From: sashiko-bot@kernel.org
To: "Pradhan, Sanman" <sanman.pradhan@hpe.com>
Cc: linux-hwmon@vger.kernel.org
Subject: Re: [PATCH v4 2/2] hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt
Date: Fri, 10 Apr 2026 01:33:21 +0000 [thread overview]
Message-ID: <20260410013323.42269C4CEF7@smtp.kernel.org> (raw)
In-Reply-To: <20260410002521.422645-3-sanman.pradhan@hpe.com>
Sashiko AI review found 1 potential issue(s):
- [Critical] Unsafe DMA Buffer Allocation / Cacheline Sharing in `struct powerz_priv`
--
commit eb68688b567b41c8eb7f2b911d80d14a178791ce
Author: Sanman Pradhan <psanman@juniper.net>
hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt
This commit fixes a bug where wait_for_completion_interruptible_timeout
returning a negative value due to a signal would bypass the usb_kill_urb
cleanup. It captures the return value into a long and handles both the
signal and timeout cases appropriately.
> diff --git a/drivers/hwmon/powerz.c b/drivers/hwmon/powerz.c
> index a75b941bd6e2f..96438f5f05d48 100644
> --- a/drivers/hwmon/powerz.c
> +++ b/drivers/hwmon/powerz.c
[ ... ]
> @@ -127,8 +128,14 @@ static int powerz_read_data(struct usb_device *udev, struct powerz_priv *priv)
> if (ret)
> return ret;
>
> - if (!wait_for_completion_interruptible_timeout
> - (&priv->completion, msecs_to_jiffies(5))) {
> + rc = wait_for_completion_interruptible_timeout(&priv->completion,
> + msecs_to_jiffies(5));
This isn't a bug introduced by this patch, but could this completion logic
be vulnerable to memory corruption on architectures with larger cache
lines?
Looking at struct powerz_priv:
struct powerz_priv {
char transfer_buffer[64];
struct mutex mutex;
struct completion completion;
struct urb *urb;
int status;
};
Since transfer_buffer[64] only occupies 64 bytes, could it share a
cacheline with the mutex and completion fields on architectures where
ARCH_DMA_MINALIGN is greater than 64?
When the USB subsystem unmaps the DMA buffer after a transfer, the DMA
layer might invalidate the entire cacheline. If the CPU concurrently
modifies the completion or mutex fields during wait queue operations
or locking, could those CPU writes be lost due to the invalidation?
Would it be safer to allocate the transfer buffer separately using a
dedicated allocation, or add adequate padding to ensure it occupies its
own cacheline?
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260410002521.422645-1-sanman.pradhan@hpe.com?part=2
next prev parent reply other threads:[~2026-04-10 1:33 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-10 0:25 [PATCH v4 0/2] hwmon: (powerz) Fix disconnect and signal handling bugs Pradhan, Sanman
2026-04-10 0:25 ` [PATCH v4 1/2] hwmon: (powerz) Fix use-after-free on USB disconnect Pradhan, Sanman
2026-04-10 1:04 ` sashiko-bot
2026-04-10 15:28 ` Guenter Roeck
2026-04-10 0:25 ` [PATCH v4 2/2] hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt Pradhan, Sanman
2026-04-10 1:33 ` sashiko-bot [this message]
2026-04-10 15:29 ` Guenter Roeck
2026-04-10 5:29 ` [PATCH v4 0/2] hwmon: (powerz) Fix disconnect and signal handling bugs Thomas Weißschuh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260410013323.42269C4CEF7@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-hwmon@vger.kernel.org \
--cc=sanman.pradhan@hpe.com \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox