From: sashiko-bot@kernel.org
To: "Szymon Durawa" <szymon.durawa@linux.intel.com>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH v5 2/8] PCI: vmd: Add vmd_configure_cfgbar() helper function
Date: Thu, 25 Jun 2026 06:17:51 +0000
Message-ID: <20260625061751.AE0551F000E9@smtp.kernel.org>
In-Reply-To: <20260625082940.1290740-3-szymon.durawa@linux.intel.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Destruction of SRCU struct before freeing IRQ handlers leads to potential Use-After-Free.
--

commit 277c077bdf8fa22a45d1262f68f3e1a7fc357e50
Author: Szymon Durawa <szymon.durawa@linux.intel.com>

PCI: vmd: Add vmd_configure_cfgbar() helper function

Move the VMD CFGBAR initialization code to a new helper
vmd_configure_cfgbar(). No functional changes.

> diff --git a/drivers/pci/controller/vmd.c b/drivers/pci/controller/vmd.c
> index 070b247b3fbbe..2c824660cabd5 100644
> --- a/drivers/pci/controller/vmd.c
> +++ b/drivers/pci/controller/vmd.c
[ ... ]
> @@ -857,13 +869,7 @@ static int vmd_enable_domain(struct vmd_dev *vmd, unsigned long features)
>  			return ret;
>  	}
>  
> -	res = &vmd->dev->resource[VMD_CFGBAR];
> -	vmd->resources[0] = (struct resource) {
> -		.name  = "VMD CFGBAR",
> -		.start = vmd->busn_start,
> -		.end   = vmd->busn_start + (resource_size(res) >> 20) - 1,
> -		.flags = IORESOURCE_BUS | IORESOURCE_PCI_FIXED,
> -	};
> +	vmd_configure_cfgbar(vmd);

[Severity: High]
This is a pre-existing issue, but does vmd_remove() have a use-after-free
race?

In vmd_alloc_irqs(), the interrupts are requested via devm_request_irq(),
which means they are freed automatically by devres after vmd_remove() returns.

However, vmd_remove() explicitly destroys the SRCU structure:

vmd_remove()
  vmd_cleanup_srcu()
    cleanup_srcu_struct(&vmd->irqs[i].srcu)

If an interrupt fires after cleanup_srcu_struct() but before the devres
cleanup unregisters the IRQ, vmd_irq() will unconditionally access the
destroyed SRCU structure:

vmd_irq()
  idx = srcu_read_lock(&irqs->srcu);

Should the IRQs be freed before the SRCU structures are destroyed?

>  
>  	/*
>  	 * If the window is below 4GB, clear IORESOURCE_MEM_64 so we can
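
Review bot: The removed block at the `vmd_configure_cfgbar(vmd);` call site was also the only visible place where the local `res` was pointed at `&vmd->dev->resource[VMD_CFGBAR]`, so any later use of `res` in vmd_enable_domain() has to assign it again before reading it; the shown context does not confirm that, and it is worth checking that the variable is neither read stale nor left unused. Because the helper body is elided here, the "No functional changes" statement also depends on the helper reproducing `.end = vmd->busn_start + (resource_size(res) >> 20) - 1` and the `IORESOURCE_BUS | IORESOURCE_PCI_FIXED` flags exactly. If the helper does not already carry one, a one-line comment on the `>> 20` (one bus number per 1 MiB of the BAR) would document the computation now that it lives in its own function.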

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260625082940.1290740-1-szymon.durawa@linux.intel.com?part=2
