From: sashiko-bot@kernel.org
To: "Nathan Lynch via B4 Relay" <devnull+nathan.lynch.amd.com@kernel.org>
Cc: dmaengine@vger.kernel.org, vkoul@kernel.org, Frank.Li@kernel.org,
linux-pci@vger.kernel.org
Subject: Re: [PATCH v2 12/23] dmaengine: sdxi: Add descriptor ring management
Date: Wed, 13 May 2026 05:21:36 +0000
Message-ID: <20260513052137.14261C4AF0B@smtp.kernel.org>
In-Reply-To: <20260511-sdxi-base-v2-12-889cfed17e3f@amd.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] Unkillable task hang and Use-After-Free in ring reservation during device removal or hardware wedge.
- [High] Potential torn reads of the shared 64-bit read index on 32-bit architectures permanently wedge the ring.
- [Low] Macro `sdxi_ring_resv_foreach` evaluates the `resv_` argument multiple times.
--
commit fb903a32d5204efe5e95d75203c430ca1c4e7e8d
Author: Nathan Lynch <nathan.lynch@amd.com>
dmaengine: sdxi: Add descriptor ring management
This commit introduces a library for managing SDXI descriptor ring state,
encapsulating free space checks, write index updates, and reservation
iteration. It provides blocking and non-blocking reservation APIs and
mechanisms to iterate over descriptors within a reservation.
> diff --git a/drivers/dma/sdxi/ring.c b/drivers/dma/sdxi/ring.c
> new file mode 100644
> index 0000000000000..91b28c7afbbf9
> --- /dev/null
> +++ b/drivers/dma/sdxi/ring.c
[ ... ]
> +static u64 sdxi_ring_state_load_ridx(struct sdxi_ring_state *rs)
> +{
> + lockdep_assert_held(&rs->lock);
> + return le64_to_cpu(READ_ONCE(*rs->read_index_ptr));
> +}
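Review bot: sdxi_ring_state_load_ridx() asserts rs->lock but then uses READ_ONCE() on *rs->read_index_ptr, which implies a writer that does not take that lock, and nothing in the function says who that writer is. A short comment naming the writer and stating what the lock does and does not serialize here would let a reader check the locking rule.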
Can this result in a torn read on 32-bit architectures? READ_ONCE() on a
64-bit variable expands to two 32-bit load instructions on 32-bit systems.
Since the SDXI hardware updates this memory location concurrently via DMA,
the CPU might observe a torn value if the read occurs while the index
crosses a 32-bit boundary. This could produce a massively inflated read
index, causing the subsequent check in sdxi_ring_try_reserve() to
permanently return -EIO.
[ ... ]
> +/* Blocking ring reservation. Retries until success or non-transient error. */
> +int sdxi_ring_reserve(struct sdxi_ring_state *rs, size_t nr,
> + struct sdxi_ring_resv *resv)
> +{
> + int ret;
> +
> + wait_event(rs->wqh,
> + (ret = sdxi_ring_try_reserve(rs, nr, resv)) != -EBUSY);
> +
> + return ret;
> +}
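Review bot: the comment above sdxi_ring_reserve() does not say that the function sleeps, and wait_event() sleeps uninterruptibly, so a caller cannot tell from it that atomic context is off limits. It also leaves "non-transient error" undefined while the code treats only -EBUSY as transient; a kernel-doc block stating the calling context and the possible return values would cover both.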
Does this wait_event() need to handle timeouts or signals? If the hardware
wedges or the device is hot-unplugged, the read index will never advance,
leaving tasks permanently hung in TASK_UNINTERRUPTIBLE sleep.
Furthermore, if the driver is unbound and destroys the wait queue while
tasks are still waiting here, could this result in a use-after-free and
subsequent kernel panic when the scheduler interacts with the freed wait
queue?
[ ... ]
> diff --git a/drivers/dma/sdxi/ring.h b/drivers/dma/sdxi/ring.h
> new file mode 100644
> index 0000000000000..d5682687c05cd
> --- /dev/null
> +++ b/drivers/dma/sdxi/ring.h
[ ... ]
> +#define sdxi_ring_resv_foreach(resv_, desc_) \
> + for (sdxi_ring_resv_reset(resv_), \
> + desc_ = sdxi_ring_resv_next(resv_); \
> + desc_; \
> + desc_ = sdxi_ring_resv_next(resv_))
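Review bot: in sdxi_ring_resv_foreach() the desc_ argument is used unparenthesized as an assignment target and as the loop condition, so it is expanded three times as well and an argument that is not a plain lvalue would misparse. Writing the uses as (desc_) and (resv_), and adding a comment that both arguments must be free of side effects, would make the macro's contract explicit.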
This isn't a bug, but this macro evaluates the resv_ argument multiple times.
If a caller passes an expression with side effects, it could cause unintended
behavior.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260511-sdxi-base-v2-0-889cfed17e3f@amd.com?part=12
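
The torn-read concern raised above for sdxi_ring_state_load_ridx(), as an added example that is not part of the patch or of this review: a userspace C model in which a 64-bit index is read as two 32-bit words while the writer crosses a 32-bit boundary, next to a hi-lo-hi re-read that rejects the mixed value. struct split_idx, the hook and all function names are hypothetical, and the re-read assumes an index that only increases.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed model: a 64-bit index as the two words a 32-bit CPU loads. */
struct split_idx { volatile uint32_t lo, hi; };
/* Hypothetical hook: models the device writing between two CPU loads. */
typedef void (*between_fn)(struct split_idx *);
static void dev_store(struct split_idx *s, uint64_t v)
{ s->lo = (uint32_t)v; s->hi = (uint32_t)(v >> 32); }
/* The device moves the index across the 32-bit boundary exactly once. */
static int fired;
static void device_advance_once(struct split_idx *s)
{ if (!fired) { fired = 1; dev_store(s, 0x100000000ULL); } }

/* Two independent loads: the halves can belong to different index values. */
static uint64_t load_naive(struct split_idx *s, between_fn between)
{
	uint32_t lo = s->lo;
	between(s);
	uint32_t hi = s->hi;
	return ((uint64_t)hi << 32) | lo;
}

/* hi-lo-hi: retry until the high word is unchanged around the low load. */
static uint64_t load_stable(struct split_idx *s, between_fn between)
{
	uint32_t hi, lo, hi2;
	do {
		hi = s->hi;
		between(s);
		lo = s->lo;
		hi2 = s->hi;
	} while (hi != hi2);
	return ((uint64_t)hi << 32) | lo;
}

/* Start just below the boundary and let the device advance mid-read. */
static uint64_t demo(uint64_t (*load)(struct split_idx *, between_fn))
{
	struct split_idx s;
	dev_store(&s, 0xFFFFFFFFULL);
	fired = 0;
	return load(&s, device_advance_once);
}

int main(void)
{
	printf("naive:  %#llx\n", (unsigned long long)demo(load_naive));
	printf("stable: %#llx\n", (unsigned long long)demo(load_stable));
	return 0;
}
```

The naive load combines the old low word with the new high word and lands far ahead of the value the writer actually stored; the re-read returns the stored value.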