On Thu, Apr 23, 2026 at 06:37:04PM +0200, Andrew Lunn wrote:
> > The root cause is in mana_gd_init_vf_regs(), which computes:
> >
> >     gc->shm_base = gc->bar0_va + mana_gd_r64(gc, GDMA_REG_SHM_OFFSET);
> >
> > without validating the offset read from hardware. If the register
> > returns a garbage value that is neither within bar 0 bounds nor aligned
> > to the 4-byte granularity, this causes the alignment fault.
>
> Is GDMA_REG_SHM_OFFSET special?

Hi Andrew,

GDMA_REG_SHM_OFFSET is not special. It was simply the only register read
that had no validation at all. The other two registers
(GDMA_REG_DB_PAGE_SIZE, GDMA_REG_DB_PAGE_OFFSET) already have checks in
place.

Also shm_off becomes gc->shm_base (bar0_va + shm_off) and gc->shm_base is
dereferenced via readl() (ldr w1, [x20]) in mana_smc_poll_register(),
which is why it requires 4-byte alignment on arm64 device memory. Or else
a misaligned shm_off propagates directly into a misaligned shm_base,
causing an alignment fault (FSC=0x21).

> What if GDMA_REG_DB_PAGE_SIZE or GDMA_REG_DB_PAGE_OFFSET have returned
> garbage? Are you going to die a horrible death as well?

Those two already have validation in the current code:

- GDMA_REG_DB_PAGE_SIZE is checked for < SZ_4K (returns -EPROTO)
- GDMA_REG_DB_PAGE_OFFSET is checked for >= bar0_size (returns -EPROTO)

The same checks exist for the PF equivalents (GDMA_PF_REG_DB_PAGE_SIZE and
GDMA_PF_REG_DB_PAGE_OFF) as well.

> Isn't there a way you can poll the firmware to ask it if it is ready?

Unfortunately no, as there is no separate readiness register to poll. The
existing recovery flow already waits MANA_SERVICE_PERIOD (10 seconds)
after suspend before attempting resume. If the registers are still invalid
after that, the -EPROTO triggers a PCI remove/rescan, which re-probes the
device.

> And what about the PF case. Can GDMA_PF_REG_SHM_OFF also be garbage?

Yes. This patch also adds bounds and alignment validation for the PF path:
both GDMA_SRIOV_REG_CFG_BASE_OFF and the SHM offset read via
(sriov_base_off + GDMA_PF_REG_SHM_OFF) are validated before use.

> Andrew

Regards,
Dipayaan Roy
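The VF register validation discussed in this thread, as an added stand-alone model rather than the mana driver's own code: the two existing checks plus the bounds and alignment check on the SHM offset, applied to a constructed BAR0 register snapshot. The struct, function name and the 64 KiB bar0_size are assumptions for illustration; only the register names, SZ_4K and -EPROTO come from the thread.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define SZ_4K 4096u

/* Constructed snapshot of the BAR0 registers the probe path reads.
 * Field names mirror the registers named in the thread; the struct is a
 * stand-in for the device, not the driver's gdma_context. */
struct bar0_regs {
	uint64_t db_page_size;	/* GDMA_REG_DB_PAGE_SIZE */
	uint64_t db_page_off;	/* GDMA_REG_DB_PAGE_OFFSET */
	uint64_t shm_off;	/* GDMA_REG_SHM_OFFSET */
};

/* Validate every register value before deriving a pointer from it.
 * Returns 0 if all three are usable, -EPROTO otherwise (the error code the
 * existing checks return, which feeds the PCI remove/rescan recovery). */
static int validate_vf_regs(const struct bar0_regs *r, uint64_t bar0_size)
{
	/* Existing checks described in the thread. */
	if (r->db_page_size < SZ_4K)
		return -EPROTO;
	if (r->db_page_off >= bar0_size)
		return -EPROTO;

	/* shm_off becomes shm_base = bar0_va + shm_off and is then read with
	 * readl(), so it must land inside BAR0 ... */
	if (r->shm_off >= bar0_size)
		return -EPROTO;
	/* ... and be 4-byte aligned: a misaligned readl() on arm64 device
	 * memory faults (the FSC=0x21 alignment fault in the report). */
	if (r->shm_off & 0x3)
		return -EPROTO;

	return 0;
}

int main(void)
{
	const uint64_t bar0_size = 0x10000;	/* constructed: 64 KiB BAR0 */
	struct bar0_regs good = { SZ_4K, 0x2000, 0x1000 };
	struct bar0_regs misaligned = { SZ_4K, 0x2000, 0x1002 };
	struct bar0_regs out_of_bar = { SZ_4K, 0x2000, 0xffffffffffff0000ull };

	printf("good=%d misaligned=%d out_of_bar=%d\n",
	       validate_vf_regs(&good, bar0_size),
	       validate_vf_regs(&misaligned, bar0_size),
	       validate_vf_regs(&out_of_bar, bar0_size));
	return 0;
}
```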

