Linux s390 Architecture development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Farhan Ali" <alifm@linux.ibm.com>
Cc: "Alexander Gordeev" <agordeev@linux.ibm.com>,
	linux-s390@vger.kernel.org, linux-pci@vger.kernel.org,
	"Vasily Gorbik" <gor@linux.ibm.com>,
	"Heiko Carstens" <hca@linux.ibm.com>
Subject: Re: [PATCH v21 4/4] PCI/MSI: Enable memory decoding before restoring MSI-X messages
Date: Tue, 30 Jun 2026 17:12:54 +0000	[thread overview]
Message-ID: <20260630171255.20BD91F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260630164807.643-5-alifm@linux.ibm.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Blindly restoring a stale PCI_COMMAND value introduces a TOCTOU race window that can erase concurrent modifications to the register.
--

commit ff043ecd9c4375492e235cd366b469432d15d4f3
Author: Farhan Ali <alifm@linux.ibm.com>

PCI/MSI: Enable memory decoding before restoring MSI-X messages

This commit modifies the MSI-X restoration path to temporarily enable the 
Command register Memory bit before writing MSI-X messages. This prevents 
Unsupported Request (UR) errors if the saved device state did not have 
memory decoding enabled.

> diff --git a/drivers/pci/msi/msi.c b/drivers/pci/msi/msi.c
> index 209373c92e9e1..79c7e84d314b7 100644
> --- a/drivers/pci/msi/msi.c
> +++ b/drivers/pci/msi/msi.c
> @@ -870,6 +870,7 @@ void __pci_restore_msix_state(struct pci_dev *dev)
>  {
>  	struct msi_desc *entry;
>  	bool write_msg;
> +	u16 cmd;
>  
>  	if (!dev->msix_enabled)
>  		return;

[ ... ]

> @@ -879,6 +880,14 @@ void __pci_restore_msix_state(struct pci_dev *dev)
>  	pci_msix_clear_and_set_ctrl(dev, 0,
>  				PCI_MSIX_FLAGS_ENABLE | PCI_MSIX_FLAGS_MASKALL);
>  
> +	/*
> +	 * The restored device state may not have Memory decoding enabled
> +	 * in the Command register. Since the MSI-X was enabled for the
> +	 * device, enable Memory decoding before restoring MSI-X.
> +	 */
> +	pci_read_config_word(dev, PCI_COMMAND, &cmd);
> +	pci_write_config_word(dev, PCI_COMMAND, cmd | PCI_COMMAND_MEMORY);
> +
>  	write_msg = arch_restore_msi_irqs(dev);
>  
>  	scoped_guard (msi_descs_lock, &dev->dev) {
> @@ -889,6 +898,7 @@ void __pci_restore_msix_state(struct pci_dev *dev)
>  		}
>  	}
>  
> +	pci_write_config_word(dev, PCI_COMMAND, cmd);

[Severity: Medium]
Does unconditionally restoring the stale cmd value here introduce a race 
condition?

The function reads the PCI_COMMAND register into cmd, enables the memory bit,
and then enters a potentially sleeping section by acquiring msi_descs_lock.

If another thread or subsystem modifies PCI_COMMAND (such as changing Bus 
Mastering or INTx disable) while this lock is held, writing the stale cmd 
value back will silently overwrite and lose those concurrent modifications.

Additionally, if PCI_COMMAND_MEMORY was already enabled initially, does the 
code needlessly expose the device to this race instead of skipping the 
register modification entirely?

>  	pci_msix_clear_and_set_ctrl(dev, PCI_MSIX_FLAGS_MASKALL, 0);
>  }

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260630164807.643-1-alifm@linux.ibm.com?part=4

      reply	other threads:[~2026-06-30 17:12 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-30 16:48 [PATCH v21 0/4] [PCI] Error recovery for vfio-pci devices on s390x Farhan Ali
2026-06-30 16:48 ` [PATCH v21 1/4] PCI: Allow per function PCI slots to fix slot reset on s390 Farhan Ali
2026-06-30 17:10   ` sashiko-bot
2026-06-30 16:48 ` [PATCH v21 2/4] PCI: Avoid saving config space state if inaccessible Farhan Ali
2026-06-30 17:07   ` sashiko-bot
2026-06-30 16:48 ` [PATCH v21 3/4] PCI: Fail FLR when config space is inaccessible Farhan Ali
2026-06-30 17:13   ` sashiko-bot
2026-06-30 16:48 ` [PATCH v21 4/4] PCI/MSI: Enable memory decoding before restoring MSI-X messages Farhan Ali
2026-06-30 17:12   ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260630171255.20BD91F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=agordeev@linux.ibm.com \
    --cc=alifm@linux.ibm.com \
    --cc=gor@linux.ibm.com \
    --cc=hca@linux.ibm.com \
    --cc=linux-pci@vger.kernel.org \
    --cc=linux-s390@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox