Linux PCI subsystem development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "David Jeffery" <djeffery@redhat.com>
Cc: linux-pci@vger.kernel.org, linux-scsi@vger.kernel.org
Subject: Re: [PATCH 4/5] PCI: Enable async shutdown support
Date: Wed, 01 Jul 2026 14:07:47 +0000	[thread overview]
Message-ID: <20260701140748.5A18F1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260701135015.81937-5-djeffery@redhat.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

Pre-existing issues:
- [Critical] In `pci_register_host_bridge()`, a failure in `device_register(&bus->dev)` leads to a double-free of the `bridge->dev` object.
- [High] In `pci_device_add()`, failure of `device_add()` is ignored, leaving a partially-initialized device in the subsystem lists.
--

commit 32aeb814f8bbaee48b0baf0572f23452cd1e50da
Author: David Jeffery <djeffery@redhat.com>

PCI: Enable async shutdown support

This commit adds asynchronous shutdown support for PCI devices. It aims to
reduce overall shutdown time in the same way async suspend does.

> diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
> index dd0abbc63e18d..af23814464060 100644
> --- a/drivers/pci/probe.c
> +++ b/drivers/pci/probe.c
> @@ -1046,6 +1046,7 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
>  
>  	bus->bridge = get_device(&bridge->dev);
>  	device_enable_async_suspend(bus->bridge);
> +	dev_set_async_shutdown(bus->bridge);

[Severity: Critical]
This is a pre-existing issue, and was not introduced by the patch under
review, but does the error handling in pci_register_host_bridge() lead to
a double-free of the bridge->dev object?

If device_register(&bus->dev) fails, the code jumps to the unregister label:

unregister:
	put_device(&bridge->dev);
	device_del(&bridge->dev);
free:
	...
	if (bus_registered)
		put_device(&bus->dev);

Because bus_registered is set to true right before checking the error from
device_register(), the free path calls put_device(&bus->dev).

Releasing the bus triggers release_pcibus_dev(), which implicitly drops the
pci_bus->bridge reference via put_device(pci_bus->bridge). Since the code
explicitly drops the reference at the unregister label as well, does this
drop the object's refcount to 0 prematurely?

[ ... ]

> @@ -2748,6 +2749,7 @@ void pci_device_add(struct pci_dev *dev, struct pci_bus *bus)
>  	pci_reassigndev_resource_alignment(dev);
>  
>  	pci_init_capabilities(dev);
> +	dev_set_async_shutdown(&dev->dev);
>  
>  	/*
>  	 * Add the device to our list of discovered devices

[Severity: High]
This isn't a bug introduced by this patch, but I noticed the failure of
device_add() is ignored later in pci_device_add():

	ret = device_add(&dev->dev);
	WARN_ON(ret < 0);

If device_add() fails, the device remains in the bus->devices list but is
not tracked by the driver core.

When the PCI device or bus is later removed, pci_destroy_dev() unconditionally
calls device_del(&dev->dev). Calling device_del() on a device that was never
successfully added via device_add() violates the driver core API.

Could this lead to a kernel crash or NULL pointer dereference when a PCI
device is enumerated under memory pressure?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260701135015.81937-1-djeffery@redhat.com?part=4

  reply	other threads:[~2026-07-01 14:07 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-01 13:50 [PATCH v18 0/5] shut down devices asynchronously David Jeffery
2026-07-01 13:50 ` [PATCH 1/5] driver core: separate function to shutdown one device David Jeffery
2026-07-01 13:58   ` sashiko-bot
2026-07-01 13:50 ` [PATCH 2/5] driver core: do not always lock parent in shutdown David Jeffery
2026-07-01 14:02   ` sashiko-bot
2026-07-01 13:50 ` [PATCH 3/5] driver core: async device shutdown infrastructure David Jeffery
2026-07-01 14:11   ` sashiko-bot
2026-07-01 13:50 ` [PATCH 4/5] PCI: Enable async shutdown support David Jeffery
2026-07-01 14:07   ` sashiko-bot [this message]
2026-07-01 13:50 ` [PATCH 5/5] scsi: " David Jeffery
2026-07-01 14:06   ` sashiko-bot
  -- strict thread matches above, loose matches on Subject: below --
2026-06-16 15:22 [PATCH v17 0/5] shut down devices asynchronously David Jeffery
2026-06-16 15:22 ` [PATCH 4/5] PCI: Enable async shutdown support David Jeffery
2026-06-16 15:38   ` sashiko-bot
2026-05-18 19:31 [PATCH v16 0/5] shut down devices asynchronously David Jeffery
2026-05-18 19:32 ` [PATCH 4/5] PCI: Enable async shutdown support David Jeffery
2026-04-29 17:50 [PATCH v15 0/5] shut down devices asynchronously David Jeffery
2026-04-29 17:50 ` [PATCH 4/5] PCI: Enable async shutdown support David Jeffery
2026-05-06 18:28   ` Bjorn Helgaas
2026-05-06 21:10     ` David Jeffery
2026-05-06 21:24       ` Bjorn Helgaas
2026-04-20 15:26 [PATCH v14 0/5] shut down devices asynchronously David Jeffery
2026-04-20 15:26 ` [PATCH 4/5] PCI: Enable async shutdown support David Jeffery
2026-04-07 15:35 [PATCH v13 0/5] shut down devices asynchronously David Jeffery
2026-04-07 15:35 ` [PATCH 4/5] PCI: Enable async shutdown support David Jeffery
2026-03-19 14:11 [PATCH v12 0/5] shut down devices asynchronously David Jeffery
2026-03-19 14:11 ` [PATCH 4/5] PCI: enable async shutdown support David Jeffery
2026-03-11 17:12 [PATCH 1/5] driver core: do not always lock parent in shutdown David Jeffery
2026-03-11 17:12 ` [PATCH 4/5] pci: enable async shutdown support David Jeffery
2026-03-11 23:08   ` Bjorn Helgaas
2026-03-12 13:46     ` David Jeffery
2026-03-12  5:09   ` Greg Kroah-Hartman
2026-03-12 13:54     ` David Jeffery

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260701140748.5A18F1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=djeffery@redhat.com \
    --cc=linux-pci@vger.kernel.org \
    --cc=linux-scsi@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox