From: sashiko-bot@kernel.org
To: "David Jeffery" <djeffery@redhat.com>
Cc: linux-pci@vger.kernel.org, linux-scsi@vger.kernel.org
Subject: Re: [PATCH 4/5] PCI: Enable async shutdown support
Date: Wed, 01 Jul 2026 14:07:47 +0000 [thread overview]
Message-ID: <20260701140748.5A18F1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260701135015.81937-5-djeffery@redhat.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [Critical] In `pci_register_host_bridge()`, a failure in `device_register(&bus->dev)` leads to a double-free of the `bridge->dev` object.
- [High] In `pci_device_add()`, failure of `device_add()` is ignored, leaving a partially-initialized device in the subsystem lists.
--
commit 32aeb814f8bbaee48b0baf0572f23452cd1e50da
Author: David Jeffery <djeffery@redhat.com>
PCI: Enable async shutdown support
This commit adds asynchronous shutdown support for PCI devices. It aims to
reduce overall shutdown time in the same way async suspend does.
> diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
> index dd0abbc63e18d..af23814464060 100644
> --- a/drivers/pci/probe.c
> +++ b/drivers/pci/probe.c
> @@ -1046,6 +1046,7 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
>
> bus->bridge = get_device(&bridge->dev);
> device_enable_async_suspend(bus->bridge);
> + dev_set_async_shutdown(bus->bridge);
[Severity: Critical]
This is a pre-existing issue, and was not introduced by the patch under
review, but does the error handling in pci_register_host_bridge() lead to
a double-free of the bridge->dev object?
If device_register(&bus->dev) fails, the code jumps to the unregister label:
unregister:
put_device(&bridge->dev);
device_del(&bridge->dev);
free:
...
if (bus_registered)
put_device(&bus->dev);
Because bus_registered is set to true right before checking the error from
device_register(), the free path calls put_device(&bus->dev).
Releasing the bus triggers release_pcibus_dev(), which implicitly drops the
pci_bus->bridge reference via put_device(pci_bus->bridge). Since the code
explicitly drops the reference at the unregister label as well, does this
drop the object's refcount to 0 prematurely?
[ ... ]
> @@ -2748,6 +2749,7 @@ void pci_device_add(struct pci_dev *dev, struct pci_bus *bus)
> pci_reassigndev_resource_alignment(dev);
>
> pci_init_capabilities(dev);
> + dev_set_async_shutdown(&dev->dev);
>
> /*
> * Add the device to our list of discovered devices
[Severity: High]
This isn't a bug introduced by this patch, but I noticed the failure of
device_add() is ignored later in pci_device_add():
ret = device_add(&dev->dev);
WARN_ON(ret < 0);
If device_add() fails, the device remains in the bus->devices list but is
not tracked by the driver core.
When the PCI device or bus is later removed, pci_destroy_dev() unconditionally
calls device_del(&dev->dev). Calling device_del() on a device that was never
successfully added via device_add() violates the driver core API.
Could this lead to a kernel crash or NULL pointer dereference when a PCI
device is enumerated under memory pressure?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260701135015.81937-1-djeffery@redhat.com?part=4
next prev parent reply other threads:[~2026-07-01 14:07 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-01 13:50 [PATCH v18 0/5] shut down devices asynchronously David Jeffery
2026-07-01 13:50 ` [PATCH 1/5] driver core: separate function to shutdown one device David Jeffery
2026-07-01 13:58 ` sashiko-bot
2026-07-01 13:50 ` [PATCH 2/5] driver core: do not always lock parent in shutdown David Jeffery
2026-07-01 14:02 ` sashiko-bot
2026-07-01 13:50 ` [PATCH 3/5] driver core: async device shutdown infrastructure David Jeffery
2026-07-01 14:11 ` sashiko-bot
2026-07-01 13:50 ` [PATCH 4/5] PCI: Enable async shutdown support David Jeffery
2026-07-01 14:07 ` sashiko-bot [this message]
2026-07-01 13:50 ` [PATCH 5/5] scsi: " David Jeffery
2026-07-01 14:06 ` sashiko-bot
-- strict thread matches above, loose matches on Subject: below --
2026-06-16 15:22 [PATCH v17 0/5] shut down devices asynchronously David Jeffery
2026-06-16 15:22 ` [PATCH 4/5] PCI: Enable async shutdown support David Jeffery
2026-06-16 15:38 ` sashiko-bot
2026-05-18 19:31 [PATCH v16 0/5] shut down devices asynchronously David Jeffery
2026-05-18 19:32 ` [PATCH 4/5] PCI: Enable async shutdown support David Jeffery
2026-04-29 17:50 [PATCH v15 0/5] shut down devices asynchronously David Jeffery
2026-04-29 17:50 ` [PATCH 4/5] PCI: Enable async shutdown support David Jeffery
2026-05-06 18:28 ` Bjorn Helgaas
2026-05-06 21:10 ` David Jeffery
2026-05-06 21:24 ` Bjorn Helgaas
2026-04-20 15:26 [PATCH v14 0/5] shut down devices asynchronously David Jeffery
2026-04-20 15:26 ` [PATCH 4/5] PCI: Enable async shutdown support David Jeffery
2026-04-07 15:35 [PATCH v13 0/5] shut down devices asynchronously David Jeffery
2026-04-07 15:35 ` [PATCH 4/5] PCI: Enable async shutdown support David Jeffery
2026-03-19 14:11 [PATCH v12 0/5] shut down devices asynchronously David Jeffery
2026-03-19 14:11 ` [PATCH 4/5] PCI: enable async shutdown support David Jeffery
2026-03-11 17:12 [PATCH 1/5] driver core: do not always lock parent in shutdown David Jeffery
2026-03-11 17:12 ` [PATCH 4/5] pci: enable async shutdown support David Jeffery
2026-03-11 23:08 ` Bjorn Helgaas
2026-03-12 13:46 ` David Jeffery
2026-03-12 5:09 ` Greg Kroah-Hartman
2026-03-12 13:54 ` David Jeffery
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260701140748.5A18F1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=djeffery@redhat.com \
--cc=linux-pci@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox