From: Chengfeng Ye
To: kernel-team@meta.com, andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com, pabeni@redhat.com, jacob.e.keller@intel.com, lee@trager.us, horms@kernel.org
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Chengfeng Ye
Subject: [PATCH] fbnic: close fw_log race between users and teardown
Date: Mon, 9 Feb 2026 16:38:54 +0000
Message-Id: <20260209163854.521415-1-dg573847474@gmail.com>

Fixes a theoretical race on fw_log between the teardown path and fw_log
show/write functions.

The fw_log null check was performed outside the lock in both
fbnic_dbg_fw_log_show() and fbnic_fw_log_write() (called from debugfs
paths or mailbox threaded IRQ handler). Concurrent teardown in
fbnic_fw_log_free() could clear and free the log buffer after the check
because there is no proper synchronization, leading to list traversal or
buffer access on freed memory.

fbnic_fw_log_write() can be reached from the mailbox handler
fbnic_fw_msix_intr(), but fbnic_fw_log_free() runs before IRQ/MBX
teardown. fbnic_dbg_fw_log_show() runs via debugfs and seems to be not
synchronized with removal either.

Possible Interleaving scenario:
  CPU0: fbnic_dbg_fw_log_show() or fbnic_fw_log_write()
        if (fbnic_fw_log_ready())   // true
        ... preempt ...
  CPU1: fbnic_fw_log_free()
        vfree(log->data_start);
        log->data_start = NULL;
  CPU0: continues, walks log->entries or writes to log->data_start

Move readiness checks under the fw_log spinlock, and clear the log state
under the same lock in fbnic_fw_log_free() before freeing the buffer.
This makes readers/writers mutually exclusive with teardown.

Signed-off-by: Chengfeng Ye --- .../net/ethernet/meta/fbnic/fbnic_debugfs.c | 8 ++++--- .../net/ethernet/meta/fbnic/fbnic_fw_log.c | 21 +++++++++++++------ 2 files changed, 20 insertions(+), 9 deletions(-) diff --git a/drivers/net/ethernet/meta/fbnic/fbnic_debugfs.c b/drivers/net/= ethernet/meta/fbnic/fbnic_debugfs.c index b7238dd967fe..4171dde590fc 100644 --- a/drivers/net/ethernet/meta/fbnic/fbnic_debugfs.c +++ b/drivers/net/ethernet/meta/fbnic/fbnic_debugfs.c @@ -176,11 +176,13 @@ static int fbnic_dbg_fw_log_show(struct seq_file *s, = void *v) struct fbnic_fw_log_entry *entry; unsigned long flags; =20 - if (!fbnic_fw_log_ready(fbd)) - return -ENXIO; - spin_lock_irqsave(&fbd->fw_log.lock, flags); =20 + if (!fbnic_fw_log_ready(fbd)) { + spin_unlock_irqrestore(&fbd->fw_log.lock, flags); + return -ENXIO; + } + list_for_each_entry_reverse(entry, &fbd->fw_log.entries, list) { seq_printf(s, FBNIC_FW_LOG_FMT, entry->index, (entry->timestamp / (MSEC_PER_SEC * 60 * 60 * 24)), diff --git a/drivers/net/ethernet/meta/fbnic/fbnic_fw_log.c b/drivers/net/e= thernet/meta/fbnic/fbnic_fw_log.c index 85a883dba385..d371932435e5 100644 --- a/drivers/net/ethernet/meta/fbnic/fbnic_fw_log.c +++ b/drivers/net/ethernet/meta/fbnic/fbnic_fw_log.c @@ -59,16 +59,24 @@ int fbnic_fw_log_init(struct fbnic_dev *fbd) void fbnic_fw_log_free(struct fbnic_dev *fbd) { struct fbnic_fw_log *log =3D &fbd->fw_log; - - if (!fbnic_fw_log_ready(fbd)) - return; + unsigned long flags; + void *data; =20 fbnic_fw_log_disable(fbd); + + spin_lock_irqsave(&log->lock, flags); + if (!fbnic_fw_log_ready(fbd)) { + spin_unlock_irqrestore(&log->lock, flags); + return; + } + data =3D log->data_start; INIT_LIST_HEAD(&log->entries); log->size =3D 0; - vfree(log->data_start); log->data_start =3D NULL; log->data_end =3D NULL; + spin_unlock_irqrestore(&log->lock, flags); + + vfree(data); } =20 int fbnic_fw_log_write(struct fbnic_dev *fbd, u64 index, u32 timestamp, 
@@ -80,13 +88,14 @@ int fbnic_fw_log_write(struct fbnic_dev *fbd, u64 index= , u32 timestamp, unsigned long flags; void *entry_end; =20 + spin_lock_irqsave(&log->lock, flags); + if (!fbnic_fw_log_ready(fbd)) { + spin_unlock_irqrestore(&log->lock, flags); dev_err(fbd->dev, "Firmware sent log entry without being requested!\n"); return -ENOSPC; } =20 - spin_lock_irqsave(&log->lock, flags); - if (list_empty(&log->entries)) { entry =3D log->data_start; } else { --=20 2.25.1
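
Review bot: in the fbnic_debugfs.c hunk, fbnic_dbg_fw_log_show() now relies on fbnic_fw_log_ready() being called with fw_log.lock held, but nothing in the patch documents or enforces that rule for future callers. Please add a comment stating that the readiness check is only valid under fw_log.lock, or a lockdep_assert_held(&fbd->fw_log.lock) next to the code that dereferences the buffer. As a style point, the added early-return branch duplicates the spin_unlock_irqrestore(); a single unlock label (or guard(spinlock_irqsave)(&fbd->fw_log.lock)) would leave one exit path to keep correct.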
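
Review bot: in the fbnic_fw_log_free() hunk, fbnic_fw_log_disable(fbd) has moved above the readiness check, so it now runs even when the log was never initialised, whereas the removed "if (!fbnic_fw_log_ready(fbd)) return;" used to skip it. The commit message only describes moving the check under the lock and does not mention this behaviour change. Please either say in the commit message that calling fbnic_fw_log_disable() on a log that is not ready is intended and safe, or keep the disable conditional. Saving log->data_start into a local and calling vfree(data) after dropping the lock looks right, since vfree() should not be called with an irqsave spinlock held.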
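
Review bot: in the fbnic_fw_log_write() hunk, the "!fbnic_fw_log_ready(fbd)" branch becomes the expected outcome for any log message that arrives between fbnic_fw_log_free() and IRQ/MBX teardown, which the commit message says is reachable, yet it still prints dev_err "Firmware sent log entry without being requested!" and returns -ENOSPC. During removal that text is misleading and can repeat for every late entry from the mailbox handler. Consider dev_err_ratelimited() or a quieter, distinct return for the torn-down case. Dropping the lock before the dev_err() call, as the hunk does, is the right ordering.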