From nobody Thu Apr  2 17:16:00 2026
Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com
 [209.85.210.177])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id AA33619D8BC
	for <linux-kernel@vger.kernel.org>; Wed, 11 Feb 2026 15:00:46 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.210.177
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1770822047; cv=none;
 b=UAV+vds0Xm/3lIYOLHigFh4pMZUyOO9sjKbx2MqfdJ8LOFi+P9qB1qLcbA8CFuq/73iXV69eihjoyU6YN5IY+eWzb2SkRzVF8cCYPVaQAw/RbCu6iRmpG+X2v1qwnwleKdxKuwO7OGyyPdsFYmXSq+rgEPgfgNTg4KpjVDMKDrk=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1770822047; c=relaxed/simple;
	bh=wYUR00Nza6J+sUIZluFr59NOD6UNQPdTYKj9nWWZfFI=;
	h=From:To:Cc:Subject:Date:Message-Id:MIME-Version;
 b=JwJWmOkuoI03l4j7EUFOfGmxIU68qn4r/JX38Dy+Nnbl4gDfkqbr1NbFGybDp4TaxpiU8Qy391UP6SkxgF+7ehxjXNJdO+EWHVG2j+zqPuWA3MLUuRYOKIDey6Wbo62j4hCcU0AJmqA3+uzRCccDaoupEOUAiHuWtEaUiEipcbo=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=m03h/aqM; arc=none smtp.client-ip=209.85.210.177
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="m03h/aqM"
Received: by mail-pf1-f177.google.com with SMTP id
 d2e1a72fcca58-82419761545so345709b3a.0
        for <linux-kernel@vger.kernel.org>;
 Wed, 11 Feb 2026 07:00:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1770822046; x=1771426846;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=6UvkuPKINAtCyF/ggWjkLz6su0VX75e5/NucynTwhnE=;
        b=m03h/aqMa0B8PjCQPNGErXqNTxqvAtFxoJIsOyICivLfobpQIEvraUhEdcdamt1a4L
         WFFl1E4rBESgVoZtHgRbp5H8MortIrbU7MTChcIQuIFEyaaZTry3SUqdC8nyK1BNdsD4
         XO9QpPzkktUHob6IoQ4Rc/LEHS5HuKE05XxT5tF6ivSMl/F7hZrkhnactYZ9PdQeKYgv
         G5pnTWeZWYumPeAgjdGzBUHt9SUtECy+hrf7PiqNL0ZRVLL3zYv/aq8kkyFh0UAUFnrx
         1PaHgCNbBnNMfjdE/XL/h3K8PgepUFh8aGRTZfjmna9w8rG0HX4ldDOI9xSu9hVQf+DA
         UcKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1770822046; x=1771426846;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=6UvkuPKINAtCyF/ggWjkLz6su0VX75e5/NucynTwhnE=;
        b=AJbqEvX34bM/W6vl9LaN15lOjDJzxa0iKRIy5TQl82BvYBn1ioemTPVQXGTMBSVXPD
         r5R2Kt2T6D3XhziD4COgfKZeGh01mJNWHYxsPzOeMo3HhdRT7NydBep+lgCtO4XYuLFc
         JxPu7sWaGvuquMf+268JR2ZTVsm8pIscPqahnP8E2Uy0NDNGshKUrL3J0oBnUDU5ITGv
         uaG4rW+AxFtle8sFHmrAAdDPHuXhPdxdh4TM2D/Qn3D9JGGCz/nKflVlYPGbxS0k1DRP
         8c7XwqsqqnXa+6c4FVjMz36cCGLgDuP8aRt+W0EGInXLkAB7yz2cOPdfSWVKb/gc2Yla
         8caA==
X-Forwarded-Encrypted: i=1;
 AJvYcCVRyj8P1p1T3+ZDLb0tkuLeVT1IMRF7+DlkiMDkvLyDrfVg3oqmXH1Y0VapCpJMuZ+3CadOc7LjUNJDljA=@vger.kernel.org
X-Gm-Message-State: AOJu0YxTsCG5f5WibnG7aARgMUgm9W8LrFIrqPR4AKVoC6pgqRYIFiIL
	qKLlz3czlLbnKSWoj3N25G4mLNMkIFiIID5SxrJrBL8E+v242x+cgwTz
X-Gm-Gg: AZuq6aKfpLdClhHBsVr1zxLtC2LbXu5WLKTfiYbRu9e/9RV+AVOmEw2soCpJmO9FWnS
	3jUZQmwnRnt/UWZNwcX3KQW7+lKoneHBJOqHM0QxTRXf/jdREa+XC6lKtLcUcpKykaHPJPBLZj4
	k9aZbU4jRicctbZNQymzZzZa6ttXFDJUF6Iq/XyJYHzJvNdCWfylAVsUfGd1qrDBvWx961pxKjP
	nlXSIy7G7qPY4lgVZOEhDRP5WtV9M0SNIee7xMYflNNP8+ZdwVyDXaA/nVm8cIbLCfNWoumW178
	l6p/QYKA7T+n3C6tssEp2GLL+jgO9nRpdlFGo7tb8f0isBka/aj53YfPzJErA2SqAa39bWYm5R5
	mEWKL/QcZJtpDb5E4BRm1TmSRcxqJKaeuaNVnhvGhMSHyhRLYTLofU78z59WZj0u5eUZmJpIqj7
	OSbmnv66tdBS4cAd/q7xg7mV/8nffF5pEVriwMChXsj927Waet1HEWu4v0mNBCn4X5si80zjY=
X-Received: by 2002:a05:6a20:4310:b0:389:7889:7b7a with SMTP id
 adf61e73a8af0-394326087e2mr1751764637.8.1770822045604;
        Wed, 11 Feb 2026 07:00:45 -0800 (PST)
Received: from 3ce1e5d2d1b2.cse.ust.hk (191host009.mobilenet.cse.ust.hk.
 [143.89.191.9])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-8249e3bd627sm3164445b3a.25.2026.02.11.07.00.43
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 11 Feb 2026 07:00:45 -0800 (PST)
From: Chengfeng Ye <dg573847474@gmail.com>
To: kernel-team@meta.com,
	alexander.duyck@gmail.com,
	lee@trager.us,
	davem@davemloft.net,
	edumazet@google.com,
	pabeni@redhat.com,
	jacob.e.keller@intel.com,
	horms@kernel.org
Cc: netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Chengfeng Ye <dg573847474@gmail.com>
Subject: [PATCH v2] fbnic: close fw_log race between users and teardown
Date: Wed, 11 Feb 2026 15:00:22 +0000
Message-Id: <20260211150022.527956-1-dg573847474@gmail.com>
X-Mailer: git-send-email 2.25.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Fixes a theoretical race on fw_log between the teardown path and fw_log
write functions.

fw_log is written inside fbnic_fw_log_write() and can be reached from
the mailbox handler fbnic_fw_msix_intr(), but fw_log is freed before
IRQ/MBX teardown during cleanup, resulting in a potential data race of
dereferencing a freed/null variable.

Possible Interleaving scenario:
  CPU0: fbnic_fw_log_write()
          if (fbnic_fw_log_ready())   // true
          ... preempt ...
  CPU1: fbnic_fw_log_free()
          vfree(log->data_start);
          log->data_start =3D NULL;
  CPU0: continues, walks log->entries or writes to log->data_start

The initialization also has an incorrect order problem, as the fw_log
is currently allocated after MBX setup during initialization.
Fix the problems by adjusting the synchronization order to put
initialization in place before the mailbox is enabled, and not cleared
until after the mailbox has been disabled.

Signed-off-by: Chengfeng Ye <dg573847474@gmail.com>
---
Changes in v2:
  - Adjust synchronization instead of using lock protection
  - Also fix problem in initialization
--
 .../net/ethernet/meta/fbnic/fbnic_fw_log.c    |  3 ---
 drivers/net/ethernet/meta/fbnic/fbnic_pci.c   | 19 ++++++++++++-------
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/drivers/net/ethernet/meta/fbnic/fbnic_fw_log.c b/drivers/net/e=
thernet/meta/fbnic/fbnic_fw_log.c
index 85a883dba385..d8a9a7d7c237 100644
--- a/drivers/net/ethernet/meta/fbnic/fbnic_fw_log.c
+++ b/drivers/net/ethernet/meta/fbnic/fbnic_fw_log.c
@@ -51,8 +51,6 @@ int fbnic_fw_log_init(struct fbnic_dev *fbd)
 	log->data_start =3D data;
 	log->data_end =3D data + FBNIC_FW_LOG_SIZE;
=20
-	fbnic_fw_log_enable(fbd, true);
-
 	return 0;
 }
=20
@@ -63,7 +61,6 @@ void fbnic_fw_log_free(struct fbnic_dev *fbd)
 	if (!fbnic_fw_log_ready(fbd))
 		return;
=20
-	fbnic_fw_log_disable(fbd);
 	INIT_LIST_HEAD(&log->entries);
 	log->size =3D 0;
 	vfree(log->data_start);
diff --git a/drivers/net/ethernet/meta/fbnic/fbnic_pci.c b/drivers/net/ethe=
rnet/meta/fbnic/fbnic_pci.c
index 9240673c7533..e92187bc1c0f 100644
--- a/drivers/net/ethernet/meta/fbnic/fbnic_pci.c
+++ b/drivers/net/ethernet/meta/fbnic/fbnic_pci.c
@@ -307,11 +307,17 @@ static int fbnic_probe(struct pci_dev *pdev, const st=
ruct pci_device_id *ent)
 		goto free_irqs;
 	}
=20
+	err =3D fbnic_fw_log_init(fbd);
+	if (err)
+		dev_warn(fbd->dev,
+			 "Unable to initialize firmware log buffer: %d\n",
+			 err);
+
 	err =3D fbnic_fw_request_mbx(fbd);
 	if (err) {
 		dev_err(&pdev->dev,
 			"Firmware mailbox initialization failure\n");
-		goto free_irqs;
+		goto free_fw_log;
 	}
=20
 	/* Send the request to enable the FW logging to host. Note if this
@@ -319,11 +325,7 @@ static int fbnic_probe(struct pci_dev *pdev, const str=
uct pci_device_id *ent)
 	 * possible the FW is just too old to support the logging and needs
 	 * to be updated.
 	 */
-	err =3D fbnic_fw_log_init(fbd);
-	if (err)
-		dev_warn(fbd->dev,
-			 "Unable to initialize firmware log buffer: %d\n",
-			 err);
+	fbnic_fw_log_enable(fbd, true);
=20
 	fbnic_devlink_register(fbd);
 	fbnic_devlink_otp_check(fbd, "error detected during probe");
@@ -370,6 +372,8 @@ static int fbnic_probe(struct pci_dev *pdev, const stru=
ct pci_device_id *ent)
 	  * firmware updates for fixes.
 	  */
 	return 0;
+free_fw_log:
+	fbnic_fw_log_free(fbd);
 free_irqs:
 	fbnic_free_irqs(fbd);
 err_destroy_health:
@@ -404,8 +408,9 @@ static void fbnic_remove(struct pci_dev *pdev)
 	fbnic_hwmon_unregister(fbd);
 	fbnic_dbg_fbd_exit(fbd);
 	fbnic_devlink_unregister(fbd);
-	fbnic_fw_log_free(fbd);
+	fbnic_fw_log_disable(fbd);
 	fbnic_fw_free_mbx(fbd);
+	fbnic_fw_log_free(fbd);
 	fbnic_free_irqs(fbd);
=20
 	fbnic_devlink_health_destroy(fbd);
--=20
2.25.1