From: Paolo Abeni <pabeni@redhat.com>
To: illusion.wang@nebula-matrix.com
Cc: dimon.zhao@nebula-matrix.com, alvin.wang@nebula-matrix.com,
sam.chen@nebula-matrix.com, netdev@vger.kernel.org,
andrew+netdev@lunn.ch, corbet@lwn.net, kuba@kernel.org,
horms@kernel.org, linux-doc@vger.kernel.org, pabeni@redhat.com,
vadim.fedorenko@linux.dev, lukas.bulwahn@redhat.com,
edumazet@google.com, enelsonmoore@gmail.com,
skhan@linuxfoundation.org, hkallweit1@gmail.com,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v20 net-next 08/10] net/nebula-matrix: add Dispatch layer implementation
Date: Thu, 2 Jul 2026 11:43:01 +0200 [thread overview]
Message-ID: <20260702094301.111400-1-pabeni@redhat.com> (raw)
In-Reply-To: <20260630010718.4346-9-illusion.wang@nebula-matrix.com>
From: AI Reviewer <ai@example.com>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
Full review at: https://sashiko.dev/
---
net/nebula-matrix: add Dispatch layer implementation
This patch introduces a control-level routing mechanism for the Dispatch layer,
supporting direct and channel routing paths based on declared control levels.
It establishes the message handling framework and sets up the resource layer
locking strategy for operations like MSI-X configuration.
> diff --git a/drivers/net/ethernet/nebula-matrix/nbl/nbl_core/nbl_dispatch.c b/drivers/net/ethernet/nebula-matrix/nbl/nbl_core/nbl_dispatch.c
> index f0b4406ca5601..ca565c6c4819f 100644
> --- a/drivers/net/ethernet/nebula-matrix/nbl/nbl_core/nbl_dispatch.c
> +++ b/drivers/net/ethernet/nebula-matrix/nbl/nbl_core/nbl_dispatch.c
[ ... ]
> +static void nbl_disp_chan_configure_msix_map_resp(void *priv, u16 src_id,
> + u16 msg_id, void *data,
> + u32 data_len)
> +{
> + struct nbl_dispatch_mgt *disp_mgt = (struct nbl_dispatch_mgt *)priv;
> + struct nbl_channel_ops *chan_ops = disp_mgt->chan_ops_tbl->ops;
> + struct nbl_resource_ops *res_ops = disp_mgt->res_ops_tbl->ops;
> + struct nbl_resource_mgt *p = disp_mgt->res_ops_tbl->priv;
> + struct device *dev = disp_mgt->common->dev;
> + struct nbl_chan_param_cfg_msix_map param = { 0 };
> + struct nbl_chan_ack_info chan_ack;
> + int err = NBL_CHAN_RESP_OK;
> + int copy_len;
> + int ret;
> +
> + copy_len = data_len < sizeof(param) ? data_len : sizeof(param);
> + memcpy(¶m, data, copy_len);
> + ret = NBL_OPS_CALL_LOCK_RET(disp_mgt, res_ops->configure_msix_map, p,
> + src_id, le16_to_cpu(param.num_net_msix),
> + le16_to_cpu(param.num_others_msix),
> + le16_to_cpu(param.msix_mask_en));
[Severity: High]
This is a pre-existing issue, but does exposing this configuration via
channel messages allow a VM to trigger an unbounded memory leak?
Looking at the underlying nbl_res_intr_configure_msix_map() implementation,
it allocates device-managed memory for the MSI-X map table:
nbl_res_intr_configure_msix_map() {
...
msix_map_table->base_addr = dmam_alloc_coherent(dev,
msix_map_table->size,
&msix_map_table->dma,
GFP_KERNEL);
...
}
However, prior to this allocation, it appears to call
nbl_res_intr_destroy_msix_map(), which merely clears the pointer without
freeing the previously allocated memory:
nbl_res_intr_destroy_msix_map() {
...
intr_mgt->func_intr_res[func_id].msix_map_table.base_addr = NULL;
...
}
Since this patch wires up nbl_disp_chan_configure_msix_map_resp() to
process NBL_CHAN_MSG_CONFIGURE_MSIX_MAP channel messages from untrusted VMs,
could a compromised VM repeatedly send these messages to exhaust host memory
and DMA mapping space?
> + if (ret)
> + err = NBL_CHAN_RESP_ERR;
> +
> + NBL_CHAN_ACK(chan_ack, src_id, NBL_CHAN_MSG_CONFIGURE_MSIX_MAP, msg_id,
> + err, NULL, 0);
> + ret = chan_ops->send_ack(disp_mgt->chan_ops_tbl->priv, &chan_ack);
> + if (ret)
> + dev_err(dev,
> + "channel send ack failed with ret: %d, msg_type: %d\n",
> + ret, NBL_CHAN_MSG_CONFIGURE_MSIX_MAP);
> +}
--
This is an AI-generated review.
next prev parent reply other threads:[~2026-07-02 9:43 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-30 1:07 [PATCH v20 net-next 00/10] nbl driver for Nebulamatrix NICs illusion.wang
2026-06-30 1:07 ` [PATCH v20 net-next 01/10] net/nebula-matrix: add minimum nbl build framework illusion.wang
2026-06-30 1:07 ` [PATCH v20 net-next 02/10] net/nebula-matrix: add our driver architecture illusion.wang
2026-06-30 1:07 ` [PATCH v20 net-next 03/10] net/nebula-matrix: channel msg value and msg struct illusion.wang
2026-06-30 1:07 ` [PATCH v20 net-next 04/10] net/nebula-matrix: add channel layer illusion.wang
2026-07-02 9:42 ` Paolo Abeni
2026-06-30 1:07 ` [PATCH v20 net-next 05/10] net/nebula-matrix: add common resource implementation illusion.wang
2026-07-02 9:42 ` Paolo Abeni
2026-06-30 1:07 ` [PATCH v20 net-next 06/10] net/nebula-matrix: add intr " illusion.wang
2026-07-02 9:42 ` Paolo Abeni
2026-06-30 1:07 ` [PATCH v20 net-next 07/10] net/nebula-matrix: add vsi " illusion.wang
2026-06-30 1:07 ` [PATCH v20 net-next 08/10] net/nebula-matrix: add Dispatch layer implementation illusion.wang
2026-07-02 9:43 ` Paolo Abeni [this message]
2026-06-30 1:07 ` [PATCH v20 net-next 09/10] net/nebula-matrix: add common/ctrl dev init/remove operation illusion.wang
2026-07-02 9:43 ` Paolo Abeni
2026-06-30 1:07 ` [PATCH v20 net-next 10/10] net/nebula-matrix: add common dev start/stop operation illusion.wang
2026-07-02 9:43 ` Paolo Abeni
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260702094301.111400-1-pabeni@redhat.com \
--to=pabeni@redhat.com \
--cc=alvin.wang@nebula-matrix.com \
--cc=andrew+netdev@lunn.ch \
--cc=corbet@lwn.net \
--cc=dimon.zhao@nebula-matrix.com \
--cc=edumazet@google.com \
--cc=enelsonmoore@gmail.com \
--cc=hkallweit1@gmail.com \
--cc=horms@kernel.org \
--cc=illusion.wang@nebula-matrix.com \
--cc=kuba@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lukas.bulwahn@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=sam.chen@nebula-matrix.com \
--cc=skhan@linuxfoundation.org \
--cc=vadim.fedorenko@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox