From: sashiko-bot@kernel.org
To: "Grégoire Layet" <gregoire.layet@9elements.com>
Cc: robh@kernel.org, conor+dt@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v3 6/7] ARM: dts: aspeed: g6: Change vuart compatible string for ast2600
Date: Tue, 23 Jun 2026 14:42:28 +0000 [thread overview]
Message-ID: <20260623144228.6A2481F000E9@smtp.kernel.org> (raw)
In-Reply-To: <30aedaa9ffd5ba2d763d8802a07b77ef2d5bfcf0.1782224060.git.gregoire.layet@9elements.com>
Thank you for your contribution! Sashiko AI review found 6 potential issue(s) to consider:
New issues:
- [High] Newly introduced error path completely bypasses all probe cleanup.
- [High] Modifying a static global array when MSI allocation fails causes state corruption.
- [High] Assuming index 16 and 17 are unconditionally valid for partially allocated MSI vectors.
- [Medium] Device Tree Binding Schema Validation Failure
- [Medium] Using the 'clocks' property as a syscon phandle violates DT semantics.
Pre-existing issues:
- [High] Probe error paths fail to unregister the 8250 serial port, leading to Use-After-Free.
--
commit cd4f0040d97e2d9918c8ecf27108ed2de48871b7
Author: Grégoire Layet <gregoire.layet@9elements.com>
ARM: dts: aspeed: g6: Change vuart compatible string for ast2600
Use the ast2600 compatible string.
This makes it more precise and enables specific ast2600 properties.
Still use the ast2500 compatible string as a fallback.
> diff --git a/Documentation/devicetree/bindings/serial/8250.yaml b/Documentation/devicetree/bindings/serial/8250.yaml
> index bb7b9c87a8072..b03797f4674d4 100644
> --- a/Documentation/devicetree/bindings/serial/8250.yaml
> +++ b/Documentation/devicetree/bindings/serial/8250.yaml
> @@ -23,7 +23,17 @@ allOf:
> then:
> properties:
> compatible:
> - const: aspeed,ast2500-vuart
> + anyOf:
> + - const: aspeed,ast2500-vuart
> + - const: aspeed,ast2600-vuart
[ ... ]
> diff --git a/arch/arm/boot/dts/aspeed/aspeed-g6.dtsi b/arch/arm/boot/dts/aspeed/aspeed-g6.dtsi
> index 189bc3bbb47c9..5ff52697e8bb4 100644
> --- a/arch/arm/boot/dts/aspeed/aspeed-g6.dtsi
> +++ b/arch/arm/boot/dts/aspeed/aspeed-g6.dtsi
> @@ -698,7 +698,7 @@ emmc: sdhci@1e750100 {
> };
>
> vuart1: serial@1e787000 {
> - compatible = "aspeed,ast2500-vuart";
> + compatible = "aspeed,ast2600-vuart", "aspeed,ast2500-vuart";
[Severity: Medium]
Will this pass device tree schema validation (dtbs_check)? The binding in
8250.yaml defines the compatible property as anyOf with single const strings,
meaning it expects exactly one of those strings. The device tree uses an array
of two strings. Should the schema be updated with an items array definition to
accept this combination?
[ ... ]
> diff --git a/drivers/soc/aspeed/aspeed-host-bmc-dev.c b/drivers/soc/aspeed/aspeed-host-bmc-dev.c
> new file mode 100644
> index 0000000000000..3160b6aedb5b6
> --- /dev/null
> +++ b/drivers/soc/aspeed/aspeed-host-bmc-dev.c
[ ... ]
> +static int vuart_msi_index[2] = { 16, 17 };
[ ... ]
> +static void aspeed_pci_setup_irq_resource(struct pci_dev *pdev)
> +{
> + struct aspeed_pci_bmc_dev *pci_bmc_dev = pci_get_drvdata(pdev);
> +
> + pci_bmc_dev->msi_idx_table = vuart_msi_index;
> +
> + if (pci_alloc_irq_vectors(pdev, 1, BMC_MULTI_MSI, PCI_IRQ_INTX | PCI_IRQ_MSI) <= 1)
> + /* If pci_alloc fail, set all msi index to the first vector */
> + memset(pci_bmc_dev->msi_idx_table, 0, sizeof(vuart_msi_index));
[Severity: High]
Does this code inadvertently corrupt global state for all driver instances?
Since pci_bmc_dev->msi_idx_table points to vuart_msi_index (a static global
array), calling memset on it will permanently zero out the MSI indices
system-wide if any device fails to allocate multiple MSI vectors.
Also, does the threshold check protect against partial allocations falling
short of index 17?
If pci_alloc_irq_vectors() successfully allocates an intermediate number of
vectors (e.g., 4 or 8), the '<= 1' check evaluates to false. The driver
retains indices 16 and 17 and attempts to fetch them via pci_irq_vector()
below, which triggers an out-of-bounds warning and returns -EINVAL.
[ ... ]
> +static int aspeed_pci_bmc_device_setup_vuart(struct pci_dev *pdev, int idx)
> +{
> + struct aspeed_pci_bmc_dev *pci_bmc_dev = pci_get_drvdata(pdev);
[ ... ]
> + uart->port.irq = pci_irq_vector(pdev, pci_bmc_dev->msi_idx_table[idx]);
[Severity: High]
If a partial allocation leaves us with fewer vectors than the index stored in
msi_idx_table[idx], pci_irq_vector() returns a negative error code like
-EINVAL. Could this error code be incorrectly passed as the IRQ number here,
causing interrupt registration to fail later?
[ ... ]
> diff --git a/drivers/tty/serial/8250/8250_aspeed_vuart.c b/drivers/tty/serial/8250/8250_aspeed_vuart.c
> index 26fc0464f1cc2..e204e26fa173b 100644
> --- a/drivers/tty/serial/8250/8250_aspeed_vuart.c
> +++ b/drivers/tty/serial/8250/8250_aspeed_vuart.c
[ ... ]
> +static int aspeed_ast2600_vuart_over_pci_set_enabled(struct platform_device *pdev)
> +{
> + struct device *dev = &pdev->dev;
[ ... ]
> + scu = syscon_regmap_lookup_by_phandle(dev->of_node, "clocks");
[Severity: Medium]
Is it semantically correct to use the "clocks" property as a syscon phandle?
The "clocks" property specifies clock providers and specifiers, not raw syscon
phandles. Piggybacking on this to extract a syscon regmap leverages an
implementation detail of syscon_regmap_lookup_by_phandle() and violates
device tree semantics.
[ ... ]
> @@ -540,6 +617,15 @@ static int aspeed_vuart_probe(struct platform_device *pdev)
> aspeed_vuart_set_host_tx_discard(vuart, true);
> platform_set_drvdata(pdev, vuart);
>
> + if (of_device_is_compatible(dev->of_node, "aspeed,ast2600-vuart") &&
> + of_property_read_bool(dev->of_node, "aspeed,vuart-over-pci")) {
> + rc = aspeed_ast2600_vuart_over_pci_set_enabled(pdev);
> + if (rc) {
> + dev_err(dev, "could not enable VUART over PCI\n");
> + return rc;
[Severity: High]
Does returning directly here skip probe cleanup? Bypassing the err_sysfs_remove
label leaves sysfs groups, timers, and the 8250 serial port registered while
devres frees the underlying vuart structure. Does this leak the sysfs groups
and timers, and potentially cause a use-after-free if the 8250 core accesses
the unregistered port?
> + }
> + }
> +
> return 0;
>
> err_sysfs_remove:
> sysfs_remove_group(&vuart->dev->kobj, &aspeed_vuart_attr_group);
> return rc;
[Severity: High]
This isn't a bug introduced by this patch, but does the err_sysfs_remove path
fail to unregister the 8250 port? If probe fails after port registration,
serial8250_unregister_port() is missed. The 8250 core will later dereference
the freed vuart pointer via port.private_data, causing a use-after-free.
--
Sashiko AI review · https://sashiko.dev/#/patchset/cover.1782224059.git.gregoire.layet@9elements.com?part=6
next prev parent reply other threads:[~2026-06-23 14:42 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-02 14:42 [PATCH v1 0/2] soc: aspeed: Add BMC and host driver for PCIe BMC device Grégoire Layet
2026-06-02 14:42 ` [PATCH v1 1/2] soc: aspeed: add BMC-side PCIe BMC device driver Grégoire Layet
2026-06-02 14:42 ` [PATCH v1 2/2] soc: aspeed: add host-side " Grégoire Layet
2026-06-02 15:49 ` Andrew Lunn
2026-06-03 13:43 ` Grégoire Layet
2026-06-03 14:30 ` Andrew Lunn
2026-06-04 0:44 ` Andrew Jeffery
2026-06-04 0:46 ` Andrew Jeffery
2026-06-08 14:51 ` [PATCH v2 0/2] soc: aspeed: Add BMC and host driver for PCIe BMC device Grégoire Layet
2026-06-08 14:51 ` [PATCH v2 1/2] soc: aspeed: add BMC-side PCIe BMC device driver Grégoire Layet
2026-06-10 12:33 ` Andrew Jeffery
2026-06-11 8:40 ` Grégoire Layet
2026-06-12 9:21 ` Grégoire Layet
2026-06-16 0:16 ` Andrew Jeffery
2026-06-17 6:40 ` Grégoire Layet
2026-06-18 0:58 ` Andrew Jeffery
2026-06-08 14:51 ` [PATCH v2 2/2] soc: aspeed: add host-side " Grégoire Layet
2026-06-10 12:51 ` Andrew Jeffery
2026-06-11 8:41 ` Grégoire Layet
2026-06-08 18:05 ` [PATCH v2 0/2] soc: aspeed: Add BMC and host driver for PCIe BMC device Andrew Lunn
2026-06-09 13:34 ` Grégoire Layet
2026-06-23 14:25 ` [PATCH v3 0/7] " Grégoire Layet
2026-06-23 14:25 ` [PATCH v3 1/7] dt-bindings: serial: 8250: aspeed: add compatible string for ast2600 Grégoire Layet
2026-06-23 14:35 ` sashiko-bot
2026-06-23 14:25 ` [PATCH v3 2/7] dt-bindings: serial: 8250: aspeed: add aspeed,vuart-over-pci bool prop Grégoire Layet
2026-06-23 14:38 ` sashiko-bot
2026-06-23 14:25 ` [PATCH v3 3/7] serial: 8250_aspeed_vuart: add aspeed,ast2600-vuart compatible string Grégoire Layet
2026-06-23 14:41 ` sashiko-bot
2026-06-23 14:25 ` [PATCH v3 4/7] serial: 8250_aspeed_vuart: add VUART over PCI Grégoire Layet
2026-06-23 14:41 ` sashiko-bot
2026-06-23 14:25 ` [PATCH v3 5/7] soc: aspeed: add host-side PCIe BMC device driver Grégoire Layet
2026-06-23 14:40 ` sashiko-bot
2026-06-23 14:25 ` [PATCH v3 6/7] ARM: dts: aspeed: g6: Change vuart compatible string for ast2600 Grégoire Layet
2026-06-23 14:42 ` sashiko-bot [this message]
2026-06-23 14:25 ` [PATCH v3 7/7] ARM: dts: aspeed: g6: add aspeed,vuart-over-pci prop to vuart3 and 4 Grégoire Layet
2026-06-23 14:44 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260623144228.6A2481F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=gregoire.layet@9elements.com \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.