From: Chengfeng Ye
To: kernel-team@meta.com, alexander.duyck@gmail.com, lee@trager.us, davem@davemloft.net, edumazet@google.com, pabeni@redhat.com, jacob.e.keller@intel.com, horms@kernel.org
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Chengfeng Ye
Subject: [PATCH v3] fbnic: close fw_log race between users and teardown
Date: Wed, 11 Feb 2026 19:13:29 +0000
Message-Id: <20260211191329.530886-1-dg573847474@gmail.com>
X-Mailer: git-send-email 2.25.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Fixes a theoretical race on fw_log between the teardown path and fw_log
write functions.

fw_log is written inside fbnic_fw_log_write() and can be reached from
the mailbox handler fbnic_fw_msix_intr(), but fw_log is freed before
IRQ/MBX teardown during cleanup, resulting in a potential data race of
dereferencing a freed/null variable.

Possible Interleaving Scenario:
  CPU0: fbnic_fw_msix_intr() // Entry
    fbnic_fw_log_write()
      if (fbnic_fw_log_ready())   // true
      ... preempt ...
  CPU1: fbnic_remove() // Entry
    fbnic_fw_log_free()
      vfree(log->data_start);
      log->data_start = NULL;
  CPU0: continues, walks log->entries or writes to log->data_start

The initialization also has an incorrect order problem, as the fw_log
is currently allocated after MBX setup during initialization.
Fix the problems by adjusting the synchronization order to put
initialization in place before the mailbox is enabled, and not cleared
until after the mailbox has been disabled.

Fixes: ecc53b1b46c89 ("eth: fbnic: Enable firmware logging")
Signed-off-by: Chengfeng Ye ___ Changes in v3: - Add fixes tag - Include entry functions in Interleaving Scenario Changes in v2: - Adjust synchronization instead of using lock protection - Also fix problem in initialization --- .../net/ethernet/meta/fbnic/fbnic_fw_log.c | 3 --- drivers/net/ethernet/meta/fbnic/fbnic_pci.c | 19 ++++++++++++------- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/drivers/net/ethernet/meta/fbnic/fbnic_fw_log.c b/drivers/net/e= thernet/meta/fbnic/fbnic_fw_log.c index 85a883dba385..d8a9a7d7c237 100644 --- a/drivers/net/ethernet/meta/fbnic/fbnic_fw_log.c +++ b/drivers/net/ethernet/meta/fbnic/fbnic_fw_log.c @@ -51,8 +51,6 @@ int fbnic_fw_log_init(struct fbnic_dev *fbd) log->data_start =3D data; log->data_end =3D data + FBNIC_FW_LOG_SIZE; =20 - fbnic_fw_log_enable(fbd, true); - return 0; } =20 @@ -63,7 +61,6 @@ void fbnic_fw_log_free(struct fbnic_dev *fbd) if (!fbnic_fw_log_ready(fbd)) return; =20 - fbnic_fw_log_disable(fbd); INIT_LIST_HEAD(&log->entries); log->size =3D 0; vfree(log->data_start); diff --git a/drivers/net/ethernet/meta/fbnic/fbnic_pci.c b/drivers/net/ethe= rnet/meta/fbnic/fbnic_pci.c index 9240673c7533..e92187bc1c0f 100644 --- a/drivers/net/ethernet/meta/fbnic/fbnic_pci.c +++ b/drivers/net/ethernet/meta/fbnic/fbnic_pci.c @@ -307,11 +307,17 @@ static int fbnic_probe(struct pci_dev *pdev, const st= ruct pci_device_id *ent) goto free_irqs; } =20 + err =3D fbnic_fw_log_init(fbd); + if (err) + dev_warn(fbd->dev, + "Unable to initialize firmware log buffer: %d\n", + err); + err =3D fbnic_fw_request_mbx(fbd); if (err) { dev_err(&pdev->dev, "Firmware mailbox initialization failure\n"); - goto free_irqs; + goto free_fw_log; } =20 /* Send the request to enable the FW logging to host. Note if this 
@@ -319,11 +325,7 @@ static int fbnic_probe(struct pci_dev *pdev, const str= uct pci_device_id *ent) * possible the FW is just too old to support the logging and needs * to be updated. */ - err =3D fbnic_fw_log_init(fbd); - if (err) - dev_warn(fbd->dev, - "Unable to initialize firmware log buffer: %d\n", - err); + fbnic_fw_log_enable(fbd, true); =20 fbnic_devlink_register(fbd); fbnic_devlink_otp_check(fbd, "error detected during probe"); @@ -370,6 +372,8 @@ static int fbnic_probe(struct pci_dev *pdev, const stru= ct pci_device_id *ent) * firmware updates for fixes. */ return 0; +free_fw_log: + fbnic_fw_log_free(fbd); free_irqs: fbnic_free_irqs(fbd); err_destroy_health: @@ -404,8 +408,9 @@ static void fbnic_remove(struct pci_dev *pdev) fbnic_hwmon_unregister(fbd); fbnic_dbg_fbd_exit(fbd); fbnic_devlink_unregister(fbd); - fbnic_fw_log_free(fbd); + fbnic_fw_log_disable(fbd); fbnic_fw_free_mbx(fbd); + fbnic_fw_log_free(fbd); fbnic_free_irqs(fbd); =20 fbnic_devlink_health_destroy(fbd); --=20 2.25.1
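
Review bot: in fbnic_fw_log.c, dropping fbnic_fw_log_disable(fbd) from fbnic_fw_log_free() and fbnic_fw_log_enable(fbd, true) from fbnic_fw_log_init() leaves both functions with an ordering requirement that is now enforced only by their callers and is documented nowhere. Add a comment above each function stating that enable must follow mailbox setup and that the caller must disable logging and tear down the mailbox before fbnic_fw_log_free() runs vfree(log->data_start), and check that no caller other than fbnic_probe() and fbnic_remove() relied on the old implicit enable/disable.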
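
Review bot: in fbnic_probe(), a failed fbnic_fw_log_init() is only reported with dev_warn(), yet the later fbnic_fw_log_enable(fbd, true) now runs unconditionally; before this patch the enable sat directly before the return 0 at the end of fbnic_fw_log_init(), after the buffer pointers had been set. Either skip the enable when init returned an error or state in the commit message why asking the firmware to log without a host buffer is harmless. The new free_fw_log unwind is fine after a failed init, since fbnic_fw_log_free() returns early when fbnic_fw_log_ready() is false.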
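
Review bot: in fbnic_remove(), the new order still calls fbnic_fw_log_free(fbd) before fbnic_free_irqs(fbd), so the fix depends on fbnic_fw_free_mbx() guaranteeing that no fbnic_fw_msix_intr() instance is still inside fbnic_fw_log_write() when it returns, and neither the diff nor the commit message shows what provides that. Name the mechanism in the commit message or in a comment at this call site, or move fbnic_fw_log_free() after fbnic_free_irqs() so the ordering is safe by construction.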