From: sashiko-bot@kernel.org
To: "Nathan Lynch via B4 Relay" <devnull+nathan.lynch.amd.com@kernel.org>
Cc: vkoul@kernel.org, linux-pci@vger.kernel.org,
dmaengine@vger.kernel.org, Frank.Li@kernel.org
Subject: Re: [PATCH v3 09/23] dmaengine: sdxi: Start functions on probe, stop on remove
Date: Sat, 06 Jun 2026 00:14:48 +0000 [thread overview]
Message-ID: <20260606001448.CC4DA1F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260605-sdxi-base-v3-9-4d38ca2bdffe@amd.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [High] Device continues DMA into freed memory if activation fails during probe or if soft-stop times out during driver removal.
- [High] Missing `pci_free_irq_vectors()` in the device remove callback and error paths leaks IRQ resources.
Pre-existing issues:
- [High] Missing switch case in `sdxi_dev_stop()` for `SDXI_GSV_STOP` causes a race condition and spurious reset.
--
commit fce324da74dfb9a79bfe266368af63dc843a0386
Author: Nathan Lynch <nathan.lynch@amd.com>
dmaengine: sdxi: Start functions on probe, stop on remove
This commit drives each SDXI function to the active state during probe by
writing to the GSR register and polling for the GSV_ACTIVE state. It also
introduces an unregister function to stop the device during driver removal.
> diff --git a/drivers/dma/sdxi/device.c b/drivers/dma/sdxi/device.c
> index 4d595e79b8ce5..e8f087f758fde 100644
> --- a/drivers/dma/sdxi/device.c
> +++ b/drivers/dma/sdxi/device.c
[ ... ]
> +static int sdxi_dev_start(struct sdxi_dev *sdxi)
> +{
> + enum sdxi_fn_gsv status = sdxi_dev_gsv(sdxi);
> + int ret;
[ ... ]
> + sdxi_write_fn_gsr(sdxi, SDXI_GSRV_ACTIVE);
> +
> + ret = sdxi_dev_gsv_poll(sdxi, status,
> + status == SDXI_GSV_ACTIVE ||
> + status == SDXI_GSV_ERROR);
> + if (ret) {
> + dev_err(sdxi->dev, "activation timed out, current state: %s\n",
> + gsv_str(status));
> + return ret;
> + }
[Severity: High]
Is there a risk of DMA use-after-free here?
If the device fails to reach the ACTIVE state within the timeout, this returns
-ETIMEDOUT without forcing the device to a hard stop or reset.
Since the error propagates up and causes the probe to fail, devres will
subsequently free DMA-mapped memory such as the L1 and L2 tables. If the
hardware state machine is still running and eventually activates, could it
continue to perform DMA into the freed memory?
[ ... ]
> @@ -290,6 +330,14 @@ int sdxi_register(struct device *dev, const struct sdxi_bus_ops *ops)
> }
> EXPORT_SYMBOL_NS_GPL(sdxi_register, "SDXI");
>
> +void sdxi_unregister(struct device *dev)
> +{
> + struct sdxi_dev *sdxi = dev_get_drvdata(dev);
> +
> + sdxi_dev_stop(sdxi);
> +}
[Severity: High]
Does this safely handle a timeout during stop?
Since the return value of sdxi_dev_stop() is ignored, the unbind process
will continue and free memory even if the hardware refused to stop. This
seems like it could also allow the device to continue DMA into freed memory.
[Severity: High]
This is a pre-existing issue, but looking at sdxi_dev_stop() itself, could
the missing SDXI_GSV_STOP case cause a spurious reset?
If sdxi_dev_stop() is called when the device is already in the STOP state:
drivers/dma/sdxi/device.c:sdxi_dev_stop() {
...
switch (status) {
case SDXI_GSV_INIT:
case SDXI_GSV_ACTIVE:
sdxi_write_fn_gsr(sdxi, SDXI_GSRV_STOP_SF);
break;
default:
/* Unrecognized state; try a reset. */
sdxi_write_fn_gsr(sdxi, SDXI_GSRV_RESET);
break;
}
/* Wait for transition to either stop or error state. */
ret = sdxi_dev_gsv_poll(sdxi, status,
status == SDXI_GSV_STOP ||
status == SDXI_GSV_ERROR);
...
}
The status falls through to the default case, writing SDXI_GSRV_RESET to the
hardware. The read_poll_timeout() then immediately reads the STOP state
(before the asynchronous reset takes effect) and returns success.
Could the subsequent initialization steps then execute concurrently with the
hardware reset, causing undefined device behavior?
> diff --git a/drivers/dma/sdxi/pci.c b/drivers/dma/sdxi/pci.c
> index 42e8af008b100..4d7d6812da6d8 100644
> --- a/drivers/dma/sdxi/pci.c
> +++ b/drivers/dma/sdxi/pci.c
[ ... ]
> +static void sdxi_pci_remove(struct pci_dev *pdev)
> +{
> + pci_disable_sriov(pdev);
> + sdxi_unregister(&pdev->dev);
> +}
[Severity: High]
Does this leak the IRQ vectors allocated during probe?
The driver allocates IRQ vectors using pci_alloc_irq_vectors() in
sdxi_pci_init(), but this remove callback completes without calling
pci_free_irq_vectors().
Similarly, if sdxi_device_init() fails in sdxi_register(), the error is
returned directly without freeing the IRQ vectors.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260605-sdxi-base-v3-0-4d38ca2bdffe@amd.com?part=9
next prev parent reply other threads:[~2026-06-06 0:14 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-06 0:02 [PATCH v3 00/23] dmaengine: Smart Data Accelerator Interface (SDXI) basic support Nathan Lynch via B4 Relay
2026-06-06 0:02 ` [PATCH v3 01/23] PCI: Add SNIA SDXI accelerator sub-class Nathan Lynch via B4 Relay
2026-06-06 0:02 ` [PATCH v3 02/23] MAINTAINERS: Add entry for SDXI driver Nathan Lynch via B4 Relay
2026-06-06 0:02 ` [PATCH v3 03/23] dmaengine: sdxi: Add PCI initialization Nathan Lynch via B4 Relay
2026-06-06 0:02 ` [PATCH v3 04/23] dmaengine: sdxi: Feature discovery and initial configuration Nathan Lynch via B4 Relay
2026-06-06 0:14 ` sashiko-bot
2026-06-06 0:02 ` [PATCH v3 05/23] dmaengine: sdxi: Configure context tables Nathan Lynch via B4 Relay
2026-06-06 0:02 ` [PATCH v3 06/23] dmaengine: sdxi: Allocate DMA pools Nathan Lynch via B4 Relay
2026-06-06 0:15 ` sashiko-bot
2026-06-06 0:02 ` [PATCH v3 07/23] dmaengine: sdxi: Allocate administrative context Nathan Lynch via B4 Relay
2026-06-06 0:02 ` [PATCH v3 08/23] dmaengine: sdxi: Install " Nathan Lynch via B4 Relay
2026-06-06 0:26 ` sashiko-bot
2026-06-06 0:02 ` [PATCH v3 09/23] dmaengine: sdxi: Start functions on probe, stop on remove Nathan Lynch via B4 Relay
2026-06-06 0:14 ` sashiko-bot [this message]
2026-06-06 0:02 ` [PATCH v3 10/23] dmaengine: sdxi: Complete administrative context jump start Nathan Lynch via B4 Relay
2026-06-06 0:12 ` sashiko-bot
2026-06-06 0:02 ` [PATCH v3 11/23] dmaengine: sdxi: Add client context alloc and release APIs Nathan Lynch via B4 Relay
2026-06-06 0:22 ` sashiko-bot
2026-06-06 0:02 ` [PATCH v3 12/23] dmaengine: sdxi: Add descriptor ring management Nathan Lynch via B4 Relay
2026-06-06 0:19 ` sashiko-bot
2026-06-06 0:02 ` [PATCH v3 13/23] dmaengine: sdxi: Add unit tests for descriptor ring reservations Nathan Lynch via B4 Relay
2026-06-06 0:16 ` sashiko-bot
2026-06-06 0:02 ` [PATCH v3 14/23] dmaengine: sdxi: Attach descriptor ring state to contexts Nathan Lynch via B4 Relay
2026-06-06 0:24 ` sashiko-bot
2026-06-06 0:02 ` [PATCH v3 15/23] dmaengine: sdxi: Per-context access key (AKey) table entry allocator Nathan Lynch via B4 Relay
2026-06-06 0:20 ` sashiko-bot
2026-06-06 0:02 ` [PATCH v3 16/23] dmaengine: sdxi: Generic descriptor manipulation helpers Nathan Lynch via B4 Relay
2026-06-06 0:02 ` [PATCH v3 17/23] dmaengine: sdxi: Add completion status block API Nathan Lynch via B4 Relay
2026-06-06 0:21 ` sashiko-bot
2026-06-06 0:02 ` [PATCH v3 18/23] dmaengine: sdxi: Encode context start, stop, and sync descriptors Nathan Lynch via B4 Relay
2026-06-06 0:02 ` [PATCH v3 19/23] dmaengine: sdxi: Provide context start and stop APIs Nathan Lynch via B4 Relay
2026-06-06 0:22 ` sashiko-bot
2026-06-06 0:02 ` [PATCH v3 20/23] dmaengine: sdxi: Encode nop, copy, and interrupt descriptors Nathan Lynch via B4 Relay
2026-06-06 0:20 ` sashiko-bot
2026-06-06 0:02 ` [PATCH v3 21/23] dmaengine: sdxi: Add unit tests for descriptor encoding Nathan Lynch via B4 Relay
2026-06-06 0:26 ` sashiko-bot
2026-06-06 0:02 ` [PATCH v3 22/23] dmaengine: sdxi: MSI/MSI-X vector allocation and mapping Nathan Lynch via B4 Relay
2026-06-06 0:31 ` sashiko-bot
2026-06-06 0:02 ` [PATCH v3 23/23] dmaengine: sdxi: Add DMA engine provider Nathan Lynch via B4 Relay
2026-06-06 0:33 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260606001448.CC4DA1F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=devnull+nathan.lynch.amd.com@kernel.org \
--cc=dmaengine@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox