| Seq | Timestamp | Type | Name | Duration |
|---|---|---|---|---|
| 0/0 | 2026/06/25 03:30 | flow | patch-triage |
0mArgs:null Results: {
"EnableConfigs": null,
"FocusSymbols": [],
"Reasoning": "The patch modifies the Marvell Armada network buffer manager (mvneta_bm) and ethernet driver (mvneta), which are hardware-specific platform drivers for Marvell SoCs. These devices are not emulated in standard virtualized environments (like QEMU virt machines) used for fuzzing, making the code unreachable.",
"WorthFuzzing": false
} |
| 1/1 | 2026/06/25 03:30 | action | read-patch-diff |
0mArgs:null Results: {
"PatchDiff": "commit a3cc63d65cfbb436f23fe7020d0499776a658126\nAuthor: syz-cluster \u003ctriage@syzkaller.com\u003e\nDate: Thu Jun 25 03:30:17 2026 +0000\n\n syz-cluster: applied patch under review\n\ndiff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c\nindex 0c061fb0ed072a..488f2663ad2c44 100644\n--- a/drivers/net/ethernet/marvell/mvneta.c\n+++ b/drivers/net/ethernet/marvell/mvneta.c\n@@ -5678,6 +5678,24 @@ static int mvneta_probe(struct platform_device *pdev)\n \t\t\t\t\t \"use SW buffer management\\n\");\n \t\t\t\tmvneta_bm_put(pp-\u003ebm_priv);\n \t\t\t\tpp-\u003ebm_priv = NULL;\n+\t\t\t} else if (!device_link_add(\u0026pdev-\u003edev,\n+\t\t\t\t\t\t \u0026pp-\u003ebm_priv-\u003epdev-\u003edev,\n+\t\t\t\t\t\t DL_FLAG_AUTOREMOVE_CONSUMER)) {\n+\t\t\t\t/*\n+\t\t\t\t * Link guarantees BM resumes before mvneta.\n+\t\t\t\t * Without it, BM may not be ready when\n+\t\t\t\t * mvneta_bm_port_init() runs on resume,\n+\t\t\t\t * causing stale buffer addresses and a crash.\n+\t\t\t\t * Fall back to SW management to be safe.\n+\t\t\t\t */\n+\t\t\t\tdev_warn(\u0026pdev-\u003edev,\n+\t\t\t\t\t \"failed to link to BM, use SW buffer management\\n\");\n+\t\t\t\tmvneta_bm_pool_destroy(pp-\u003ebm_priv,\n+\t\t\t\t\t\t pp-\u003epool_long, 1 \u003c\u003c pp-\u003eid);\n+\t\t\t\tmvneta_bm_pool_destroy(pp-\u003ebm_priv,\n+\t\t\t\t\t\t pp-\u003epool_short, 1 \u003c\u003c pp-\u003eid);\n+\t\t\t\tmvneta_bm_put(pp-\u003ebm_priv);\n+\t\t\t\tpp-\u003ebm_priv = NULL;\n \t\t\t}\n \t\t}\n \t\t/* Set RX packet offset correction for platforms, whose\ndiff --git a/drivers/net/ethernet/marvell/mvneta_bm.c b/drivers/net/ethernet/marvell/mvneta_bm.c\nindex 6bb38049491906..c23982bfc20b89 100644\n--- a/drivers/net/ethernet/marvell/mvneta_bm.c\n+++ b/drivers/net/ethernet/marvell/mvneta_bm.c\n@@ -477,6 +477,68 @@ static void mvneta_bm_remove(struct platform_device *pdev)\n \tclk_disable_unprepare(priv-\u003eclk);\n }\n \n+static int mvneta_bm_suspend(struct device *dev)\n+{\n+\tstruct mvneta_bm *priv = dev_get_drvdata(dev);\n+\tint i;\n+\n+\t/* Drain buffers and free pool resources while BM is still clocked */\n+\tfor (i = 0; i \u003c MVNETA_BM_POOLS_NUM; i++) {\n+\t\tstruct mvneta_bm_pool *bm_pool = \u0026priv-\u003ebm_pools[i];\n+\t\tint size_bytes;\n+\n+\t\tif (bm_pool-\u003etype == MVNETA_BM_FREE)\n+\t\t\tcontinue;\n+\n+\t\tmvneta_bm_bufs_free(priv, bm_pool, bm_pool-\u003eport_map);\n+\t\tif (bm_pool-\u003ehwbm_pool.buf_num)\n+\t\t\tdev_warn(\u0026priv-\u003epdev-\u003edev,\n+\t\t\t\t \"pool %d: %d buffers not freed\\n\",\n+\t\t\t\t bm_pool-\u003eid, bm_pool-\u003ehwbm_pool.buf_num);\n+\n+\t\tmvneta_bm_pool_disable(priv, bm_pool-\u003eid);\n+\n+\t\tif (bm_pool-\u003evirt_addr) {\n+\t\t\tsize_bytes = sizeof(u32) * bm_pool-\u003ehwbm_pool.size;\n+\t\t\tdma_free_coherent(\u0026priv-\u003epdev-\u003edev, size_bytes,\n+\t\t\t\t\t bm_pool-\u003evirt_addr,\n+\t\t\t\t\t bm_pool-\u003ephys_addr);\n+\t\t\tbm_pool-\u003evirt_addr = NULL;\n+\t\t}\n+\t\tbm_pool-\u003etype = MVNETA_BM_FREE;\n+\t}\n+\n+\tmvneta_bm_write(priv, MVNETA_BM_COMMAND_REG, MVNETA_BM_STOP_MASK);\n+\tclk_disable_unprepare(priv-\u003eclk);\n+\treturn 0;\n+}\n+\n+static int mvneta_bm_resume(struct device *dev)\n+{\n+\tstruct mvneta_bm *priv = dev_get_drvdata(dev);\n+\tint i, err;\n+\n+\terr = clk_prepare_enable(priv-\u003eclk);\n+\tif (err)\n+\t\treturn err;\n+\n+\t/* Reinitialize BM hardware; pools are refilled