Re: [PATCH v2 2/4] PCI: rzg3s-host: Use shared reset controls for power domain resets

Devicetree
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: Prabhakar <prabhakar.csengg@gmail.com>
Cc: linux-pci@vger.kernel.org, conor+dt@kernel.org, robh@kernel.org,
	devicetree@vger.kernel.org, wsa+renesas@sang-engineering.com
Subject: Re: [PATCH v2 2/4] PCI: rzg3s-host: Use shared reset controls for power domain resets
Date: Mon, 18 May 2026 16:42:46 +0000	[thread overview]
Message-ID: <20260518164247.330B4C2BCB7@smtp.kernel.org> (raw)
In-Reply-To: <20260518155324.168948-3-prabhakar.mahadev-lad.rj@bp.renesas.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Critical] Missing chained IRQ handler cleanup in error paths leads to Use-After-Free of the host structure.
- [High] The `rzg3s_pcie_resume_noirq` callback unconditionally executes `fsleep(5000)` while local interrupts are disabled, leading to a system hang or scheduling BUG.
--

commit 41ddeeaac37e089f4b9cce52ea971db3b995ab04
Author: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>

PCI: rzg3s-host: Use shared reset controls for power domain resets

Switch to shared reset controls for PCIe power resets to prepare for
RZ/V2H(P) support. On this platform, multiple PCIe controllers share
the same reset line, requiring shared ownership of the reset control.

> diff --git a/drivers/pci/controller/pcie-rzg3s-host.c b/drivers/pci/controller/pcie-rzg3s-host.c
> index d86e7516dcc29..a5192e4b58dfb 100644
> --- a/drivers/pci/controller/pcie-rzg3s-host.c
> +++ b/drivers/pci/controller/pcie-rzg3s-host.c

[ ... ]

While reviewing this code, I noticed a potential regression that was not
introduced by this patch.

In rzg3s_pcie_init_irqdomain(), the driver loops over PCI_NUM_INTX and
installs chained handlers for INTx interrupts:

drivers/pci/controller/pcie-rzg3s-host.c:rzg3s_pcie_init_irqdomain() {
    ...
	for (int i = 0; i < PCI_NUM_INTX; i++) {
        ...
		irq_set_chained_handler_and_data(irq, rzg3s_pcie_intx_irq_handler,
						 host);
    ...
}

However, if an error occurs later in the initialization sequence, the error
handling paths do not tear down these chained handlers by calling
irq_set_chained_handler_and_data(irq, NULL, NULL).

Since the host structure is allocated via devm_pci_alloc_host_bridge(), it is
automatically freed when the probe function fails.

If any of the mapped INTx interrupts trigger after probe failure, the kernel
will execute the stale rzg3s_pcie_intx_irq_handler which dereferences the
freed host pointer.

Can this lead to a use-after-free regression on the host structure?

I also noticed another issue in the resume path:

drivers/pci/controller/pcie-rzg3s-host.c:rzg3s_pcie_resume_noirq() {
    ...
	ret = rzg3s_pcie_power_resets_deassert(host);
    ...
}

drivers/pci/controller/pcie-rzg3s-host.c:rzg3s_pcie_power_resets_deassert() {
    ...
	fsleep(5000);
    ...
}

rzg3s_pcie_resume_noirq() is registered as a .resume_noirq PM callback via
NOIRQ_SYSTEM_SLEEP_PM_OPS.

The PM core executes noirq phase callbacks with local CPU interrupts explicitly
disabled.

Within rzg3s_pcie_resume_noirq(), the driver calls
rzg3s_pcie_power_resets_deassert(), which unconditionally executes
fsleep(5000).

For a 5000us delay, fsleep() delegates to usleep_range(), which uses
schedule_hrtimeout() and sleeps the task.

Because timer interrupts are disabled on the local CPU in the noirq phase,
the hrtimer may never fire to wake the task.

Could sleeping with interrupts disabled here trigger a scheduling bug or lead
to a silent system hang regression during resume?

If a delay is strictly required in the noirq phase, should a busy-wait
function like mdelay(5) be used instead?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260518155324.168948-1-prabhakar.mahadev-lad.rj@bp.renesas.com?part=2

next prev parent reply	other threads:[~2026-05-18 16:42 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-18 15:53 [PATCH v2 0/4] Add PCIe support for RZ/V2H(P) SoC Prabhakar
2026-05-18 15:53 ` [PATCH v2 1/4] dt-bindings: PCI: renesas,r9a08g045-pcie: Add RZ/V2H(P) support Prabhakar
2026-05-18 16:12   ` sashiko-bot
2026-05-19  6:57   ` Geert Uytterhoeven
2026-05-18 15:53 ` [PATCH v2 2/4] PCI: rzg3s-host: Use shared reset controls for power domain resets Prabhakar
2026-05-18 16:42   ` sashiko-bot [this message]
2026-05-18 15:53 ` [PATCH v2 3/4] PCI: rzg3s-host: Prepare System Controller handling for multiple controllers Prabhakar
2026-05-18 15:53 ` [PATCH v2 4/4] PCI: rzg3s-host: Add support for RZ/V2H(P) SoC Prabhakar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260518164247.330B4C2BCB7@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=linux-pci@vger.kernel.org \
    --cc=prabhakar.csengg@gmail.com \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=wsa+renesas@sang-engineering.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox