Linux PCI subsystem development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Yazen Ghannam" <yazen.ghannam@amd.com>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH 5/5] PCI/FLIT: Ratelimit flit error logging
Date: Tue, 14 Jul 2026 19:18:26 +0000	[thread overview]
Message-ID: <20260714191826.BA81E1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260714183950.1620016-6-yazen.ghannam@amd.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

New issues:
- [Medium] Sysfs Group Directory Leak for devices without FLIT capability.
- [Medium] Missing input validation allows negative burst values, permanently suppressing flit error logs.

Pre-existing issues:
- [High] Surprise hot-unplug or malicious endpoint causes an infinite loop in `flit_isr`, leading to a hard CPU lockup.
--

--- Patch [5]: [PATCH 5/5] PCI/FLIT: Ratelimit flit error logging ---
commit 3a5e2834e7b9f5641abd9dbcf3215773fe5a6904
Author: Yazen Ghannam <yazen.ghannam@amd.com>

PCI/FLIT: Ratelimit flit error logging

This commit introduces a per-device ratelimit state for flit error logging
to prevent console log flooding. It exposes tuning parameters via per-device
sysfs attributes and applies the ratelimiter inside the interrupt handler.

> diff --git a/drivers/pci/pcie/flit.c b/drivers/pci/pcie/flit.c
> index 83cf53f392913..7cb5aff7c552c 100644
> --- a/drivers/pci/pcie/flit.c
> +++ b/drivers/pci/pcie/flit.c
[ ... ]
> +static ssize_t flit_ratelimit_burst_store(struct device *dev,
> +					  struct device_attribute *attr,
> +					  const char *buf, size_t count)
> +{
> +	struct pci_dev *pdev = to_pci_dev(dev);
> +	int burst;
> +
> +	if (!capable(CAP_SYS_ADMIN))
> +		return -EPERM;
> +
> +	if (kstrtoint(buf, 0, &burst) < 0)
> +		return -EINVAL;
> +
> +	pdev->flit_ratelimit.burst = burst;

[Severity: Medium]
Does this allow negative values to be assigned to the burst limit?

If a user writes a negative string (like "-5"), kstrtoint() will parse it
successfully into a negative integer. If burst is negative, the core
___ratelimit() check (rs->burst <= rs->printed) will permanently evaluate to
true, which would silently suppress all future flit error logs.

> +
> +	return count;
> +}
> +static DEVICE_ATTR_RW(flit_ratelimit_burst);
> +
> +static struct attribute *flit_attrs[] = {
> +	&dev_attr_flit_ratelimit_interval_ms.attr,
> +	&dev_attr_flit_ratelimit_burst.attr,
> +	NULL
> +};
> +
> +static umode_t flit_attrs_are_visible(struct kobject *kobj,
> +				      struct attribute *a, int n)
> +{
> +	struct device *dev = kobj_to_dev(kobj);
> +	struct pci_dev *pdev = to_pci_dev(dev);
> +
> +	if (!pdev->flit_cap)
> +		return 0;

[Severity: Medium]
Because this attribute group has a name (".name = "flit""), does returning 0
here leak an empty sysfs directory for devices without the FLIT capability?

Returning 0 suppresses the individual attributes, but the sysfs core will
still create an empty "/sys/bus/pci/devices/.../flit/" directory. Should
this return SYSFS_GROUP_INVISIBLE instead to suppress the entire directory?

> +
> +	return a->mode;
>  }
>  
> +const struct attribute_group flit_attr_group = {
> +	.name = "flit",
> +	.attrs = flit_attrs,
> +	.is_visible = flit_attrs_are_visible,
> +};
[ ... ]
>  	do {
>  		pci_read_config_dword(pdev, flit + PCI_FLIT_ERR_LOG1, &err_log1);
>  
>  		if (!(err_log1 & PCI_FLIT_ERR_LOG_VALID))
>  			break;
>  
>  		pci_read_config_dword(pdev, flit + PCI_FLIT_ERR_LOG2, &err_log2);
> -		pci_info(pdev, HW_ERR "  Error Log1: 0x%08x Error Log2: 0x%08x\n", err_log1, err_log2);
> +		if (print)
> +			pci_info(pdev, HW_ERR "  Error Log1: 0x%08x Error Log2: 0x%08x\n",
> +				 err_log1, err_log2);
>  		trace_flit_event(pci_name(pdev), cntr_ctrl, cntr_sta, err_log1, err_log2);
>  
>  		pci_write_config_dword(pdev, flit + PCI_FLIT_ERR_LOG1, err_log1);
> -	} while (err_log1 & PCI_FLIT_ERR_LOG_MORE);
> +	} while (err_log1 & PCI_FLIT_ERR_LOG_MORE);

[Severity: High]
This is a pre-existing issue, but is this loop safe against surprise device
hot-unplugs?

If the device is disconnected, pci_read_config_dword() will fail and assign
~0 (0xFFFFFFFF) to err_log1. Because ~0 has all bits set, the initial check
for PCI_FLIT_ERR_LOG_VALID will pass.

The loop condition checking for PCI_FLIT_ERR_LOG_MORE will also pass, creating
an unconditional infinite loop that could cause a hard CPU lockup.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260714183950.1620016-1-yazen.ghannam@amd.com?part=5

      reply	other threads:[~2026-07-14 19:18 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-14 18:39 [PATCH 0/5] PCIe Flit Logging Ext Capability Support Yazen Ghannam
2026-07-14 18:39 ` [PATCH 1/5] PCI/portdrv: Group PCI Exp Cap services into a single mask Yazen Ghannam
2026-07-14 19:11   ` sashiko-bot
2026-07-14 18:39 ` [PATCH 2/5] PCI/FLIT: Add support for Flit Logging Extended Capability Yazen Ghannam
2026-07-14 19:17   ` sashiko-bot
2026-07-14 18:39 ` [PATCH 3/5] PCI/FLIT: Negotiate _OSC control for Flit Error Logging Yazen Ghannam
2026-07-14 19:36   ` sashiko-bot
2026-07-14 18:39 ` [PATCH 4/5] PCI/FLIT: Add trace event for flit errors Yazen Ghannam
2026-07-14 19:16   ` sashiko-bot
2026-07-14 18:39 ` [PATCH 5/5] PCI/FLIT: Ratelimit flit error logging Yazen Ghannam
2026-07-14 19:18   ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260714191826.BA81E1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=linux-pci@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=yazen.ghannam@amd.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox