From: sashiko-bot@kernel.org
To: "Farhan Ali" <alifm@linux.ibm.com>
Cc: "Alexander Gordeev" <agordeev@linux.ibm.com>,
linux-s390@vger.kernel.org, linux-pci@vger.kernel.org,
"Vasily Gorbik" <gor@linux.ibm.com>,
"Heiko Carstens" <hca@linux.ibm.com>
Subject: Re: [PATCH v21 4/4] PCI/MSI: Enable memory decoding before restoring MSI-X messages
Date: Tue, 30 Jun 2026 17:12:54 +0000 [thread overview]
Message-ID: <20260630171255.20BD91F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260630164807.643-5-alifm@linux.ibm.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Blindly restoring a stale PCI_COMMAND value introduces a TOCTOU race window that can erase concurrent modifications to the register.
--
commit ff043ecd9c4375492e235cd366b469432d15d4f3
Author: Farhan Ali <alifm@linux.ibm.com>
PCI/MSI: Enable memory decoding before restoring MSI-X messages
This commit modifies the MSI-X restoration path to temporarily enable the
Command register Memory bit before writing MSI-X messages. This prevents
Unsupported Request (UR) errors if the saved device state did not have
memory decoding enabled.
> diff --git a/drivers/pci/msi/msi.c b/drivers/pci/msi/msi.c
> index 209373c92e9e1..79c7e84d314b7 100644
> --- a/drivers/pci/msi/msi.c
> +++ b/drivers/pci/msi/msi.c
> @@ -870,6 +870,7 @@ void __pci_restore_msix_state(struct pci_dev *dev)
> {
> struct msi_desc *entry;
> bool write_msg;
> + u16 cmd;
>
> if (!dev->msix_enabled)
> return;
[ ... ]
> @@ -879,6 +880,14 @@ void __pci_restore_msix_state(struct pci_dev *dev)
> pci_msix_clear_and_set_ctrl(dev, 0,
> PCI_MSIX_FLAGS_ENABLE | PCI_MSIX_FLAGS_MASKALL);
>
> + /*
> + * The restored device state may not have Memory decoding enabled
> + * in the Command register. Since the MSI-X was enabled for the
> + * device, enable Memory decoding before restoring MSI-X.
> + */
> + pci_read_config_word(dev, PCI_COMMAND, &cmd);
> + pci_write_config_word(dev, PCI_COMMAND, cmd | PCI_COMMAND_MEMORY);
> +
> write_msg = arch_restore_msi_irqs(dev);
>
> scoped_guard (msi_descs_lock, &dev->dev) {
> @@ -889,6 +898,7 @@ void __pci_restore_msix_state(struct pci_dev *dev)
> }
> }
>
> + pci_write_config_word(dev, PCI_COMMAND, cmd);
[Severity: Medium]
Does unconditionally restoring the stale cmd value here introduce a race
condition?
The function reads the PCI_COMMAND register into cmd, enables the memory bit,
and then enters a potentially sleeping section by acquiring msi_descs_lock.
If another thread or subsystem modifies PCI_COMMAND (such as changing Bus
Mastering or INTx disable) while this lock is held, writing the stale cmd
value back will silently overwrite and lose those concurrent modifications.
Additionally, if PCI_COMMAND_MEMORY was already enabled initially, does the
code needlessly expose the device to this race instead of skipping the
register modification entirely?
> pci_msix_clear_and_set_ctrl(dev, PCI_MSIX_FLAGS_MASKALL, 0);
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260630164807.643-1-alifm@linux.ibm.com?part=4
prev parent reply other threads:[~2026-06-30 17:12 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-30 16:48 [PATCH v21 0/4] [PCI] Error recovery for vfio-pci devices on s390x Farhan Ali
2026-06-30 16:48 ` [PATCH v21 1/4] PCI: Allow per function PCI slots to fix slot reset on s390 Farhan Ali
2026-06-30 17:10 ` sashiko-bot
2026-06-30 16:48 ` [PATCH v21 2/4] PCI: Avoid saving config space state if inaccessible Farhan Ali
2026-06-30 17:07 ` sashiko-bot
2026-06-30 16:48 ` [PATCH v21 3/4] PCI: Fail FLR when config space is inaccessible Farhan Ali
2026-06-30 17:13 ` sashiko-bot
2026-06-30 16:48 ` [PATCH v21 4/4] PCI/MSI: Enable memory decoding before restoring MSI-X messages Farhan Ali
2026-06-30 17:12 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260630171255.20BD91F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=agordeev@linux.ibm.com \
--cc=alifm@linux.ibm.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=linux-pci@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox