From: sashiko-bot@kernel.org
To: "Mikhail Kshevetskiy" <mikhail.kshevetskiy@iopsys.eu>
Cc: conor+dt@kernel.org, robh@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v6 08/17] pinctrl: airoha: split driver on shared code and SoC specific drivers
Date: Sun, 28 Jun 2026 14:57:03 +0000 [thread overview]
Message-ID: <20260628145703.B2CA81F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260628143733.273651-9-mikhail.kshevetskiy@iopsys.eu>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [High] Dynamic allocation of `irq_chip` violates `IRQCHIP_IMMUTABLE` W^X protection and lacks `GPIOCHIP_IRQ_RESOURCE_HELPERS`.
Pre-existing issues:
- [High] Race condition and Use-After-Free during teardown due to early `devm_request_irq()` registration.
- [High] Missing `gpiochip_disable_irq()` and `gpiochip_enable_irq()` calls in `irq_chip` callbacks breaks pin locking.
--
commit 39c02a07ea03e1c882e3d925b659bdbc86446b63
Author: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu>
pinctrl: airoha: split driver on shared code and SoC specific drivers
Split combined an7581/an7583 source file into shared pinctrl code and SoC
specific pinctrl drivers. The initialization code was adapted to work properly
for shared and SoC specific cases.
> diff --git a/drivers/pinctrl/airoha/airoha-common.h b/drivers/pinctrl/airoha/airoha-common.h
> index bff162062b066..9a202d5bb4b13 100644
> --- a/drivers/pinctrl/airoha/airoha-common.h
> +++ b/drivers/pinctrl/airoha/airoha-common.h
> @@ -150,9 +150,12 @@ struct airoha_pinctrl {
> struct regmap *regmap;
>
> struct airoha_pinctrl_gpiochip gpiochip;
> + struct irq_chip gpio_irq_chip;
> };
[Severity: High]
Does dynamically allocating the irq_chip struct here defeat the purpose of
IRQCHIP_IMMUTABLE?
By dynamically allocating the irq_chip structure within airoha_pinctrl, it
resides in writable heap memory rather than read-only .rodata, which bypasses
the W^X protection.
> diff --git a/drivers/pinctrl/airoha/pinctrl-airoha.c b/drivers/pinctrl/airoha/pinctrl-airoha.c
> index e67c19df9f457..543475d23fde3 100644
> --- a/drivers/pinctrl/airoha/pinctrl-airoha.c
> +++ b/drivers/pinctrl/airoha/pinctrl-airoha.c
[ ... ]
> @@ -2552,9 +256,16 @@ static int airoha_pinctrl_add_gpiochip(struct airoha_pinctrl *pinctrl,
> gc->base = -1;
> gc->ngpio = AIROHA_NUM_PINS;
>
> + irq_chip->name = "airoha-gpio-irq";
> + irq_chip->irq_unmask = airoha_irq_unmask;
[Severity: High]
This is a pre-existing issue, but does airoha_irq_unmask() fail to invoke
gpiochip_enable_irq()?
When using IRQCHIP_IMMUTABLE, airoha_irq_unmask() must manually call
gpiochip_enable_irq() and airoha_irq_mask() must call gpiochip_disable_irq().
Without these calls, gpiolib never sets the GPIOD_FLAG_IRQ_IS_ENABLED bit.
Because this bit is missing, gpiod_direction_output() will not realize the pin
is actively used as an interrupt, allowing it to be successfully reconfigured
into an output pin, which can cause a hardware short-circuit.
> + irq_chip->irq_mask = airoha_irq_mask;
> + irq_chip->irq_mask_ack = airoha_irq_mask;
> + irq_chip->irq_set_type = airoha_irq_type;
> + irq_chip->flags = IRQCHIP_SET_TYPE_MASKED | IRQCHIP_IMMUTABLE;
[Severity: High]
Should GPIOCHIP_IRQ_RESOURCE_HELPERS be included here?
Without hooking .irq_request_resources, gpiolib cannot set
GPIOD_FLAG_USED_AS_IRQ. This breaks pin direction locking and can allow
userspace or another driver to reconfigure an active IRQ pin as an output,
potentially causing a hardware short-circuit.
> +
> girq->default_type = IRQ_TYPE_NONE;
> girq->handler = handle_simple_irq;
> - gpio_irq_chip_set_chip(girq, &airoha_gpio_irq_chip);
> + gpio_irq_chip_set_chip(girq, irq_chip);
>
> irq = platform_get_irq(pdev, 0);
> if (irq < 0)
[Severity: High]
This is a pre-existing issue, but can the sequence of allocations here cause
a use-after-free during teardown?
Since devm_request_irq() is called with IRQF_SHARED before adding the
gpiochip and its irqdomain later in airoha_pinctrl_add_gpiochip(), the devm
cleanup will destroy the gpiochip and irqdomain before unhooking the
interrupt.
If a shared interrupt fires from another device on the same IRQ line during
removal or probe failure, airoha_irq_handler() will dereference girq->domain
after it has been freed.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260628143733.273651-1-mikhail.kshevetskiy@iopsys.eu?part=8
next prev parent reply other threads:[~2026-06-28 14:57 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-28 14:37 [PATCH v6 00/17] pinctrl: airoha: split on shared and SoC drivers, add more SoCs Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 01/17] dt-bindings: pinctrl: airoha: update/fix device tree binding schemas Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 02/17] pinctrl: airoha: an7581: fix misprint in bitfield name Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 03/17] pinctrl: airoha: an7583: fix I2C0_SDA_PD register bit order Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 04/17] pinctrl: airoha: an7583: there is no mux to enable the second i2c bus Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 05/17] pinctrl: airoha: an7581: fix mux/conf of pcie_reset pins Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 06/17] pinctrl: airoha: an7583: fix muxing of non-gpio default pins Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 07/17] pinctrl: airoha: move common definitions to the separate header Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 08/17] pinctrl: airoha: split driver on shared code and SoC specific drivers Mikhail Kshevetskiy
2026-06-28 14:57 ` sashiko-bot [this message]
2026-06-28 14:37 ` [PATCH v6 09/17] pinctrl: airoha: an7581: remove en7581 prefix from variable names Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 10/17] pinctrl: airoha: an7583: remove an7583 prefix from variable names and definitions Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 11/17] pinctrl: airoha: an7583: rename registers to match its an7583 names Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 12/17] pinctrl: airoha: an7583: add support for npu_uart pinmux Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 13/17] pinctrl: airoha: an7583: add support for pon_alt pinmux Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 14/17] pinctrl: airoha: an7583: add support for olt pinmux Mikhail Kshevetskiy
2026-06-28 14:37 ` [PATCH v6 15/17] pinctrl: airoha: add support of en7523 SoC Mikhail Kshevetskiy
2026-06-28 14:57 ` sashiko-bot
2026-06-28 14:37 ` [PATCH v6 16/17] pinctrl: airoha: try to find chip scu node by phandle first Mikhail Kshevetskiy
2026-06-28 14:54 ` sashiko-bot
2026-06-28 14:37 ` [PATCH v6 17/17] pinctrl: airoha: add support of an7563 SoC Mikhail Kshevetskiy
2026-06-28 14:55 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260628145703.B2CA81F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=mikhail.kshevetskiy@iopsys.eu \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox