From: Simon Horman <horms@kernel.org>
To: nikhil.rao@amd.com
Cc: Simon Horman <horms@kernel.org>,
netdev@vger.kernel.org, kuba@kernel.org, brett.creeley@amd.com,
eric.joyner@amd.com, andrew+netdev@lunn.ch, davem@davemloft.net,
edumazet@google.com, pabeni@redhat.com
Subject: Re: [PATCH net] pds_core: fix use-after-free on workqueue during remove
Date: Thu, 11 Jun 2026 18:32:02 +0100 [thread overview]
Message-ID: <20260611173201.631727-2-horms@kernel.org> (raw)
In-Reply-To: <20260610025952.196470-1-nikhil.rao@amd.com>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
Full review at: https://sashiko.dev
---
pds_core: fix use-after-free on workqueue during remove
This commit fixes a use-after-free on the workqueue during remove by
destroying the workqueue earlier and setting pdsc->wq to NULL.
> diff --git a/drivers/net/ethernet/amd/pds_core/main.c b/drivers/net/ethernet/amd/pds_core/main.c
> index 22db78343eb07..cb3ac26266aa7 100644
> --- a/drivers/net/ethernet/amd/pds_core/main.c
> +++ b/drivers/net/ethernet/amd/pds_core/main.c
> @@ -435,8 +435,10 @@ static void pdsc_remove(struct pci_dev *pdev)
> pdsc_auxbus_dev_del(pdsc, pdsc, &pdsc->padev);
>
> timer_shutdown_sync(&pdsc->wdtimer);
> - if (pdsc->wq)
> + if (pdsc->wq) {
> destroy_workqueue(pdsc->wq);
[Severity: High]
This is a pre-existing issue, but can this destroy_workqueue() call deadlock
with pdsc_pci_reset_thread()?
The PCI subsystem holds device_lock() when calling pdsc_remove().
If pdsc_pci_reset_thread() is currently executing on this workqueue,
destroy_workqueue() will block waiting for it to finish.
However, pdsc_pci_reset_thread() calls pci_reset_function(), which attempts
to acquire the same device_lock(), resulting in a deadlock.
> + pdsc->wq = NULL;
[Severity: High]
Can setting pdsc->wq to NULL here introduce a regression where the interrupt
handler dereferences a NULL pointer?
This assignment is executed before set_bit(PDSC_S_STOPPING_DRIVER,
&pdsc->state) and before pdsc_stop() masks hardware interrupts.
If an interrupt fires (e.g., a NotifyQ event) in this window,
pdsc_adminq_isr() will run. Because the PDSC_S_STOPPING_DRIVER state is not
yet set, the ISR check succeeds and it will unconditionally call queue_work()
with the NULL pdsc->wq:
pdsc_adminq_isr()
...
queue_work(pdsc->wq, &qcq->work);
> + }
>
> mutex_lock(&pdsc->config_lock);
> set_bit(PDSC_S_STOPPING_DRIVER, &pdsc->state);
prev parent reply other threads:[~2026-06-11 17:33 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-10 2:59 [PATCH net] pds_core: fix use-after-free on workqueue during remove Nikhil P. Rao
2026-06-11 17:32 ` Simon Horman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260611173201.631727-2-horms@kernel.org \
--to=horms@kernel.org \
--cc=andrew+netdev@lunn.ch \
--cc=brett.creeley@amd.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=eric.joyner@amd.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=nikhil.rao@amd.com \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.