Re: [PATCH v6 6/8] PCI: endpoint: pci-epf-test: Don't free doorbell IRQ unless requested

Tue, 10 Feb 2026 04:36:47 -0800 

On Mon, Feb 09, 2026 at 09:53:14PM +0900, Koichiro Den wrote:
> pci_epf_test_enable_doorbell() allocates a doorbell and then installs
> the interrupt handler with request_threaded_irq(). On failures before
> the IRQ is successfully requested (e.g. no free BAR,
> request_threaded_irq() failure), the error path jumps to
> err_doorbell_cleanup and calls pci_epf_test_doorbell_cleanup().
> 
> pci_epf_test_doorbell_cleanup() unconditionally calls free_irq() for the
> doorbell virq, which can trigger "Trying to free already-free IRQ"
> warnings when the IRQ was never requested.
> 
> Track whether the doorbell IRQ has been successfully requested and only
> call free_irq() when it has.
> 
> Fixes: eff0c286aa91 ("PCI: endpoint: pci-epf-test: Add doorbell test support")
> Signed-off-by: Koichiro Den <[email protected]>
> ---
>  drivers/pci/endpoint/functions/pci-epf-test.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/pci/endpoint/functions/pci-epf-test.c 
> b/drivers/pci/endpoint/functions/pci-epf-test.c
> index 6952ee418622..23034f548c90 100644
> --- a/drivers/pci/endpoint/functions/pci-epf-test.c
> +++ b/drivers/pci/endpoint/functions/pci-epf-test.c
> @@ -86,6 +86,7 @@ struct pci_epf_test {
>       bool                    dma_private;
>       const struct pci_epc_features *epc_features;
>       struct pci_epf_bar      db_bar;
> +     bool                    db_irq_requested;
>       size_t                  bar_size[PCI_STD_NUM_BARS];
>  };
>  
> @@ -715,7 +716,10 @@ static void pci_epf_test_doorbell_cleanup(struct 
> pci_epf_test *epf_test)
>       struct pci_epf_test_reg *reg = epf_test->reg[epf_test->test_reg_bar];
>       struct pci_epf *epf = epf_test->epf;
>  
> -     free_irq(epf->db_msg[0].virq, epf_test);
> +     if (epf_test->db_irq_requested && epf->db_msg) {
> +             free_irq(epf->db_msg[0].virq, epf_test);
> +             epf_test->db_irq_requested = false;
> +     }
>       reg->doorbell_bar = cpu_to_le32(NO_BAR);
>  
>       pci_epf_free_doorbell(epf);
> @@ -741,6 +745,8 @@ static void pci_epf_test_enable_doorbell(struct 
> pci_epf_test *epf_test,
>       if (bar < BAR_0)
>               goto err_doorbell_cleanup;
>  
> +     epf_test->db_irq_requested = false;
> +
>       ret = request_threaded_irq(epf->db_msg[0].virq, NULL,
>                                  pci_epf_test_doorbell_handler, IRQF_ONESHOT,
>                                  "pci-ep-test-doorbell", epf_test);

Another bug in pci_epf_test_enable_doorbell():

Since we reuse the BAR size, and use dynamic inbound mapping,
what if the returned DB offset is larger than epf->bar[bar].size ?

I think we need something like this before calling pci_epc_set_bar():

if (reg->doorbell_offset >= epf->bar[bar].size)
    goto err_doorbell_cleanup;



Kind regards,
Niklas

Reply via email to