From: sashiko-bot@kernel.org
To: "Hans Zhang" <18255117159@163.com>
Cc: wsa+renesas@sang-engineering.com, linux-pci@vger.kernel.org
Subject: Re: [PATCH v3 5/7] PCI: aardvark: Add 100 ms delay after link training
Date: Tue, 12 May 2026 01:31:57 +0000 [thread overview]
Message-ID: <20260512013157.99675C2BCB0@smtp.kernel.org> (raw)
In-Reply-To: <20260511055923.37117-6-18255117159@163.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [Critical] Potential Use-After-Free (UAF) in the IRQ handler during advk_pcie_probe() failure due to unbalanced teardown symmetry.
- [High] Memory and hardware resources are leaked in the error paths of advk_pcie_probe().
- [Medium] The commit message incorrectly claims that `link_gen` holds the negotiated link speed.
--
commit 1f92b585affbc960f9cf75de361f24796312c8bb
Author: Hans Zhang <18255117159@163.com>
PCI: aardvark: Add 100 ms delay after link training
This commit introduces a 100 ms delay after PCIe link training completes for
speeds greater than 5.0 GT/s. It utilizes the existing pcie->link_gen field
and pci_host_common_link_train_delay() to implement this requirement.
> The driver already maintains a 'link_gen' field that holds the negotiated
> link speed. Use it together with pci_host_common_link_train_delay() to
> insert the required delay immediately after confirming that the link
> is up.
This isn't a bug, but is this description accurate? The pcie->link_gen field
is populated during driver probe via of_pci_get_max_link_speed() and does
not appear to be dynamically updated with the actual negotiated link speed
from the hardware.
[ ... ]
Looking at the error paths in advk_pcie_probe(), if steps like
advk_pcie_init_irq_domain() or pci_host_probe() fail, the driver returns
without calling pci_bridge_emul_cleanup() to free the emulated bridge memory.
It also appears to skip calling advk_pcie_disable_phy() to power off the PHY.
Does this code leak the PHY and emulated bridge memory resources in these
error paths?
Also in advk_pcie_probe(), the driver registers advk_pcie_irq_handler using
devm_request_irq() and enables hardware interrupts via advk_pcie_setup_hw().
If a later step like pci_host_probe() fails, the error path calls
advk_pcie_remove_irq_domain(), which frees the irq domain.
Since the hardware interrupts are not masked and the IRQ handler is not
deregistered in this error path, devm_request_irq() defers unregistration
until after the probe function returns.
Could a hardware interrupt fire in this window, causing
advk_pcie_irq_handler() to call generic_handle_domain_irq() and dereference
the freed pcie->irq_domain pointer?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260511055923.37117-1-18255117159@163.com?part=5
next prev parent reply other threads:[~2026-05-12 1:31 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-11 5:59 [PATCH v3 0/7] PCI: Add common helper for 100 ms delay after link training Hans Zhang
2026-05-11 5:59 ` [PATCH v3 1/7] PCI: Add pci_host_common_link_train_delay() helper Hans Zhang
2026-05-12 0:07 ` sashiko-bot
2026-05-12 0:45 ` Hans Zhang
2026-05-12 7:05 ` Claudiu Beznea
2026-05-12 10:06 ` Hans Zhang
2026-05-11 5:59 ` [PATCH v3 2/7] PCI: cadence: Add post-link delay for LGA and j721e glue driver Hans Zhang
2026-05-12 0:24 ` sashiko-bot
2026-05-12 0:44 ` Hans Zhang
2026-05-11 5:59 ` [PATCH v3 3/7] PCI: cadence: HPA: Add post-link delay Hans Zhang
2026-05-12 0:44 ` sashiko-bot
2026-05-11 5:59 ` [PATCH v3 4/7] PCI: dwc: Use common pci_host_common_link_train_delay() helper Hans Zhang
2026-05-11 7:02 ` Krzysztof Wilczyński
2026-05-12 0:43 ` Hans Zhang
2026-05-12 7:14 ` Krzysztof Wilczyński
2026-05-12 10:06 ` Hans Zhang
2026-05-12 6:45 ` Manivannan Sadhasivam
2026-05-12 7:14 ` Krzysztof Wilczyński
2026-05-12 1:00 ` sashiko-bot
2026-05-11 5:59 ` [PATCH v3 5/7] PCI: aardvark: Add 100 ms delay after link training Hans Zhang
2026-05-12 1:31 ` sashiko-bot [this message]
2026-05-11 5:59 ` [PATCH v3 6/7] PCI: mediatek-gen3: Add 100 ms delay after link up Hans Zhang
2026-05-12 1:59 ` sashiko-bot
2026-05-11 5:59 ` [PATCH v3 7/7] PCI: rzg3s-host: Use common pci_host_common_link_train_delay() helper Hans Zhang
2026-05-12 2:15 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260512013157.99675C2BCB0@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=18255117159@163.com \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko@lists.linux.dev \
--cc=wsa+renesas@sang-engineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.