From: sashiko-bot@kernel.org
To: "Nathan Lynch via B4 Relay" <devnull+nathan.lynch.amd.com@kernel.org>
Cc: linux-pci@vger.kernel.org, Frank.Li@kernel.org,
dmaengine@vger.kernel.org, vkoul@kernel.org
Subject: Re: [PATCH v2 22/23] dmaengine: sdxi: MSI/MSI-X vector allocation and mapping
Date: Wed, 13 May 2026 22:17:35 +0000 [thread overview]
Message-ID: <20260513221736.2D635C19425@smtp.kernel.org> (raw)
In-Reply-To: <20260511-sdxi-base-v2-22-889cfed17e3f@amd.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [Critical] Hardware is stopped AFTER tearing down active software contexts, leading to use-after-free and DMA corruption.
- [High] Missing pci_free_irq_vectors() in error paths and during unregistration.
- [High] sdxi_alloc_vector() incorrectly allocates vector 0, conflicting with the dedicated error log interrupt.
--
commit e45016c3a6e72f74d9db1a7a06247322707bec64
Author: Nathan Lynch <nathan.lynch@amd.com>
dmaengine: sdxi: MSI/MSI-X vector allocation and mapping
During PCI probe, allocate a vector per context supported by the function
as reported by the capability register, plus one for the error log
interrupt. Introduce sdxi_alloc_vector() and sdxi_free_vector() which are
wrappers around the IDA tracking the allocated vector range. Also introduce
sdxi_vector_to_irq() to translate the device-relative index to the Linux
IRQ number.
> diff --git a/drivers/dma/sdxi/device.c b/drivers/dma/sdxi/device.c
> index cc289b271ae22..79bd776394790 100644
> --- a/drivers/dma/sdxi/device.c
> +++ b/drivers/dma/sdxi/device.c
[ ... ]
> @@ -347,5 +349,7 @@ void sdxi_unregister(struct device *dev)
> sdxi_cxt_exit(cxt);
> xa_destroy(&sdxi->client_cxts);
>
> + ida_destroy(&sdxi->vectors);
> +
> sdxi_dev_stop(sdxi);
> }
This isn't an issue introduced by this patch, but does this sequence lead to a
use-after-free?
sdxi_unregister() iterates over client_cxts and calls sdxi_cxt_exit() for all
active contexts, which frees their descriptor rings and control structures.
Only afterwards does it call sdxi_dev_stop() to stop the hardware.
Because the hardware is still active, it may continue to write to the freed
DMA memory. Additionally, since the DMA engine unregistration happens later
via devres, active DMA channels will still hold pointers to the freed
contexts, leading to a double-free when devres triggers
sdxi_dma_free_chan_resources().
> diff --git a/drivers/dma/sdxi/pci.c b/drivers/dma/sdxi/pci.c
> index 0f72cd359cf5c..67e28b8d7f94d 100644
> --- a/drivers/dma/sdxi/pci.c
> +++ b/drivers/dma/sdxi/pci.c
[ ... ]
> @@ -49,12 +52,35 @@ static int sdxi_pci_init(struct sdxi_dev *sdxi)
> return dev_err_probe(dev, PTR_ERR(sdxi->dbs),
> "failed to map doorbell region\n");
>
> + /*
> + * Allocate the minimum required set of vectors plus one for
> + * each client context supported by the function.
> + */
> + cap1_max_cxt = FIELD_GET(SDXI_MMIO_CAP1_MAX_CXT,
> + sdxi_read64(sdxi, SDXI_MMIO_CAP1));
> + vecs = pci_alloc_irq_vectors(pdev, SDXI_MIN_VECTORS,
> + SDXI_MIN_VECTORS + cap1_max_cxt,
> + PCI_IRQ_MSI | PCI_IRQ_MSIX);
> + if (vecs < 0)
> + return dev_err_probe(dev, vecs,
> + "failed to allocate MSIs (max_cxt=%u)\n",
> + cap1_max_cxt);
> +
> + sdxi->nr_vectors = vecs;
Are the allocated IRQ vectors leaked on error paths and driver unbind?
Looking at sdxi_register() in drivers/dma/sdxi/device.c, if
sdxi_device_init() fails after sdxi->bus_ops->init() succeeds:
sdxi_register()
err = sdxi->bus_ops->init(sdxi);
if (err)
return err;
return sdxi_device_init(sdxi);
There does not seem to be a way to free the vectors since sdxi_bus_ops lacks
a deinit callback. Similarly, sdxi_unregister() cannot release the IRQ
vectors when the driver unbinds.
> diff --git a/drivers/dma/sdxi/sdxi.h b/drivers/dma/sdxi/sdxi.h
> index 1786da7642cc8..11773162c023d 100644
> --- a/drivers/dma/sdxi/sdxi.h
> +++ b/drivers/dma/sdxi/sdxi.h
[ ... ]
> @@ -59,12 +80,48 @@ struct sdxi_dev {
> struct dma_pool *cxt_ctl_pool;
> struct dma_pool *cst_blk_pool;
>
> + unsigned int nr_vectors;
> + struct ida vectors;
> +
> struct sdxi_cxt *admin_cxt;
> struct xarray client_cxts; /* context id -> (struct sdxi_cxt *) */
>
> const struct sdxi_bus_ops *bus_ops;
> };
>
> +/**
> + * sdxi_alloc_vector() - Allocate an interrupt vector.
> + *
> + * A vector that will have the same lifetime as the device does not
> + * need to be released explicitly. Otherwise the vector must be
> + * released with sdxi_free_vector().
> + */
> +static inline int sdxi_alloc_vector(struct sdxi_dev *sdxi)
> +{
> + return ida_alloc_max(&sdxi->vectors, sdxi->nr_vectors - 1,
> + GFP_KERNEL);
> +}
Will this code allocate vector 0 and conflict with the error log interrupt?
The commit message and SDXI_ERROR_VECTOR define vector 0 as reserved for the
error log interrupt. However, ida_alloc_max() starts searching for free IDs
at index 0.
Since vector 0 is never pre-allocated or explicitly reserved in the IDA
during initialization, the first caller to sdxi_alloc_vector() will be
mistakenly assigned vector 0, causing completion interrupts and error log
interrupts to conflict.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260511-sdxi-base-v2-0-889cfed17e3f@amd.com?part=22
next prev parent reply other threads:[~2026-05-13 22:17 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-11 19:16 [PATCH v2 00/23] dmaengine: Smart Data Accelerator Interface (SDXI) basic support Nathan Lynch via B4 Relay
2026-05-11 19:16 ` [PATCH v2 01/23] PCI: Add SNIA SDXI accelerator sub-class Nathan Lynch via B4 Relay
2026-05-11 20:48 ` Frank Li
2026-05-12 23:50 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 02/23] MAINTAINERS: Add entry for SDXI driver Nathan Lynch via B4 Relay
2026-05-11 19:16 ` [PATCH v2 03/23] dmaengine: sdxi: Add PCI initialization Nathan Lynch via B4 Relay
2026-05-11 21:22 ` Frank Li
2026-05-13 0:05 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 04/23] dmaengine: sdxi: Feature discovery and initial configuration Nathan Lynch via B4 Relay
2026-05-11 21:30 ` Frank Li
2026-05-13 0:33 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 05/23] dmaengine: sdxi: Configure context tables Nathan Lynch via B4 Relay
2026-05-13 1:12 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 06/23] dmaengine: sdxi: Allocate DMA pools Nathan Lynch via B4 Relay
2026-05-13 1:30 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 07/23] dmaengine: sdxi: Allocate administrative context Nathan Lynch via B4 Relay
2026-05-13 2:20 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 08/23] dmaengine: sdxi: Install " Nathan Lynch via B4 Relay
2026-05-13 3:17 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 09/23] dmaengine: sdxi: Start functions on probe, stop on remove Nathan Lynch via B4 Relay
2026-05-13 3:35 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 10/23] dmaengine: sdxi: Complete administrative context jump start Nathan Lynch via B4 Relay
2026-05-13 3:54 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 11/23] dmaengine: sdxi: Add client context alloc and release APIs Nathan Lynch via B4 Relay
2026-05-13 4:46 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 12/23] dmaengine: sdxi: Add descriptor ring management Nathan Lynch via B4 Relay
2026-05-13 5:21 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 13/23] dmaengine: sdxi: Add unit tests for descriptor ring reservations Nathan Lynch via B4 Relay
2026-05-13 5:48 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 14/23] dmaengine: sdxi: Attach descriptor ring state to contexts Nathan Lynch via B4 Relay
2026-05-13 19:31 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 15/23] dmaengine: sdxi: Per-context access key (AKey) table entry allocator Nathan Lynch via B4 Relay
2026-05-13 19:54 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 16/23] dmaengine: sdxi: Generic descriptor manipulation helpers Nathan Lynch via B4 Relay
2026-05-13 20:21 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 17/23] dmaengine: sdxi: Add completion status block API Nathan Lynch via B4 Relay
2026-05-13 20:38 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 18/23] dmaengine: sdxi: Encode context start, stop, and sync descriptors Nathan Lynch via B4 Relay
2026-05-11 19:16 ` [PATCH v2 19/23] dmaengine: sdxi: Provide context start and stop APIs Nathan Lynch via B4 Relay
2026-05-13 21:18 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 20/23] dmaengine: sdxi: Encode nop, copy, and interrupt descriptors Nathan Lynch via B4 Relay
2026-05-13 21:33 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 21/23] dmaengine: sdxi: Add unit tests for descriptor encoding Nathan Lynch via B4 Relay
2026-05-13 21:55 ` sashiko-bot
2026-05-11 19:16 ` [PATCH v2 22/23] dmaengine: sdxi: MSI/MSI-X vector allocation and mapping Nathan Lynch via B4 Relay
2026-05-13 22:17 ` sashiko-bot [this message]
2026-05-11 19:16 ` [PATCH v2 23/23] dmaengine: sdxi: Add DMA engine provider Nathan Lynch via B4 Relay
2026-05-11 20:47 ` Frank Li
2026-05-11 22:28 ` Lynch, Nathan
2026-05-13 20:01 ` Frank Li
2026-05-13 22:57 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260513221736.2D635C19425@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=devnull+nathan.lynch.amd.com@kernel.org \
--cc=dmaengine@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox