F000E9@smtp.kernel.org>
In-Reply-To: <20260620170040.3756043-11-den@valinux.co.jp>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] The driver adds statically defined offsets to PCI BAR mapping pointers without validating them against the size of the mapped BAR, enabling out-of-bounds MMIO accesses.
--

commit ba4f6509ffb3ea527d21eedc70cede2c4bd0c13c
Author: Koichiro Den <den@valinux.co.jp>

dmaengine: dw-edma-pcie: Add register offset match flag

This commit adds a match-data flag for devices whose DMA register block
starts at an offset inside the mapped BAR. It applies this offset to the
register base during the PCIe probe.

> diff --git a/drivers/dma/dw-edma/dw-edma-pcie.c b/drivers/dma/dw-edma/dw-edma-pcie.c
> --- a/drivers/dma/dw-edma/dw-edma-pcie.c
> +++ b/drivers/dma/dw-edma/dw-edma-pcie.c
[ ... ]
> @@ -465,6 +466,8 @@ static int dw_edma_pcie_probe(struct pci_dev *pdev,
>  	chip->reg_base = pcim_iomap_table(pdev)[dma_data->rg.bar];
>  	if (!chip->reg_base)
>  		return -ENOMEM;
> +	if (match->flags & DW_EDMA_PCIE_F_REG_OFFSET)
> +		chip->reg_base += dma_data->rg.off;

[Severity: High]
This is a pre-existing issue, but since the new code adds another offset
here, could a malicious or malfunctioning PCIe device cause out-of-bounds
MMIO accesses by reporting an artificially small BAR size?

The driver maps the device BARs using pcim_iomap_regions(), which maps
exactly the size of the BAR as reported by the device during enumeration.
It then calculates pointers by adding statically defined offsets to the
mapped base address in dw_edma_pcie_probe() without bounds checks:

drivers/dma/dw-edma/dw-edma-pcie.c:dw_edma_pcie_probe() {
    ...
    ll_region->vaddr.io += ll_block->off;
    ...
    dt_region->vaddr.io += dt_block->off;
    ...
}

Does the driver need to verify that the mapped region is large enough to
contain the hardcoded offsets and sizes before adding them, to prevent
potential kernel panics or memory corruption when the DMA engine accesses
these pointers?

>  
>  	for (i = 0; i < chip->ll_wr_cnt && !dma_data->cfg_non_ll; i++) {
>  		struct dw_edma_region *ll_region = &chip->ll_region_wr[i];
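
Review bot: The added chip->reg_base += dma_data->rg.off at the end of the changed lines applies the offset with no check that it falls inside the BAR selected by dma_data->rg.bar; the only validation visible in the hunk is the NULL test on the mapped base, which runs before the addition. Consider comparing dma_data->rg.off against pci_resource_len(pdev, dma_data->rg.bar) and failing probe when it is out of range, before the pointer is adjusted. A one-line comment noting that rg.off is ignored unless DW_EDMA_PCIE_F_REG_OFFSET is set would also help, since the flag and the offset field can otherwise disagree silently.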

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260620170040.3756043-1-den@valinux.co.jp?part=10
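
The bounds check the review asks about, as an added userspace example (not code from the patch, the driver, or the review): validate that a block's offset and size fit inside the mapped BAR before forming the pointer, using a subtraction form that cannot wrap. struct bar_map, block_fits() and block_ptr() are hypothetical names, and the offsets and sizes are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for one mapped PCI BAR: base pointer plus the
 * length the device reported at enumeration (what pci_resource_len()
 * returns in the kernel). */
struct bar_map {
	uint8_t *base;
	uint64_t len;
};

/* True when [off, off + size) lies inside a BAR of length bar_len.
 * Written as a subtraction so that off + size can never wrap around. */
static bool block_fits(uint64_t bar_len, uint64_t off, uint64_t size)
{
	return size != 0 && off <= bar_len && size <= bar_len - off;
}

/* Apply a static block offset only after validating it. NULL tells the
 * caller to fail probe instead of keeping an out-of-range pointer. */
static uint8_t *block_ptr(const struct bar_map *bar, uint64_t off,
			  uint64_t size)
{
	if (!bar->base || !block_fits(bar->len, off, size))
		return NULL;
	return bar->base + off;
}

int main(void)
{
	static uint8_t backing[0x1000];	/* constructed 4 KiB "BAR" */
	struct bar_map bar = { backing, sizeof(backing) };

	/* Constructed offsets and sizes, not values from the driver. */
	printf("in range:   %s\n",
	       block_ptr(&bar, 0x800, 0x800) ? "ok" : "rejected");
	printf("past end:   %s\n",
	       block_ptr(&bar, 0x800, 0x801) ? "ok" : "rejected");
	printf("wraparound: %s\n",
	       block_ptr(&bar, 0x10, UINT64_MAX) ? "ok" : "rejected");
	return 0;
}
```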


Thread overview: 26+ messages
2026-06-20 17:00 [PATCH v3 00/13] dmaengine: dw-edma: Prepare for PCI EP DMA (part 1/3) Koichiro Den
2026-06-20 17:00 ` [PATCH v3 01/13] dmaengine: dw-edma: Add per-channel interrupt routing control Koichiro Den
2026-06-20 17:13   ` sashiko-bot
2026-06-20 17:00 ` [PATCH v3 02/13] dmaengine: dw-edma: Add core quiesce operations Koichiro Den
2026-06-20 17:15   ` sashiko-bot
2026-06-20 17:00 ` [PATCH v3 03/13] dmaengine: dw-edma: Add delegated channel request helpers Koichiro Den
2026-06-20 17:25   ` sashiko-bot
2026-06-20 17:00 ` [PATCH v3 04/13] dmaengine: dw-edma: Initialize IRQ data before requesting IRQs Koichiro Den
2026-06-20 17:16   ` sashiko-bot
2026-06-20 17:00 ` [PATCH v3 05/13] dmaengine: dw-edma: Add partial channel ownership mode Koichiro Den
2026-06-20 17:16   ` sashiko-bot
2026-06-20 17:00 ` [PATCH v3 06/13] dmaengine: dw-edma-pcie: Track non-LL mode in DMA data Koichiro Den
2026-06-20 17:15   ` sashiko-bot
2026-06-20 17:00 ` [PATCH v3 07/13] dmaengine: dw-edma-pcie: Add capability match data Koichiro Den
2026-06-20 17:11   ` sashiko-bot
2026-06-20 17:00 ` [PATCH v3 08/13] dmaengine: dw-edma-pcie: Rename vsec_data to dma_data Koichiro Den
2026-06-20 17:11   ` sashiko-bot
2026-06-20 17:00 ` [PATCH v3 09/13] dmaengine: dw-edma-pcie: Add platform ops to match data Koichiro Den
2026-06-20 17:13   ` sashiko-bot
2026-06-20 17:00 ` [PATCH v3 10/13] dmaengine: dw-edma-pcie: Add register offset match flag Koichiro Den
2026-06-20 17:18   ` sashiko-bot [this message]
2026-06-20 17:00 ` [PATCH v3 11/13] dmaengine: dw-edma-pcie: Factor out descriptor block address lookup Koichiro Den
2026-06-20 17:00 ` [PATCH v3 12/13] dmaengine: dw-edma-pcie: Handle optional data blocks Koichiro Den
2026-06-20 17:14   ` sashiko-bot
2026-06-20 17:00 ` [PATCH v3 13/13] dmaengine: dw-edma-pcie: Add chip flags to match data Koichiro Den
2026-06-20 17:16   ` sashiko-bot
