From: sashiko-bot@kernel.org
To: "Daniel Machon" <daniel.machon@microchip.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH net-next v2 04/13] net: lan966x: add FDMA LLP register write helper
Date: Wed, 29 Apr 2026 13:10:02 +0000 [thread overview]
Message-ID: <20260429131002.D9B3BC19425@smtp.kernel.org> (raw)
In-Reply-To: <20260428-lan966x-pci-fdma-v2-4-d3ec66e06202@microchip.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] Missing Hardware Initialization in Fallback Path
- [High] Ignored return value of `fdma_dcbs_init()` leads to memory corruption
- [High] Stale destroyed `page_pool` left in XDP RX queues leading to UAF / Double Free
--
commit e1cc739c153cef02ae9d3a24aa4e6dc773ba0fd8
Author: Daniel Machon <daniel.machon@microchip.com>
net: lan966x: add FDMA LLP register write helper
This commit moves the LLP register writes from the channel start/activate
functions into the allocation functions. It also introduces a shared
lan966x_fdma_llp_configure() helper to write the LLP registers.
> diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c b/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c
> index f8ce735a7fc0..6c5761e886d4 100644
> --- a/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c
> +++ b/drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c
[ ... ]
> @@ -127,6 +134,9 @@ static int lan966x_fdma_rx_alloc(struct lan966x_rx *rx)
> fdma_dcbs_init(fdma, FDMA_DCB_INFO_DATAL(fdma->db_size),
> FDMA_DCB_STATUS_INTR);
This is existing code, but could the error recovery path here lead to a
use-after-free or double free?
If fdma_alloc_coherent() fails just prior to this, the newly created
page_pool is destroyed. In the lan966x_fdma_reload() fallback path, the old
page_pool pointer is restored in the lan966x->rx structure, but it is never
re-registered with xdp_rxq_info_reg_mem_model().
The xdp_rxq structures will continue holding the mem.id of the destroyed
page_pool. When the queues are eventually torn down, will
xdp_rxq_info_unreg_mem_model() attempt to free the destroyed page_pool?
Also, is it safe to ignore the return value of fdma_dcbs_init() here?
If fdma_dcbs_init() invokes allocation callbacks that fail with -ENOMEM, the
remaining DMA descriptors could be left uninitialized and retain a dataptr
of 0.
By ignoring the failure, won't the driver falsely assume initialization
succeeded and enable hardware DMA, potentially causing the DMA engine to
write incoming frames to physical address 0?
>
> + lan966x_fdma_llp_configure(lan966x, (u64)fdma->dma,
> + fdma->channel_id);
> +
> return 0;
> }
>
> @@ -136,14 +146,6 @@ static void lan966x_fdma_rx_start(struct lan966x_rx *rx)
> struct fdma *fdma = &rx->fdma;
> u32 mask;
>
> - /* When activating a channel, first is required to write the first DCB
> - * address and then to activate it
> - */
> - lan_wr(lower_32_bits((u64)fdma->dma), lan966x,
> - FDMA_DCB_LLP(fdma->channel_id));
> - lan_wr(upper_32_bits((u64)fdma->dma), lan966x,
> - FDMA_DCB_LLP1(fdma->channel_id));
> -
By moving the LLP register writes out of lan966x_fdma_rx_start(), does this
break the fallback path in lan966x_fdma_reload() used for the AMBA interface?
If lan966x_fdma_rx_alloc() fails due to memory pressure, the driver jumps to
the restore label, copies back the old RX state, and calls
lan966x_fdma_rx_start() to re-activate the channel.
Because lan966x_fdma_rx_start() no longer writes the LLP register, and the
channel was previously disabled via a hardware DB_DISCARD, will the hardware
be re-activated without its base descriptor pointer configured, leading to
the DMA fetching from a stale or invalid address?
> lan_wr(FDMA_CH_CFG_CH_DCB_DB_CNT_SET(fdma->n_dbs) |
> FDMA_CH_CFG_CH_INTR_DB_EOF_ONLY_SET(1) |
> FDMA_CH_CFG_CH_INJ_PORT_SET(0) |
[ ... ]
> @@ -214,6 +216,9 @@ static int lan966x_fdma_tx_alloc(struct lan966x_tx *tx)
>
> fdma_dcbs_init(fdma, 0, 0);
Similar to the RX side, this is existing code, but does ignoring the return
value of fdma_dcbs_init() here also risk DMA hardware fetching from an
invalid descriptor if allocation fails?
>
> + lan966x_fdma_llp_configure(lan966x, (u64)fdma->dma,
> + fdma->channel_id);
> +
> return 0;
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260428-lan966x-pci-fdma-v2-0-d3ec66e06202@microchip.com?part=4
next prev parent reply other threads:[~2026-04-29 13:10 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-28 13:06 [PATCH net-next v2 00/13] net: lan966x: add support for PCIe FDMA Daniel Machon
2026-04-28 13:06 ` [PATCH net-next v2 01/13] MAINTAINERS: add FDMA library to Sparx5 SoC entry Daniel Machon
2026-04-28 13:06 ` [PATCH net-next v2 02/13] net: microchip: fdma: rename contiguous dataptr helpers Daniel Machon
2026-04-28 13:06 ` [PATCH net-next v2 03/13] net: microchip: fdma: add PCIe ATU support Daniel Machon
2026-04-28 13:06 ` [PATCH net-next v2 04/13] net: lan966x: add FDMA LLP register write helper Daniel Machon
2026-04-29 13:10 ` sashiko-bot [this message]
2026-04-28 13:06 ` [PATCH net-next v2 05/13] net: lan966x: export FDMA helpers for reuse Daniel Machon
2026-04-28 13:06 ` [PATCH net-next v2 06/13] net: lan966x: add FDMA ops dispatch for PCIe support Daniel Machon
2026-04-29 13:10 ` sashiko-bot
2026-04-28 13:06 ` [PATCH net-next v2 07/13] net: lan966x: clear FDMA interrupt stickies after switch reset Daniel Machon
2026-04-28 13:06 ` [PATCH net-next v2 08/13] net: lan966x: add shutdown callback to stop FDMA on reboot Daniel Machon
2026-04-29 13:10 ` sashiko-bot
2026-04-28 13:06 ` [PATCH net-next v2 09/13] net: lan966x: add PCIe FDMA support Daniel Machon
2026-04-29 13:10 ` sashiko-bot
2026-04-28 13:06 ` [PATCH net-next v2 10/13] net: lan966x: add PCIe FDMA MTU change support Daniel Machon
2026-04-29 13:10 ` sashiko-bot
2026-04-28 13:07 ` [PATCH net-next v2 11/13] net: lan966x: add PCIe FDMA XDP support Daniel Machon
2026-04-29 13:10 ` sashiko-bot
2026-04-28 13:07 ` [PATCH net-next v2 12/13] misc: lan966x-pci: dts: extend cpu reg to cover PCIE DBI space Daniel Machon
2026-04-28 13:07 ` [PATCH net-next v2 13/13] misc: lan966x-pci: dts: add fdma interrupt to overlay Daniel Machon
2026-04-28 16:07 ` [PATCH net-next v2 00/13] net: lan966x: add support for PCIe FDMA Herve Codina
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260429131002.D9B3BC19425@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel.machon@microchip.com \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox