From: "Arnd Bergmann" <arnd@arndb.de>
To: "Simon Horman" <horms@kernel.org>, "Arnd Bergmann" <arnd@kernel.org>
Cc: Netdev <netdev@vger.kernel.org>,
"Aaro Koskinen" <aaro.koskinen@iki.fi>,
"Andreas Kemnade" <andreas@kemnade.info>,
"Bartosz Golaszewski" <brgl@kernel.org>,
"Benoît Cousson" <bcousson@baylibre.com>,
"David S . Miller" <davem@davemloft.net>,
"Dmitry Torokhov" <dmitry.torokhov@gmail.com>,
"Eric Dumazet" <edumazet@google.com>,
"Felipe Balbi" <balbi@kernel.org>,
"Jakub Kicinski" <kuba@kernel.org>,
"Johannes Berg" <johannes@sipsolutions.net>,
"Kevin Hilman" <khilman@baylibre.com>,
krzk+dt@kernel.org, "Linus Walleij" <linusw@kernel.org>,
"Paolo Abeni" <pabeni@redhat.com>,
"Rob Herring" <robh+dt@kernel.org>,
"Roger Quadros" <rogerq@kernel.org>,
"Tony Lindgren" <tony@atomide.com>,
linux-wireless@vger.kernel.org, devicetree@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
"open list:GPIO SUBSYSTEM" <linux-gpio@vger.kernel.org>,
Linux-OMAP <linux-omap@vger.kernel.org>,
"Krzysztof Kozlowski" <krzk@kernel.org>
Subject: Re: [PATCH 2/3] [v5 net-next] p54spi: convert to devicetree
Date: Mon, 11 May 2026 21:45:18 +0200 [thread overview]
Message-ID: <edc4d6d6-7a43-442e-adb5-148e37402924@app.fastmail.com> (raw)
In-Reply-To: <20260511161243.49098-3-horms@kernel.org>
On Mon, May 11, 2026, at 18:12, Simon Horman wrote:
>
> Simon says: As a pre-existing issue I don't think we need to be concerned
> about this in the scope of this patch-set. But it may
> be a potential for follow-up.
>
> This problem wasn't introduced by this patch, but I noticed a pre-existing
> issue in the context here. Does the p54spi_spi_read() function perform an SPI
> transfer using a stack-allocated buffer?
>
> Looking at p54spi_spi_read(), the addr variable is allocated on the stack and
> passed as a transfer buffer to spi_sync(). The SPI framework maps transfer
> buffers for DMA. Passing a stack-allocated buffer is illegal, particularly with
> CONFIG_VMAP_STACK enabled, because stack memory resides in vmalloc space and
> cannot be safely DMA-mapped.
>
> Could this cause memory corruption or a kernel panic during the transfer?
I already commented on this earlier: This is indeed a theoretical
bug, but it works in practice because DMA-capable SPI controllers
tend to all use MMIO for short transfers instead of DMA.
SPI is very fragile this way, and I do have some patches to improve
that overall, but it seems out of scope for this one driver.
>> -
>> - gpio_direction_output(p54spi_gpio_power, 0);
>> - gpio_direction_input(p54spi_gpio_irq);
>> -
>> - ret = request_irq(gpio_to_irq(p54spi_gpio_irq),
>> - p54spi_interrupt, IRQF_NO_AUTOEN, "p54spi",
>> - priv->spi);
>> + ret = request_irq(spi->irq, p54spi_interrupt, IRQF_NO_AUTOEN, "p54spi", priv->spi);
>
> Simon says: This one seems more concerning in the context of this patch-set.
>
> Is there missing validation for spi->irq before calling request_irq()?
>
> If the device tree node lacks an interrupts property, the SPI core may set
> spi->irq to 0 or a negative error code.
>
> Passing this directly to request_irq() without validation can successfully
> hijack a core system interrupt like the system timer on some architectures,
> leading to system instability or deadlocks.
>
> Should there be a check like if (spi->irq <= 0) to fail the probe gracefully?
I also commented on this: request_irq() already fails gracefully
with -EINVAL when presented with an invalid IRQ. IRQ 0 is guaranteed
to be invalid on any target that uses devicetree.
Arnd
next prev parent reply other threads:[~2026-05-11 19:45 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-07 21:24 [PATCH 0/3] [v5 net-next] wireless: p54 devicetree conversion Arnd Bergmann
2026-05-07 21:24 ` [PATCH 1/3] [v5 net-next] dt-bindings: net: add st,stlc4560/p54spi binding Arnd Bergmann
2026-05-08 15:05 ` Conor Dooley
2026-05-07 21:24 ` [PATCH 2/3] [v5 net-next] p54spi: convert to devicetree Arnd Bergmann
2026-05-11 11:30 ` Bartosz Golaszewski
2026-05-11 16:12 ` Simon Horman
2026-05-11 19:45 ` Arnd Bergmann [this message]
2026-05-12 9:40 ` Simon Horman
2026-05-07 21:24 ` [PATCH 3/3] [v5 omap] ARM: dts: omap2: add stlc4560 spi-wireless node Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=edc4d6d6-7a43-442e-adb5-148e37402924@app.fastmail.com \
--to=arnd@arndb.de \
--cc=aaro.koskinen@iki.fi \
--cc=andreas@kemnade.info \
--cc=arnd@kernel.org \
--cc=balbi@kernel.org \
--cc=bcousson@baylibre.com \
--cc=brgl@kernel.org \
--cc=davem@davemloft.net \
--cc=devicetree@vger.kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=johannes@sipsolutions.net \
--cc=khilman@baylibre.com \
--cc=krzk+dt@kernel.org \
--cc=krzk@kernel.org \
--cc=kuba@kernel.org \
--cc=linusw@kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-gpio@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-omap@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=robh+dt@kernel.org \
--cc=rogerq@kernel.org \
--cc=tony@atomide.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox