[{"id":3688691,"web_url":"http://patchwork.ozlabs.org/comment/3688691/","msgid":"<20260508193127.912BEC2BCB0@smtp.kernel.org>","list_archive_url":null,"date":"2026-05-08T19:31:27","subject":"Re: [PATCH v8 3/7] PCI/TPH: Fix pcie_tph_get_st_table_size() for\n MSI-X table location","submitter":{"id":93311,"url":"http://patchwork.ozlabs.org/api/people/93311/","name":null,"email":"sashiko-bot@kernel.org"},"content":"Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:\n- [High] Modifying pcie_tph_get_st_table_size() to return > 0 for MSI-X located ST tables causes severe out-of-bounds read/writes in PCI configuration space during TPH state save and restore.\n--\n\ncommit 73d4864dbc8b240284d0329056ab114562107193\nAuthor: Chengwen Feng <fengchengwen@huawei.com>\n\n    PCI/TPH: Fix pcie_tph_get_st_table_size() for MSI-X table location\n    \n    pcie_tph_get_st_table_size() previously only returned valid size when ST\n    Table is in TPH Capability space. According to PCIe spec [1], ST table size\n    is also valid when ST Table is located in MSI-X table.\n\n[ ... ]\n\n> diff --git a/drivers/pci/tph.c b/drivers/pci/tph.c\n> index ba31b010f67ad..de5bd7039cdca 100644\n> --- a/drivers/pci/tph.c\n> +++ b/drivers/pci/tph.c\n\n[ ... ]\n\n> 
@@ -200,7 +201,7 @@ u16 pcie_tph_get_st_table_size(struct pci_dev *pdev)\n>  \n>  \t/* Check ST table location first */\n>  \tloc = pcie_tph_get_st_table_loc(pdev);\n> -\tif (loc != PCI_TPH_LOC_CAP)\n> +\tif (loc != PCI_TPH_LOC_CAP && loc != PCI_TPH_LOC_MSIX)\n>  \t\treturn 0;\n>  \n>  \tpci_read_config_dword(pdev, pdev->tph_cap + PCI_TPH_CAP, &reg);\n\nIf pcie_tph_get_st_table_size() returns a value greater than 0 when the ST\ntable is located in the MSI-X table, does this cause pci_restore_tph_state()\nto write out of bounds in the PCI configuration space?\n\nLooking at pci_restore_tph_state(), it uses the size returned by\npcie_tph_get_st_table_size() to write ST entries directly into the TPH\nExtended Capability:\n\ndrivers/pci/tph.c:pci_restore_tph_state() {\n\t...\n\tst_entry = (u16 *)cap;\n\toffset = PCI_TPH_BASE_SIZEOF;\n\tnum_entries = pcie_tph_get_st_table_size(pdev);\n\tfor (i = 0; i < num_entries; i++) {\n\t\tpci_write_config_word(pdev, pdev->tph_cap + offset,\n\t\t\t\t      *st_entry++);\n\t\toffset += sizeof(u16);\n\t}\n}\n\nWhen the ST table is located in MSI-X, the entries are memory mapped rather\nthan stored in the TPH capability itself.\n\nBecause the TPH Extended Capability is only 12 bytes long in this case, could\nthis loop clobber subsequent capabilities in the configuration space during\nresume?\n\nA similar out-of-bounds read would occur in pci_save_tph_state().","headers":{"Return-Path":"\n <linux-pci+bounces-54281-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-pci@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=m3ZkoWJf;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; 
helo=sea.lore.kernel.org;\n envelope-from=linux-pci+bounces-54281-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=\"m3ZkoWJf\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=10.30.226.201"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org [172.234.253.10])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4gBzlG0m2Lz1yK7\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 09 May 2026 05:31:54 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id D876030417AB\n\tfor <incoming@patchwork.ozlabs.org>; Fri,  8 May 2026 19:31:28 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 42467284662;\n\tFri,  8 May 2026 19:31:28 +0000 (UTC)","from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org\n [10.30.226.201])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 1F74D352921\n\tfor <linux-pci@vger.kernel.org>; Fri,  8 May 2026 19:31:27 +0000 (UTC)","by smtp.kernel.org (Postfix) with ESMTPSA id 912BEC2BCB0;\n\tFri,  8 May 2026 19:31:27 +0000 (UTC)"],
"ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=m3ZkoWJf; arc=none smtp.client-ip=10.30.226.201","From":"sashiko-bot@kernel.org","Subject":"Re: [PATCH v8 3/7] PCI/TPH: Fix pcie_tph_get_st_table_size() for\n MSI-X table location","Reply-To":"sashiko@lists.linux.dev","To":"\"Chengwen Feng\" <fengchengwen@huawei.com>","Cc":"linux-pci@vger.kernel.org","In-Reply-To":"<20260508064053.37529-4-fengchengwen@huawei.com>","References":"<20260508064053.37529-4-fengchengwen@huawei.com>","Content-Type":"text/plain; charset=utf-8","Content-Transfer-Encoding":"quoted-printable","Date":"Fri, 08 May 2026 19:31:27 +0000","Message-Id":"<20260508193127.912BEC2BCB0@smtp.kernel.org>","Precedence":"bulk","X-Mailing-List":"linux-pci@vger.kernel.org","List-Id":"<linux-pci.vger.kernel.org>","List-Subscribe":"<mailto:linux-pci+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-pci+unsubscribe@vger.kernel.org>"}}]