Re: [PATCH v3 1/5] PCI: endpoint: Define endpoint DMA BAR metadata format

Linux PCI subsystem development
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Koichiro Den" <den@valinux.co.jp>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH v3 1/5] PCI: endpoint: Define endpoint DMA BAR metadata format
Date: Sat, 20 Jun 2026 17:10:47 +0000	[thread overview]
Message-ID: <20260620171048.1161B1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260620170438.3756593-2-den@valinux.co.jp>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] The endpoint DMA BAR metadata format contains an inherent limit mismatch between the `metadata length` field and the maximum possible size of the tables it describes.
--

commit 8e3a71eaeea3ed7cc589bce08e6fd2a630ca1075
Author: Koichiro Den <den@valinux.co.jp>

PCI: endpoint: Define endpoint DMA BAR metadata format

This commit defines a BAR-resident metadata format for endpoint functions
that expose an endpoint-integrated DMA controller to a PCI host.

> diff --git a/include/linux/pci-ep-dma.h b/include/linux/pci-ep-dma.h
> new file mode 100644
> index 0000000000000..c5fd7aab2101f
> --- /dev/null
> +++ b/include/linux/pci-ep-dma.h

[ ... ]

> +#define PCI_EP_DMA_METADATA_HDR_LEN		0x1c
> +
> +#define PCI_EP_DMA_METADATA_HDR			0x04
> +#define  PCI_EP_DMA_METADATA_HDR_REV		GENMASK(7, 0)
> +#define  PCI_EP_DMA_METADATA_HDR_LEN_FIELD	GENMASK(31, 16)
> +
> +#define PCI_EP_DMA_METADATA_CTRL		0x08
> +#define  PCI_EP_DMA_METADATA_CTRL_REG_BAR	GENMASK(2, 0)
> +#define  PCI_EP_DMA_METADATA_CTRL_WR_CH_COUNT	GENMASK(10, 3)
> +#define  PCI_EP_DMA_METADATA_CTRL_RD_CH_COUNT	GENMASK(18, 11)
> +#define  PCI_EP_DMA_METADATA_CTRL_CH_ENTRY_SIZE	GENMASK(26, 19)

[Severity: Medium]
Could this layout result in the total computed size exceeding the 16-bit
length field capacity?

The PCI_EP_DMA_METADATA_HDR_LEN_FIELD defines a 16-bit metadata length
field (maximum 65,535 bytes). However, the format also specifies an 8-bit
write channel count (up to 255), an 8-bit read channel count (up to 255),
and an 8-bit channel entry size (up to 255 bytes). 

If an endpoint were to specify these maximum values, the total computed size
could reach 130,078 bytes (a 28 byte header plus 510 channels at 255 bytes
each). This exceeds the maximum value that the 16-bit metadata length
field can represent.

Would this ABI inconsistency allow a malicious endpoint to craft a payload
where the table bounds exceed the reported length, potentially leading to
out-of-bounds reads in future host drivers if they map memory based on the
length but iterate using the channel counts?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260620170438.3756593-1-den@valinux.co.jp?part=1

next prev parent reply	other threads:[~2026-06-20 17:10 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-20 17:04 [PATCH v3 0/5] PCI: endpoint: Expose endpoint DMA resources (part 2/3) Koichiro Den
2026-06-20 17:04 ` [PATCH v3 1/5] PCI: endpoint: Define endpoint DMA BAR metadata format Koichiro Den
2026-06-20 17:10   ` sashiko-bot [this message]
2026-06-20 17:04 ` [PATCH v3 2/5] PCI: endpoint: Add DMA auxiliary resource metadata Koichiro Den
2026-06-20 17:09   ` sashiko-bot
2026-06-20 17:04 ` [PATCH v3 3/5] PCI: endpoint: Add API to delegate EPC DMA channels to the host Koichiro Den
2026-06-20 17:26   ` sashiko-bot
2026-06-20 17:04 ` [PATCH v3 4/5] PCI: dwc: Expose endpoint DMA resources Koichiro Den
2026-06-20 17:14   ` sashiko-bot
2026-06-20 17:04 ` [PATCH v3 5/5] PCI: dwc: Implement endpoint DMA channel delegation Koichiro Den
2026-06-20 17:16   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260620171048.1161B1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=den@valinux.co.jp \
    --cc=linux-pci@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox