From: sashiko-bot@kernel.org
To: "Caleb James DeLisle" <cjd@cjdns.fr>
Cc: krzk+dt@kernel.org, conor+dt@kernel.org,
devicetree@vger.kernel.org, robh@kernel.org
Subject: Re: [PATCH v2 3/5] clocksource/timer-econet-en751221: Always map all membase blocks
Date: Thu, 14 May 2026 12:30:03 +0000 [thread overview]
Message-ID: <20260514123004.10908C2BCB3@smtp.kernel.org> (raw)
In-Reply-To: <20260514000601.3430262-4-cjd@cjdns.fr>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Unconditional iteration up to a compile-time constant array size causes timer initialization to fail on hardware with fewer timer blocks, breaking boot.
- [High] The per-CPU timer interrupt is unmasked before the clockevent device is registered, creating a race window that can lead to a NULL pointer dereference.
--
commit 1a3827645212808ad5c364c42807919047db1da2
Author: Caleb James DeLisle <cjd@cjdns.fr>
clocksource/timer-econet-en751221: Always map all membase blocks
This commit simplifies the logic by unconditionally mapping all timer memory
blocks up to ARRAY_SIZE(econet_timer.membase), instead of computing the
number of blocks dynamically based on the number of possible CPUs.
> diff --git a/drivers/clocksource/timer-econet-en751221.c b/drivers/clocksource/timer-econet-en751221.c
> index 5def3e536b21c..e79069d9a826d 100644
> --- a/drivers/clocksource/timer-econet-en751221.c
> +++ b/drivers/clocksource/timer-econet-en751221.c
> @@ -173,7 +173,6 @@ static int __init cevt_init(struct device_node *np)
>
> static int __init timer_init(struct device_node *np)
> {
> - int num_blocks = DIV_ROUND_UP(num_possible_cpus(), 2);
> struct clk *clk;
> int ret;
[ ... ]
> @@ -185,7 +184,7 @@ static int __init timer_init(struct device_node *np)
>
> econet_timer.freq_hz = clk_get_rate(clk);
>
> - for (int i = 0; i < num_blocks; i++) {
> + for (int i = 0; i < ARRAY_SIZE(econet_timer.membase); i++) {
> econet_timer.membase[i] = of_iomap(np, i);
> if (!econet_timer.membase[i]) {
> pr_err("%pOFn: failed to map register [%d]\n", np, i);
Could this cause a regression on systems with fewer timer blocks, like the
EN751221 (34Kc) which only has 1 block?
Since ARRAY_SIZE(econet_timer.membase) is based on CONFIG_NR_CPUS, it
expands to a compile-time constant that can exceed the actual number of
hardware blocks.
If a kernel is built with CONFIG_NR_CPUS=4 or higher, this loop will attempt
to map 2 or more blocks. On a system with only 1 timer block and 1 reg entry
in its device tree, of_iomap(np, 1) will fail and return NULL.
Because the error path unconditionally returns -ENXIO and aborts timer
initialization, could this completely break booting on these platforms?
This isn't a regression introduced by this commit, but looking at
cevt_init_cpu():
drivers/clocksource/timer-econet-en751221.c:cevt_init_cpu() {
...
enable_percpu_irq(cd->irq, IRQ_TYPE_NONE);
/* Do this last because it synchronously configures the timer */
clockevents_config_and_register(cd, econet_timer.freq_hz,
ECONET_MIN_DELTA, ECONET_MAX_DELTA);
...
}
Is it possible for a timer interrupt to fire immediately after
enable_percpu_irq() is called?
If an interrupt fires before clockevents_config_and_register() completes,
could the interrupt handler dereference a NULL dev->event_handler(dev)?
Calling clockevents_config_and_register() before unmasking the interrupt
might close this potential race window.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260514000601.3430262-1-cjd@cjdns.fr?part=3
next prev parent reply other threads:[~2026-05-14 12:30 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-14 0:05 [PATCH v2 0/5] clocksource/timer-econet-en751221: Support irq number per timer Caleb James DeLisle
2026-05-14 0:05 ` [PATCH v2 1/5] dt-bindings: timer: econet: Update EN751627 for multi-IRQ Caleb James DeLisle
2026-05-14 11:42 ` sashiko-bot
2026-05-14 15:22 ` Caleb James DeLisle
2026-05-14 18:22 ` Conor Dooley
2026-05-14 0:05 ` [PATCH v2 2/5] clocksource/timer-econet-en751221: Move generic logic out of cevt_init Caleb James DeLisle
2026-05-14 12:05 ` sashiko-bot
2026-05-14 15:57 ` Caleb James DeLisle
2026-05-14 0:05 ` [PATCH v2 3/5] clocksource/timer-econet-en751221: Always map all membase blocks Caleb James DeLisle
2026-05-14 12:30 ` sashiko-bot [this message]
2026-05-14 16:52 ` Caleb James DeLisle
2026-05-14 0:06 ` [PATCH v2 4/5] clocksource/timer-econet-en751221: Unmap io mem on probe error Caleb James DeLisle
2026-05-14 12:56 ` sashiko-bot
2026-05-14 16:56 ` Caleb James DeLisle
2026-05-14 0:06 ` [PATCH v2 5/5] clocksource/timer-econet-en751221: Support irq number per timer Caleb James DeLisle
2026-05-14 16:18 ` sashiko-bot
2026-05-14 20:32 ` Caleb James DeLisle
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260514123004.10908C2BCB3@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=cjd@cjdns.fr \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=krzk+dt@kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.