by mvneta_resume() */\n+\tmvneta_bm_default_set(priv);\n+\n+\t/* Restore pool registers lost during clock gating */\n+\tfor (i = 0; i \u003c MVNETA_BM_POOLS_NUM; i++) {\n+\t\tmvneta_bm_write(priv, MVNETA_BM_POOL_READ_PTR_REG(i), 0);\n+\t\tmvneta_bm_write(priv, MVNETA_BM_POOL_WRITE_PTR_REG(i), 0);\n+\t\tmvneta_bm_write(priv, MVNETA_BM_POOL_SIZE_REG(i),\n+\t\t\t\tpriv-\u003ebm_pools[i].hwbm_pool.size);\n+\t}\n+\n+\tmvneta_bm_write(priv, MVNETA_BM_COMMAND_REG, MVNETA_BM_START_MASK);\n+\treturn 0;\n+}\n+\n+static DEFINE_SIMPLE_DEV_PM_OPS(mvneta_bm_pm_ops, mvneta_bm_suspend, mvneta_bm_resume);\n+\n static const struct of_device_id mvneta_bm_match[] = {\n \t{ .compatible = \"marvell,armada-380-neta-bm\" },\n \t{ }\n@@ -489,6 +551,7 @@ static struct platform_driver mvneta_bm_driver = {\n \t.driver = {\n \t\t.name = MVNETA_BM_DRIVER_NAME,\n \t\t.of_match_table = mvneta_bm_match,\n+\t\t.pm = pm_sleep_ptr(\u0026mvneta_bm_pm_ops),\n \t},\n };\n \n"
} |
| 2/1 | 2026/06/25 03:30 | agent | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: {
"EnableConfigs": null,
"FocusSymbols": [],
"Reasoning": "The patch modifies the Marvell Armada network buffer manager (mvneta_bm) and ethernet driver (mvneta), which are hardware-specific platform drivers for Marvell SoCs. These devices are not emulated in standard virtualized environments (like QEMU virt machines) used for fuzzing, making the code unreachable.",
"WorthFuzzing": false
}Instruction: You are an expert Linux kernel maintainer. Your job is to review a provided patch series and determine if it makes functional changes to the kernel that should be fuzzed. IMPORTANT: The changes have ALREADY been applied and committed as the HEAD commit in your workspace. Do NOT rely on your internal knowledge of the kernel. You must actively use your code access tools to examine the actual source code and confirm any assumptions. Return WorthFuzzing=false if the patch only contains: - Modifications to Documentation/, Kconfig files, or code comments. - Purely decorative changes, such as logging (e.g., pr_err, printk) or tracepoints. - Changes to numeric constants or macros that do not functionally alter execution flow. - Code paths that are impossible to reach in virtualized environments like GCE or QEMU, even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim). If it modifies reachable core kernel logic, drivers, or architectures, use your code search tools to verify the code can be executed, then return WorthFuzzing=true. When returning WorthFuzzing=true, you MUST ALSO: 1. Extract any specific kernel functions that should be heavily fuzzed into FocusSymbols. Avoid listing generic hot-path functions to prevent skewed test distributions. 2. Identify any specific CONFIG_ options required to properly test this new/modified feature. Go and look into the Kconfig files and check for ifdefs around the code, do not make assumptions. Do not list too generic configs (we already have them enabled). Only list those that specifically cover the modified code. List them in the EnableConfigs output array, and DO NOT add a 'CONFIG_' prefix (e.g., return "NET_IPV4" instead of "CONFIG_NET_IPV4"). Prefer calling several tools at the same time to save round-trips. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool. Prompt: For your convenience, here is the diff of the changes:
commit a3cc63d65cfbb436f23fe7020d0499776a658126
Author: syz-cluster <triage@syzkaller.com>
Date: Thu Jun 25 03:30:17 2026 +0000
syz-cluster: applied patch under review
diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
index 0c061fb0ed072a..488f2663ad2c44 100644
--- a/drivers/net/ethernet/marvell/mvneta.c
+++ b/drivers/net/ethernet/marvell/mvneta.c
@@ -5678,6 +5678,24 @@ static int mvneta_probe(struct platform_device *pdev)
"use SW buffer management\n");
mvneta_bm_put(pp->bm_priv);
pp->bm_priv = NULL;
+ } else if (!device_link_add(&pdev->dev,
+ &pp->bm_priv->pdev->dev,
+ DL_FLAG_AUTOREMOVE_CONSUMER)) {
+ /*
+ * Link guarantees BM resumes before mvneta.
+ * Without it, BM may not be ready when
+ * mvneta_bm_port_init() runs on resume,
+ * causing stale buffer addresses and a crash.
+ * Fall back to SW management to be safe.
+ */
+ dev_warn(&pdev->dev,
+ "failed to link to BM, use SW buffer management\n");
+ mvneta_bm_pool_destroy(pp->bm_priv,
+ pp->pool_long, 1 << pp->id);
+ mvneta_bm_pool_destroy(pp->bm_priv,
+ pp->pool_short, 1 << pp->id);
+ mvneta_bm_put(pp->bm_priv);
+ pp->bm_priv = NULL;
}
}
/* Set RX packet offset correction for platforms, whose
diff --git a/drivers/net/ethernet/marvell/mvneta_bm.c b/drivers/net/ethernet/marvell/mvneta_bm.c
index 6bb38049491906..c23982bfc20b89 100644
--- a/drivers/net/ethernet/marvell/mvneta_bm.c
+++ b/drivers/net/ethernet/marvell/mvneta_bm.c
@@ -477,6 +477,68 @@ static void mvneta_bm_remove(struct platform_device *pdev)
clk_disable_unprepare(priv->clk);
}
+static int mvneta_bm_suspend(struct device *dev)
+{
+ struct mvneta_bm *priv = dev_get_drvdata(dev);
+ int i;
+
+ /* Drain buffers and free pool resources while BM is still clocked */
+ for (i = 0; i < MVNETA_BM_POOLS_NUM; i++) {
+ struct mvneta_bm_pool *bm_pool = &priv->bm_pools[i];
+ int size_bytes;
+
+ if (bm_pool->type == MVNETA_BM_FREE)
+ continue;
+
+ mvneta_bm_bufs_free(priv, bm_pool, bm_pool->port_map);
+ if (bm_pool->hwbm_pool.buf_num)
+ dev_warn(&priv->pdev->dev,
+ "pool %d: %d buffers not freed\n",
+ bm_pool->id, bm_pool->hwbm_pool.buf_num);
+
+ mvneta_bm_pool_disable(priv, bm_pool->id);
+
+ if (bm_pool->virt_addr) {
+ size_bytes = sizeof(u32) * bm_pool->hwbm_pool.size;
+ dma_free_coherent(&priv->pdev->dev, size_bytes,
+ bm_pool->virt_addr,
+ bm_pool->phys_addr);
+ bm_pool->virt_addr = NULL;
+ }
+ bm_pool->type = MVNETA_BM_FREE;
+ }
+
+ mvneta_bm_write(priv, MVNETA_BM_COMMAND_REG, MVNETA_BM_STOP_MASK);
+ clk_disable_unprepare(priv->clk);
+ return 0;
+}
+
+static int mvneta_bm_resume(struct device *dev)
+{
+ struct mvneta_bm *priv = dev_get_drvdata(dev);
+ int i, err;
+
+ err = clk_prepare_enable(priv->clk);
+ if (err)
+ return err;
+
+ /* Reinitialize BM hardware; pools are refilled by mvneta_resume() */
+ mvneta_bm_default_set(priv);
+
+ /* Restore pool registers lost during clock gating */
+ for (i = 0; i < MVNETA_BM_POOLS_NUM; i++) {
+ mvneta_bm_write(priv, MVNETA_BM_POOL_READ_PTR_REG(i), 0);
+ mvneta_bm_write(priv, MVNETA_BM_POOL_WRITE_PTR_REG(i), 0);
+ mvneta_bm_write(priv, MVNETA_BM_POOL_SIZE_REG(i),
+ priv->bm_pools[i].hwbm_pool.size);
+ }
+
+ mvneta_bm_write(priv, MVNETA_BM_COMMAND_REG, MVNETA_BM_START_MASK);
+ return 0;
+}
+
+static DEFINE_SIMPLE_DEV_PM_OPS(mvneta_bm_pm_ops, mvneta_bm_suspend, mvneta_bm_resume);
+
static const struct of_device_id mvneta_bm_match[] = {
{ .compatible = "marvell,armada-380-neta-bm" },
{ }
@@ -489,6 +551,7 @@ static struct platform_driver mvneta_bm_driver = {
.driver = {
.name = MVNETA_BM_DRIVER_NAME,
.of_match_table = mvneta_bm_match,
+ .pm = pm_sleep_ptr(&mvneta_bm_pm_ops),
},
};
|
| 3/2 | 2026/06/25 03:30 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 3183 output: 96 thoughts: 878 Thoughts: **Assessing the Fuzzability of a Marvell Armada Ethernet Driver Patch** Okay, so I've got this patch that touches `drivers/net/ethernet/marvell/mvneta.c` and `drivers/net/ethernet/marvell/mvneta_bm.c`. Seems like it's adding suspend/resume support to the Marvell Armada 38x Network Buffer Manager (`mvneta_bm.c`) and adding a device link in `mvneta.c`. My initial thought is, this is likely a dead end for standard fuzzing. This is a *platform* driver, specific to Marvell Armada SoCs. Let's drill down. Can I even *reach* this code in something like GCE or QEMU? These sorts of platform drivers, especially for a specific SoC like Marvell Armada, are usually a nightmare to emulate effectively, if at all. `mvneta` is for devices like "marvell,armada-370-neta", "marvell,armada-380-neta", etc., and `mvneta_bm` for "marvell,armada-380-neta-bm." Memory-mapped devices, totally off-limits in a standard QEMU x86_64 or arm64 virt environment. Right, so how *could* I get to it? The driver uses `platform_driver_register`, and the devices are brought to life via Device Tree. Hmm, maybe syzkaller could inject something with its device tree overlays? I know it *can* inject platform devices via `syz_dev_init` or similar, but my experience is that hardware-specific ethernet controllers on embedded SoCs are rarely truly fuzzed unless there's explicit support. I should check if `MVNETA` is even enabled in typical defconfigs. But, honestly, if it's a hardware-specific driver that's not emulated, it's generally considered unreachable for generic fuzzing. Just to be thorough, I should double-check if QEMU has any Marvell Armada board emulation that's usable. QEMU *does* have some, but syzkaller usually sticks to `virt` machines. And this patch is about suspend/resume... `mvneta_bm_suspend`, `mvneta_bm_resume`. Suspend/resume paths are notoriously difficult to fuzz *effectively* without the actual hardware, especially for platform devices. Back to the patch. It's adding `mvneta_bm_suspend`, `mvneta_bm_resume` and `device_link_add` in `mvneta_probe`. Is it even *worth* the effort? Right, the question to ask: "Return WorthFuzzing=false if the patch only contains... Code paths that are impossible to reach in virtualized environments..." This is a Marvell Armada ethernet controller, a platform device. Bingo. I think I'm done. Given that this is a hardware-specific platform driver for Marvell Armada SoCs, and these devices are not emulated in standard fuzzing environments, I'm going to return `WorthFuzzing=false`. It's just not reachable. Let's make sure it's all specific to the Marvell Armada code. Yep, entirely within `drivers/net/ethernet/marvell/mvneta.c` and `mvneta_bm.c`. Okay, time to call set-results. WorthFuzzing: false Reasoning: The patch modifies the Marvell Armada network buffer manager (mvneta_bm) and ethernet driver (mvneta), which are hardware-specific platform drivers for Marvell SoCs. These devices are not emulated in standard virtualized environments (like QEMU virt machines) used for fuzzing, making the code unreachable. FocusSymbols: [] EnableConfigs: [] |
| 4/2 | 2026/06/25 03:30 | tool | set-results |
0mArgs:{
"EnableConfigs": [],
"FocusSymbols": [],
"Reasoning": "The patch modifies the Marvell Armada network buffer manager (mvneta_bm) and ethernet driver (mvneta), which are hardware-specific platform drivers for Marvell SoCs. These devices are not emulated in standard virtualized environments (like QEMU virt machines) used for fuzzing, making the code unreachable.",
"WorthFuzzing": false
}Results: {
"EnableConfigs": null,
"FocusSymbols": [],
"Reasoning": "The patch modifies the Marvell Armada network buffer manager (mvneta_bm) and ethernet driver (mvneta), which are hardware-specific platform drivers for Marvell SoCs. These devices are not emulated in standard virtualized environments (like QEMU virt machines) used for fuzzing, making the code unreachable.",
"WorthFuzzing": false
} |
| Total Calls | Total Tokens | Avg Tokens | Total Duration (Seconds) | Avg Duration (Seconds) |
|---|
| Total Calls | Total Duration (Seconds) | Avg Duration (Seconds) |
|---|