From: sashiko-bot@kernel.org
To: "Frank Li" <Frank.Li@nxp.com>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH v4 8/9] PCI: epf-mhi: Use dmaengine_prep_config_single() to simplify code
Date: Wed, 06 May 2026 23:26:15 +0000 [thread overview]
Message-ID: <20260506232615.C2334C2BCB0@smtp.kernel.org> (raw)
In-Reply-To: <20260506-dma_prep_config-v4-8-85b3d22babff@nxp.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Critical] Asymmetric DMA workqueue teardown risks Use-After-Free on late callbacks.
- [High] Synchronous transfer timeouts indiscriminately kill concurrent async transfers, leaking their memory and mappings.
--
commit 05444e0385986a82cafbe547e6d0ad335a0e1fbb
Author: Frank Li <Frank.Li@nxp.com>
PCI: epf-mhi: Use dmaengine_prep_config_single() to simplify code
Use dmaengine_prep_config_single() to simplify pci_epf_mhi_edma_read[_sync]()
and pci_epf_mhi_edma_write[_sync](). No functional change.
> diff --git a/drivers/pci/endpoint/functions/pci-epf-mhi.c b/drivers/pci/endpoint/functions/pci-epf-mhi.c
> index 7f5326925ed54..c3e3b58fb86cd 100644
> --- a/drivers/pci/endpoint/functions/pci-epf-mhi.c
> +++ b/drivers/pci/endpoint/functions/pci-epf-mhi.c
> @@ -342,9 +336,10 @@ static int pci_epf_mhi_edma_read(struct mhi_ep_cntrl *mhi_cntrl,
> goto err_unlock;
> }
>
> - desc = dmaengine_prep_slave_single(chan, dst_addr, buf_info->size,
> - DMA_DEV_TO_MEM,
> - DMA_CTRL_ACK | DMA_PREP_INTERRUPT);
> + desc = dmaengine_prep_config_single(chan, dst_addr, buf_info->size,
> + DMA_DEV_TO_MEM,
> + DMA_CTRL_ACK | DMA_PREP_INTERRUPT,
> + &config);
> if (!desc) {
> dev_err(dev, "Failed to prepare DMA\n");
> ret = -EIO;
This isn't a bug introduced by this commit, but in pci_epf_mhi_edma_read() and
pci_epf_mhi_edma_write(), if the synchronous transfer times out (e.g., if the
channel is stuck processing a prior async transfer), the error recovery path
calls dmaengine_terminate_sync(chan):
ret = wait_for_completion_timeout(&complete, msecs_to_jiffies(1000));
if (!ret) {
dev_err(dev, "DMA transfer timeout\n");
dmaengine_terminate_sync(chan);
ret = -ETIMEDOUT;
} else {
Because async transfers run concurrently and share the channel, does this
abruptly abort them without invoking their completion callbacks?
Will this leak the transfer structures and their dma_map_single()
mappings, and stall the MHI endpoint data channel?
[ ... ]
This isn't a bug introduced by this commit, but looking at
pci_epf_mhi_dma_deinit(), it destroys the workqueue before releasing the
active DMA channels:
destroy_workqueue(epf_mhi->dma_wq);
dma_release_channel(epf_mhi->dma_chan_tx);
dma_release_channel(epf_mhi->dma_chan_rx);
If an asynchronous DMA transfer completes right after the workqueue is
destroyed but before the channel is fully released, the dmaengine interrupt
handler will invoke pci_epf_mhi_dma_async_callback(). This callback
unconditionally calls queue_work(epf_mhi->dma_wq, ...).
Does attempting to enqueue work onto a destroyed workqueue cause a
use-after-free memory corruption?
Should the channels be explicitly terminated with dmaengine_terminate_sync()
before the workqueue is destroyed?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260506-dma_prep_config-v4-0-85b3d22babff@nxp.com?part=8
next prev parent reply other threads:[~2026-05-06 23:26 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-06 20:44 [PATCH v4 0/9] dmaengine: Add new API to combine configuration and descriptor preparation Frank Li
2026-05-06 20:44 ` [PATCH v4 1/9] dmaengine: Add API to combine configuration and preparation (sg and single) Frank Li
2026-05-06 21:39 ` sashiko-bot
2026-05-06 20:44 ` [PATCH v4 2/9] dmaengine: Add safe API to combine configuration and preparation Frank Li
2026-05-06 22:02 ` sashiko-bot
2026-05-06 20:44 ` [PATCH v4 3/9] PCI: endpoint: pci-epf-test: Use dmaenigne_prep_config_single() to simplify code Frank Li
2026-05-06 20:44 ` [PATCH v4 4/9] dmaengine: dw-edma: Use new .device_prep_config_sg() callback Frank Li
2026-05-06 22:17 ` sashiko-bot
2026-05-06 20:44 ` [PATCH v4 5/9] dmaengine: dw-edma: Pass dma_slave_config to dw_edma_device_transfer() Frank Li
2026-05-06 22:36 ` sashiko-bot
2026-05-06 20:44 ` [PATCH v4 6/9] nvmet: pci-epf: Remove unnecessary dmaengine_terminate_sync() on each DMA transfer Frank Li
2026-05-06 20:44 ` [PATCH v4 7/9] nvmet: pci-epf: Use dmaengine_prep_config_single_safe() API Frank Li
2026-05-06 23:05 ` sashiko-bot
2026-05-06 20:44 ` [PATCH v4 8/9] PCI: epf-mhi: Use dmaengine_prep_config_single() to simplify code Frank Li
2026-05-06 23:26 ` sashiko-bot [this message]
2026-05-06 20:44 ` [PATCH v4 9/9] crypto: atmel: Use dmaengine_prep_config_single() API Frank Li
2026-05-06 23:31 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260506232615.C2334C2BCB0@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@nxp.com \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox