* [PATCH net 1/2] octeontx2-pf: clear stale mailbox IRQ state before request_irq()
2026-06-11 16:00 [PATCH net 0/2] octeontx2: quiesce stale mailbox IRQ state before request_irq() Runyu Xiao
@ 2026-06-11 16:00 ` Runyu Xiao
2026-06-11 16:00 ` [PATCH net 2/2] octeontx2-vf: " Runyu Xiao
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Runyu Xiao @ 2026-06-11 16:00 UTC (permalink / raw)
To: netdev
Cc: sgoutham, gakula, sbhatta, hkelam, bbhushan2, andrew+netdev,
davem, edumazet, kuba, pabeni, amakarov, tduszynski, linux-kernel,
jianhao.xu, runyu.xiao, stable
otx2_register_mbox_intr() currently installs the PF mailbox IRQ handler
before clearing stale mailbox interrupt state. The function itself then
comments that the local interrupt bits must be cleared first to avoid
spurious interrupts, but that clear happens only after request_irq() has
already exposed the handler to irq delivery.

A running system can reach this during PF mailbox interrupt registration
while stale or latched RVU_PF_INT state is still present. If delivery
happens in the request_irq()-to-clear window,
otx2_pfaf_mbox_intr_handler() can run before local quiesce and touch
the same pf->mbox and pf->mbox_wq carrier that probe and teardown later
reuse or destroy.

Move the stale mailbox interrupt clear ahead of request_irq(), but keep
interrupt enabling after the handler is installed. This closes the
pre-clear early-IRQ window without creating a new enable-before-handler
window.

Fixes: 5a6d7c9daef3 ("octeontx2-pf: Mailbox communication with AF")
Cc: stable@vger.kernel.org
Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn>
---
.../ethernet/marvell/octeontx2/nic/otx2_pf.c | 20 +++++++++----------
1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
index bbf25769f499..5c3e06897a37 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
@@ -1119,9 +1119,16 @@ int otx2_register_mbox_intr(struct otx2_nic *pf, bool probe_af)
{
struct otx2_hw *hw = &pf->hw;
struct msg_req *req;
+ u64 mbox_int_mask;
char *irq_name;
int err;
+ mbox_int_mask = !is_cn20k(pf->pdev) ? BIT_ULL(0) :
+ BIT_ULL(0) | BIT_ULL(1);
+
+ /* Clear stale mailbox interrupt state before installing the handler. */
+ otx2_write64(pf, RVU_PF_INT, mbox_int_mask);
+
/* Register mailbox interrupt handler */
if (!is_cn20k(pf->pdev)) {
irq_name = &hw->irq_name[RVU_PF_INT_VEC_AFPF_MBOX * NAME_SIZE];
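Review bot: The early otx2_write64(pf, RVU_PF_INT, mbox_int_mask) closes the window only if the mailbox interrupt is still disabled when request_irq() runs, and nothing in this hunk establishes that. If the enable bits can be left set from an earlier registration, a bit that latches after this clear can still be delivered between request_irq() and the enable write. Either write the enable-clear counterpart of RVU_PF_INT_ENA_W1S for mbox_int_mask ahead of the clear, or extend the new comment to say why the enable is known to be off at this point.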
@@ -1147,17 +1154,8 @@ int otx2_register_mbox_intr(struct otx2_nic *pf, bool probe_af)
return err;
}
- /* Enable mailbox interrupt for msgs coming from AF.
- * First clear to avoid spurious interrupts, if any.
- */
- if (!is_cn20k(pf->pdev)) {
- otx2_write64(pf, RVU_PF_INT, BIT_ULL(0));
- otx2_write64(pf, RVU_PF_INT_ENA_W1S, BIT_ULL(0));
- } else {
- otx2_write64(pf, RVU_PF_INT, BIT_ULL(0) | BIT_ULL(1));
- otx2_write64(pf, RVU_PF_INT_ENA_W1S, BIT_ULL(0) |
- BIT_ULL(1));
- }
+ /* Enable mailbox interrupt for msgs coming from AF. */
+ otx2_write64(pf, RVU_PF_INT_ENA_W1S, mbox_int_mask);
if (!probe_af)
return 0;
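Review bot: With the clear removed from this spot, any RVU_PF_INT bit that latches between the early clear and the RVU_PF_INT_ENA_W1S write fires as soon as the enable lands, where the old sequence discarded it immediately before enabling. That may well be the better behaviour now that the handler is installed, but it is a change beyond closing the pre-clear window and the commit message should state it. The cover letter says no OTX2 hardware was available for runtime testing, so confirmation on a device would be good before this reaches stable.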
--
2.34.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH net 2/2] octeontx2-vf: clear stale mailbox IRQ state before request_irq()
From: Runyu Xiao @ 2026-06-11 16:00 UTC (permalink / raw)
To: netdev
Cc: sgoutham, gakula, sbhatta, hkelam, bbhushan2, andrew+netdev,
davem, edumazet, kuba, pabeni, amakarov, tduszynski, linux-kernel,
jianhao.xu, runyu.xiao, stable
otx2vf_register_mbox_intr() currently installs the VF mailbox IRQ
handler before clearing stale mailbox interrupt state. The code then says
that local interrupt bits should be cleared first to avoid spurious
interrupts, but that clear still happens only after request_irq() has
already made the handler reachable.

A running system can reach this during VF mailbox interrupt registration
while stale or latched RVU_VF_INT state is still present. If delivery
happens in the request_irq()-to-clear window,
otx2vf_vfaf_mbox_intr_handler() can run before local quiesce and touch
the same vf->mbox and vf->mbox_wq carrier that probe and teardown later
reuse or destroy.

Move the stale mailbox interrupt clear ahead of request_irq(), but keep
interrupt enabling after the handler is installed. This closes the
pre-clear early-IRQ window without creating a new enable-before-handler
window.

Fixes: 3184fb5ba96e ("octeontx2-vf: Virtual function driver support")
Cc: stable@vger.kernel.org
Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn>
---
.../ethernet/marvell/octeontx2/nic/otx2_vf.c | 22 +++++++++----------
1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c
index 25381f079b97..5534c2c8db0f 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c
@@ -251,9 +251,17 @@ static int otx2vf_register_mbox_intr(struct otx2_nic *vf, bool probe_pf)
{
struct otx2_hw *hw = &vf->hw;
struct msg_req *req;
+ u64 mbox_int_mask;
char *irq_name;
int err;
+ mbox_int_mask = !is_cn20k(vf->pdev) ? BIT_ULL(0) :
+ BIT_ULL(0) | BIT_ULL(1) |
+ BIT_ULL(2) | BIT_ULL(3);
+
+ /* Clear stale mailbox interrupt state before installing the handler. */
+ otx2_write64(vf, RVU_VF_INT, mbox_int_mask);
+
/* Register mailbox interrupt handler */
irq_name = &hw->irq_name[RVU_VF_INT_VEC_MBOX * NAME_SIZE];
snprintf(irq_name, NAME_SIZE, "RVUVF%d AFVF Mbox", ((vf->pcifunc &
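Review bot: The mbox_int_mask initializer is hard to read: the condition is negated and the cn20k arm is four OR'ed BIT_ULL() terms split over two lines with no parentheses around the arm. Consider is_cn20k(vf->pdev) ? GENMASK_ULL(3, 0) : BIT_ULL(0). Since the PF patch builds the same kind of mask from a different set of bits, a named macro for each set would also document which mailbox interrupts the bits stand for.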
@@ -274,18 +282,8 @@ static int otx2vf_register_mbox_intr(struct otx2_nic *vf, bool probe_pf)
return err;
}
- /* Enable mailbox interrupt for msgs coming from PF.
- * First clear to avoid spurious interrupts, if any.
- */
- if (!is_cn20k(vf->pdev)) {
- otx2_write64(vf, RVU_VF_INT, BIT_ULL(0));
- otx2_write64(vf, RVU_VF_INT_ENA_W1S, BIT_ULL(0));
- } else {
- otx2_write64(vf, RVU_VF_INT, BIT_ULL(0) | BIT_ULL(1) |
- BIT_ULL(2) | BIT_ULL(3));
- otx2_write64(vf, RVU_VF_INT_ENA_W1S, BIT_ULL(0) |
- BIT_ULL(1) | BIT_ULL(2) | BIT_ULL(3));
- }
+ /* Enable mailbox interrupt for msgs coming from PF. */
+ otx2_write64(vf, RVU_VF_INT_ENA_W1S, mbox_int_mask);
if (!probe_pf)
return 0;
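Review bot: The replacement comment drops the "First clear to avoid spurious interrupts" sentence without saying where the clear went, so a later reader may put an RVU_VF_INT write back next to the enable. Suggest wording along the lines of "Stale state was cleared before request_irq() above; only enable here." Using one mbox_int_mask for both the clear and the RVU_VF_INT_ENA_W1S write keeps the two bit sets in step, which is worth preserving.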
--
2.34.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH net 0/2] octeontx2: quiesce stale mailbox IRQ state before request_irq()
From: Simon Horman @ 2026-06-13 7:20 UTC (permalink / raw)
To: Runyu Xiao
Cc: netdev, sgoutham, gakula, sbhatta, hkelam, bbhushan2,
andrew+netdev, davem, edumazet, kuba, pabeni, amakarov,
tduszynski, linux-kernel, jianhao.xu
On Fri, Jun 12, 2026 at 12:00:12AM +0800, Runyu Xiao wrote:
> Both OTX2 mailbox registration paths currently install their IRQ
> handlers before clearing stale local mailbox interrupt state, even
> though the code comments already say that the clear is needed first to
> avoid spurious interrupts.
>
> This issue was found by our static analysis tool and manually audited on
> Linux v6.18.21. Directed QEMU no-device validation further showed that
> the real PF and VF mailbox handlers are already reachable in that
> pre-clear window and can touch the same mailbox and workqueue carrier
> before local quiesce has completed.
>
> This series keeps the change minimal:
>
> - clear stale mailbox interrupt state before request_irq()
> - keep interrupt enabling after the handler is installed
>
> That closes the early-IRQ window without introducing a new
> enable-before-handler window.
>
> Patch 1 fixes the PF mailbox registration path.
> Patch 2 fixes the VF mailbox registration path.
>
> Build-tested by compiling otx2_pf.o and otx2_vf.o.
>
> No OTX2 hardware was available for end-to-end runtime testing.
>
> Runyu Xiao (2):
> octeontx2-pf: clear stale mailbox IRQ state before request_irq()
> octeontx2-vf: clear stale mailbox IRQ state before request_irq()
For the series:
Reviewed-by: Simon Horman <horms@kernel.org>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH net 0/2] octeontx2: quiesce stale mailbox IRQ state before request_irq()
From: Jakub Kicinski @ 2026-06-13 22:13 UTC (permalink / raw)
To: Runyu Xiao
Cc: netdev, sgoutham, gakula, sbhatta, hkelam, bbhushan2,
andrew+netdev, davem, edumazet, pabeni, amakarov, tduszynski,
linux-kernel, jianhao.xu, Ratheesh Kannoth
On Fri, 12 Jun 2026 00:00:12 +0800 Runyu Xiao wrote:
> Both OTX2 mailbox registration paths currently install their IRQ
> handlers before clearing stale local mailbox interrupt state, even
> though the code comments already say that the clear is needed first to
> avoid spurious interrupts.
cc Ratheesh
^ permalink raw reply [flat|nested] 5+ messages in thread