All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Yazen Ghannam" <yazen.ghannam@amd.com>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH 5/5] PCI/FLIT: Ratelimit flit error logging
Date: Tue, 14 Jul 2026 19:18:26 +0000	[thread overview]
Message-ID: <20260714191826.BA81E1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260714183950.1620016-6-yazen.ghannam@amd.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

New issues:
- [Medium] Sysfs Group Directory Leak for devices without FLIT capability.
- [Medium] Missing input validation allows negative burst values, permanently suppressing flit error logs.

Pre-existing issues:
- [High] Surprise hot-unplug or malicious endpoint causes an infinite loop in `flit_isr`, leading to a hard CPU lockup.
--

--- Patch [5]: [PATCH 5/5] PCI/FLIT: Ratelimit flit error logging ---
commit 3a5e2834e7b9f5641abd9dbcf3215773fe5a6904
Author: Yazen Ghannam <yazen.ghannam@amd.com>

PCI/FLIT: Ratelimit flit error logging

This commit introduces a per-device ratelimit state for flit error logging
to prevent console log flooding. It exposes tuning parameters via per-device
sysfs attributes and applies the ratelimiter inside the interrupt handler.

> diff --git a/drivers/pci/pcie/flit.c b/drivers/pci/pcie/flit.c
> index 83cf53f392913..7cb5aff7c552c 100644
> --- a/drivers/pci/pcie/flit.c
> +++ b/drivers/pci/pcie/flit.c
[ ... ]
> +static ssize_t flit_ratelimit_burst_store(struct device *dev,
> +					  struct device_attribute *attr,
> +					  const char *buf, size_t count)
> +{
> +	struct pci_dev *pdev = to_pci_dev(dev);
> +	int burst;
> +
> +	if (!capable(CAP_SYS_ADMIN))
> +		return -EPERM;
> +
> +	if (kstrtoint(buf, 0, &burst) < 0)
> +		return -EINVAL;
> +
> +	pdev->flit_ratelimit.burst = burst;

[Severity: Medium]
Does this allow negative values to be assigned to the burst limit?

If a user writes a negative string (like "-5"), kstrtoint() will parse it
successfully into a negative integer. If burst is negative, the core
___ratelimit() check (rs->burst <= rs->printed) will permanently evaluate to
true, which would silently suppress all future flit error logs.

> +
> +	return count;
> +}
> +static DEVICE_ATTR_RW(flit_ratelimit_burst);
> +
> +static struct attribute *flit_attrs[] = {
> +	&dev_attr_flit_ratelimit_interval_ms.attr,
> +	&dev_attr_flit_ratelimit_burst.attr,
> +	NULL
> +};
> +
> +static umode_t flit_attrs_are_visible(struct kobject *kobj,
> +				      struct attribute *a, int n)
> +{
> +	struct device *dev = kobj_to_dev(kobj);
> +	struct pci_dev *pdev = to_pci_dev(dev);
> +
> +	if (!pdev->flit_cap)
> +		return 0;

[Severity: Medium]
Because this attribute group has a name (".name = "flit""), does returning 0
here leak an empty sysfs directory for devices without the FLIT capability?

Returning 0 suppresses the individual attributes, but the sysfs core will
still create an empty "/sys/bus/pci/devices/.../flit/" directory. Should
this return SYSFS_GROUP_INVISIBLE instead to suppress the entire directory?

> +
> +	return a->mode;
>  }
>  
> +const struct attribute_group flit_attr_group = {
> +	.name = "flit",
> +	.attrs = flit_attrs,
> +	.is_visible = flit_attrs_are_visible,
> +};
[ ... ]
>  	do {
>  		pci_read_config_dword(pdev, flit + PCI_FLIT_ERR_LOG1, &err_log1);
>  
>  		if (!(err_log1 & PCI_FLIT_ERR_LOG_VALID))
>  			break;
>  
>  		pci_read_config_dword(pdev, flit + PCI_FLIT_ERR_LOG2, &err_log2);
> -		pci_info(pdev, HW_ERR "  Error Log1: 0x%08x Error Log2: 0x%08x\n", err_log1, err_log2);
> +		if (print)
> +			pci_info(pdev, HW_ERR "  Error Log1: 0x%08x Error Log2: 0x%08x\n",
> +				 err_log1, err_log2);
>  		trace_flit_event(pci_name(pdev), cntr_ctrl, cntr_sta, err_log1, err_log2);
>  
>  		pci_write_config_dword(pdev, flit + PCI_FLIT_ERR_LOG1, err_log1);
> -	} while (err_log1 & PCI_FLIT_ERR_LOG_MORE);
> +	} while (err_log1 & PCI_FLIT_ERR_LOG_MORE);

[Severity: High]
This is a pre-existing issue, but is this loop safe against surprise device
hot-unplugs?

If the device is disconnected, pci_read_config_dword() will fail and assign
~0 (0xFFFFFFFF) to err_log1. Because ~0 has all bits set, the initial check
for PCI_FLIT_ERR_LOG_VALID will pass.

The loop condition checking for PCI_FLIT_ERR_LOG_MORE will also pass, creating
an unconditional infinite loop that could cause a hard CPU lockup.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260714183950.1620016-1-yazen.ghannam@amd.com?part=5

      reply	other threads:[~2026-07-14 19:18 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-14 18:39 [PATCH 0/5] PCIe Flit Logging Ext Capability Support Yazen Ghannam
2026-07-14 18:39 ` [PATCH 1/5] PCI/portdrv: Group PCI Exp Cap services into a single mask Yazen Ghannam
2026-07-14 19:11   ` sashiko-bot
2026-07-14 18:39 ` [PATCH 2/5] PCI/FLIT: Add support for Flit Logging Extended Capability Yazen Ghannam
2026-07-14 19:17   ` sashiko-bot
2026-07-14 18:39 ` [PATCH 3/5] PCI/FLIT: Negotiate _OSC control for Flit Error Logging Yazen Ghannam
2026-07-14 19:36   ` sashiko-bot
2026-07-14 18:39 ` [PATCH 4/5] PCI/FLIT: Add trace event for flit errors Yazen Ghannam
2026-07-14 19:16   ` sashiko-bot
2026-07-14 18:39 ` [PATCH 5/5] PCI/FLIT: Ratelimit flit error logging Yazen Ghannam
2026-07-14 19:18   ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260714191826.BA81E1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=linux-pci@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=yazen.ghannam@amd.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.