Re: [PATCH v8 3/7] PCI/TPH: Fix pcie_tph_get_st_table_size() for MSI-X table location

Linux PCI subsystem development
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Chengwen Feng" <fengchengwen@huawei.com>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH v8 3/7] PCI/TPH: Fix pcie_tph_get_st_table_size() for MSI-X table location
Date: Fri, 08 May 2026 19:31:27 +0000	[thread overview]
Message-ID: <20260508193127.912BEC2BCB0@smtp.kernel.org> (raw)
In-Reply-To: <20260508064053.37529-4-fengchengwen@huawei.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Modifying pcie_tph_get_st_table_size() to return > 0 for MSI-X located ST tables causes severe out-of-bounds read/writes in PCI configuration space during TPH state save and restore.
--

commit 73d4864dbc8b240284d0329056ab114562107193
Author: Chengwen Feng <fengchengwen@huawei.com>

    PCI/TPH: Fix pcie_tph_get_st_table_size() for MSI-X table location
    
    pcie_tph_get_st_table_size() previously only returned valid size when ST
    Table is in TPH Capability space. According to PCIe spec [1], ST table size
    is also valid when ST Table is located in MSI-X table.

[ ... ]

> diff --git a/drivers/pci/tph.c b/drivers/pci/tph.c
> index ba31b010f67ad..de5bd7039cdca 100644
> --- a/drivers/pci/tph.c
> +++ b/drivers/pci/tph.c

[ ... ]

> @@ -200,7 +201,7 @@ u16 pcie_tph_get_st_table_size(struct pci_dev *pdev)
>  
>  	/* Check ST table location first */
>  	loc = pcie_tph_get_st_table_loc(pdev);
> -	if (loc != PCI_TPH_LOC_CAP)
> +	if (loc != PCI_TPH_LOC_CAP && loc != PCI_TPH_LOC_MSIX)
>  		return 0;
>  
>  	pci_read_config_dword(pdev, pdev->tph_cap + PCI_TPH_CAP, &reg);

If pcie_tph_get_st_table_size() returns a value greater than 0 when the ST
table is located in the MSI-X table, does this cause pci_restore_tph_state()
to write out of bounds in the PCI configuration space?

Looking at pci_restore_tph_state(), it uses the size returned by
pcie_tph_get_st_table_size() to write ST entries directly into the TPH
Extended Capability:

drivers/pci/tph.c:pci_restore_tph_state() {
	...
	st_entry = (u16 *)cap;
	offset = PCI_TPH_BASE_SIZEOF;
	num_entries = pcie_tph_get_st_table_size(pdev);
	for (i = 0; i < num_entries; i++) {
		pci_write_config_word(pdev, pdev->tph_cap + offset,
				      *st_entry++);
		offset += sizeof(u16);
	}
}

When the ST table is located in MSI-X, the entries are memory mapped rather
than stored in the TPH capability itself.

Because the TPH Extended Capability is only 12 bytes long in this case, could
this loop clobber subsequent capabilities in the configuration space during
resume?

A similar out-of-bounds read would occur in pci_save_tph_state().

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260508064053.37529-1-fengchengwen@huawei.com?part=3

next prev parent reply	other threads:[~2026-05-08 19:31 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-08  6:40 [PATCH v8 0/7] vfio/pci: Add PCIe TPH support Chengwen Feng
2026-05-08  6:40 ` [PATCH v8 1/7] PCI/TPH: Fix pcie_tph_get_st_table_loc() field extraction Chengwen Feng
2026-05-08  6:40 ` [PATCH v8 2/7] PCI/TPH: Export pcie_tph_get_st_modes() for external use Chengwen Feng
2026-05-08 19:02   ` sashiko-bot
2026-05-08  6:40 ` [PATCH v8 3/7] PCI/TPH: Fix pcie_tph_get_st_table_size() for MSI-X table location Chengwen Feng
2026-05-08 19:31   ` sashiko-bot [this message]
2026-05-08  6:40 ` [PATCH v8 4/7] vfio/pci: Add PCIe TPH interface with capability query Chengwen Feng
2026-05-08 20:03   ` sashiko-bot
2026-05-08 22:40   ` Alex Williamson
2026-05-09  3:28     ` fengchengwen
2026-05-11  4:36       ` Alex Williamson
2026-05-08  6:40 ` [PATCH v8 5/7] vfio/pci: Add PCIe TPH enable/disable support Chengwen Feng
2026-05-08 20:46   ` sashiko-bot
2026-05-08  6:40 ` [PATCH v8 6/7] vfio/pci: Add PCIe TPH GET_ST interface Chengwen Feng
2026-05-08  6:40 ` [PATCH v8 7/7] vfio/pci: Add PCIe TPH SET_ST interface Chengwen Feng
2026-05-08 21:49   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260508193127.912BEC2BCB0@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=fengchengwen@huawei.com \
    --cc=linux-pci@vger.kernel.org \
    --cc=sashiko@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox