Devicetree
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Songwei Chai" <songwei.chai@oss.qualcomm.com>
Cc: devicetree@vger.kernel.org, robh@kernel.org, conor+dt@kernel.org
Subject: Re: [PATCH v15 7/7] qcom-tgu: Add reset node to initialize
Date: Wed, 01 Jul 2026 07:06:08 +0000	[thread overview]
Message-ID: <20260701070609.5BD411F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260701055529.445819-8-songwei.chai@oss.qualcomm.com>

Thank you for your contribution! Sashiko AI review found 7 potential issue(s) to consider:

New issues:
- [High] A TOCTOU race condition in `reset_tgu_store` leads to a permanent PM reference leak.

Pre-existing issues:
- [High] A TOCTOU race condition in `enable_tgu_store(0)` causes a double `pm_runtime_put()`, leading to PM usage counter underflow.
- [High] A TOCTOU race condition in `enable_tgu_store(1)` allows multiple threads to enable the device concurrently, leaking PM references.
- [High] Missing `sysfs_remove_groups()` on the `tgu_probe()` error path leaves sysfs files accessible, leading to a NULL pointer dereference.
- [High] The `tgu_node_visible` function incorrectly modifies a shared global attribute name, corrupting the sysfs structure.
- [High] The PM runtime usage count is leaked if the device is unbound while enabled.
- [Medium] The function `tgu_dataset_show` reads shared array values without holding the required lock.
--

commit 609c4b01711040b0d5156593e5d5c7a06ebc7c31
Author: Songwei Chai <songwei.chai@oss.qualcomm.com>

qcom-tgu: Add reset node to initialize

Add reset node to initialize the value of
priority/condition_decode/condition_select/timer/counter nodes.

> diff --git a/drivers/hwtracing/qcom/tgu.c b/drivers/hwtracing/qcom/tgu.c
> index 6d5bf2621cb05..9fb51f2a912f9 100644
> --- a/drivers/hwtracing/qcom/tgu.c
> +++ b/drivers/hwtracing/qcom/tgu.c
[ ... ]
> @@ -420,8 +420,82 @@ static ssize_t enable_tgu_store(struct device *dev,
>  }
>  static DEVICE_ATTR_RW(enable_tgu);
>  
> +/* reset_tgu_store - Reset Trace and Gating Unit (TGU) configuration. */
> +static ssize_t reset_tgu_store(struct device *dev,
> +			       struct device_attribute *attr, const char *buf,
> +			       size_t size)
> +{
> +	struct tgu_drvdata *drvdata = dev_get_drvdata(dev);
> +	struct value_table *vt = drvdata->value_table;
> +	u32 *cond_decode = drvdata->value_table->condition_decode;
> +	unsigned long value;
> +	int i, j, ret;
> +
> +	if (kstrtoul(buf, 0, &value) || value != 1)
> +		return -EINVAL;
> +
> +	spin_lock(&drvdata->lock);
> +	if (!drvdata->enabled) {
> +		spin_unlock(&drvdata->lock);
> +		ret = pm_runtime_resume_and_get(drvdata->dev);

[Severity: High]
Does unlocking to get the PM reference introduce a TOCTOU race condition?

If a concurrent enable_tgu_store(1) enables the device and increments the
PM usage count before this thread reacquires the lock, reset_tgu_store()
will unconditionally disable the hardware and clear the enabled flag.

Since the device state is now disabled, would the PM reference acquired by
the concurrent enable_tgu_store(1) be permanently leaked?

> +		if (ret)
> +			return ret;
> +		spin_lock(&drvdata->lock);
> +	}
[ ... ]


This is a pre-existing issue, but does enable_tgu_store() have TOCTOU race
conditions?

drivers/hwtracing/qcom/tgu.c:enable_tgu_store() {
...
	if (val) {
		scoped_guard(spinlock, &drvdata->lock) {
			if (drvdata->enabled)
				return -EBUSY;
		}

		ret = pm_runtime_resume_and_get(dev);
...
	} else {
		scoped_guard(spinlock, &drvdata->lock) {
			if (!drvdata->enabled)
				return -EINVAL;
		}

		tgu_disable(dev);
		pm_runtime_put(dev);
	}
...
}

[Severity: High]
For enable_tgu_store(1), if two threads concurrently observe !drvdata->enabled
within the scoped guard, both will drop the lock and acquire PM references.
Both would then independently call tgu_enable(dev), setting the flag to true.
Would this increment the PM usage count multiple times, while disabling the
device only decrements it once?

[Severity: High]
For enable_tgu_store(0), if two threads concurrently verify
drvdata->enabled == true inside the scoped lock guard and then drop the lock,
the first thread calls tgu_disable(dev), sets the flag to false, and calls
pm_runtime_put(dev). The second thread calls tgu_disable(dev), which returns
early because the flag is now false, but then unconditionally calls
pm_runtime_put(dev). Would this double-put cause a PM usage counter underflow?


This is a pre-existing issue, but does tgu_probe() leave sysfs files
accessible if subsequent allocations fail?

drivers/hwtracing/qcom/tgu.c:tgu_probe() {
...
	ret = sysfs_create_groups(&dev->kobj, tgu_attr_groups);
	if (ret) {
...
	}

	drvdata->value_table =
		devm_kzalloc(dev, sizeof(*drvdata->value_table), GFP_KERNEL);
	if (!drvdata->value_table)
		return -ENOMEM;
...
}

[Severity: High]
If devm_kzalloc() fails, the probe returns an error, and the driver core sets
drvdata to NULL. Because sysfs_remove_groups() is not called on this error
path, the sysfs attributes remain. If a user subsequently accesses these
dangling attributes, would dev_get_drvdata(dev) return NULL, causing a panic
when dereferencing drvdata?


This is a pre-existing issue, but does tgu_node_visible() incorrectly modify
a shared global attribute name?

drivers/hwtracing/qcom/tgu.c:tgu_node_visible() {
...
	case TGU_CONDITION_SELECT:
		/* 'default' register is at the end of 'select' region */
		if (tgu_attr->reg_num == drvdata->num_condition_select - 1)
			attr->name = "default";
...
}

[Severity: High]
The attributes in tgu_attr_groups appear to be statically allocated. Since
this dynamically executes attr->name = "default", does it destructively
overwrite the shared global attribute structure, permanently altering the name
for all TGU devices?


This is a pre-existing issue, but is the PM runtime usage count leaked if the
device is unbound while enabled?

drivers/hwtracing/qcom/tgu.c:tgu_remove() {
...
static void tgu_remove(struct amba_device *adev)
{
	struct device *dev = &adev->dev;

	sysfs_remove_groups(&dev->kobj, tgu_attr_groups);

	tgu_disable(dev);
}
...
}

[Severity: High]
If the user enables the TGU via enable_tgu_store(1), a PM reference is
acquired. When the device is later unbound, tgu_remove() calls tgu_disable(),
which turns off the hardware and sets the enabled flag to false. However, it
fails to call pm_runtime_put() to balance the PM reference. Does this
permanently leak the PM reference?


This is a pre-existing issue, but does tgu_dataset_show() read shared array
values without holding the required lock?

drivers/hwtracing/qcom/tgu.c:tgu_dataset_show() {
...
	case TGU_PRIORITY0:
	case TGU_PRIORITY1:
	case TGU_PRIORITY2:
	case TGU_PRIORITY3:
		return sysfs_emit(buf, "0x%x\n",
				drvdata->value_table->priority[index]);
...
}

[Severity: Medium]
This function reads values from drvdata->value_table without acquiring
drvdata->lock. Since sysfs store operations can concurrently modify or
memset these arrays while holding the lock, does this expose a data race
where sysfs reads might observe partially written values?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260701055529.445819-1-songwei.chai@oss.qualcomm.com?part=7

      reply	other threads:[~2026-07-01  7:06 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-01  5:55 [PATCH v15 0/7] Provide support for Trigger Generation Unit Songwei Chai
2026-07-01  5:55 ` [PATCH v15 1/7] dt-bindings: arm: Add support for Qualcomm TGU trace Songwei Chai
2026-07-01  6:07   ` sashiko-bot
2026-07-01  5:55 ` [PATCH v15 2/7] qcom-tgu: Add TGU driver Songwei Chai
2026-07-01  6:17   ` sashiko-bot
2026-07-01  5:55 ` [PATCH v15 3/7] qcom-tgu: Add signal priority support Songwei Chai
2026-07-01  6:25   ` sashiko-bot
2026-07-01  5:55 ` [PATCH v15 4/7] qcom-tgu: Add TGU decode support Songwei Chai
2026-07-01  6:37   ` sashiko-bot
2026-07-01  5:55 ` [PATCH v15 5/7] qcom-tgu: Add support to configure next action Songwei Chai
2026-07-01  6:45   ` sashiko-bot
2026-07-01  5:55 ` [PATCH v15 6/7] qcom-tgu: Add timer/counter functionality for TGU Songwei Chai
2026-07-01  6:54   ` sashiko-bot
2026-07-01  5:55 ` [PATCH v15 7/7] qcom-tgu: Add reset node to initialize Songwei Chai
2026-07-01  7:06   ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260701070609.5BD411F00A3A@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=songwei.chai@oss.qualcomm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox