Re: [PATCH v19 1/7] coresight: core: refactor ctcu_get_active_port and make it generic

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Jie Gan" <jie.gan@oss.qualcomm.com>
Cc: devicetree@vger.kernel.org, conor+dt@kernel.org, robh@kernel.org
Subject: Re: [PATCH v19 1/7] coresight: core: refactor ctcu_get_active_port and make it generic
Date: Thu, 25 Jun 2026 11:07:02 +0000	[thread overview]
Message-ID: <20260625110702.E6BD91F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260625-enable-byte-cntr-for-ctcu-v19-1-8fbbf22e8381@oss.qualcomm.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

New issues:
- [High] Lockless iteration over `pdata->in_conns` array introduces a TOCTOU race condition and potential Use-After-Free.

Pre-existing issues:
- [High] Missing bounds check for Device Tree-provided `port_num` leads to out-of-bounds array access in CTCU trace ID configuration.
- [High] Unsafe direct dereference of sparse array elements in `tpda_get_element_size`.
--

commit f655e6df0885045f179728cb52f455717556ac67
Author: Jie Gan <jie.gan@oss.qualcomm.com>

coresight: core: refactor ctcu_get_active_port and make it generic

This patch removes ctcu_get_active_port from the CTCU module and adds it to
the core framework as coresight_get_in_port. It allows retrieving the active
input port number generically for a given device.

> diff --git a/drivers/hwtracing/coresight/coresight-core.c b/drivers/hwtracing/coresight/coresight-core.c
> index 6d65c43d574fd..7a7a85acdca0d 100644
> --- a/drivers/hwtracing/coresight/coresight-core.c
> +++ b/drivers/hwtracing/coresight/coresight-core.c
> @@ -773,6 +773,33 @@ struct coresight_device *coresight_get_sink(struct coresight_path *path)
[ ... ]
> +int coresight_get_in_port(struct coresight_device *csdev,
> +			  struct coresight_device *remote)
> +{
> +	struct coresight_platform_data *pdata = remote->pdata;
> +	int i;
> +
> +	for (i = 0; i < pdata->nr_inconns; ++i) {
> +		if (!pdata->in_conns[i])
> +			continue;
> +
> +		if (pdata->in_conns[i]->src_dev == csdev)

[Severity: High]
Can this sequence cause a race condition leading to a NULL pointer
dereference?

The array element is read twice. First, to check if it's NULL, and then
again to access src_dev. If a concurrent device unbind operation like
coresight_remove_conns() sets the element to NULL between these reads, the
second access might trigger a panic.

Should we use READ_ONCE() to load the pointer into a local variable first?

> +			return pdata->in_conns[i]->dest_port;
> +	}
> +
> +	return -EINVAL;
> +}
> +EXPORT_SYMBOL_GPL(coresight_get_in_port);
> +
>  u32 coresight_get_sink_id(struct coresight_device *csdev)
>  {
>  	if (!csdev->ea)
> diff --git a/drivers/hwtracing/coresight/coresight-ctcu-core.c b/drivers/hwtracing/coresight/coresight-ctcu-core.c
> index 9043cad42f01e..e8720026c9e3f 100644
> --- a/drivers/hwtracing/coresight/coresight-ctcu-core.c
> +++ b/drivers/hwtracing/coresight/coresight-ctcu-core.c
[ ... ]
> @@ -145,7 +128,7 @@ static int ctcu_set_etr_traceid(struct coresight_device *csdev, struct coresight
>  		return -EINVAL;
>  	}
>  
> -	port_num = ctcu_get_active_port(sink, csdev);
> +	port_num = coresight_get_in_port(sink, csdev);
>  	if (port_num < 0)
>  		return -EINVAL;

[Severity: High]
This isn't a bug introduced by this patch, but does the returned
port_num need to be bounds-checked before being used?

The port_num originates from device tree properties, and if it exceeds
ETR_MAX_NUM (2), it leads to out-of-bounds array accesses in
__ctcu_set_etr_traceid() when indexing into drvdata->atid_offset and
drvdata->traceid_refcnt:

__ctcu_set_etr_traceid()
    ...
    atid_offset = drvdata->atid_offset[port_num];
    ...
    refcnt = drvdata->traceid_refcnt[port_num][traceid];

Would it be safer to validate port_num against the array bounds after
retrieving it?

>  
[ ... ]

[Severity: High]
This is a pre-existing issue not introduced by this patch, but while
looking at the sparse in_conns array usage, I noticed a similar issue in
tpda_get_element_size().

Does this code dereference the sparse array element before checking if it
is valid?

drivers/hwtracing/coresight/coresight-tpda.c:tpda_get_element_size() {
    ...
    for (i = 0; i < csdev->pdata->nr_inconns; i++) {
        in = csdev->pdata->in_conns[i]->src_dev;
        if (!in)
            continue;
    ...
}

If a component is unbound and the connection is removed by
coresight_remove_conns(), csdev->pdata->in_conns[i] could be NULL,
causing a panic before the check is reached.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260625-enable-byte-cntr-for-ctcu-v19-0-8fbbf22e8381@oss.qualcomm.com?part=1

next prev parent reply	other threads:[~2026-06-25 11:07 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-25 10:45 [PATCH v19 0/7] coresight: ctcu: Enable byte-cntr function for TMC ETR Jie Gan
2026-06-25 10:45 ` [PATCH v19 1/7] coresight: core: refactor ctcu_get_active_port and make it generic Jie Gan
2026-06-25 11:07   ` sashiko-bot [this message]
2026-06-25 10:45 ` [PATCH v19 2/7] coresight: tmc: add create/clean functions for etr_buf_list Jie Gan
2026-06-25 11:06   ` sashiko-bot
2026-06-25 10:45 ` [PATCH v19 3/7] coresight: tmc: introduce tmc_sysfs_ops to wrap sysfs read operations Jie Gan
2026-06-25 11:00   ` sashiko-bot
2026-06-25 10:45 ` [PATCH v19 4/7] coresight: etr: add a new function to retrieve the CTCU device Jie Gan
2026-06-25 10:45 ` [PATCH v19 5/7] dt-bindings: arm: add an interrupt property for Coresight CTCU Jie Gan
2026-06-25 10:45 ` [PATCH v19 6/7] coresight: ctcu: enable byte-cntr for TMC ETR devices Jie Gan
2026-06-25 11:09   ` sashiko-bot
2026-06-25 13:51     ` Jie Gan
2026-06-25 10:45 ` [PATCH v19 7/7] arm64: dts: qcom: lemans: add interrupts to CTCU device Jie Gan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260625110702.E6BD91F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=jie.gan@oss.qualcomm.com \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.