* [PATCH] PCI/P2PDMA: Use RCU_INIT_POINTER() to clear pdev->p2pdma
@ 2026-06-12 8:34 lirongqing
2026-06-12 8:48 ` sashiko-bot
0 siblings, 1 reply; 3+ messages in thread
From: lirongqing @ 2026-06-12 8:34 UTC (permalink / raw)
To: Bjorn Helgaas, kwilczynski, linux-pci, linux-kernel; +Cc: Li RongQing
From: Li RongQing <lirongqing@baidu.com>
Since pdev->p2pdma is an RCU-protected pointer, directly assigning
NULL to it violates RCU semantics and triggers sparse static analysis
warnings.
Fix this by using RCU_INIT_POINTER() instead of a raw assignment,
ensuring proper RCU annotations and consistency with the subsequent
synchronize_rcu() call.
Signed-off-by: Li RongQing <lirongqing@baidu.com>
---
drivers/pci/p2pdma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/p2pdma.c b/drivers/pci/p2pdma.c
index 7c89854..fd986242 100644
--- a/drivers/pci/p2pdma.c
+++ b/drivers/pci/p2pdma.c
@@ -236,7 +236,7 @@ static void pci_p2pdma_release(void *data)
return;
/* Flush and disable pci_alloc_p2p_mem() */
- pdev->p2pdma = NULL;
+ RCU_INIT_POINTER(pdev->p2pdma, NULL);
if (p2pdma->pool)
synchronize_rcu();
xa_destroy(&p2pdma->map_types);
--
2.9.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] PCI/P2PDMA: Use RCU_INIT_POINTER() to clear pdev->p2pdma
2026-06-12 8:34 [PATCH] PCI/P2PDMA: Use RCU_INIT_POINTER() to clear pdev->p2pdma lirongqing
@ 2026-06-12 8:48 ` sashiko-bot
2026-06-16 18:57 ` Leon Romanovsky
0 siblings, 1 reply; 3+ messages in thread
From: sashiko-bot @ 2026-06-12 8:48 UTC (permalink / raw)
To: lirongqing; +Cc: linux-pci
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] pci_p2pdma_release() skips synchronize_rcu() when p2pdma->pool is NULL, causing a use-after-free of the devm-allocated p2pdma structure and corruption of its map_types xarray for concurrent RCU readers.
- [High] Missing devres action removal in pci_p2pdma_add_resource() error paths causes Use-After-Free of p2p_pgmap during devres teardown.
--
commit eb4ec2c32d602512abbeccbe720637cf83f85cb6
Author: Li RongQing <lirongqing@baidu.com>
PCI/P2PDMA: Use RCU_INIT_POINTER() to clear pdev->p2pdma
Since pdev->p2pdma is an RCU-protected pointer, directly assigning
NULL to it violates RCU semantics and triggers sparse static analysis
warnings.
Fix this by using RCU_INIT_POINTER() instead of a raw assignment,
ensuring proper RCU annotations and consistency with the subsequent
synchronize_rcu() call.
> diff --git a/drivers/pci/p2pdma.c b/drivers/pci/p2pdma.c
> index 7c898542af8d5..fd98624208c50 100644
> --- a/drivers/pci/p2pdma.c
> +++ b/drivers/pci/p2pdma.c
> @@ -236,7 +236,7 @@ static void pci_p2pdma_release(void *data)
> return;
>
> /* Flush and disable pci_alloc_p2p_mem() */
> - pdev->p2pdma = NULL;
> + RCU_INIT_POINTER(pdev->p2pdma, NULL);
> if (p2pdma->pool)
> synchronize_rcu();
[Severity: High]
This isn't a bug introduced by this patch, but could skipping
synchronize_rcu() here result in a use-after-free for concurrent RCU readers?
If p2pdma->pool is NULL, synchronize_rcu() is bypassed before destroying the
map_types xarray and returning. Since the p2pdma structure is managed by
devres, it will be freed shortly after this callback returns.
If concurrent RCU readers (like those executing pci_p2pdma_map_type()) obtain
the pointer just before it is cleared, will they continue to access the freed
map_types xarray and p2pdma structure?
> xa_destroy(&p2pdma->map_types);
While reviewing this file, I noticed another pre-existing issue in
pci_p2pdma_add_resource():
drivers/pci/p2pdma.c:pci_p2pdma_add_resource()
{
[ ... ]
error = devm_add_action_or_reset(&pdev->dev, pci_p2pdma_unmap_mappings,
p2p_pgmap);
if (error)
goto pages_free;
p2pdma = rcu_dereference_protected(pdev->p2pdma, 1);
error = gen_pool_add_owner(p2pdma->pool, (unsigned long)addr,
pci_bus_address(pdev, bar) + offset,
range_len(&pgmap->range), dev_to_node(&pdev->dev),
&pgmap->ref);
if (error)
goto pages_free;
[ ... ]
pages_free:
devm_memunmap_pages(&pdev->dev, pgmap);
pgmap_free:
devm_kfree(&pdev->dev, p2p_pgmap);
[Severity: High]
This is also a pre-existing issue, but are we leaving a dangling pointer in
the devres list here?
If gen_pool_add_owner() fails, the code jumps to the pages_free label and
explicitly frees p2p_pgmap via devm_kfree(). However, the devres action
pci_p2pdma_unmap_mappings is not removed.
During devres teardown, the registered action will execute and call
pci_p2pdma_unmap_mappings() with the freed p2p_pgmap pointer. This
dereferences p2p_pgmap->mem->owner->kobj, resulting in a use-after-free.
Would it be safer to use devm_remove_action() here to prevent this?
return error;
}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260612083452.1639-1-lirongqing@baidu.com?part=1
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] PCI/P2PDMA: Use RCU_INIT_POINTER() to clear pdev->p2pdma
2026-06-12 8:48 ` sashiko-bot
@ 2026-06-16 18:57 ` Leon Romanovsky
0 siblings, 0 replies; 3+ messages in thread
From: Leon Romanovsky @ 2026-06-16 18:57 UTC (permalink / raw)
To: sashiko-reviews; +Cc: lirongqing, linux-pci
On Fri, Jun 12, 2026 at 08:48:24AM +0000, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
>
> Pre-existing issues:
> - [High] pci_p2pdma_release() skips synchronize_rcu() when p2pdma->pool is NULL, causing a use-after-free of the devm-allocated p2pdma structure and corruption of its map_types xarray for concurrent RCU readers.
> - [High] Missing devres action removal in pci_p2pdma_add_resource() error paths causes Use-After-Free of p2p_pgmap during devres teardown.
> --
>
> commit eb4ec2c32d602512abbeccbe720637cf83f85cb6
> Author: Li RongQing <lirongqing@baidu.com>
>
> PCI/P2PDMA: Use RCU_INIT_POINTER() to clear pdev->p2pdma
>
> Since pdev->p2pdma is an RCU-protected pointer, directly assigning
> NULL to it violates RCU semantics and triggers sparse static analysis
> warnings.
>
> Fix this by using RCU_INIT_POINTER() instead of a raw assignment,
> ensuring proper RCU annotations and consistency with the subsequent
> synchronize_rcu() call.
>
> > diff --git a/drivers/pci/p2pdma.c b/drivers/pci/p2pdma.c
> > index 7c898542af8d5..fd98624208c50 100644
> > --- a/drivers/pci/p2pdma.c
> > +++ b/drivers/pci/p2pdma.c
> > @@ -236,7 +236,7 @@ static void pci_p2pdma_release(void *data)
> > return;
> >
> > /* Flush and disable pci_alloc_p2p_mem() */
> > - pdev->p2pdma = NULL;
> > + RCU_INIT_POINTER(pdev->p2pdma, NULL);
> > if (p2pdma->pool)
> > synchronize_rcu();
>
> [Severity: High]
> This isn't a bug introduced by this patch, but could skipping
> synchronize_rcu() here result in a use-after-free for concurrent RCU readers?
>
> If p2pdma->pool is NULL, synchronize_rcu() is bypassed before destroying the
> map_types xarray and returning. Since the p2pdma structure is managed by
> devres, it will be freed shortly after this callback returns.
>
> If concurrent RCU readers (like those executing pci_p2pdma_map_type()) obtain
> the pointer just before it is cleared, will they continue to access the freed
> map_types xarray and p2pdma structure?
>
> > xa_destroy(&p2pdma->map_types);
I do not believe this is a bug. The p2pdma->pool field is NULL only for
in-kernel users that fully control the lifecycle of their drivers.
In that mode, there should not be any concurrent RCU readers when the
device is released.
Thanks
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-06-16 18:57 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-12 8:34 [PATCH] PCI/P2PDMA: Use RCU_INIT_POINTER() to clear pdev->p2pdma lirongqing
2026-06-12 8:48 ` sashiko-bot
2026-06-16 18:57 ` Leon Romanovsky
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox