Re: [PATCH for-next 0/4] RDMA/hns: Introduce delay-destruction mechanism

[Junxian Huang <huangjunxian6@hisilicon.com>]

On 2025/2/26 20:47, Leon Romanovsky wrote:
> On Wed, Feb 26, 2025 at 05:46:12PM +0800, Junxian Huang wrote:
>>
>>
>> On 2025/2/20 22:10, Jason Gunthorpe wrote:
>>> On Thu, Feb 20, 2025 at 11:48:49AM +0800, Junxian Huang wrote:
>>>
>>>> Driver notifies HW about the memory release with mailbox. The procedure
>>>> of a mailbox is:
>>>> 	a) driver posts the mailbox to FW
>>>> 	b) FW writes the mailbox data into HW
>>>>
>>>> In this scenario, step a) will fail due to the FW reset, HW won't get
>>>> notified and thus may lead to UAF.
>>>
>>> That's just wrong, a FW reset must fully stop and sanitize the HW as
>>> well. You can't have HW running rouge with no way for FW to control it
>>> anymore.
>>>
>>
>> I agree, but there is a small time gap between the start of FW reset
>> and the stop of HW. Please see my earlier reply today.
> 
> So stop HW before continuing FW reset.

FW reset is a passive behavior, not triggered by FW itself and cannot
be predicted by FW either. If the FW is being reset, usually it is
already crashed and can't function normally due to some fatal errors.
When FW starts to reset, there are some necessary initialization
before it can take control of HW again. So there's always a time gap.

Thanks,
Junxian

> 
> Thanks
> 
>>
>> Thanks,
>> Junxian
>>
>>> Jason
>