From: sashiko-bot@kernel.org
To: "Alexandre MINETTE via B4 Relay"
<devnull+contact.alex-min.fr@kernel.org>
Cc: conor+dt@kernel.org, robh@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v4 4/6] mfd: qcom-pm8xxx: register PM8921 USB ID extcon
Date: Tue, 09 Jun 2026 10:52:12 +0000 [thread overview]
Message-ID: <20260609105213.CCE521F0089B@smtp.kernel.org> (raw)
In-Reply-To: <20260609-mainline-send-v1-sending-v4-4-83768fbf404d@alex-min.fr>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [High] The dynamically registered child platform device 'usb_extcon' is unregistered twice during driver removal, resulting in a use-after-free and double free.
Pre-existing issues:
- [High] The IRQ domain is freed explicitly while the devm-managed parent IRQ handler is still active, leading to a potential use-after-free if the interrupt fires before devres cleanup finishes.
--
commit c974699adaea81fa53001bda7b03087f8ea67b97
Author: Alexandre MINETTE <contact@alex-min.fr>
Date: Tue Jun 9 08:13:47 2026 +0000
mfd: qcom-pm8xxx: register PM8921 USB ID extcon
This commit registers a child platform device for the USB ID interrupt on
PM8921 to act as an extcon provider. It shares the PMIC's devicetree node
and cleans up the child device upon driver removal or probe failure.
> diff --git a/drivers/mfd/qcom-pm8xxx.c b/drivers/mfd/qcom-pm8xxx.c
> index 0cf374c015ce7..884fc99a1488f 100644
> --- a/drivers/mfd/qcom-pm8xxx.c
> +++ b/drivers/mfd/qcom-pm8xxx.c
[ ... ]
> @@ -570,9 +630,22 @@ static int pm8xxx_probe(struct platform_device *pdev)
>
> irq_set_irq_wake(irq, 1);
>
> + if (data->usb_id_irq) {
> + rc = pm8xxx_add_usb_extcon(pdev, chip, data->usb_id_irq);
> + if (rc)
> + goto err_domain;
> + }
> +
> rc = of_platform_populate(pdev->dev.of_node, NULL, NULL, &pdev->dev);
> if (rc)
> - irq_domain_remove(chip->irqdomain);
> + goto err_extcon;
> +
> + return 0;
> +
> +err_extcon:
> + pm8xxx_remove_usb_extcon(chip);
> +err_domain:
> + irq_domain_remove(chip->irqdomain);
>
> return rc;
> }
> @@ -582,6 +655,7 @@ static void pm8xxx_remove(struct platform_device *pdev)
> struct pm_irq_chip *chip = platform_get_drvdata(pdev);
>
> of_platform_depopulate(&pdev->dev);
> + pm8xxx_remove_usb_extcon(chip);
[Severity: High]
Does this cause a double-free of the usb_extcon platform device?
When of_platform_depopulate() runs, it iterates over all children and invokes
of_platform_device_destroy(). Because usb_extcon is registered with
pdevinfo.of_node_reused = true and shares the parent's of_node (which has the
OF_POPULATED flag set), of_platform_device_destroy() will assume it created
the device and unregister usb_extcon.
Calling pm8xxx_remove_usb_extcon() immediately afterward will call
platform_device_unregister() on the already freed usb_extcon pointer,
resulting in a use-after-free.
> irq_domain_remove(chip->irqdomain);
[Severity: High]
This is a pre-existing issue, but does this explicitly free the IRQ domain
while the parent interrupt handler is still active?
In pm8xxx_probe(), the parent interrupt is requested via devm_request_irq().
This means the devres cleanup mechanism won't free the IRQ until
devres_release_all() runs, which happens after pm8xxx_remove() completes.
If a hardware interrupt triggers during the window between this
irq_domain_remove() call and devres cleanup, will pm8xxx_irq_handler() call
generic_handle_domain_irq() and dereference the freed chip->irqdomain?
> }
>
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260609-mainline-send-v1-sending-v4-0-83768fbf404d@alex-min.fr?part=4
next prev parent reply other threads:[~2026-06-09 10:52 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-09 8:13 [PATCH v4 0/6] Add Samsung Galaxy S4 support Alexandre MINETTE via B4 Relay
2026-06-09 8:13 ` [PATCH v4 1/6] dt-bindings: arm: qcom: Add Samsung Galaxy S4 Alexandre MINETTE via B4 Relay
2026-06-09 8:13 ` [PATCH v4 2/6] pinctrl: qcom: Register functions before enabling pinctrl Alexandre MINETTE via B4 Relay
2026-06-09 10:27 ` sashiko-bot
2026-06-09 8:13 ` [PATCH v4 3/6] ARM: dts: qcom: apq8064: Fix USB controller clocks Alexandre MINETTE via B4 Relay
2026-06-09 10:39 ` sashiko-bot
2026-06-09 8:13 ` [PATCH v4 4/6] mfd: qcom-pm8xxx: register PM8921 USB ID extcon Alexandre MINETTE via B4 Relay
2026-06-09 10:52 ` sashiko-bot [this message]
2026-06-09 8:13 ` [PATCH v4 5/6] extcon: qcom-spmi-misc: match PM8xxx USB ID platform device Alexandre MINETTE via B4 Relay
2026-06-09 11:03 ` sashiko-bot
2026-06-09 8:13 ` [PATCH v4 6/6] ARM: dts: qcom: Add Samsung Galaxy S4 Alexandre MINETTE via B4 Relay
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260609105213.CCE521F0089B@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=devnull+contact.alex-min.fr@kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox