From: Leon Romanovsky <leon@kernel.org>
To: sashiko-reviews@lists.linux.dev
Cc: lirongqing <lirongqing@baidu.com>, linux-pci@vger.kernel.org
Subject: Re: [PATCH] PCI/P2PDMA: Use RCU_INIT_POINTER() to clear pdev->p2pdma
Date: Tue, 16 Jun 2026 21:57:42 +0300
Message-ID: <20260616185742.GS327369@unreal>
In-Reply-To: <20260612084824.A3DE91F00A3A@smtp.kernel.org>
On Fri, Jun 12, 2026 at 08:48:24AM +0000, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
>
> Pre-existing issues:
> - [High] pci_p2pdma_release() skips synchronize_rcu() when p2pdma->pool is NULL, causing a use-after-free of the devm-allocated p2pdma structure and corruption of its map_types xarray for concurrent RCU readers.
> - [High] Missing devres action removal in pci_p2pdma_add_resource() error paths causes Use-After-Free of p2p_pgmap during devres teardown.
> --
>
> commit eb4ec2c32d602512abbeccbe720637cf83f85cb6
> Author: Li RongQing <lirongqing@baidu.com>
>
> PCI/P2PDMA: Use RCU_INIT_POINTER() to clear pdev->p2pdma
>
> Since pdev->p2pdma is an RCU-protected pointer, directly assigning
> NULL to it violates RCU semantics and triggers sparse static analysis
> warnings.
>
> Fix this by using RCU_INIT_POINTER() instead of a raw assignment,
> ensuring proper RCU annotations and consistency with the subsequent
> synchronize_rcu() call.
>
> > diff --git a/drivers/pci/p2pdma.c b/drivers/pci/p2pdma.c
> > index 7c898542af8d5..fd98624208c50 100644
> > --- a/drivers/pci/p2pdma.c
> > +++ b/drivers/pci/p2pdma.c
> > @@ -236,7 +236,7 @@ static void pci_p2pdma_release(void *data)
> > return;
> >
> > /* Flush and disable pci_alloc_p2p_mem() */
> > - pdev->p2pdma = NULL;
> > + RCU_INIT_POINTER(pdev->p2pdma, NULL);
> > if (p2pdma->pool)
> > synchronize_rcu();
>
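Review bot: The `+ RCU_INIT_POINTER(pdev->p2pdma, NULL);` line is the right primitive here: storing NULL into an RCU-protected pointer needs no publication barrier, since a reader that loads NULL has nothing to dereference, so this is a pure annotation fix and the one-line change is correct as described. The point worth addressing in this hunk is the unchanged `if (p2pdma->pool) synchronize_rcu();` that follows it: the hunk shows the grace period being skipped on the pool-less path with `xa_destroy(&p2pdma->map_types)` coming next, and nothing in the visible code or the commit message records why no rcu_read_lock() reader can be holding the old pointer in that case. A one-line comment above the `if` stating that precondition (or an unconditional synchronize_rcu() if it cannot be guaranteed) would make the release ordering self-documenting for the next reader.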
> [Severity: High]
> This isn't a bug introduced by this patch, but could skipping
> synchronize_rcu() here result in a use-after-free for concurrent RCU readers?
>
> If p2pdma->pool is NULL, synchronize_rcu() is bypassed before destroying the
> map_types xarray and returning. Since the p2pdma structure is managed by
> devres, it will be freed shortly after this callback returns.
>
> If concurrent RCU readers (like those executing pci_p2pdma_map_type()) obtain
> the pointer just before it is cleared, will they continue to access the freed
> map_types xarray and p2pdma structure?
>
> > xa_destroy(&p2pdma->map_types);
I do not believe this is a bug. The p2pdma->pool field is NULL only for
in-kernel users that fully control the lifecycle of their drivers.
In that mode, there should not be any concurrent RCU readers when the
device is released.
Thanks
Thread overview:
2026-06-12 8:34 [PATCH] PCI/P2PDMA: Use RCU_INIT_POINTER() to clear pdev->p2pdma lirongqing
2026-06-12 8:48 ` sashiko-bot
2026-06-16 18:57 ` Leon Romanovsky [this message]