Re: [PATCH v4 2/6] pinctrl: qcom: Register functions before enabling pinctrl

Devicetree
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Alexandre MINETTE via B4 Relay"
	<devnull+contact.alex-min.fr@kernel.org>
Cc: conor+dt@kernel.org, devicetree@vger.kernel.org, robh@kernel.org
Subject: Re: [PATCH v4 2/6] pinctrl: qcom: Register functions before enabling pinctrl
Date: Tue, 09 Jun 2026 10:27:18 +0000	[thread overview]
Message-ID: <20260609102718.CCAC21F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260609-mainline-send-v1-sending-v4-2-83768fbf404d@alex-min.fr>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Global function pointer `pm_power_off` and `poweroff_pctrl` state are left pointing to freed memory if probe fails.
--

commit 4cee21ced39b9add5c750146fde36a08b79745d3
Author: Alexandre MINETTE <contact@alex-min.fr>

pinctrl: qcom: Register functions before enabling pinctrl

This patch changes the initialization sequence in the Qualcomm pinctrl
driver by registering the pinctrl device with devm_pinctrl_register_and_init,
adding the SoC pin functions, and only then enabling the device to prevent
invalid function map table lookups.

> diff --git a/drivers/pinctrl/qcom/pinctrl-msm.c b/drivers/pinctrl/qcom/pinctrl-msm.c
> --- a/drivers/pinctrl/qcom/pinctrl-msm.c
> +++ b/drivers/pinctrl/qcom/pinctrl-msm.c
[ ... ]
> @@ -1593,11 +1593,11 @@ int msm_pinctrl_probe(struct platform_device *pdev,
>  	pctrl->desc.pins = pctrl->soc->pins;
>  	pctrl->desc.npins = pctrl->soc->npins;
>  
> -	pctrl->pctrl = devm_pinctrl_register(&pdev->dev, &pctrl->desc, pctrl);
[ ... ]
> +	ret = devm_pinctrl_register_and_init(&pdev->dev, &pctrl->desc,
> +					     pctrl, &pctrl->pctrl);
> +	if (ret)
> +		return dev_err_probe(&pdev->dev, ret,
> +				     "Couldn't register pinctrl driver\n");

[Severity: High]
This is a pre-existing issue, but since the failure paths are being
restructured here, what happens to the pm_power_off global pointer if this
registration (or the subsequent pinctrl_enable call) fails?

Earlier in msm_pinctrl_probe(), a call to msm_pinctrl_setup_pm_reset()
assigns the dynamically allocated pctrl to the global poweroff_pctrl pointer
and sets the global pm_power_off to msm_ps_hold_poweroff.

If probe fails here or later:

msm_pinctrl_probe()
    msm_pinctrl_setup_pm_reset(pctrl); 
    ...
    ret = devm_pinctrl_register_and_init(...)
    if (ret)
        return dev_err_probe(...);

The pctrl structure is managed by devres and will be freed upon probe
failure, leaving the global poweroff_pctrl pointing to freed memory. If the
system subsequently initiates a shutdown, msm_ps_hold_poweroff() will
dereference the freed memory, leading to a use-after-free.

Would it make sense to update msm_pinctrl_setup_pm_reset() to use
devm_register_sys_off_handler() with SYS_OFF_MODE_POWER_OFF instead of
directly assigning the pm_power_off global pointer?

>  
>  	for (i = 0; i < soc_data->nfunctions; i++) {
>  		func = &soc_data->functions[i];

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260609-mainline-send-v1-sending-v4-0-83768fbf404d@alex-min.fr?part=2

next prev parent reply	other threads:[~2026-06-09 10:27 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-09  8:13 [PATCH v4 0/6] Add Samsung Galaxy S4 support Alexandre MINETTE via B4 Relay
2026-06-09  8:13 ` [PATCH v4 1/6] dt-bindings: arm: qcom: Add Samsung Galaxy S4 Alexandre MINETTE via B4 Relay
2026-06-09  8:13 ` [PATCH v4 2/6] pinctrl: qcom: Register functions before enabling pinctrl Alexandre MINETTE via B4 Relay
2026-06-09 10:27   ` sashiko-bot [this message]
2026-06-09  8:13 ` [PATCH v4 3/6] ARM: dts: qcom: apq8064: Fix USB controller clocks Alexandre MINETTE via B4 Relay
2026-06-09 10:39   ` sashiko-bot
2026-06-09  8:13 ` [PATCH v4 4/6] mfd: qcom-pm8xxx: register PM8921 USB ID extcon Alexandre MINETTE via B4 Relay
2026-06-09 10:52   ` sashiko-bot
2026-06-09  8:13 ` [PATCH v4 5/6] extcon: qcom-spmi-misc: match PM8xxx USB ID platform device Alexandre MINETTE via B4 Relay
2026-06-09 11:03   ` sashiko-bot
2026-06-09  8:13 ` [PATCH v4 6/6] ARM: dts: qcom: Add Samsung Galaxy S4 Alexandre MINETTE via B4 Relay

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260609102718.CCAC21F00893@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=devnull+contact.alex-min.fr@kernel.org \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox