From: Simon Horman <horms@kernel.org>
To: vulab@iscas.ac.cn
Cc: Simon Horman <horms@kernel.org>,
rmody@marvell.com, GR-Linux-NIC-Dev@marvell.com,
andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] bnx2: fix refcount leak in bnx2_change_ring_size()
Date: Thu, 11 Jun 2026 16:13:50 +0100 [thread overview]
Message-ID: <20260611151349.607666-2-horms@kernel.org> (raw)
In-Reply-To: <20260609074746.206312-1-vulab@iscas.ac.cn>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
Full review at: https://sashiko.dev
---
bnx2: fix refcount leak in bnx2_change_ring_size()
This patch attempts to balance the intr_sem semaphore on the failure path
of bnx2_change_ring_size() by adding an atomic_dec() after the
bnx2_napi_enable()/dev_close() sequence.
> diff --git a/drivers/net/ethernet/broadcom/bnx2.c b/drivers/net/ethernet/broadcom/bnx2.c
> index f5722e929833..7f8ade29b7e5 100644
> --- a/drivers/net/ethernet/broadcom/bnx2.c
> +++ b/drivers/net/ethernet/broadcom/bnx2.c
> @@ -7360,6 +7360,7 @@ bnx2_change_ring_size(struct bnx2 *bp, u32 rx, u32 tx, bool reset_irq)
> if (rc) {
> bnx2_napi_enable(bp);
> dev_close(bp->dev);
> + atomic_dec(&bp->intr_sem);
> return rc;
> }
[Medium]
Does the commit message match the change?
The message states:
Fix this by calling bnx2_netif_start(true) in the error path to
properly release the semaphore count.
but the diff inserts a raw atomic_dec(&bp->intr_sem), not a call to
bnx2_netif_start(). These are not equivalent. bnx2_netif_start() does
an atomic_dec_and_test() and, when it transitions to zero with the
device still running, additionally calls netif_tx_wake_all_queues(),
bnx2_napi_enable(), bnx2_enable_int(), and bnx2_cnic_start():
static void
bnx2_netif_start(struct bnx2 *bp, bool start_cnic)
{
if (atomic_dec_and_test(&bp->intr_sem)) {
if (netif_running(bp->dev)) {
netif_tx_wake_all_queues(bp->dev);
...
bnx2_napi_enable(bp);
bnx2_enable_int(bp);
if (start_cnic)
bnx2_cnic_start(bp);
}
}
}
At the patch site dev_close() has not yet run, so netif_running() is
still true; calling bnx2_netif_start() here would re-enable interrupts
and NAPI on a device that is about to be torn down.
Could the commit message be updated to describe the actual change
(an atomic_dec), since this affects stable backporters reading the log?
The message also says:
bnx2_netif_stop(true) increments the semaphore at the start of the
function if the netif is running.
Looking at bnx2_disable_int_sync() (called from bnx2_netif_stop()):
static void
bnx2_disable_int_sync(struct bnx2 *bp)
{
int i;
atomic_inc(&bp->intr_sem);
if (!netif_running(bp->dev))
return;
...
}
the increment happens unconditionally before the netif_running() check,
and bnx2_netif_stop() invokes bnx2_disable_int_sync() near the end (not
the start). Should the commit message be reworded to reflect that?
[Medium]
Does the single atomic_dec actually balance intr_sem on this error path?
Tracing from the bnx2_open() baseline of intr_sem=0:
1. bnx2_netif_stop(bp, true) -> bnx2_disable_int_sync() does
atomic_inc (0 -> 1).
2. On error, bnx2_napi_enable() does not touch intr_sem.
3. dev_close(bp->dev) dispatches via ndo_stop to bnx2_close():
static int
bnx2_close(struct net_device *dev)
{
struct bnx2 *bp = netdev_priv(dev);
bnx2_disable_int_sync(bp);
...
}
which performs another atomic_inc (1 -> 2).
4. The new atomic_dec brings it from 2 to 1.
The semaphore is therefore left at +1, not 0. Compare bnx2_reset_task(),
which uses an explicit atomic_set(&bp->intr_sem, 1) before calling
bnx2_netif_start() to forcibly reset state on a similar error path.
Should this site either set intr_sem back to 0, or perform two
atomic_dec calls (one for the bnx2_netif_stop() increment and one for
the bnx2_close() increment), to fully balance the count as the changelog
claims?
In practice the residual +1 will be overwritten by the next
bnx2_open() via atomic_set(&bp->intr_sem, 0), but the patch as written
does not match its stated goal of fully releasing the count.
prev parent reply other threads:[~2026-06-11 15:14 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-09 7:47 [PATCH] bnx2: fix refcount leak in bnx2_change_ring_size() Wentao Liang
2026-06-11 15:13 ` Simon Horman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260611151349.607666-2-horms@kernel.org \
--to=horms@kernel.org \
--cc=GR-Linux-NIC-Dev@marvell.com \
--cc=andrew+netdev@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=rmody@marvell.com \
--cc=stable@vger.kernel.org \
--cc=vulab@iscas.ac.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox