From: sashiko-bot@kernel.org
To: "Viacheslav Bocharov" <v@baodeep.com>
Cc: neil.armstrong@linaro.org, linux-amlogic@lists.infradead.org
Subject: Re: [PATCH v3 2/2] pinctrl: meson: restore non-sleeping GPIO access
Date: Tue, 30 Jun 2026 10:46:39 +0000 [thread overview]
Message-ID: <20260630104639.F3A671F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260630101545.800625-3-v@baodeep.com>
Thank you for your contribution! Sashiko AI review found 5 potential issue(s) to consider:
New issues:
- [High] Setting `can_sleep = false` without enabling raw spinlocks in the regmap configuration will cause panics on PREEMPT_RT kernels when called from atomic context.
Pre-existing issues:
- [High] The driver leaks the registered `gpio_chip` and causes a use-after-free on device unbind due to the lack of devres management for the GPIO chip.
- [High] Concurrent probes will race to modify the global static `meson_regmap_config` structure, potentially leading to corrupted regmap initialization.
- [High] Setting a GPIO to output temporarily exposes the old driven value before setting the new value, causing an output glitch.
- [Medium] The return value of `regmap_read()` is ignored in `meson_gpio_get()`, potentially evaluating uninitialized stack memory.
--
commit b08edbdcf628b329dd9c5cf2f8f1fd105ba240d1
Author: Viacheslav Bocharov <v@baodeep.com>
pinctrl: meson: restore non-sleeping GPIO access
Commit 28f240683871 ("pinctrl: meson: mark the GPIO controller as
sleeping") set gpio_chip.can_sleep = true to work around
gpio-shared-proxy holding a spinlock across a sleeping pinctrl config
path. That locking bug is now fixed in the shared-proxy itself ("gpio:
shared-proxy: always serialize with a sleeping mutex"), so the
controller-wide workaround is no longer needed; the meson GPIO
controller does not sleep.
[ ... ]
Link: https://lore.kernel.org/all/20260105150509.56537-1-bartosz.golaszewski@oss.qualcomm.com/
> diff --git a/drivers/pinctrl/meson/pinctrl-meson.c b/drivers/pinctrl/meson/pinctrl-meson.c
> index 4507dc8b5563c..18295b15ecd9d 100644
> --- a/drivers/pinctrl/meson/pinctrl-meson.c
> +++ b/drivers/pinctrl/meson/pinctrl-meson.c
> @@ -619,7 +619,7 @@ static int meson_gpiolib_register(struct meson_pinctrl *pc)
> pc->chip.set = meson_gpio_set;
> pc->chip.base = -1;
> pc->chip.ngpio = pc->data->num_pins;
> - pc->chip.can_sleep = true;
> + pc->chip.can_sleep = false;
[Severity: High]
Does setting can_sleep to false without configuring the regmap to use raw
spinlocks cause panics on PREEMPT_RT kernels?
When atomic consumers like w1-gpio acquire a raw lock and disable IRQs, they
then call gpiod_set_value(). Since meson_regmap_config does not set
use_raw_spinlock = true, the MMIO regmap uses a standard spinlock_t which
sleeps on PREEMPT_RT. Taking a sleeping lock with interrupts disabled will
crash the system.
>
> ret = gpiochip_add_data(&pc->chip, pc);
[Severity: High]
This is a pre-existing issue, but does this leak the registered gpio_chip and
cause a use-after-free on device unbind?
Because the platform driver lacks a .remove callback and uses
gpiochip_add_data() instead of devm_gpiochip_add_data(), the GPIO chip
remains registered after struct meson_pinctrl is freed by devres.
> if (ret) {
> dev_err(pc->dev, "can't add gpio chip %s\n",
drivers/pinctrl/meson/pinctrl-meson.c:meson_map_resource() {
...
meson_regmap_config.max_register = resource_size(&res) - 4;
meson_regmap_config.name = devm_kasprintf(pc->dev, GFP_KERNEL,
"%pOFn-%s", node,
name);
...
}
[Severity: High]
This is a pre-existing issue, but will concurrent probes race to modify the
global static meson_regmap_config structure?
Multiple Meson pinctrl instances probing concurrently can modify these fields
without synchronization, potentially leading to out-of-bounds register
accesses or use-after-free of strings.
drivers/pinctrl/meson/pinctrl-meson.c:meson_pinconf_set_output_drive() {
...
ret = meson_pinconf_set_output(pc, pin, true);
if (ret)
return ret;
return meson_pinconf_set_drive(pc, pin, high);
}
[Severity: High]
This is a pre-existing issue, but could setting the GPIO direction to output
before setting the desired output value cause a physical glitch on the GPIO
line?
During the window between the two regmap updates, the pin is driven with
whatever stale value was previously in the output register.
drivers/pinctrl/meson/pinctrl-meson.c:meson_gpio_get() {
...
meson_calc_reg_and_bit(bank, gpio, MESON_REG_IN, ®, &bit);
regmap_read(pc->reg_gpio, reg, &val);
return !!(val & BIT(bit));
}
[Severity: Medium]
This is a pre-existing issue, but is it possible for regmap_read() to fail
here?
If the register access fails, the return value is ignored. The uninitialized
stack variable val is then evaluated, resulting in non-deterministic GPIO
state being reported to consumers.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260630101545.800625-1-v@baodeep.com?part=2
_______________________________________________
linux-amlogic mailing list
linux-amlogic@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-amlogic
next prev parent reply other threads:[~2026-06-30 10:46 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-30 10:15 [PATCH v3 0/2] gpio: fix sleeping-in-atomic in shared-proxy; restore meson non-sleeping Viacheslav Bocharov
2026-06-30 10:15 ` [PATCH v3 1/2] gpio: shared-proxy: always serialize with a sleeping mutex Viacheslav Bocharov
2026-06-30 10:15 ` [PATCH v3 2/2] pinctrl: meson: restore non-sleeping GPIO access Viacheslav Bocharov
2026-06-30 10:46 ` sashiko-bot [this message]
2026-06-30 14:03 ` (subset) [PATCH v3 0/2] gpio: fix sleeping-in-atomic in shared-proxy; restore meson non-sleeping Bartosz Golaszewski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260630104639.F3A671F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-amlogic@lists.infradead.org \
--cc=neil.armstrong@linaro.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=v@baodeep.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox