From: sashiko-bot@kernel.org
To: "Wei Fang" <wei.fang@nxp.com>
Cc: Frank.Li@kernel.org, imx@lists.linux.dev
Subject: Re: [PATCH net-next 14/15] net: enetc: refactor MR interrupt enable/disable helpers
Date: Tue, 12 May 2026 23:34:31 +0000 [thread overview]
Message-ID: <20260512233431.A5B42C2BCB0@smtp.kernel.org> (raw)
In-Reply-To: <20260511080805.2052495-15-wei.fang@nxp.com>
Thank you for your contribution! Sashiko AI review found 5 potential issue(s) to consider:
- [High] Teardown race in enetc_msg_psi_free() leading to Use-After-Free.
- [High] Uninitialized work_struct access in enetc_msg_psi_init() leading to kernel panic.
- [High] Resource leak and Use-After-Free on error path in enetc_msg_psi_init().
- [High] DMA Memory Use-After-Free in enetc_msg_free_mbx().
- [High] Race condition in enetc_msg_task() resulting in missed VF messages.
--
commit 776ed9b5141bfafabe9032ba504482f8555f1985
Author: Wei Fang <wei.fang@nxp.com>
net: enetc: refactor MR interrupt enable/disable helpers
The patch consolidates enetc_msg_enable_mr_int() and
enetc_msg_disable_mr_int() into a single enetc_msg_set_mr_int() helper
that takes a boolean enable parameter. This prepares the code for
dynamic interrupt mask generation based on the number of enabled VFs.
> diff --git a/drivers/net/ethernet/freescale/enetc/enetc_msg.c b/drivers/net/ethernet/freescale/enetc/enetc_msg.c
> index f3e78865617e6..73e32c9b65a89 100644
> --- a/drivers/net/ethernet/freescale/enetc/enetc_msg.c
> +++ b/drivers/net/ethernet/freescale/enetc/enetc_msg.c
[ ... ]
> @@ -171,7 +171,7 @@ static void enetc_msg_task(struct work_struct *work)
> if (!mr_mask) {
> /* re-arm MR interrupts, w1c the IDR reg */
> enetc_wr(hw, ENETC_PSIIDR, ENETC_PSIIER_MR_MASK);
> - enetc_msg_enable_mr_int(hw);
> + enetc_msg_set_mr_int(pf, true);
> return;
> }
This isn't a bug in your patch, but is there a race condition here that
could result in missed VF messages?
The code reads ENETC_PSIMSGRR earlier in the loop. If a VF sends a message
after the read but before the write to ENETC_PSIIDR, the hardware will set
the interrupt status bit, which is then immediately cleared by the write
to ENETC_PSIIDR. When the interrupt is enabled shortly after, it will not
fire.
Should the driver clear the interrupt status before checking for messages?
[ ... ]
> @@ -264,7 +264,7 @@ static int enetc_msg_psi_init(struct enetc_pf *pf)
> }
>
> /* enable MR interrupts */
> - enetc_msg_enable_mr_int(&si->hw);
> + enetc_msg_set_mr_int(pf, true);
>
> return 0;
This isn't a bug in your patch, but looking at the surrounding code in
enetc_msg_psi_init(), is there a risk of accessing an uninitialized
work_struct?
vector = pci_irq_vector(si->pdev, ENETC_SI_INT_IDX);
err = request_irq(vector, enetc_msg_psi_msix, 0, pf->msg_int_name, si);
...
/* initialize PSI mailbox */
INIT_WORK(&pf->msg_task, enetc_msg_task);
Since request_irq() enables the interrupt immediately, if a pending
interrupt fires before INIT_WORK() is called, the handler will schedule
the uninitialized work_struct. Should INIT_WORK() be called before
request_irq()?
Also, looking at the error path just below this:
err_init_mbx:
for (i--; i >= 0; i--)
enetc_msg_free_mbx(si, i);
free_irq(vector, si);
return err;
Does this code leak the scheduled work? If an interrupt fired during the
allocation loop and scheduled pf->msg_task, free_irq() will wait for the
handler to finish but will not cancel the scheduled work. After returning,
the work could execute and access the freed mailbox memory. Should
cancel_work_sync() be called in this error path?
>
> @@ -285,7 +285,7 @@ static void enetc_msg_psi_free(struct enetc_pf *pf)
> cancel_work_sync(&pf->msg_task);
>
> /* disable MR interrupts */
> - enetc_msg_disable_mr_int(&si->hw);
> + enetc_msg_set_mr_int(pf, false);
This isn't a bug in your patch, but is there a teardown race here?
If a hardware interrupt fires right after cancel_work_sync() completes,
the handler will execute and call schedule_work(&pf->msg_task). The work
will then run after the mailboxes are freed and the IRQ is unregistered.
Should enetc_msg_set_mr_int() and free_irq() be called before
cancel_work_sync()?
>
> for (i = 0; i < pf->num_vfs; i++)
> enetc_msg_free_mbx(si, i);
While looking at this teardown path, I noticed enetc_msg_free_mbx() calls
dma_free_coherent() before clearing the hardware base address registers
(ENETC_PSIVMSGRCVAR0 and ENETC_PSIVMSGRCVAR1).
If a VF sends a message before the registers are zeroed, could the hardware
perform a DMA write to memory that has already been returned to the allocator?
Should the hardware registers be cleared before the backing DMA memory
is freed?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260511080805.2052495-1-wei.fang@nxp.com?part=14
next prev parent reply other threads:[~2026-05-12 23:34 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-11 8:07 [PATCH net-next 00/15] net: enetc: Prepare for ENETC v4 VF support Wei Fang
2026-05-11 8:07 ` [PATCH net-next 01/15] net: enetc: switch VF primary MAC setter to PF ops for commonization Wei Fang
2026-05-11 15:41 ` Vladimir Oltean
2026-05-12 1:54 ` Wei Fang
2026-05-11 8:07 ` [PATCH net-next 02/15] net: enetc: move VF message handlers to enetc_msg.c Wei Fang
2026-05-11 8:07 ` [PATCH net-next 03/15] net: enetc: avoid VF->PF mailbox timeout during SR-IOV teardown Wei Fang
2026-05-11 8:07 ` [PATCH net-next 04/15] net: enetc: relocate SR-IOV configuration helper for common PF support Wei Fang
2026-05-11 8:07 ` [PATCH net-next 05/15] net: enetc: integrate enetc_msg.c into enetc-pf-common driver Wei Fang
2026-05-11 8:07 ` [PATCH net-next 06/15] net: enetc: use read_poll_timeout() for VF mailbox polling Wei Fang
2026-05-11 8:07 ` [PATCH net-next 07/15] net: enetc: convert mailbox messages to new formats Wei Fang
2026-05-11 8:07 ` [PATCH net-next 08/15] net: enetc: add VF-PF messaging support for IP minor revision query Wei Fang
2026-05-11 8:07 ` [PATCH net-next 09/15] net: enetc: align v1 CBDR API with v4 for VF driver sharing Wei Fang
2026-05-11 8:08 ` [PATCH net-next 10/15] net: enetc: add CBDR setup/teardown hooks to enetc_si_ops for VF support Wei Fang
2026-05-11 8:08 ` [PATCH net-next 11/15] net: enetc: add generic helper to initialize SR-IOV resources Wei Fang
2026-05-11 8:08 ` [PATCH net-next 12/15] net: enetc: use MADDR_TYPE for MAC filter array size Wei Fang
2026-05-11 8:08 ` [PATCH net-next 13/15] net: enetc: dynamically allocate rxmsg based on VF count Wei Fang
2026-05-12 23:59 ` sashiko-bot
2026-05-11 8:08 ` [PATCH net-next 14/15] net: enetc: refactor MR interrupt enable/disable helpers Wei Fang
2026-05-12 23:34 ` sashiko-bot [this message]
2026-05-13 10:20 ` Wei Fang
2026-05-11 8:08 ` [PATCH net-next 15/15] net: enetc: generate MR interrupt mask based on the number of enabled VFs Wei Fang
2026-05-12 23:48 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260512233431.A5B42C2BCB0@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=imx@lists.linux.dev \
--cc=sashiko-reviews@lists.linux.dev \
--cc=wei.fang@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.