Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] If device_register() fails in vmbus_device_register(), the error handling path panics the kernel due to a BUG_ON, and would result in a double free if the panic were bypassed.
--

commit 575a138c8a50043a8fa9993f9a0f7b0f34865b8a
Author: Michael Kelley <[email protected]>

Drivers: hv: vmbus: Set DMA coherent mask for VMBus devices

This commit fixes DMA allocation failures for VMBus devices in CoCo VMs. It ensures the coherent_dma_mask is set to 64 bits at the same time the dma_mask is configured during vmbus_device_register().

> diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c > index 23206640c6139..a6b9a33db6578 100644 > --- a/drivers/hv/vmbus_drv.c > +++ b/drivers/hv/vmbus_drv.c 
> @@ -2169,6 +2169,7 @@ int vmbus_device_register(struct hv_device > *child_device_obj) > child_device_obj->device.dma_parms = &child_device_obj->dma_parms; > child_device_obj->device.dma_mask = &child_device_obj->dma_mask; > dma_set_mask(&child_device_obj->device, DMA_BIT_MASK(64)); > + dma_set_coherent_mask(&child_device_obj->device, DMA_BIT_MASK(64)); > > /* > * Register with the LDM. This will kick off the driver/device

[Severity: High]
This is a pre-existing issue, but does the error handling path for device_register() further down in this function cause a kernel panic?

If device_register() fails, the code calls put_device():

vmbus_device_register()
{
	...
	ret = device_register(&child_device_obj->device);
	if (ret) {
		pr_err("Unable to register child device\n");
		put_device(&child_device_obj->device);
		return ret;
	}
	...
}

This triggers the release callback vmbus_device_release(), which unconditionally invokes hv_process_channel_removal(). However, hv_process_channel_removal() begins with:

	BUG_ON(!channel->rescind);

Since channel->rescind is false during initial channel offer processing, would this BUG_ON fire and crash the kernel?

Additionally, if the BUG_ON were bypassed, hv_process_channel_removal() calls free_channel(channel). The error then propagates up to vmbus_add_channel_work(), which takes the err_deq_chan label and calls free_channel(newchannel) again. Does this sequence result in a double free?

--
Sashiko AI review · https://sashiko.dev/#/patchset/[email protected]?part=1
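
Review bot: The added dma_set_coherent_mask() call in vmbus_device_register() discards its return value, as does the dma_set_mask() call directly above it, so a failure to apply either mask would go unnoticed before the device is registered. Consider replacing the pair with a single dma_set_mask_and_coherent(&child_device_obj->device, DMA_BIT_MASK(64)) and either checking the result or adding a short comment on why a 64-bit mask cannot fail here. A one-line comment above the call stating why the coherent mask is needed (the CoCo VM allocation failures named in the commit message) would also help, since nothing in the hunk itself records that reason.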
