Linux PCI subsystem development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Dan Williams" <djbw@kernel.org>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH 12/15] PCI/TSM: Add device interface security DMA enable/disable
Date: Sun, 05 Jul 2026 22:25:04 +0000	[thread overview]
Message-ID: <20260705222505.2CBEE1F00A3D@smtp.kernel.org> (raw)
In-Reply-To: <20260705220819.2472765-13-djbw@kernel.org>

Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:

New issues:
- [High] Missing NULL pointer check for optional `ops->disable_dma` in `pci_tsm_disable_dma()`.
- [Medium] TSM flags are defined as bit masks instead of bit numbers, misusing bitops APIs and creating a latent out-of-bounds write hazard.
- [Low] Invalid member access syntax in `__must_hold()` lock annotations causes build failures for static analysis tools.

Pre-existing issues:
- [High] Missing NULL pointer checks for optional TSM operations (`run`, `unlock`) in the TSM core.
--

commit b2823259422c2c0267dccac4b1d9d8a5703f85ac
Author: Dan Williams <djbw@kernel.org>

PCI/TSM: Add device interface security DMA enable/disable

This patch adds helper functions to enable and disable device access to
private memory for the PCI TSM interface. It also introduces a new flag
to track when DMA access is enabled for a given device.

> diff --git a/drivers/pci/tsm/core.c b/drivers/pci/tsm/core.c
> --- a/drivers/pci/tsm/core.c
> +++ b/drivers/pci/tsm/core.c
> @@ -754,6 +754,48 @@ static ssize_t unlock_store(struct device *dev, struct device_attribute *attr,
>  }
>  static DEVICE_ATTR_WO(unlock);
>  
> +/* pci_dma_configure() helper to finalize access to private memory. */
> +int pci_tsm_enable_dma(struct pci_dev *pdev) __must_hold(&pdev->dev->mutex)

[Severity: Low]
Does this __must_hold() annotation cause build failures with static analysis
tools?

The dev field in struct pci_dev is an embedded struct device, not a
pointer, so it looks like this should use the dot operator instead of the
arrow operator for accessing the mutex.

> +{
> +	struct device *dev = &pdev->dev;
> +	const struct pci_tsm_ops *ops;
> +	int rc;

[ ... ]

> +	ops = to_pci_tsm_ops(pdev->tsm);
> +	if (!ops->enable_dma)
> +		return 0;
> +
> +	rc = ops->enable_dma(pdev);
> +	if (rc == 0)
> +		set_bit(PCI_TSM_F_DMA, &pdev->tsm->flags);

[Severity: Medium]
Can this corrupt memory?

The set_bit() function expects a bit number as its argument, but the
PCI_TSM_F_DMA flag is defined as a bit mask. Passing the evaluated mask
value instead of the bit index causes it to set the wrong bit in the flags
field.

If a future flag shifts by 64, wouldn't passing 64 to set_bit() write past
the end of the unsigned long flags field and silently corrupt adjacent
memory?

> +	return rc;
> +}
> +
> +/*
> + * pci_dma_cleanup() helper to block private memory access as device is
> + * going idle
> + */
> +void pci_tsm_disable_dma(struct pci_dev *pdev) __must_hold(&pdev->dev->mutex)

[Severity: Low]
Is this __must_hold() annotation affected by the same embedded struct access
issue mentioned in pci_tsm_enable_dma()?

> +{
> +	const struct pci_tsm_ops *ops;
> +
> +	if (!pdev->tsm)
> +		return;
> +
> +	if (!test_and_clear_bit(PCI_TSM_F_DMA, &pdev->tsm->flags))
> +		return;
> +
> +	ops = to_pci_tsm_ops(pdev->tsm);
> +	ops->disable_dma(pdev);

[Severity: High]
Will this crash if a backend driver implements enable_dma but leaves
disable_dma as NULL?

The disable_dma pointer is unconditionally dereferenced here, whereas
pci_tsm_enable_dma() checks for the presence of the enable_dma callback
before calling it.

> +}

[ ... ]

> diff --git a/include/linux/pci-tsm.h b/include/linux/pci-tsm.h
> --- a/include/linux/pci-tsm.h
> +++ b/include/linux/pci-tsm.h

[ ... ]

> @@ -102,6 +104,8 @@ struct pci_tdi {
>  
>  /* Private operation acknowledged, future ioremap will use private alias */
>  #define PCI_TSM_F_ACCEPT (1UL << 0)
> +/* DMA access to private memory enabled */
> +#define PCI_TSM_F_DMA (1UL << 1)

[Severity: Medium]
Is this flag intended to be used with atomic bitops?

Because it is defined as a bit mask instead of a bit number, using it with
functions like set_bit() or test_and_clear_bit() will operate on bit 2
instead of bit 1.

[ ... ]

While reviewing this patch, I also noticed a potential issue in the
existing TSM core code:

drivers/pci/tsm/core.c:pci_tsm_accept() {
    ...
    rc = to_pci_tsm_ops(pdev->tsm)->run(pdev);
    if (rc)
        return rc;
    ...
}

[Severity: High]
This is a pre-existing issue, but could this cause a kernel panic if a
backend driver omits the optional run or unlock callbacks?

The code in pci_tsm_accept() and pci_tsm_unlock() seems to unconditionally
dereference these pointers without checking if they are NULL, similar to
the disable_dma issue mentioned above.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260705220819.2472765-1-djbw@kernel.org?part=12

  reply	other threads:[~2026-07-05 22:25 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-05 22:08 [PATCH 00/15] Device Evidence and Trust for PCI Security Protocol (TDISP) Dan Williams
2026-07-05 22:08 ` [PATCH 01/15] netlink: specs: Introduce multi-message blobs for SPDM Dan Williams
2026-07-05 22:13   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 02/15] tools: ynl: Teach pyynl to handle blobs Dan Williams
2026-07-05 22:18   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 03/15] tools: ynl: Teach ynl_gen_c to validate and dump 'blob' attributes Dan Williams
2026-07-05 22:20   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 04/15] device core: Introduce "device evidence" over netlink Dan Williams
2026-07-05 22:20   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 05/15] device core: Add "device evidence" 'validate' command Dan Williams
2026-07-05 22:26   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 06/15] PCI/TSM: Add device evidence support Dan Williams
2026-07-05 22:16   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 07/15] modules: Document the global async_probe parameter Dan Williams
2026-07-05 22:15   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 08/15] device core: Initial device trust infrastructure Dan Williams
2026-07-05 22:17   ` sashiko-bot
2026-07-06 13:45   ` Jason Gunthorpe
2026-07-05 22:08 ` [PATCH 09/15] PCI, device core: Move "untrusted" concept to DEVICE_TRUST_ADVERSARY Dan Williams
2026-07-05 22:25   ` sashiko-bot
2026-07-06 13:49   ` Jason Gunthorpe
2026-07-05 22:08 ` [PATCH 10/15] PCI/TSM: Add device interface security LOCKED support Dan Williams
2026-07-05 22:25   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 11/15] PCI/TSM: Add device interface security RUN support Dan Williams
2026-07-05 22:21   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 12/15] PCI/TSM: Add device interface security DMA enable/disable Dan Williams
2026-07-05 22:25   ` sashiko-bot [this message]
2026-07-05 22:08 ` [PATCH 13/15] PCI, device core: Add private memory access for DEVICE_TRUST_TCB Dan Williams
2026-07-05 22:28   ` sashiko-bot
2026-07-06 12:42   ` Aneesh Kumar K.V
2026-07-05 22:08 ` [PATCH 14/15] PCI/TSM: Create MMIO descriptors via TDISP Report Dan Williams
2026-07-05 22:24   ` sashiko-bot
2026-07-05 22:08 ` [PATCH 15/15] PCI/TSM: Add relative MMIO offset support? Dan Williams
2026-07-05 22:25   ` sashiko-bot
2026-07-06 12:51 ` [PATCH 00/15] Device Evidence and Trust for PCI Security Protocol (TDISP) Jason Gunthorpe
2026-07-06 20:55   ` Dan Williams (nvidia)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260705222505.2CBEE1F00A3D@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=djbw@kernel.org \
    --cc=linux-pci@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox