From: sashiko-bot@kernel.org
To: "Dan Williams" <djbw@kernel.org>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH 11/15] PCI/TSM: Add device interface security RUN support
Date: Sun, 05 Jul 2026 22:21:26 +0000 [thread overview]
Message-ID: <20260705222127.1ED5C1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260705220819.2472765-12-djbw@kernel.org>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
New issues:
- [High] `pci_tsm_accept()` unconditionally invokes the `run` callback without verifying the TSM type or callback presence, leading to a NULL pointer dereference.
- [High] The `PCI_TSM_F_ACCEPT` flag is not explicitly cleared, allowing a reused context to bypass the TDISP RUN state transition.
Pre-existing issues:
- [High] Missing validation of TSM type in `unlock_store` and `disconnect_store` can cause NULL pointer dereferences.
- [High] Lock order inversion between `pci_tsm_rwsem` and `device_lock(&pdev->dev)` causes an ABBA deadlock.
--
commit dff8c6ed3353a6c7f7bb4d5a991bf30cccd06be9
Author: Dan Williams <djbw@kernel.org>
PCI/TSM: Add device interface security RUN support
This commit introduces a sysfs trigger to transition a device from the TDISP
LOCKED state to the RUN state. It connects the accept trigger to a new run
operation in the pci_tsm_ops structure. The RUN state prepares the device for
private operation by enabling private MMIO access.
> diff --git a/drivers/pci/tsm/core.c b/drivers/pci/tsm/core.c
> index 590e19f6c2b80..1f09ab4e8d4c5 100644
> --- a/drivers/pci/tsm/core.c
> +++ b/drivers/pci/tsm/core.c
[ ... ]
> @@ -552,6 +552,89 @@ static ssize_t dsm_show(struct device *dev, struct device_attribute *attr,
> }
> static DEVICE_ATTR_RO(dsm);
>
> +/**
> + * pci_tsm_accept() - accept a device for private MMIO operation
> + * @pdev: PCI device to accept
> + *
> + * "Accept" transitions the device interface to the RUN state, it is
> + * only suitable to make that transition from a known idle (no active
> + * DMA / MMIO mappings) state. The "driver detached" state is a coarse
> + * way to assert that requirement.
> + */
> +static int pci_tsm_accept(struct pci_dev *pdev)
> +{
> + int rc;
> +
> + ACQUIRE(rwsem_read_intr, lock)(&pci_tsm_rwsem);
> + if ((rc = ACQUIRE_ERR(rwsem_read_intr, &lock)))
> + return rc;
> +
> + if (!pdev->tsm)
> + return -EINVAL;
> +
> + ACQUIRE(device_intr, dev_lock)(&pdev->dev);
[Severity: High]
This is a pre-existing issue, but does acquiring pci_tsm_rwsem and then
device_lock(&pdev->dev) cause an ABBA deadlock?
If a device driver's remove() callback is invoked holding device_lock, and it
calls pci_tsm_unbind(), which then attempts to acquire pci_tsm_rwsem, this
could invert the lock ordering.
Concurrently, sysfs operations like unlock_store or lock_store acquire
pci_tsm_rwsem before device_lock, which could trigger a deadlock.
> + if ((rc = ACQUIRE_ERR(device_intr, &dev_lock)))
> + return rc;
> +
> + if (pdev->dev.driver)
> + return -EBUSY;
> +
> + if (test_bit(PCI_TSM_F_ACCEPT, &pdev->tsm->flags))
[Severity: High]
Can a reused context bypass the TDISP RUN state transition because
PCI_TSM_F_ACCEPT is never explicitly cleared?
When a device is unlocked, the provider's ops->unlock() retains the
struct pci_tsm object in memory. When the device is locked again, the
core constructor pci_tsm_devsec_constructor() initializes the base fields
but does not clear flags.
Does this allow a subsequent call to pci_tsm_accept() to observe the leftover
PCI_TSM_F_ACCEPT bit and return success without calling the hardware run
operation?
> + return 0;
> +
> + rc = to_pci_tsm_ops(pdev->tsm)->run(pdev);
[Severity: High]
Does this code unconditionally invoke the run callback without verifying the
TSM type or callback presence, leading to a NULL pointer dereference?
If a user space process writes to the accept sysfs attribute of a device that
is bound to a link TSM (which does not populate devsec_ops) or a devsec TSM
that omitted the run callback, it seems this would result in a kernel crash.
> + if (rc)
> + return rc;
> +
> + set_bit(PCI_TSM_F_ACCEPT, &pdev->tsm->flags);
> +
> + return 0;
> +}
[ ... ]
> @@ -568,9 +651,9 @@ static void pci_tsm_unlock(struct pci_dev *pdev)
> "unlock attempted on driver attached device\n"))
> return;
>
> - device_cc_reject(&pdev->dev);
> to_pci_tsm_ops(pdev->tsm)->unlock(pdev->tsm);
[Severity: High]
This isn't a bug introduced by this patch, but could the lack of TSM type
validation in unlock_store and disconnect_store cause NULL pointer
dereferences?
If a user writes the name of a link TSM to the unlock attribute, or a devsec
TSM to the disconnect attribute, the sysfs handler matches the name.
Since it fails to verify the specific type of operations supported by the TSM
before calling ops->unlock or ops->disconnect, could this lead to a crash?
> pdev->tsm = NULL;
> + /* implicit clear of PCI_TSM_F_ACCEPT */
[Severity: High]
Is this assumption correct that un-assigning the pointer clears the memory
of the provider-managed flags field?
As asked above, if the struct pci_tsm object remains in memory and flags are
not cleared during initialization, it looks like the PCI_TSM_F_ACCEPT flag
could persist across locking cycles.
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260705220819.2472765-1-djbw@kernel.org?part=11
next prev parent reply other threads:[~2026-07-05 22:21 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-05 22:08 [PATCH 00/15] Device Evidence and Trust for PCI Security Protocol (TDISP) Dan Williams
2026-07-05 22:08 ` [PATCH 01/15] netlink: specs: Introduce multi-message blobs for SPDM Dan Williams
2026-07-05 22:13 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 02/15] tools: ynl: Teach pyynl to handle blobs Dan Williams
2026-07-05 22:18 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 03/15] tools: ynl: Teach ynl_gen_c to validate and dump 'blob' attributes Dan Williams
2026-07-05 22:20 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 04/15] device core: Introduce "device evidence" over netlink Dan Williams
2026-07-05 22:20 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 05/15] device core: Add "device evidence" 'validate' command Dan Williams
2026-07-05 22:26 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 06/15] PCI/TSM: Add device evidence support Dan Williams
2026-07-05 22:16 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 07/15] modules: Document the global async_probe parameter Dan Williams
2026-07-05 22:15 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 08/15] device core: Initial device trust infrastructure Dan Williams
2026-07-05 22:17 ` sashiko-bot
2026-07-06 13:45 ` Jason Gunthorpe
2026-07-05 22:08 ` [PATCH 09/15] PCI, device core: Move "untrusted" concept to DEVICE_TRUST_ADVERSARY Dan Williams
2026-07-05 22:25 ` sashiko-bot
2026-07-06 13:49 ` Jason Gunthorpe
2026-07-05 22:08 ` [PATCH 10/15] PCI/TSM: Add device interface security LOCKED support Dan Williams
2026-07-05 22:25 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 11/15] PCI/TSM: Add device interface security RUN support Dan Williams
2026-07-05 22:21 ` sashiko-bot [this message]
2026-07-05 22:08 ` [PATCH 12/15] PCI/TSM: Add device interface security DMA enable/disable Dan Williams
2026-07-05 22:25 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 13/15] PCI, device core: Add private memory access for DEVICE_TRUST_TCB Dan Williams
2026-07-05 22:28 ` sashiko-bot
2026-07-06 12:42 ` Aneesh Kumar K.V
2026-07-05 22:08 ` [PATCH 14/15] PCI/TSM: Create MMIO descriptors via TDISP Report Dan Williams
2026-07-05 22:24 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 15/15] PCI/TSM: Add relative MMIO offset support? Dan Williams
2026-07-05 22:25 ` sashiko-bot
2026-07-06 12:51 ` [PATCH 00/15] Device Evidence and Trust for PCI Security Protocol (TDISP) Jason Gunthorpe
2026-07-06 20:55 ` Dan Williams (nvidia)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260705222127.1ED5C1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=djbw@kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox