Re: [PATCH v2] fbnic: close fw_log race between users and teardown

Next message: Felix Gu: "Re: [PATCH] phy: ti: j721e-wiz: Fix device_node leak in wiz_get_lane_phy_types()"
Previous message: Jakub Kicinski: "Re: [PATCH net-next v3] net: mana: Add MAC address to vPort logs and clarify error messages"
In reply to: Chengfeng Ye: "[PATCH v2] fbnic: close fw_log race between users and teardown"
Next in thread: Chengfeng Ye: "Re: [PATCH v2] fbnic: close fw_log race between users and teardown"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jakub Kicinski

Date: Wed Feb 11 2026 - 13:46:34 EST

On Wed, 11 Feb 2026 15:00:22 +0000 Chengfeng Ye wrote:
> Fixes a theoretical race on fw_log between the teardown path and fw_log
> write functions.
>
> fw_log is written inside fbnic_fw_log_write() and can be reached from
> the mailbox handler fbnic_fw_msix_intr(), but fw_log is freed before
> IRQ/MBX teardown during cleanup, resulting in a potential data race of
> dereferencing a freed/null variable.
>
> Possible Interleaving scenario:
> CPU0: fbnic_fw_log_write()
> if (fbnic_fw_log_ready()) // true
> ... preempt ...
> CPU1: fbnic_fw_log_free()
> vfree(log->data_start);
> log->data_start = NULL;
> CPU0: continues, walks log->entries or writes to log->data_start

Could you be more specific about the entry points for CPU0 and CPU1?

> The initialization also has an incorrect order problem, as the fw_log
> is currently allocated after MBX setup during initialization.
> Fix the problems by adjusting the synchronization order to put
> initialization in place before the mailbox is enabled, and not cleared
> until after the mailbox has been disabled.

Since this is a fix please add a Fixes tag pointing to where the buggy
code was added.
--
pw-bot: cr