From: sashiko-bot@kernel.org
To: "Dan Williams" <djbw@kernel.org>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH 10/15] PCI/TSM: Add device interface security LOCKED support
Date: Sun, 05 Jul 2026 22:25:20 +0000 [thread overview]
Message-ID: <20260705222520.D458B1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260705220819.2472765-11-djbw@kernel.org>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [High] Sysfs operations `unlock_store` and `disconnect_store` do not verify the active TSM context type (`pdev->tsm`), allowing userspace to trigger kernel panics by performing operations on the wrong context type.
- [High] `pci_tsm_unlock()` returns early without clearing the TSM context if a driver is attached, causing a dangling pointer and Use-After-Free during subsystem teardown.
Pre-existing issues:
- [High] A TOCTOU race condition in `tsm_unregister()` allows `lock_store()` to attach a PCI device to a TSM that is actively being destroyed.
--
commit 82cae08595d79f2459048e59ff4784f6bfb600ba
Author: Dan Williams <djbw@kernel.org>
PCI/TSM: Add device interface security LOCKED support
This patch implements the LOCK/UNLOCK operations in pci_tsm_ops to allow a VM
to manage the security state of assigned devices. It provides the lock and
unlock sysfs attributes to transition the device between TDISP LOCKED and
UNLOCKED states.
> diff --git a/drivers/pci/tsm/core.c b/drivers/pci/tsm/core.c
> index 220842df42bc5..590e19f6c2b80 100644
> --- a/drivers/pci/tsm/core.c
> +++ b/drivers/pci/tsm/core.c
[ ... ]
> @@ -531,6 +552,125 @@ static ssize_t dsm_show(struct device *dev, struct device_attribute *attr,
> }
> static DEVICE_ATTR_RO(dsm);
>
> +/**
> + * pci_tsm_unlock() - Transition TDI from LOCKED/RUN to UNLOCKED
> + * @pdev: TDI device to unlock
> + *
> + * Returns void, requires all callers to have satisfied dependencies like making
> + * sure the device is locked and detached from its driver.
> + */
> +static void pci_tsm_unlock(struct pci_dev *pdev)
> +{
> + lockdep_assert_held_write(&pci_tsm_rwsem);
> + device_lock_assert(&pdev->dev);
> +
> + if (dev_WARN_ONCE(&pdev->dev, pdev->dev.driver,
> + "unlock attempted on driver attached device\n"))
> + return;
> +
[Severity: High]
If pci_tsm_unlock() aborts early here because a driver is attached, pdev->tsm
is not cleared.
During subsystem teardown, __pci_tsm_destroy() calls pci_tsm_unlock(). If it
aborts here, does pdev->tsm remain pointing to the context while the TSM
provider unregisters and frees its memory, leaving a dangling pointer?
> + device_cc_reject(&pdev->dev);
> + to_pci_tsm_ops(pdev->tsm)->unlock(pdev->tsm);
> + pdev->tsm = NULL;
> +}
> +
> +static int pci_tsm_lock(struct pci_dev *pdev, struct tsm_dev *tsm_dev)
[ ... ]
> +static ssize_t lock_store(struct device *dev, struct device_attribute *attr,
> + const char *buf, size_t len)
> +{
> + struct pci_dev *pdev = to_pci_dev(dev);
> + int rc, id;
> +
> + rc = sscanf(buf, "tsm%d\n", &id);
> + if (rc != 1)
> + return -EINVAL;
> +
> + ACQUIRE(rwsem_write_kill, lock)(&pci_tsm_rwsem);
> + if ((rc = ACQUIRE_ERR(rwsem_write_kill, &lock)))
> + return rc;
> +
> + if (pdev->tsm)
> + return -EBUSY;
> +
> + struct tsm_dev *tsm_dev __free(put_tsm_dev) = find_tsm_dev(id);
> + if (!is_devsec_tsm(tsm_dev))
> + return -ENXIO;
> +
> + rc = pci_tsm_lock(pdev, tsm_dev);
[Severity: High]
This is a pre-existing issue, but can lock_store() attach a PCI device to a
TSM that is actively being destroyed?
In tsm_unregister(), pci_tsm_unregister() sweeps the devices and drops
pci_tsm_rwsem. Before the device is actually unregistered and freed by
device_unregister(), could lock_store() acquire the rwsem, look up the dying
tsm_dev via find_tsm_dev(), and attach it to a PCI device?
This seems like it could lead to a use-after-free when the TSM memory is freed
shortly after.
> + if (rc)
> + return rc;
> + return len;
> +}
> +
[ ... ]
> +static ssize_t unlock_store(struct device *dev, struct device_attribute *attr,
> + const char *buf, size_t len)
> +{
> + struct pci_dev *pdev = to_pci_dev(dev);
> + struct tsm_dev *tsm_dev;
> + int rc;
> +
> + ACQUIRE(rwsem_write_kill, lock)(&pci_tsm_rwsem);
> + if ((rc = ACQUIRE_ERR(rwsem_write_kill, &lock)))
> + return rc;
> +
> + if (!pdev->tsm)
> + return -EINVAL;
> +
[Severity: High]
Does unlock_store() need to verify that pdev->tsm is a devsec context before
proceeding?
A PCI device can hold only one TSM context at a time, but if it has both
capabilities, both sets of sysfs attributes are visible. If a user writes to
unlock when the device has a link context, pci_tsm_unlock() executes and
dereferences ops->unlock(). Since link TSMs do not implement unlock, this
pointer is NULL, potentially causing a kernel panic.
Similarly, does the existing disconnect_store() verify if the context is a
link context? If disconnect is written to when the device has a devsec
context, __pci_tsm_disconnect() attempts to cast via to_pci_tsm_pf0(),
receiving NULL, and then dereferences it via guard(mutex)(&tsm_pf0->lock).
> + tsm_dev = pdev->tsm->tsm_dev;
> + if (!sysfs_streq(buf, dev_name(&tsm_dev->dev)))
> + return -EINVAL;
> +
> + ACQUIRE(device_intr, dev_lock)(&pdev->dev);
> + if ((rc = ACQUIRE_ERR(device_intr, &dev_lock)))
> + return rc;
> +
> + if (pdev->dev.driver)
> + return -EBUSY;
> +
> + pci_tsm_unlock(pdev);
> +
> + return len;
> +}
> +static DEVICE_ATTR_WO(unlock);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260705220819.2472765-1-djbw@kernel.org?part=10
next prev parent reply other threads:[~2026-07-05 22:25 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-05 22:08 [PATCH 00/15] Device Evidence and Trust for PCI Security Protocol (TDISP) Dan Williams
2026-07-05 22:08 ` [PATCH 01/15] netlink: specs: Introduce multi-message blobs for SPDM Dan Williams
2026-07-05 22:13 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 02/15] tools: ynl: Teach pyynl to handle blobs Dan Williams
2026-07-05 22:18 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 03/15] tools: ynl: Teach ynl_gen_c to validate and dump 'blob' attributes Dan Williams
2026-07-05 22:20 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 04/15] device core: Introduce "device evidence" over netlink Dan Williams
2026-07-05 22:20 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 05/15] device core: Add "device evidence" 'validate' command Dan Williams
2026-07-05 22:26 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 06/15] PCI/TSM: Add device evidence support Dan Williams
2026-07-05 22:16 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 07/15] modules: Document the global async_probe parameter Dan Williams
2026-07-05 22:15 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 08/15] device core: Initial device trust infrastructure Dan Williams
2026-07-05 22:17 ` sashiko-bot
2026-07-06 13:45 ` Jason Gunthorpe
2026-07-05 22:08 ` [PATCH 09/15] PCI, device core: Move "untrusted" concept to DEVICE_TRUST_ADVERSARY Dan Williams
2026-07-05 22:25 ` sashiko-bot
2026-07-06 13:49 ` Jason Gunthorpe
2026-07-05 22:08 ` [PATCH 10/15] PCI/TSM: Add device interface security LOCKED support Dan Williams
2026-07-05 22:25 ` sashiko-bot [this message]
2026-07-05 22:08 ` [PATCH 11/15] PCI/TSM: Add device interface security RUN support Dan Williams
2026-07-05 22:21 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 12/15] PCI/TSM: Add device interface security DMA enable/disable Dan Williams
2026-07-05 22:25 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 13/15] PCI, device core: Add private memory access for DEVICE_TRUST_TCB Dan Williams
2026-07-05 22:28 ` sashiko-bot
2026-07-06 12:42 ` Aneesh Kumar K.V
2026-07-05 22:08 ` [PATCH 14/15] PCI/TSM: Create MMIO descriptors via TDISP Report Dan Williams
2026-07-05 22:24 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 15/15] PCI/TSM: Add relative MMIO offset support? Dan Williams
2026-07-05 22:25 ` sashiko-bot
2026-07-06 12:51 ` [PATCH 00/15] Device Evidence and Trust for PCI Security Protocol (TDISP) Jason Gunthorpe
2026-07-06 20:55 ` Dan Williams (nvidia)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260705222520.D458B1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=djbw@kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox