From: sashiko-bot@kernel.org
To: wei.fang@oss.nxp.com
Cc: imx@lists.linux.dev, Frank.Li@kernel.org
Subject: Re: [PATCH net-next 03/15] net: enetc: add link status message support to PF driver
Date: Sat, 06 Jun 2026 07:24:38 +0000 [thread overview]
Message-ID: <20260606072439.50C3A1F00898@smtp.kernel.org> (raw)
In-Reply-To: <20260605065550.3038579-4-wei.fang@oss.nxp.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] The `msg_lock` mutex is used uninitialized if the device does not support SR-IOV or if the PF initializes with 0 VFs, leading to a kernel panic or lockdep splat on link up/down.
- [High] A malicious or unresponsive VF can stall the PF's shared message handler for 200ms per request, causing a Denial of Service (DoS).
- [Medium] Data race on `pf->link_status_ms_mask` during SR-IOV teardown causes a 200ms timeout on concurrent link state changes.
--
commit 7d8f9f9cc2f3db8a098f8342c6d804d1aeb36a72
Author: Wei Fang <wei.fang@nxp.com>
Date: Fri Jun 5 06:55:38 2026 +0000
net: enetc: add link status message support to PF driver
Add link status message support to the PF driver using three command IDs
under message class 0x80 (ENETC_MSG_CLASS_ID_LINK_STATUS).
> diff --git a/drivers/net/ethernet/freescale/enetc/enetc_pf_common.c b/drivers/net/ethernet/freescale/enetc/enetc_pf_common.c
> --- a/drivers/net/ethernet/freescale/enetc/enetc_pf_common.c
> +++ b/drivers/net/ethernet/freescale/enetc/enetc_pf_common.c
> @@ -458,6 +458,8 @@ int enetc_init_sriov_resources(struct enetc_pf *pf)
> for (int i = 0; i < pf->total_vfs; i++)
> mutex_init(&pf->vf_state[i].lock);
>
> + mutex_init(&pf->msg_lock);
> +
> return 0;
> }
[Severity: High]
If the device does not support SR-IOV or total_vfs is 0,
enetc_init_sriov_resources() returns early:
pf->total_vfs = pci_sriov_get_totalvfs(pf->si->pdev);
if (!pf->total_vfs)
return 0;
This skips the mutex_init() for msg_lock.
However, the phylink callbacks enetc4_pl_mac_link_up() and
enetc4_pl_mac_link_down() unconditionally call enetc_pf_notify_vf_link_up()
and enetc_pf_notify_vf_link_down().
These functions eventually reach enetc_pf_notify_vf_link_status(), which
attempts to acquire this uninitialized lock:
enetc_pf_notify_vf_link_status()
mutex_lock(&pf->msg_lock);
Could this cause a lockdep warning or a crash when the device link comes
up or goes down and total_vfs is 0?
> diff --git a/drivers/net/ethernet/freescale/enetc/enetc_msg.c b/drivers/net/ethernet/freescale/enetc/enetc_msg.c
> --- a/drivers/net/ethernet/freescale/enetc/enetc_msg.c
> +++ b/drivers/net/ethernet/freescale/enetc/enetc_msg.c
[ ... ]
> +static int enetc_pf_send_msg(struct enetc_pf *pf, u32 msg_code, u16 ms_mask)
> +{
> + struct enetc_si *si = pf->si;
> + u32 val;
> +
> + enetc_wr(&si->hw, ENETC_PSIMSGSR,
> + FIELD_PREP(PSIMSGSR_MC, msg_code) | ms_mask);
> +
> + return read_poll_timeout(enetc_rd, val, !(val & ms_mask), 1000,
> + 200000, false, &si->hw, ENETC_PSIMSGSR);
> +}
> +
> +static void enetc_msg_notify_vf_link_status(struct enetc_pf *pf, u16 ms_mask,
> + bool link_up)
> +{
[ ... ]
> + if (enetc_pf_send_msg(pf, pf_msg, ms_mask))
> + dev_err_ratelimited(&pf->si->pdev->dev,
> + "PF notifies link status failed\n");
> +}
[Severity: High]
If a VF is malicious, crashed, or improperly configured and fails to clear
its bit in ENETC_PSIMSGSR, enetc_pf_send_msg() will block the phylink worker
thread for its maximum 200ms polling timeout.
Because enetc_msg_notify_vf_link_status() only logs an error and does not
remove the unresponsive VF from pf->link_status_ms_mask, won't every
subsequent link state change also incur this 200ms stall?
Additionally, a malicious VF could spam ENETC_MSG_REGISTER_LINK_CHANGE_NOTIFIER
messages, forcing the PF to repeatedly call enetc_pf_send_msg() while holding
pf->msg_lock. Could this stall the shared msg_task workqueue and starve
other VFs?
> @@ -361,6 +471,7 @@ int enetc_sriov_configure(struct pci_dev *pdev, int num_vfs)
> if (!num_vfs) {
> pci_disable_sriov(pdev);
> enetc_msg_psi_free(pf);
> + pf->link_status_ms_mask = 0;
> pf->num_vfs = 0;
> } else {
[Severity: Medium]
When disabling SR-IOV, pf->link_status_ms_mask is cleared outside of
pf->msg_lock and after the VFs have been disabled via pci_disable_sriov().
If a physical link state change occurs concurrently, could
enetc_pf_notify_vf_link_status() acquire the lock, observe a stale non-zero
ms_mask, and attempt to notify destroyed VFs?
Since the VFs are no longer active, they wouldn't clear their bits, causing
enetc_pf_send_msg() to inevitably timeout after 200ms. Should this mask be
cleared under the msg_lock before disabling SR-IOV?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260605065550.3038579-1-wei.fang@oss.nxp.com?part=3
next prev parent reply other threads:[~2026-06-06 7:24 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-05 6:55 [PATCH net-next 00/15] net: enetc: SR-IOV improvements and ENETC v4 VF support wei.fang
2026-06-05 6:55 ` [PATCH net-next 01/15] net: enetc: add trusted " wei.fang
2026-06-06 7:24 ` sashiko-bot
2026-06-06 13:37 ` Wei Fang (OSS)
2026-06-05 6:55 ` [PATCH net-next 02/15] net: enetc: move msg_task and msg_int_name to struct enetc_si wei.fang
2026-06-05 6:55 ` [PATCH net-next 03/15] net: enetc: add link status message support to PF driver wei.fang
2026-06-06 7:24 ` sashiko-bot [this message]
2026-06-06 14:05 ` Wei Fang (OSS)
2026-06-05 6:55 ` [PATCH net-next 04/15] net: enetc: add link speed " wei.fang
2026-06-06 7:24 ` sashiko-bot
2026-06-05 6:55 ` [PATCH net-next 05/15] net: enetc: use enetc_set_si_hw_addr() to set VF MAC address wei.fang
2026-06-05 6:55 ` [PATCH net-next 06/15] net: enetc: relocate enetc_pf_set_vf_mac() for common PF support wei.fang
2026-06-05 6:55 ` [PATCH net-next 07/15] net: enetc: add .ndo_set_vf_mac() to the enetc v4 driver wei.fang
2026-06-05 6:55 ` [PATCH net-next 08/15] net: enetc: move mac_filter from struct enetc_pf to struct enetc_si wei.fang
2026-06-06 7:24 ` sashiko-bot
2026-06-07 2:52 ` Wei Fang (OSS)
2026-06-05 6:55 ` [PATCH net-next 09/15] net: enetc: add MAC address filtering support for VFs of ENETC v4 wei.fang
2026-06-06 7:24 ` sashiko-bot
2026-06-05 6:55 ` [PATCH net-next 10/15] net: enetc: simplify and rename PSIIER enable/disable helpers wei.fang
2026-06-05 6:55 ` [PATCH net-next 11/15] net: enetc: restore VF MAC promiscuous mode after FLR for ENETC v4 wei.fang
2026-06-06 7:24 ` sashiko-bot
2026-06-05 6:55 ` [PATCH net-next 12/15] net: enetc: add VF support for i.MX94 and i.MX95 wei.fang
2026-06-06 7:24 ` sashiko-bot
2026-06-07 3:53 ` Wei Fang (OSS)
2026-06-05 6:55 ` [PATCH net-next 13/15] net: enetc: implement ndo_set_rx_mode_async for ENETC v4 VF wei.fang
2026-06-06 7:24 ` sashiko-bot
2026-06-07 4:01 ` Wei Fang (OSS)
2026-06-05 6:55 ` [PATCH net-next 14/15] net: enetc: add PSI-to-VSI link status notification support for VF wei.fang
2026-06-06 7:24 ` sashiko-bot
2026-06-05 6:55 ` [PATCH net-next 15/15] net: enetc: add ndo_get_vf_config() support wei.fang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260606072439.50C3A1F00898@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=imx@lists.linux.dev \
--cc=sashiko-reviews@lists.linux.dev \
--cc=wei.fang@oss.nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.