From: sashiko-bot@kernel.org
To: "Luca Leonardo Scorcia" <l.scorcia@gmail.com>
Cc: conor+dt@kernel.org, devicetree@vger.kernel.org,
linux-input@vger.kernel.org, dmitry.torokhov@gmail.com,
robh@kernel.org
Subject: Re: [PATCH v8 5/9] mfd: mt6397: Add support for MT6392 PMIC
Date: Sat, 20 Jun 2026 20:20:27 +0000 [thread overview]
Message-ID: <20260620202027.60DA61F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260620200032.334192-6-l.scorcia@gmail.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
Pre-existing issues:
- [High] Missing unregister_pm_notifier() causes Use-After-Free of PM notifier block on probe error and driver unbind.
- [High] The IRQ domain is created with a hardcoded size of MT6397_IRQ_NR (32), which breaks PMICs like MT6328 that use a third interrupt register (hwirqs 32-47).
- [High] `mt6397_irq_pm_notifier` modifies IRQ mask registers concurrently with running tasks, causing race conditions.
--
commit 15d5fe2891c82970874377c126d0244fd87f5699
Author: Fabien Parent <parent.f@gmail.com>
mfd: mt6397: Add support for MT6392 PMIC
Align the MT6397 PMIC driver to other MFD drivers by passing only an
identifier through mt6397_of_match[*].data and add support for the MT6392
PMIC and its regulator, RTC, keys and pinctrl devices.
> diff --git a/drivers/mfd/mt6397-core.c b/drivers/mfd/mt6397-core.c
> index ccd97d66d7f1c..f683e878543e1 100644
> --- a/drivers/mfd/mt6397-core.c
> +++ b/drivers/mfd/mt6397-core.c
[ ... ]
> @@ -278,6 +311,7 @@ static int mt6397_probe(struct platform_device *pdev)
> unsigned int id = 0;
> struct mt6397_chip *pmic;
> const struct chip_data *pmic_core;
> + int chip_variant;
>
> pmic = devm_kzalloc(&pdev->dev, sizeof(*pmic), GFP_KERNEL);
> if (!pmic)
> @@ -293,9 +327,36 @@ static int mt6397_probe(struct platform_device *pdev)
> if (!pmic->regmap)
> return -ENODEV;
>
> - pmic_core = of_device_get_match_data(&pdev->dev);
> - if (!pmic_core)
> + chip_variant = (unsigned int)(uintptr_t)device_get_match_data(&pdev->dev);
> + switch (chip_variant) {
[ ... ]
> + case MT6392_CHIP_ID:
> + pmic_core = &mt6392_core;
> + break;
[ ... ]
[Severity: High]
This isn't a bug introduced by this patch, but looking at the error path of
mt6397_probe() in drivers/mfd/mt6397-core.c:
ret = pmic_core->irq_init(pmic);
if (ret)
return ret;
ret = devm_mfd_add_devices(&pdev->dev, PLATFORM_DEVID_NONE,
pmic_core->cells, pmic_core->cell_size,
NULL, 0, pmic->irq_domain);
if (ret) {
irq_domain_remove(pmic->irq_domain);
dev_err(&pdev->dev, "failed to add child devices: %d\n", ret);
}
return ret;
Since mt6397_irq_init() registers a PM notifier with register_pm_notifier(),
if devm_mfd_add_devices() fails (or when the driver is unbound), the devres
cleanup will automatically free the pmic structure containing the pm_nb
notifier block.
Because unregister_pm_notifier() is never called in this error path or in a
remove callback, will this leave a dangling pointer in the PM subsystem that
causes a Use-After-Free during the next suspend/resume cycle?
> diff --git a/drivers/mfd/mt6397-irq.c b/drivers/mfd/mt6397-irq.c
> index 5d2e5459f7444..80ea5b92d232f 100644
> --- a/drivers/mfd/mt6397-irq.c
> +++ b/drivers/mfd/mt6397-irq.c
[ ... ]
> @@ -203,6 +205,12 @@ int mt6397_irq_init(struct mt6397_chip *chip)
> chip->int_status[0] = MT6397_INT_STATUS0;
> chip->int_status[1] = MT6397_INT_STATUS1;
> break;
> + case MT6392_CHIP_ID:
> + chip->int_con[0] = MT6392_INT_CON0;
> + chip->int_con[1] = MT6392_INT_CON1;
> + chip->int_status[0] = MT6392_INT_STATUS0;
> + chip->int_status[1] = MT6392_INT_STATUS1;
> + break;
>
> default:
> dev_err(chip->dev, "unsupported chip: 0x%x\n", chip->chip_id);
[Severity: High]
This is a pre-existing issue, but further down in mt6397_irq_init() in
drivers/mfd/mt6397-irq.c, the linear IRQ domain is allocated with a hardcoded
size:
chip->irq_domain = irq_domain_create_linear(dev_fwnode(chip->dev), MT6397_IRQ_NR,
&mt6397_irq_domain_ops, chip);
Since MT6397_IRQ_NR is 32, but PMICs like MT6328 use a third interrupt
status register for hardware IRQs 32-47:
if (mt6397->int_status[2])
mt6397_irq_handle_reg(mt6397, mt6397->int_status[2], 32);
Won't irq_find_mapping() silently fail to find a mapping for any interrupts
at index 32 or higher, breaking functionality for those higher-numbered
interrupts?
[Severity: High]
This is also a pre-existing issue, but mt6397_irq_pm_notifier() in
drivers/mfd/mt6397-irq.c writes directly to the PMIC's interrupt control
registers without locking:
case PM_SUSPEND_PREPARE:
regmap_write(chip->regmap,
chip->int_con[0], chip->wake_mask[0]);
Because PM_SUSPEND_PREPARE runs before user tasks are frozen, running tasks
can concurrently request or enable an IRQ. When this happens,
mt6397_irq_sync_unlock() will acquire irqlock and write irq_masks_cur
to the same registers:
regmap_write(mt6397->regmap, mt6397->int_con[0],
mt6397->irq_masks_cur[0]);
Could this concurrent modification overwrite the suspend configuration
established by the notifier, leading to lost wakeup sources or spurious
interrupts?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260620200032.334192-1-l.scorcia@gmail.com?part=5
next prev parent reply other threads:[~2026-06-20 20:20 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-20 19:56 [PATCH v8 0/9] Add support for MT6392 PMIC Luca Leonardo Scorcia
2026-06-20 19:56 ` [PATCH v8 1/9] dt-bindings: mfd: mt6397: Add " Luca Leonardo Scorcia
2026-06-20 20:14 ` sashiko-bot
2026-06-20 19:56 ` [PATCH v8 2/9] dt-bindings: input: mtk-pmic-keys: Add MT6392 PMIC keys Luca Leonardo Scorcia
2026-06-20 19:56 ` [PATCH v8 3/9] regulator: dt-bindings: Add MediaTek MT6392 PMIC Luca Leonardo Scorcia
2026-06-20 20:15 ` sashiko-bot
2026-06-20 19:56 ` [PATCH v8 4/9] mfd: mt6397: Use MFD_CELL_* to describe sub-devices Luca Leonardo Scorcia
2026-06-20 19:56 ` [PATCH v8 5/9] mfd: mt6397: Add support for MT6392 PMIC Luca Leonardo Scorcia
2026-06-20 20:20 ` sashiko-bot [this message]
2026-06-20 19:56 ` [PATCH v8 6/9] input: keyboard: mtk-pmic-keys: Add MT6392 support Luca Leonardo Scorcia
2026-06-20 20:16 ` sashiko-bot
2026-06-20 19:56 ` [PATCH v8 7/9] pinctrl: mediatek: mt6397: Add MediaTek MT6392 Luca Leonardo Scorcia
2026-06-20 20:16 ` sashiko-bot
2026-06-20 19:56 ` [PATCH v8 8/9] regulator: Add MediaTek MT6392 regulator Luca Leonardo Scorcia
2026-06-20 20:13 ` sashiko-bot
2026-06-20 19:56 ` [PATCH v8 9/9] arm64: dts: mediatek: Add MediaTek MT6392 PMIC dtsi Luca Leonardo Scorcia
2026-06-20 20:19 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260620202027.60DA61F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=l.scorcia@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.