From: Simon Horman <horms@kernel.org>
To: wei.fang@nxp.com
Cc: 'Simon Horman' <horms@kernel.org>,
claudiu.manoil@nxp.com, vladimir.oltean@nxp.com,
xiaoning.wang@nxp.com, andrew+netdev@lunn.ch,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, imx@lists.linux.dev
Subject: Re: [PATCH v3 net] net: enetc: fix VSI mailbox timeout handling and DMA lifecycle
Date: Thu, 30 Apr 2026 18:09:22 +0100 [thread overview]
Message-ID: <20260430170922.1729686-1-horms@kernel.org> (raw)
In-Reply-To: <20260429081930.3259824-1-wei.fang@nxp.com>
From: 'Simon Horman' <horms@kernel.org>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
Full review at: https://sashiko.dev
---
Subject: net: enetc: fix VSI mailbox timeout handling and DMA lifecycle
This commit attempts to fix a use-after-free issue in the VSI mailbox
send path by deferring the freeing of the DMA buffer if the hardware is
still processing the message. The DMA buffer information is stored in the
si structure and freed on the next send or when the driver is removed.
[ ... ]
> diff --git a/drivers/net/ethernet/freescale/enetc/enetc_vf.c b/drivers/net/ethernet/freescale/enetc/enetc_vf.c
> --- a/drivers/net/ethernet/freescale/enetc/enetc_vf.c
> +++ b/drivers/net/ethernet/freescale/enetc/enetc_vf.c
[ ... ]
> @@ -259,6 +282,7 @@ static void enetc_vf_remove(struct pci_dev *pdev)
> {
> struct enetc_si *si = pci_get_drvdata(pdev);
> struct enetc_ndev_priv *priv;
> + struct enetc_msg_swbd msg;
>
> priv = netdev_priv(si->ndev);
> unregister_netdev(si->ndev);
> @@ -270,7 +294,9 @@ static void enetc_vf_remove(struct pci_dev *pdev)
>
> free_netdev(si->ndev);
>
> + msg = si->msg;
> enetc_pci_remove(pdev);
> + enetc_msg_dma_free(&pdev->dev, &msg);
Is it possible for the mailbox to still be busy here?
The commit addresses the use-after-free in the send path by checking the
mailbox busy status before freeing the previous buffer. However, during
driver teardown, enetc_msg_dma_free() is called unconditionally.
If a prior message sent via enetc_msg_vsi_send() times out and the hardware
is still accessing the buffer, and then the driver is unbound, could this
cause the hardware to read from freed DMA memory?
Should the teardown path wait for the mailbox to become idle or ensure the
hardware is safely reset before freeing the buffer?
> }
next prev parent reply other threads:[~2026-04-30 17:09 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-29 8:19 [PATCH v3 net] net: enetc: fix VSI mailbox timeout handling and DMA lifecycle Wei Fang
2026-04-30 17:09 ` Simon Horman [this message]
2026-05-01 1:16 ` Wei Fang
2026-05-01 1:20 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260430170922.1729686-1-horms@kernel.org \
--to=horms@kernel.org \
--cc=andrew+netdev@lunn.ch \
--cc=claudiu.manoil@nxp.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=imx@lists.linux.dev \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=vladimir.oltean@nxp.com \
--cc=wei.fang@nxp.com \
--cc=xiaoning.wang@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox