Devicetree
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Pavitrakumar Managutte" <pavitrakumarm@vayavyalabs.com>
Cc: devicetree@vger.kernel.org, conor+dt@kernel.org, robh@kernel.org
Subject: Re: [PATCH v15 3/4] crypto: spacc - Add SPAcc AUTODETECT Support
Date: Wed, 01 Jul 2026 12:48:45 +0000	[thread overview]
Message-ID: <20260701124846.2A5291F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260701122941.2149121-4-pavitrakumarm@vayavyalabs.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

New issues:
- [Critical] Abandoned autodetect jobs leave the SPAcc hardware engine performing active DMA operations into freed or reused memory buffers.
- [High] spacc_autodetect() ignores fatal error codes (-EINTR, -ETIMEDOUT) and unconditionally returns 0, falsely reporting success on failures.

Pre-existing issues:
- [High] Error paths in `spacc_open` increment `spacc->ctx_sem` incorrectly (sometimes twice), permanently artificially inflating the hardware context count.
--

commit 150bf09c88aa2a0a8786c39974aa1382292a056f
Author: Pavitrakumar Managutte <pavitrakumarm@vayavyalabs.com>

crypto: spacc - Add SPAcc AUTODETECT Support

SPAcc is configurable and it supports the below modes:
1. AUTODETECT configuration - Autodetects the supported algos.
2. Static configuration - The algo support is defined statically.

> diff --git a/drivers/crypto/dwc-spacc/spacc_core.c b/drivers/crypto/dwc-spacc/spacc_core.c
> index 68a309ee10d47..3e50488afeccd 100644
> --- a/drivers/crypto/dwc-spacc/spacc_core.c
> +++ b/drivers/crypto/dwc-spacc/spacc_core.c
[ ... ]
> @@ -557,6 +1460,311 @@ int spacc_close(struct spacc_device *dev, int handle)
[ ... ]
> +static int spacc_check_modes(struct spacc_device *spacc, int algo_mode,
> +			      int keysz_idx, void *virt, char *key,
> +			      struct pdu_ddt *ddt)
> +{
[ ... ]
> +	rc = spacc_open(spacc, enc, hash, -1, 0, NULL, NULL);

[Severity: High]
This is a pre-existing issue, but calling spacc_open() here can trigger a
double semaphore increment on its error path. If spacc_open() encounters an
unsupported mode, it jumps to err_release_job which calls
spacc_job_release(). Since spacc_job_release() internally calls
spacc_ctx_release() and issues an up() on the semaphore, falling through
to err_release_sem will execute a second up() on ctx_sem:

spacc_open() {
    ...
err_release_job:
    spacc_job_release(spacc, job_idx);
err_release_sem:
    if (!ctx_reused)
        up(&spacc->ctx_sem);
}

Could this double increment permanently inflate the context count and
eventually lead to concurrent allocations of the same hardware slot?

> +	if (rc < 0) {
> +		spacc->config.modes[algo_mode] &= ~(1 << keysz_idx);
> +		return 0;
> +	}
[ ... ]
> +	if (err == 0) {
> +		long ret;
> +
> +		ret = wait_event_interruptible_timeout(job->waitq,
> +				job->job_done,
> +				msecs_to_jiffies(SPACC_AUTODETECT_TIMEOUT_MS));
> +		if (ret == 0) {
> +			/* no response; caller disables the whole mode */
> +			spacc_close(spacc, rc);
> +			return -ETIMEDOUT;
> +		} else if (ret == -ERESTARTSYS) {
> +			/* load interrupted; caller aborts and fails probe */
> +			spacc_close(spacc, rc);
> +			return -EINTR;
> +		}

[Severity: Critical]
If wait_event_interruptible_timeout() times out or is interrupted, the
job is abandoned and we return here, but spacc_close() only clears the
software state. Is there a risk that the hardware engine continues
performing DMA into the buffers, leading to memory corruption when the
caller immediately frees the ddt and virt buffers?

> +
> +		job->job_done = 0;
> +		err = job->job_err;
> +	}
[ ... ]
> +int spacc_autodetect(struct spacc_device *spacc)
> +{
[ ... ]
> +			if (ret == -ETIMEDOUT) {
> +				/*
> +				 * No response for this algorithm. Disable the
> +				 * whole mode (never ship a half-validated algo)
> +				 * and move on. Several timeouts in a row mean
> +				 * the engine is dead: fail loudly rather than
> +				 * silently registering a crippled device.
> +				 */
> +				spacc->config.modes[x] = 0;
> +
> +				if (++timeouts
> +					>= SPACC_AUTODETECT_MAX_TIMEOUTS) {
> +					dev_err(spacc->dptr,
> +						"SPAcc unresponsive: timeout");
> +					err = -ETIMEDOUT;
> +					goto out_free_dma;
> +				}
> +
> +				break;	/* skip this mode's other keysizes */
> +			}
> +
> +			/* engine answered — reset the dead-engine streak */
> +			timeouts = 0;
> +		}
> +	}
> +
> +out_free_dma:
> +	pdu_ddt_free(&ddt);
> +	dma_free_coherent(get_ddt_device(),
> +			SPACC_TEST_DMA_BUFF_SIZE, virt, dma);
> +	spacc->autodetect = false;
> +
> +	return 0;
> +}

[Severity: High]
When returning from an error path via the out_free_dma label, does this
unconditionally return 0 and drop the recorded error code? It looks like
failures from spacc_check_modes() might be silently swallowed here,
causing the driver probe to report success even when hardware
initialization fails.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260701122941.2149121-1-pavitrakumarm@vayavyalabs.com?part=3

  reply	other threads:[~2026-07-01 12:48 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-01 12:29 [PATCH v15 0/4] crypto: spacc - Add SPAcc Crypto Driver Pavitrakumar Managutte
2026-07-01 12:29 ` [PATCH v15 1/4] dt-bindings: crypto: Document support for SPAcc Pavitrakumar Managutte
2026-07-01 12:29 ` [PATCH v15 2/4] crypto: spacc - Add SPAcc ahash support Pavitrakumar Managutte
2026-07-01 12:55   ` sashiko-bot
2026-07-01 12:29 ` [PATCH v15 3/4] crypto: spacc - Add SPAcc AUTODETECT Support Pavitrakumar Managutte
2026-07-01 12:48   ` sashiko-bot [this message]
2026-07-01 12:29 ` [PATCH v15 4/4] crypto: spacc - Add SPAcc Kconfig and Makefile Pavitrakumar Managutte
2026-07-01 13:00   ` sashiko-bot
2026-07-02 19:18   ` Julian Braha

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260701124846.2A5291F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=pavitrakumarm@vayavyalabs.com \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox