Kernel KVM virtualization development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Zhiping Zhang" <zhipingz@meta.com>
Cc: linux-pci@vger.kernel.org, kvm@vger.kernel.org,
	dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v11 1/4] PCI/TPH: Add requester/completer type helpers
Date: Thu, 02 Jul 2026 18:33:30 +0000	[thread overview]
Message-ID: <20260702183330.A5C6F1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260702181025.2694961-2-zhipingz@meta.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] The newly added `pcie_tph_enabled_req_type()` can return an invalid reserved value (2 / 0b10) because a pre-existing internal function, `get_rp_completer_type()`, lacks the safety checks introduced in this patch and was not refactored.
--

commit e4c05b2d02aee077c988b64f210719a661f03806
Author: Zhiping Zhang <zhipingz@meta.com>

PCI/TPH: Add requester/completer type helpers

This commit adds pcie_tph_enabled_req_type() to query the enabled TPH
requester mode and pcie_tph_completer_type() to check TPH completer support.
The new completer helper safely folds the reserved 0b10 encoding into "not
supported".

> diff --git a/drivers/pci/tph.c b/drivers/pci/tph.c
> index 655ffd60e62f6..e7693fd9d6763 100644
> --- a/drivers/pci/tph.c
> +++ b/drivers/pci/tph.c

[ ... ]

> @@ -173,6 +173,51 @@ u32 pcie_tph_get_st_table_loc(struct pci_dev *pdev)
>  }
>  EXPORT_SYMBOL(pcie_tph_get_st_table_loc);
>  
> +/**
> + * pcie_tph_enabled_req_type - Return the device's enabled TPH requester type
> + * @pdev: PCI device to query
> + *
> + * Return: PCI_TPH_REQ_DISABLE, PCI_TPH_REQ_TPH_ONLY or PCI_TPH_REQ_EXT_TPH.
> + */
> +u8 pcie_tph_enabled_req_type(struct pci_dev *pdev)
> +{
> +	return pdev->tph_req_type;

[Severity: High]
This is a pre-existing issue, but could pdev->tph_req_type hold the reserved
value 2 (0b10) here?

While this patch safely decodes the completer field via
pcie_tph_completer_type(), the pre-existing get_rp_completer_type() function
accesses the same capability on the Root Port but lacks this bounds checking.

If a Root Port presents the reserved value 0b10, get_rp_completer_type()
propagates it:

drivers/pci/tph.c:get_rp_completer_type() {
    ...
    return FIELD_GET(PCI_EXP_DEVCAP2_TPH_COMP_MASK, reg);
}

This unvalidated value can then be assigned to pdev->tph_req_type during
setup:

drivers/pci/tph.c:pcie_enable_tph() {
    ...
    pdev->tph_req_type = min(pdev->tph_req_type, rp_req_type);
    ...
}

Since the newly added pcie_tph_enabled_req_type() API is documented to return
only 0, 1, or 3, returning the reserved value 2 violates this contract and
could risk logic errors in callers. 

Writing this undocumented value to the TPH Control register could also cause
undefined hardware behavior or AER panics.

Should get_rp_completer_type() be refactored to fold the reserved value
identically to how pcie_tph_completer_type() handles it?

> +}
> +EXPORT_SYMBOL(pcie_tph_enabled_req_type);

[ ... ]

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260702181025.2694961-1-zhipingz@meta.com?part=1

  reply	other threads:[~2026-07-02 18:33 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-02 18:10 [PATCH v11 0/4] vfio/dma-buf: add TPH support for peer-to-peer access Zhiping Zhang
2026-07-02 18:10 ` [PATCH v11 1/4] PCI/TPH: Add requester/completer type helpers Zhiping Zhang
2026-07-02 18:33   ` sashiko-bot [this message]
2026-07-02 18:10 ` [PATCH v11 2/4] dma-buf: add optional get_pci_tph() callback Zhiping Zhang
2026-07-02 18:33   ` sashiko-bot
2026-07-02 18:10 ` [PATCH v11 3/4] vfio/pci: implement get_pci_tph and DMA_BUF_TPH feature Zhiping Zhang
2026-07-02 18:29   ` sashiko-bot
2026-07-03  4:13   ` fengchengwen
2026-07-03  6:57     ` Zhiping Zhang
2026-07-02 18:10 ` [PATCH v11 4/4] RDMA/mlx5: get tph for p2p access when registering dma-buf mr Zhiping Zhang
2026-07-02 18:42   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260702183330.A5C6F1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=kvm@vger.kernel.org \
    --cc=linux-pci@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=zhipingz@meta.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox