From: sashiko-bot@kernel.org
To: "Chris Morgan" <macroalpha82@gmail.com>
Cc: conor+dt@kernel.org, devicetree@vger.kernel.org, robh@kernel.org
Subject: Re: [PATCH V9 08/11] iio: imu: inv_icm42607: Add Accelerometer for icm42607
Date: Sat, 30 May 2026 04:22:19 +0000 [thread overview]
Message-ID: <20260530042219.B85841F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260530031739.109063-9-macroalpha82@gmail.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] Concurrency bug and data race in FIFO flush and parsing sequence due to split locking.
- [High] Self-deadlock in system PM sleep callbacks due to recursive mutex acquisition.
- [High] Unaligned memory access exception caused by casting a misaligned packed structure member.
--
commit 60c8a604221a1456a1b6206c583d1e17204ce235
Author: Chris Morgan <macromorgan@hotmail.com>
iio: imu: inv_icm42607: Add Accelerometer for icm42607
Add icm42607 accelerometer sensor for icm42607.
> diff --git a/drivers/iio/imu/inv_icm42607/inv_icm42607_accel.c b/drivers/iio/imu/inv_icm42607/inv_icm42607_accel.c
> new file mode 100644
> index 0000000000000..43edc2923d048
> --- /dev/null
> +++ b/drivers/iio/imu/inv_icm42607/inv_icm42607_accel.c
[ ... ]
> +int inv_icm42607_accel_parse_fifo(struct iio_dev *indio_dev)
> +{
[ ... ]
> + /* parse all fifo packets */
> + for (i = 0, no = 0; i < st->fifo.count; i += size, ++no) {
> + size = inv_icm42607_fifo_decode_packet(&st->fifo.data[i],
> + &accel, &gyro, &temp, ×tamp, &odr);
> + /* quit if error or FIFO is empty */
> + if (size <= 0)
> + return size;
> +
> + /* If the packet size could cause us to overflow, return. */
> + if (i + size > st->fifo.count)
> + return -EIO;
> +
> + /* skip packet if no accel data or data is invalid */
> + if (accel == NULL || !inv_icm42607_fifo_is_data_valid(accel))
[Severity: High]
Will this cause an unaligned memory access trap on architectures with
strict alignment requirements?
The accel pointer is populated by inv_icm42607_fifo_decode_packet() which
returns the address of pack1->data. Because pack1 is a packed structure
with a 1-byte header, the pack1->data pointer sits at an odd address.
When inv_icm42607_fifo_is_data_valid() casts this misaligned pointer to a
non-packed structure and accesses 16-bit members via be16_to_cpu(), it
could trigger a hardware fault.
> + continue;
[ ... ]
> diff --git a/drivers/iio/imu/inv_icm42607/inv_icm42607_buffer.c b/drivers/iio/imu/inv_icm42607/inv_icm42607_buffer.c
> index e065d60ac1197..5b69bf895b350 100644
> --- a/drivers/iio/imu/inv_icm42607/inv_icm42607_buffer.c
> +++ b/drivers/iio/imu/inv_icm42607/inv_icm42607_buffer.c
[ ... ]
> int inv_icm42607_buffer_hwfifo_flush(struct inv_icm42607_state *st,
> unsigned int count)
> {
> + struct inv_icm42607_sensor_state *accel_st = iio_priv(st->indio_accel);
> + struct inv_sensors_timestamp *ts;
> + s64 accel_ts;
> int ret;
>
> + accel_ts = iio_get_time_ns(st->indio_accel);
> +
> ret = inv_icm42607_buffer_fifo_read(st, count);
> + if (ret)
> + return ret;
>
> - return ret;
> + if (st->fifo.nb.total == 0)
> + return 0;
> +
> + if (st->fifo.nb.accel > 0) {
> + ts = &accel_st->ts;
> + inv_sensors_timestamp_interrupt(ts, st->fifo.nb.accel, accel_ts);
[Severity: High]
Is it safe to access st->fifo.nb and update the timestamp locklessly here?
The preceding call to inv_icm42607_buffer_fifo_read() acquires and then
releases st->lock via a scoped guard before returning. Because the lock
is dropped, a concurrent sysfs hwfifo_flush or IRQ handler could interleave
here and overwrite st->fifo.data and st->fifo.nb before they are parsed,
leading to a data race and corrupted timestamp calculations.
> + ret = inv_icm42607_accel_parse_fifo(st->indio_accel);
> + if (ret)
> + return ret;
> + }
> +
> + return 0;
> }
[ ... ]
> diff --git a/drivers/iio/imu/inv_icm42607/inv_icm42607_core.c b/drivers/iio/imu/inv_icm42607/inv_icm42607_core.c
> index cf9d0c6f3f4b8..6b623fb679f34 100644
> --- a/drivers/iio/imu/inv_icm42607/inv_icm42607_core.c
> +++ b/drivers/iio/imu/inv_icm42607/inv_icm42607_core.c
[ ... ]
> @@ -383,6 +444,8 @@ static int inv_icm42607_suspend(struct device *dev)
>
> guard(mutex)(&st->lock);
>
> + st->suspended.accel = st->conf.accel.mode;
> + st->suspended.temp = st->conf.temp_en;
> if (pm_runtime_suspended(dev))
> return 0;
[Severity: High]
Could this lead to a self-deadlock?
We acquire st->lock via the scoped guard at the top of
inv_icm42607_suspend(). Shortly after this snippet, the function calls
pm_runtime_force_suspend() which synchronously executes the driver's
runtime PM suspend callback.
If the runtime suspend callback also attempts to acquire st->lock, it will
deadlock since the mutex is not recursive. The same locking structure is
present in inv_icm42607_resume() with pm_runtime_force_resume().
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260530031739.109063-1-macroalpha82@gmail.com?part=8
next prev parent reply other threads:[~2026-05-30 4:22 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-30 3:17 [PATCH V9 00/11] Add Invensense ICM42607 Chris Morgan
2026-05-30 3:17 ` [PATCH V9 01/11] dt-bindings: iio: imu: icm42600: Add mount-matrix to icm42600 Chris Morgan
2026-05-30 3:17 ` [PATCH V9 02/11] dt-bindings: iio: imu: icm42600: Add icm42607 binding Chris Morgan
2026-05-30 7:26 ` Krzysztof Kozlowski
2026-05-30 3:17 ` [PATCH V9 03/11] iio: imu: inv_icm42607: Add inv_icm42607 Core Driver Chris Morgan
2026-05-30 3:43 ` sashiko-bot
2026-05-30 3:17 ` [PATCH V9 04/11] iio: imu: inv_icm42607: Add I2C and SPI For icm42607 Chris Morgan
2026-05-30 3:51 ` sashiko-bot
2026-05-30 3:17 ` [PATCH V9 05/11] iio: imu: inv_icm42607: Add PM support for icm42607 Chris Morgan
2026-05-30 3:57 ` sashiko-bot
2026-05-30 3:17 ` [PATCH V9 06/11] iio: imu: inv_icm42607: Add Buffer " Chris Morgan
2026-05-30 4:05 ` sashiko-bot
2026-05-30 3:17 ` [PATCH V9 07/11] iio: imu: inv_icm42607: Add Temp Support in icm42607 Chris Morgan
2026-05-30 4:13 ` sashiko-bot
2026-05-30 3:17 ` [PATCH V9 08/11] iio: imu: inv_icm42607: Add Accelerometer for icm42607 Chris Morgan
2026-05-30 4:22 ` sashiko-bot [this message]
2026-05-30 3:17 ` [PATCH V9 09/11] iio: imu: inv_icm42607: Add IRQ " Chris Morgan
2026-05-30 4:23 ` sashiko-bot
2026-05-30 3:17 ` [PATCH V9 10/11] iio: imu: inv_icm42607: Add Gyroscope to icm42607 Chris Morgan
2026-05-30 4:57 ` sashiko-bot
2026-05-30 3:17 ` [PATCH V9 11/11] arm64: dts: rockchip: Add icm42607p IMU for RG-DS Chris Morgan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260530042219.B85841F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=macroalpha82@gmail.com \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox