From: sashiko-bot@kernel.org
To: "Mikhail Kshevetskiy" <mikhail.kshevetskiy@iopsys.eu>
Cc: conor+dt@kernel.org, robh@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v6 08/17] pinctrl: airoha: split driver on shared code and SoC specific drivers
Date: Sun, 28 Jun 2026 14:57:03 +0000 [thread overview]
Message-ID: <20260628145703.B2CA81F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260628143733.273651-9-mikhail.kshevetskiy@iopsys.eu>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [High] Dynamic allocation of `irq_chip` violates `IRQCHIP_IMMUTABLE` W^X protection and lacks `GPIOCHIP_IRQ_RESOURCE_HELPERS`.
Pre-existing issues:
- [High] Race condition and Use-After-Free during teardown due to early `devm_request_irq()` registration.
- [High] Missing `gpiochip_disable_irq()` and `gpiochip_enable_irq()` calls in `irq_chip` callbacks breaks pin locking.
--
commit 39c02a07ea03e1c882e3d925b659bdbc86446b63
Author: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu>
pinctrl: airoha: split driver on shared code and SoC specific drivers
Split combined an7581/an7583 source file into shared pinctrl code and SoC
specific pinctrl drivers. The initialization code was adapted to work properly
for shared and SoC specific cases.
> diff --git a/drivers/pinctrl/airoha/airoha-common.h b/drivers/pinctrl/airoha/airoha-common.h
> index bff162062b066..9a202d5bb4b13 100644
> --- a/drivers/pinctrl/airoha/airoha-common.h
> +++ b/drivers/pinctrl/airoha/airoha-common.h
> @@ -150,9 +150,12 @@ struct airoha_pinctrl {
> struct regmap *regmap;
>
> struct airoha_pinctrl_gpiochip gpiochip;
> + struct irq_chip gpio_irq_chip;
> };
[Severity: High]
Does dynamically allocating the irq_chip struct here defeat the purpose of
IRQCHIP_IMMUTABLE?
By dynamically allocating the irq_chip structure within airoha_pinctrl, it
resides in writable heap memory rather than read-only .rodata, which bypasses
the W^X protection.
> diff --git a/drivers/pinctrl/airoha/pinctrl-airoha.c b/drivers/pinctrl/airoha/pinctrl-airoha.c
> index e67c19df9f457..543475d23fde3 100644
> --- a/drivers/pinctrl/airoha/pinctrl-airoha.c
> +++ b/drivers/pinctrl/airoha/pinctrl-airoha.c
[ ... ]
> @@ -2552,9 +256,16 @@ static int airoha_pinctrl_add_gpiochip(struct airoha_pinctrl *pinctrl,
> gc->base = -1;
> gc->ngpio = AIROHA_NUM_PINS;
>
> + irq_chip->name = "airoha-gpio-irq";
> + irq_chip->irq_unmask = airoha_irq_unmask;
[Severity: High]
This is a pre-existing issue, but does airoha_irq_unmask() fail to invoke
gpiochip_enable_irq()?
When using IRQCHIP_IMMUTABLE, airoha_irq_unmask() must manually call
gpiochip_enable_irq() and airoha_irq_mask() must call gpiochip_disable_irq().
Without these calls, gpiolib never sets the GPIOD_FLAG_IRQ_IS_ENABLED bit.
Because this bit is missing, gpiod_direction_output() will not realize the pin
is actively used as an interrupt, allowing it to be successfully reconfigured
into an output pin, which can cause a hardware short-circuit.
> + irq_chip->irq_mask = airoha_irq_mask;
> + irq_chip->irq_mask_ack = airoha_irq_mask;
> + irq_chip->irq_set_type = airoha_irq_type;
> + irq_chip->flags = IRQCHIP_SET_TYPE_MASKED | IRQCHIP_IMMUTABLE;
[Severity: High]
Should GPIOCHIP_IRQ_RESOURCE_HELPERS be included here?
Without hooking .irq_request_resources, gpiolib cannot set
GPIOD_FLAG_USED_AS_IRQ. This breaks pin direction locking and can allow
userspace or another driver to reconfigure an active IRQ pin as an output,
potentially causing a hardware short-circuit.
> +
> girq->default_type = IRQ_TYPE_NONE;
> girq->handler = handle_simple_irq;
> - gpio_irq_chip_set_chip(girq, &airoha_gpio_irq_chip);
> + gpio_irq_chip_set_chip(girq, irq_chip);
>
> irq = platform_get_irq(pdev, 0);
> if (irq < 0)
[Severity: High]
This is a pre-existing issue, but can the sequence of allocations here cause
a use-after-free during teardown?
Since devm_request_irq() is called with IRQF_SHARED before adding the
gpiochip and its irqdomain later in airoha_pinctrl_add_gpiochip(), the devm
cleanup will destroy the gpiochip and irqdomain before unhooking the
interrupt.
If a shared interrupt fires from another device on the same IRQ line during
removal or probe failure, airoha_irq_handler() will dereference girq->domain
after it has been freed.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260628143733.273651-1-mikhail.kshevetskiy@iopsys.eu?part=8
next prev parent reply other threads:[~2026-06-28 14:57 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-28 14:37 [PATCH v6 00/17] pinctrl: airoha: split on shared and SoC drivers, add more SoCs Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 01/17] dt-bindings: pinctrl: airoha: update/fix device tree binding schemas Mikhail Kshevetskiy
2026-06-28 19:15 ` Conor Dooley
2026-06-28 14:37 ` [PATCH v6 02/17] pinctrl: airoha: an7581: fix misprint in bitfield name Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 03/17] pinctrl: airoha: an7583: fix I2C0_SDA_PD register bit order Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 04/17] pinctrl: airoha: an7583: there is no mux to enable the second i2c bus Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 05/17] pinctrl: airoha: an7581: fix mux/conf of pcie_reset pins Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 06/17] pinctrl: airoha: an7583: fix muxing of non-gpio default pins Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 07/17] pinctrl: airoha: move common definitions to the separate header Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 08/17] pinctrl: airoha: split driver on shared code and SoC specific drivers Mikhail Kshevetskiy
2026-06-28 14:57 ` sashiko-bot [this message]
2026-06-28 14:37 ` [PATCH v6 09/17] pinctrl: airoha: an7581: remove en7581 prefix from variable names Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 10/17] pinctrl: airoha: an7583: remove an7583 prefix from variable names and definitions Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 11/17] pinctrl: airoha: an7583: rename registers to match its an7583 names Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 12/17] pinctrl: airoha: an7583: add support for npu_uart pinmux Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 13/17] pinctrl: airoha: an7583: add support for pon_alt pinmux Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 14/17] pinctrl: airoha: an7583: add support for olt pinmux Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 15/17] pinctrl: airoha: add support of en7523 SoC Mikhail Kshevetskiy
2026-06-28 14:57 ` sashiko-bot
2026-06-28 20:51 ` Rob Herring (Arm)
2026-06-28 14:37 ` [PATCH v6 16/17] pinctrl: airoha: try to find chip scu node by phandle first Mikhail Kshevetskiy
2026-06-28 14:54 ` sashiko-bot
2026-06-28 14:37 ` [PATCH v6 17/17] pinctrl: airoha: add support of an7563 SoC Mikhail Kshevetskiy
2026-06-28 14:55 ` sashiko-bot
2026-06-28 20:51 ` Rob Herring (Arm)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260628145703.B2CA81F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=mikhail.kshevetskiy@iopsys.eu \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.