From: sashiko-bot@kernel.org
To: "Pengpeng Hou" <pengpeng@iscas.ac.cn>
Cc: linux-sunxi@lists.linux.dev
Subject: Re: [PATCH] bus: sunxi-rsb: fail hardware init on soft-reset timeout
Date: Thu, 25 Jun 2026 00:45:27 +0000 [thread overview]
Message-ID: <20260625004527.DBC261F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260625003416.15841-1-pengpeng@iscas.ac.cn>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [High] Asserting the hardware reset line on soft-reset timeout during system resume leaves the IP in reset, which causes a fatal bus hang when child devices subsequently attempt to access the controller.
Pre-existing issues:
- [High] If a malformed Device Tree explicitly sets `clock-frequency = <0>;`, it causes a kernel panic due to division by zero.
- [High] The IRQ handler is requested before the hardware is initialized and its module clock is enabled, risking a fatal bus error.
--
commit 1ad9a12cbc21560f6a2fb1e0bd342a6de275080c
Author: Pengpeng Hou <pengpeng@iscas.ac.cn>
bus: sunxi-rsb: fail hardware init on soft-reset timeout
This commit adds a check for the controller soft reset in sunxi_rsb_hw_init.
If the reset times out, the code now asserts the hardware reset line,
disables the clock, and returns a timeout error instead of continuing.
> diff --git a/drivers/bus/sunxi-rsb.c b/drivers/bus/sunxi-rsb.c
> index daf0ea563e477..f83224dea804d 100644
> --- a/drivers/bus/sunxi-rsb.c
> +++ b/drivers/bus/sunxi-rsb.c
> @@ -669,8 +669,12 @@ static int sunxi_rsb_hw_init(struct sunxi_rsb *rsb)
>
> /* reset the controller */
> writel(RSB_CTRL_SOFT_RST, rsb->regs + RSB_CTRL);
> - readl_poll_timeout(rsb->regs + RSB_CTRL, reg,
> - !(reg & RSB_CTRL_SOFT_RST), 1000, 100000);
> + ret = readl_poll_timeout(rsb->regs + RSB_CTRL, reg,
> + !(reg & RSB_CTRL_SOFT_RST), 1000, 100000);
> + if (ret) {
> + dev_err(dev, "soft reset timed out\n");
> + goto err_reset_assert;
> + }
>
> /*
> * Clock frequency and delay calculation code is from
[ ... ]
> @@ -696,6 +700,8 @@ static int sunxi_rsb_hw_init(struct sunxi_rsb *rsb)
>
> return 0;
>
> +err_reset_assert:
> + reset_control_assert(rsb->rstc);
[Severity: High]
If sunxi_rsb_hw_init() fails due to this soft-reset timeout during system
resume, it asserts the hardware reset line and returns an error:
drivers/bus/sunxi-rsb.c:sunxi_rsb_resume() {
struct sunxi_rsb *rsb = dev_get_drvdata(dev);
return sunxi_rsb_hw_init(rsb);
}
The PM core logs the resume error but continues system resume. When child
devices, such as PMICs, are subsequently resumed, they attempt to access the
RSB bus to restore registers. The driver's runtime resume callback only
enables the clock, which means the driver will attempt MMIO access while the
controller is still held in hardware reset.
Will writing to an IP block held in hardware reset cause a synchronous
external abort and fatal bus hang on Allwinner SoCs?
> err_clk_disable:
> clk_disable_unprepare(rsb->clk);
>
[Severity: High]
This isn't a bug introduced by this patch, but if a malformed Device Tree
explicitly sets clock-frequency = <0>, sunxi_rsb_probe() successfully reads
the 0 and bypasses the upper boundary check:
drivers/bus/sunxi-rsb.c:sunxi_rsb_probe() {
...
if (of_property_read_u32(np, "clock-frequency", &clk_freq)) {
...
} else if (clk_freq > RSB_MAX_FREQ) {
...
}
...
}
Later, sunxi_rsb_hw_init() uses this unchecked value as a divisor:
drivers/bus/sunxi-rsb.c:sunxi_rsb_hw_init() {
...
clk_div = p_clk_freq / rsb->clk_freq / 2;
...
}
Can this cause a fatal division by zero exception when rsb->clk_freq is 0?
[Severity: High]
This is a pre-existing issue, but devm_request_irq() is called before
sunxi_rsb_hw_init() initializes the hardware and enables its module clock:
drivers/bus/sunxi-rsb.c:sunxi_rsb_probe() {
...
ret = devm_request_irq(dev, irq, sunxi_rsb_irq, 0, RSB_CTRL_NAME, rsb);
if (ret)
return dev_err_probe(...);
ret = sunxi_rsb_hw_init(rsb);
...
}
If an interrupt fires immediately from a pending state from a previous boot
stage, sunxi_rsb_irq() will execute and access the RSB_INTS register using
readl() before the clock is enabled:
drivers/bus/sunxi-rsb.c:sunxi_rsb_irq() {
...
status = readl(rsb->regs + RSB_INTS);
...
}
Could accessing unclocked or reset MMIO space on Allwinner SoCs cause a fatal
synchronous external abort here?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260625003416.15841-1-pengpeng@iscas.ac.cn?part=1
prev parent reply other threads:[~2026-06-25 0:45 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-25 0:34 [PATCH] bus: sunxi-rsb: fail hardware init on soft-reset timeout Pengpeng Hou
2026-06-25 0:45 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260625004527.DBC261F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-sunxi@lists.linux.dev \
--cc=pengpeng@iscas.ac.cn \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.