pdsc_teardown() frees DMA buffers but does not disable bus mastering, leaving the device able to perform DMA after the buffers are freed. This can lead to use-after-free if the device writes to freed memory. Add pci_clear_master() to pdsc_teardown() to disable bus mastering before freeing resources, ensuring all DMA is quiesced. Add pci_set_master() to pdsc_setup() to re-enable bus mastering, which is needed for the firmware recovery path since pdsc_teardown() now disables it. Fixes: 01ba61b55b20 ("pds_core: Add adminq processing and commands") Signed-off-by: Nikhil P. Rao --- v2: - Move pci_clear_master() from pdsc_stop() to pdsc_teardown() to cover error paths (Sashiko) - Add pci_set_master() to pdsc_setup() instead of pdsc_start() for recovery path (Sashiko) - Drop Reviewed-by since patch changed substantially v1: https://lore.kernel.org/netdev/20260603035245.32972-1-nikhil.rao@amd.com/ Sashiko review: https://sashiko.dev/#/patchset/20260603035245.32972-1-nikhil.rao%40amd.com drivers/net/ethernet/amd/pds_core/core.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/ethernet/amd/pds_core/core.c b/drivers/net/ethernet/amd/pds_core/core.c index 705cab7b0727..38a2446571af 100644 --- a/drivers/net/ethernet/amd/pds_core/core.c +++ b/drivers/net/ethernet/amd/pds_core/core.c @@ -446,6 +446,8 @@ int pdsc_setup(struct pdsc *pdsc, bool init) { int err; + pci_set_master(pdsc->pdev); + err = pdsc_dev_init(pdsc); if (err) return err; @@ -480,6 +482,8 @@ void pdsc_teardown(struct pdsc *pdsc, bool removing) if (pdsc->adminqcq.work.func) cancel_work_sync(&pdsc->adminqcq.work); + pci_clear_master(pdsc->pdev); + pdsc_core_uninit(pdsc); if (removing) { -- 2.43.0