From: sashiko-bot@kernel.org
To: "Nathan Lynch via B4 Relay" <devnull+nathan.lynch.amd.com@kernel.org>
Cc: Frank.Li@kernel.org, dmaengine@vger.kernel.org, vkoul@kernel.org,
linux-pci@vger.kernel.org
Subject: Re: [PATCH v2 16/23] dmaengine: sdxi: Generic descriptor manipulation helpers
Date: Wed, 13 May 2026 20:21:14 +0000 [thread overview]
Message-ID: <20260513202115.B748AC19425@smtp.kernel.org> (raw)
In-Reply-To: <20260511-sdxi-base-v2-16-889cfed17e3f@amd.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Data race and TOCTOU race in descriptor ownership validation defeats the safety check.
- [Medium] Severe performance degradation due to Read-Modify-Write (RMW) on Write-Combining (WC) DMA memory.
--
commit 54eb4223ce2b3ad6354bf153f2d7fc8aa53474e0
Author: Nathan Lynch <nathan.lynch@amd.com>
dmaengine: sdxi: Generic descriptor manipulation helpers
Introduce small helper functions for manipulating certain common properties
of descriptors after their operation-specific encoding has been performed but
before they are submitted.
> diff --git a/drivers/dma/sdxi/descriptor.h b/drivers/dma/sdxi/descriptor.h
> new file mode 100644
> index 0000000000000..c0f01b1be726d
> --- /dev/null
> +++ b/drivers/dma/sdxi/descriptor.h
[ ... ]
> +static inline void sdxi_desc_vl_expect(const struct sdxi_desc *desc, bool expected)
> +{
> + u8 vl = FIELD_GET(SDXI_DSC_VL, le32_to_cpu(desc->opcode));
> +
> + WARN_RATELIMIT(vl != expected, "expected vl=%u but got %u\n", expected, vl);
> +}
The descriptor ring is often mapped as DMA coherent memory, which on many
architectures is Write-Combining or uncached. Does reading desc->opcode
here and in the calling functions trigger synchronous, non-posted PCIe reads?
If these helpers are called directly on the DMA ring, this read-modify-write
pattern might cause multiple PCIe reads per descriptor and artificially cap
the DMA engine's throughput. Is there a way to redesign the API to avoid
reading from the ring, perhaps by returning the modified opcode or passing
it as state?
[ ... ]
> +static inline void sdxi_desc_set_fence(struct sdxi_desc *desc)
> +{
> + u32 opcode = le32_to_cpu(desc->opcode);
> +
> + sdxi_desc_vl_expect(desc, 0);
Can this double-read sequence lead to a time-of-check to time-of-use race?
If the driver erroneously calls this helper on an active descriptor (vl=1),
the first read of desc->opcode into the local opcode variable fetches vl=1.
If the hardware then completes the operation and writes vl=0 to desc->opcode
in memory, the second read inside sdxi_desc_vl_expect() fetches vl=0.
The validation check would then succeed, bypassing the WARN_RATELIMIT safety
net. The helper then writes back the stale local opcode (which still has
vl=1) to memory, silently re-submitting the completed descriptor.
Could desc->opcode be read exactly once using READ_ONCE(), and that local
value passed into sdxi_desc_vl_expect() to avoid this race?
> + FIELD_MODIFY(SDXI_DSC_FE, &opcode, 1);
> + desc->opcode = cpu_to_le32(opcode);
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260511-sdxi-base-v2-0-889cfed17e3f@amd.com?part=16
next prev parent reply other threads:[~2026-05-13 20:21 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-11 19:16 [PATCH v2 00/23] dmaengine: Smart Data Accelerator Interface (SDXI) basic support Nathan Lynch via B4 Relay
2026-05-11 19:16 ` [PATCH v2 01/23] PCI: Add SNIA SDXI accelerator sub-class Nathan Lynch via B4 Relay
2026-05-11 20:48 ` Frank Li
2026-05-12 23:50 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 02/23] MAINTAINERS: Add entry for SDXI driver Nathan Lynch via B4 Relay
2026-05-11 19:16 ` [PATCH v2 03/23] dmaengine: sdxi: Add PCI initialization Nathan Lynch via B4 Relay
2026-05-11 21:22 ` Frank Li
2026-05-13 0:05 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 04/23] dmaengine: sdxi: Feature discovery and initial configuration Nathan Lynch via B4 Relay
2026-05-11 21:30 ` Frank Li
2026-05-13 0:33 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 05/23] dmaengine: sdxi: Configure context tables Nathan Lynch via B4 Relay
2026-05-13 1:12 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 06/23] dmaengine: sdxi: Allocate DMA pools Nathan Lynch via B4 Relay
2026-05-13 1:30 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 07/23] dmaengine: sdxi: Allocate administrative context Nathan Lynch via B4 Relay
2026-05-13 2:20 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 08/23] dmaengine: sdxi: Install " Nathan Lynch via B4 Relay
2026-05-13 3:17 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 09/23] dmaengine: sdxi: Start functions on probe, stop on remove Nathan Lynch via B4 Relay
2026-05-13 3:35 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 10/23] dmaengine: sdxi: Complete administrative context jump start Nathan Lynch via B4 Relay
2026-05-13 3:54 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 11/23] dmaengine: sdxi: Add client context alloc and release APIs Nathan Lynch via B4 Relay
2026-05-13 4:46 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 12/23] dmaengine: sdxi: Add descriptor ring management Nathan Lynch via B4 Relay
2026-05-13 5:21 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 13/23] dmaengine: sdxi: Add unit tests for descriptor ring reservations Nathan Lynch via B4 Relay
2026-05-13 5:48 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 14/23] dmaengine: sdxi: Attach descriptor ring state to contexts Nathan Lynch via B4 Relay
2026-05-13 19:31 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 15/23] dmaengine: sdxi: Per-context access key (AKey) table entry allocator Nathan Lynch via B4 Relay
2026-05-13 19:54 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 16/23] dmaengine: sdxi: Generic descriptor manipulation helpers Nathan Lynch via B4 Relay
2026-05-13 20:21 ` sashiko-bot [this message]
2026-05-11 19:16 ` [PATCH v2 17/23] dmaengine: sdxi: Add completion status block API Nathan Lynch via B4 Relay
2026-05-13 20:38 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 18/23] dmaengine: sdxi: Encode context start, stop, and sync descriptors Nathan Lynch via B4 Relay
2026-05-11 19:16 ` [PATCH v2 19/23] dmaengine: sdxi: Provide context start and stop APIs Nathan Lynch via B4 Relay
2026-05-13 21:18 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 20/23] dmaengine: sdxi: Encode nop, copy, and interrupt descriptors Nathan Lynch via B4 Relay
2026-05-13 21:33 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 21/23] dmaengine: sdxi: Add unit tests for descriptor encoding Nathan Lynch via B4 Relay
2026-05-13 21:55 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 22/23] dmaengine: sdxi: MSI/MSI-X vector allocation and mapping Nathan Lynch via B4 Relay
2026-05-13 22:17 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 23/23] dmaengine: sdxi: Add DMA engine provider Nathan Lynch via B4 Relay
2026-05-11 20:47 ` Frank Li
2026-05-11 22:28 ` Lynch, Nathan
2026-05-13 20:01 ` Frank Li
2026-05-13 22:57 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260513202115.B748AC19425@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=devnull+nathan.lynch.amd.com@kernel.org \
--cc=dmaengine@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox