From: Jakub Kicinski <kuba@kernel.org>
To: vikas.gupta@broadcom.com
Cc: Jakub Kicinski <kuba@kernel.org>,
davem@davemloft.net, edumazet@google.com, pabeni@redhat.com,
andrew+netdev@lunn.ch, horms@kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, vsrama-krishna.nemani@broadcom.com,
bhargava.marreddy@broadcom.com, rajashekar.hudumula@broadcom.com,
ajit.khaparde@broadcom.com, dharmender.garg@broadcom.com,
rahul-rg.gupta@broadcom.com
Subject: Re: [PATCH net v2 1/2] bnge: fix initial HWRM sequence
Date: Thu, 16 Apr 2026 19:22:01 -0700 [thread overview]
Message-ID: <20260417022201.1807745-1-kuba@kernel.org> (raw)
In-Reply-To: <20260415151621.1104956-2-vikas.gupta@broadcom.com>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
---
bnge: fix initial HWRM sequence
This commit modifies the initial HWRM sequence to allocate the context
memory before querying resource information. This addresses an issue where
firmware might not advertise correct resources.
> diff --git a/drivers/net/ethernet/broadcom/bnge/bnge_core.c b/drivers/net/ethernet/broadcom/bnge/bnge_core.c
> --- a/drivers/net/ethernet/broadcom/bnge/bnge_core.c
> +++ b/drivers/net/ethernet/broadcom/bnge/bnge_core.c
> @@ -73,25 +73,35 @@ static int bnge_func_qcaps(struct bnge_dev *bd)
[ ... ]
> return 0;
> +
> +err_free_ctx_mem:
> + bnge_free_ctx_mem(bd);
> + return rc;
> }
Could this error path leave the firmware with active DMA pointers to freed
memory?
Looking at bnge_alloc_ctx_mem(), it configures the firmware with host DMA
addresses for the backing store via bnge_backing_store_cfg(). If a
subsequent step like bnge_hwrm_func_resc_qcaps() fails, this new error path
directly frees the context memory.
Previously, errors in this sequence triggered bnge_fw_unregister_dev(),
which safely unregistered the firmware before freeing the memory. There is
even a comment in bnge_fw_unregister_dev() documenting this requirement:
static void bnge_fw_unregister_dev(struct bnge_dev *bd)
{
/* ctx mem free after unrgtr only */
bnge_hwrm_func_drv_unrgtr(bd);
bnge_free_ctx_mem(bd);
}
Since the firmware isn't told to stop using the memory before it is freed
here, is there a risk the hardware might DMA into the freed host pages?
> @@ -132,32 +142,25 @@ static int bnge_fw_register_dev(struct bnge_dev *bd)
[ ... ]
> -err_func_unrgtr:
> - bnge_fw_unregister_dev(bd);
> +err_free_ctx_mem:
> + bnge_free_ctx_mem(bd);
> return rc;
> }
This error path appears to have the same regression. If
bnge_hwrm_func_drv_rgtr() fails after bnge_func_qcaps() has already
configured the backing store, freeing the context memory directly without
unregistering might allow the hardware to access freed memory.
--
pw-bot: cr
next prev parent reply other threads:[~2026-04-17 2:22 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-15 15:16 [PATCH net v2 0/2] bnge fixes Vikas Gupta
2026-04-15 15:16 ` [PATCH net v2 1/2] bnge: fix initial HWRM sequence Vikas Gupta
2026-04-17 2:22 ` Jakub Kicinski [this message]
2026-04-17 6:16 ` Vikas Gupta
2026-04-17 14:42 ` Jakub Kicinski
2026-04-17 15:47 ` Vikas Gupta
2026-04-15 15:16 ` [PATCH net v2 2/2] bnge: remove unsupported backing store type Vikas Gupta
2026-04-16 3:54 ` Przemek Kitszel
2026-04-16 5:22 ` Vikas Gupta
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260417022201.1807745-1-kuba@kernel.org \
--to=kuba@kernel.org \
--cc=ajit.khaparde@broadcom.com \
--cc=andrew+netdev@lunn.ch \
--cc=bhargava.marreddy@broadcom.com \
--cc=davem@davemloft.net \
--cc=dharmender.garg@broadcom.com \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=rahul-rg.gupta@broadcom.com \
--cc=rajashekar.hudumula@broadcom.com \
--cc=vikas.gupta@broadcom.com \
--cc=vsrama-krishna.nemani@broadcom.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox