From: sashiko-bot@kernel.org
To: "Wei Fang" <wei.fang@nxp.com>
Cc: Frank.Li@kernel.org, imx@lists.linux.dev
Subject: Re: [PATCH net-next 14/15] net: enetc: refactor MR interrupt enable/disable helpers
Date: Tue, 12 May 2026 23:34:31 +0000 [thread overview]
Message-ID: <20260512233431.A5B42C2BCB0@smtp.kernel.org> (raw)
In-Reply-To: <20260511080805.2052495-15-wei.fang@nxp.com>
Thank you for your contribution! Sashiko AI review found 5 potential issue(s) to consider:
- [High] Teardown race in enetc_msg_psi_free() leading to Use-After-Free.
- [High] Uninitialized work_struct access in enetc_msg_psi_init() leading to kernel panic.
- [High] Resource leak and Use-After-Free on error path in enetc_msg_psi_init().
- [High] DMA Memory Use-After-Free in enetc_msg_free_mbx().
- [High] Race condition in enetc_msg_task() resulting in missed VF messages.
--
commit 776ed9b5141bfafabe9032ba504482f8555f1985
Author: Wei Fang <wei.fang@nxp.com>
net: enetc: refactor MR interrupt enable/disable helpers
The patch consolidates enetc_msg_enable_mr_int() and
enetc_msg_disable_mr_int() into a single enetc_msg_set_mr_int() helper
that takes a boolean enable parameter. This prepares the code for
dynamic interrupt mask generation based on the number of enabled VFs.
> diff --git a/drivers/net/ethernet/freescale/enetc/enetc_msg.c b/drivers/net/ethernet/freescale/enetc/enetc_msg.c
> index f3e78865617e6..73e32c9b65a89 100644
> --- a/drivers/net/ethernet/freescale/enetc/enetc_msg.c
> +++ b/drivers/net/ethernet/freescale/enetc/enetc_msg.c
[ ... ]
> @@ -171,7 +171,7 @@ static void enetc_msg_task(struct work_struct *work)
> if (!mr_mask) {
> /* re-arm MR interrupts, w1c the IDR reg */
> enetc_wr(hw, ENETC_PSIIDR, ENETC_PSIIER_MR_MASK);
> - enetc_msg_enable_mr_int(hw);
> + enetc_msg_set_mr_int(pf, true);
> return;
> }
This isn't a bug in your patch, but is there a race condition here that
could result in missed VF messages?
The code reads ENETC_PSIMSGRR earlier in the loop. If a VF sends a message
after the read but before the write to ENETC_PSIIDR, the hardware will set
the interrupt status bit, which is then immediately cleared by the write
to ENETC_PSIIDR. When the interrupt is enabled shortly after, it will not
fire.
Should the driver clear the interrupt status before checking for messages?
[ ... ]
> @@ -264,7 +264,7 @@ static int enetc_msg_psi_init(struct enetc_pf *pf)
> }
>
> /* enable MR interrupts */
> - enetc_msg_enable_mr_int(&si->hw);
> + enetc_msg_set_mr_int(pf, true);
>
> return 0;
This isn't a bug in your patch, but looking at the surrounding code in
enetc_msg_psi_init(), is there a risk of accessing an uninitialized
work_struct?
vector = pci_irq_vector(si->pdev, ENETC_SI_INT_IDX);
err = request_irq(vector, enetc_msg_psi_msix, 0, pf->msg_int_name, si);
...
/* initialize PSI mailbox */
INIT_WORK(&pf->msg_task, enetc_msg_task);
Since request_irq() enables the interrupt immediately, if a pending
interrupt fires before INIT_WORK() is called, the handler will schedule
the uninitialized work_struct. Should INIT_WORK() be called before
request_irq()?
Also, looking at the error path just below this:
err_init_mbx:
for (i--; i >= 0; i--)
enetc_msg_free_mbx(si, i);
free_irq(vector, si);
return err;
Does this code leak the scheduled work? If an interrupt fired during the
allocation loop and scheduled pf->msg_task, free_irq() will wait for the
handler to finish but will not cancel the scheduled work. After returning,
the work could execute and access the freed mailbox memory. Should
cancel_work_sync() be called in this error path?
>
> @@ -285,7 +285,7 @@ static void enetc_msg_psi_free(struct enetc_pf *pf)
> cancel_work_sync(&pf->msg_task);
>
> /* disable MR interrupts */
> - enetc_msg_disable_mr_int(&si->hw);
> + enetc_msg_set_mr_int(pf, false);
This isn't a bug in your patch, but is there a teardown race here?
If a hardware interrupt fires right after cancel_work_sync() completes,
the handler will execute and call schedule_work(&pf->msg_task). The work
will then run after the mailboxes are freed and the IRQ is unregistered.
Should enetc_msg_set_mr_int() and free_irq() be called before
cancel_work_sync()?
>
> for (i = 0; i < pf->num_vfs; i++)
> enetc_msg_free_mbx(si, i);
While looking at this teardown path, I noticed enetc_msg_free_mbx() calls
dma_free_coherent() before clearing the hardware base address registers
(ENETC_PSIVMSGRCVAR0 and ENETC_PSIVMSGRCVAR1).
If a VF sends a message before the registers are zeroed, could the hardware
perform a DMA write to memory that has already been returned to the allocator?
Should the hardware registers be cleared before the backing DMA memory
is freed?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260511080805.2052495-1-wei.fang@nxp.com?part=14
next prev parent reply other threads:[~2026-05-12 23:34 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-11 8:07 [PATCH net-next 00/15] net: enetc: Prepare for ENETC v4 VF support Wei Fang
2026-05-11 8:07 ` [PATCH net-next 01/15] net: enetc: switch VF primary MAC setter to PF ops for commonization Wei Fang
2026-05-11 15:41 ` Vladimir Oltean
2026-05-12 1:54 ` Wei Fang
2026-05-11 8:07 ` [PATCH net-next 02/15] net: enetc: move VF message handlers to enetc_msg.c Wei Fang
2026-05-11 8:07 ` [PATCH net-next 03/15] net: enetc: avoid VF->PF mailbox timeout during SR-IOV teardown Wei Fang
2026-05-11 8:07 ` [PATCH net-next 04/15] net: enetc: relocate SR-IOV configuration helper for common PF support Wei Fang
2026-05-11 8:07 ` [PATCH net-next 05/15] net: enetc: integrate enetc_msg.c into enetc-pf-common driver Wei Fang
2026-05-11 8:07 ` [PATCH net-next 06/15] net: enetc: use read_poll_timeout() for VF mailbox polling Wei Fang
2026-05-11 8:07 ` [PATCH net-next 07/15] net: enetc: convert mailbox messages to new formats Wei Fang
2026-05-11 8:07 ` [PATCH net-next 08/15] net: enetc: add VF-PF messaging support for IP minor revision query Wei Fang
2026-05-11 8:07 ` [PATCH net-next 09/15] net: enetc: align v1 CBDR API with v4 for VF driver sharing Wei Fang
2026-05-11 8:08 ` [PATCH net-next 10/15] net: enetc: add CBDR setup/teardown hooks to enetc_si_ops for VF support Wei Fang
2026-05-11 8:08 ` [PATCH net-next 11/15] net: enetc: add generic helper to initialize SR-IOV resources Wei Fang
2026-05-11 8:08 ` [PATCH net-next 12/15] net: enetc: use MADDR_TYPE for MAC filter array size Wei Fang
2026-05-11 8:08 ` [PATCH net-next 13/15] net: enetc: dynamically allocate rxmsg based on VF count Wei Fang
2026-05-12 23:59 ` sashiko-bot
2026-05-11 8:08 ` [PATCH net-next 14/15] net: enetc: refactor MR interrupt enable/disable helpers Wei Fang
2026-05-12 23:34 ` sashiko-bot [this message]
2026-05-13 10:20 ` Wei Fang
2026-05-11 8:08 ` [PATCH net-next 15/15] net: enetc: generate MR interrupt mask based on the number of enabled VFs Wei Fang
2026-05-12 23:48 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260512233431.A5B42C2BCB0@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=imx@lists.linux.dev \
--cc=sashiko-reviews@lists.linux.dev \
--cc=wei.fang@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox