Re: [PATCH v4 2/6] pinctrl: qcom: Register functions before enabling pinctrl

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Alexandre MINETTE via B4 Relay"
	<devnull+contact.alex-min.fr@kernel.org>
Cc: conor+dt@kernel.org, devicetree@vger.kernel.org, robh@kernel.org
Subject: Re: [PATCH v4 2/6] pinctrl: qcom: Register functions before enabling pinctrl
Date: Tue, 09 Jun 2026 10:27:18 +0000	[thread overview]
Message-ID: <20260609102718.CCAC21F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260609-mainline-send-v1-sending-v4-2-83768fbf404d@alex-min.fr>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Global function pointer `pm_power_off` and `poweroff_pctrl` state are left pointing to freed memory if probe fails.
--

commit 4cee21ced39b9add5c750146fde36a08b79745d3
Author: Alexandre MINETTE <contact@alex-min.fr>

pinctrl: qcom: Register functions before enabling pinctrl

This patch changes the initialization sequence in the Qualcomm pinctrl
driver by registering the pinctrl device with devm_pinctrl_register_and_init,
adding the SoC pin functions, and only then enabling the device to prevent
invalid function map table lookups.

> diff --git a/drivers/pinctrl/qcom/pinctrl-msm.c b/drivers/pinctrl/qcom/pinctrl-msm.c
> --- a/drivers/pinctrl/qcom/pinctrl-msm.c
> +++ b/drivers/pinctrl/qcom/pinctrl-msm.c
[ ... ]
> @@ -1593,11 +1593,11 @@ int msm_pinctrl_probe(struct platform_device *pdev,
>  	pctrl->desc.pins = pctrl->soc->pins;
>  	pctrl->desc.npins = pctrl->soc->npins;
>  
> -	pctrl->pctrl = devm_pinctrl_register(&pdev->dev, &pctrl->desc, pctrl);
[ ... ]
> +	ret = devm_pinctrl_register_and_init(&pdev->dev, &pctrl->desc,
> +					     pctrl, &pctrl->pctrl);
> +	if (ret)
> +		return dev_err_probe(&pdev->dev, ret,
> +				     "Couldn't register pinctrl driver\n");

[Severity: High]
This is a pre-existing issue, but since the failure paths are being
restructured here, what happens to the pm_power_off global pointer if this
registration (or the subsequent pinctrl_enable call) fails?

Earlier in msm_pinctrl_probe(), a call to msm_pinctrl_setup_pm_reset()
assigns the dynamically allocated pctrl to the global poweroff_pctrl pointer
and sets the global pm_power_off to msm_ps_hold_poweroff.

If probe fails here or later:

msm_pinctrl_probe()
    msm_pinctrl_setup_pm_reset(pctrl); 
    ...
    ret = devm_pinctrl_register_and_init(...)
    if (ret)
        return dev_err_probe(...);

The pctrl structure is managed by devres and will be freed upon probe
failure, leaving the global poweroff_pctrl pointing to freed memory. If the
system subsequently initiates a shutdown, msm_ps_hold_poweroff() will
dereference the freed memory, leading to a use-after-free.

Would it make sense to update msm_pinctrl_setup_pm_reset() to use
devm_register_sys_off_handler() with SYS_OFF_MODE_POWER_OFF instead of
directly assigning the pm_power_off global pointer?

>  
>  	for (i = 0; i < soc_data->nfunctions; i++) {
>  		func = &soc_data->functions[i];

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260609-mainline-send-v1-sending-v4-0-83768fbf404d@alex-min.fr?part=2

next prev parent reply	other threads:[~2026-06-09 10:27 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-09  8:13 [PATCH v4 0/6] Add Samsung Galaxy S4 support Alexandre MINETTE via B4 Relay
2026-06-09  8:13 ` Alexandre MINETTE
2026-06-09  8:13 ` [PATCH v4 1/6] dt-bindings: arm: qcom: Add Samsung Galaxy S4 Alexandre MINETTE via B4 Relay
2026-06-09  8:13   ` Alexandre MINETTE
2026-06-09  8:13 ` [PATCH v4 2/6] pinctrl: qcom: Register functions before enabling pinctrl Alexandre MINETTE via B4 Relay
2026-06-09  8:13   ` Alexandre MINETTE
2026-06-09 10:27   ` sashiko-bot [this message]
2026-06-09  8:13 ` [PATCH v4 3/6] ARM: dts: qcom: apq8064: Fix USB controller clocks Alexandre MINETTE via B4 Relay
2026-06-09  8:13   ` Alexandre MINETTE
2026-06-09 10:39   ` sashiko-bot
2026-06-09  8:13 ` [PATCH v4 4/6] mfd: qcom-pm8xxx: register PM8921 USB ID extcon Alexandre MINETTE via B4 Relay
2026-06-09  8:13   ` Alexandre MINETTE
2026-06-09 10:52   ` sashiko-bot
2026-06-09  8:13 ` [PATCH v4 5/6] extcon: qcom-spmi-misc: match PM8xxx USB ID platform device Alexandre MINETTE via B4 Relay
2026-06-09  8:13   ` Alexandre MINETTE
2026-06-09 11:03   ` sashiko-bot
2026-06-09  8:13 ` [PATCH v4 6/6] ARM: dts: qcom: Add Samsung Galaxy S4 Alexandre MINETTE via B4 Relay
2026-06-09  8:13   ` Alexandre MINETTE
2026-06-09 16:42   ` David Heidelberg

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260609102718.CCAC21F00893@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=devnull+contact.alex-min.fr@kernel.org \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.