From: sashiko-bot@kernel.org
To: "Pavitrakumar Managutte" <pavitrakumarm@vayavyalabs.com>
Cc: devicetree@vger.kernel.org, conor+dt@kernel.org, robh@kernel.org
Subject: Re: [PATCH v15 3/4] crypto: spacc - Add SPAcc AUTODETECT Support
Date: Wed, 01 Jul 2026 12:48:45 +0000 [thread overview]
Message-ID: <20260701124846.2A5291F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260701122941.2149121-4-pavitrakumarm@vayavyalabs.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [Critical] Abandoned autodetect jobs leave the SPAcc hardware engine performing active DMA operations into freed or reused memory buffers.
- [High] spacc_autodetect() ignores fatal error codes (-EINTR, -ETIMEDOUT) and unconditionally returns 0, falsely reporting success on failures.
Pre-existing issues:
- [High] Error paths in `spacc_open` increment `spacc->ctx_sem` incorrectly (sometimes twice), permanently artificially inflating the hardware context count.
--
commit 150bf09c88aa2a0a8786c39974aa1382292a056f
Author: Pavitrakumar Managutte <pavitrakumarm@vayavyalabs.com>
crypto: spacc - Add SPAcc AUTODETECT Support
SPAcc is configurable and it supports the below modes:
1. AUTODETECT configuration - Autodetects the supported algos.
2. Static configuration - The algo support is defined statically.
> diff --git a/drivers/crypto/dwc-spacc/spacc_core.c b/drivers/crypto/dwc-spacc/spacc_core.c
> index 68a309ee10d47..3e50488afeccd 100644
> --- a/drivers/crypto/dwc-spacc/spacc_core.c
> +++ b/drivers/crypto/dwc-spacc/spacc_core.c
[ ... ]
> @@ -557,6 +1460,311 @@ int spacc_close(struct spacc_device *dev, int handle)
[ ... ]
> +static int spacc_check_modes(struct spacc_device *spacc, int algo_mode,
> + int keysz_idx, void *virt, char *key,
> + struct pdu_ddt *ddt)
> +{
[ ... ]
> + rc = spacc_open(spacc, enc, hash, -1, 0, NULL, NULL);
[Severity: High]
This is a pre-existing issue, but calling spacc_open() here can trigger a
double semaphore increment on its error path. If spacc_open() encounters an
unsupported mode, it jumps to err_release_job which calls
spacc_job_release(). Since spacc_job_release() internally calls
spacc_ctx_release() and issues an up() on the semaphore, falling through
to err_release_sem will execute a second up() on ctx_sem:
spacc_open() {
...
err_release_job:
spacc_job_release(spacc, job_idx);
err_release_sem:
if (!ctx_reused)
up(&spacc->ctx_sem);
}
Could this double increment permanently inflate the context count and
eventually lead to concurrent allocations of the same hardware slot?
> + if (rc < 0) {
> + spacc->config.modes[algo_mode] &= ~(1 << keysz_idx);
> + return 0;
> + }
[ ... ]
> + if (err == 0) {
> + long ret;
> +
> + ret = wait_event_interruptible_timeout(job->waitq,
> + job->job_done,
> + msecs_to_jiffies(SPACC_AUTODETECT_TIMEOUT_MS));
> + if (ret == 0) {
> + /* no response; caller disables the whole mode */
> + spacc_close(spacc, rc);
> + return -ETIMEDOUT;
> + } else if (ret == -ERESTARTSYS) {
> + /* load interrupted; caller aborts and fails probe */
> + spacc_close(spacc, rc);
> + return -EINTR;
> + }
[Severity: Critical]
If wait_event_interruptible_timeout() times out or is interrupted, the
job is abandoned and we return here, but spacc_close() only clears the
software state. Is there a risk that the hardware engine continues
performing DMA into the buffers, leading to memory corruption when the
caller immediately frees the ddt and virt buffers?
> +
> + job->job_done = 0;
> + err = job->job_err;
> + }
[ ... ]
> +int spacc_autodetect(struct spacc_device *spacc)
> +{
[ ... ]
> + if (ret == -ETIMEDOUT) {
> + /*
> + * No response for this algorithm. Disable the
> + * whole mode (never ship a half-validated algo)
> + * and move on. Several timeouts in a row mean
> + * the engine is dead: fail loudly rather than
> + * silently registering a crippled device.
> + */
> + spacc->config.modes[x] = 0;
> +
> + if (++timeouts
> + >= SPACC_AUTODETECT_MAX_TIMEOUTS) {
> + dev_err(spacc->dptr,
> + "SPAcc unresponsive: timeout");
> + err = -ETIMEDOUT;
> + goto out_free_dma;
> + }
> +
> + break; /* skip this mode's other keysizes */
> + }
> +
> + /* engine answered — reset the dead-engine streak */
> + timeouts = 0;
> + }
> + }
> +
> +out_free_dma:
> + pdu_ddt_free(&ddt);
> + dma_free_coherent(get_ddt_device(),
> + SPACC_TEST_DMA_BUFF_SIZE, virt, dma);
> + spacc->autodetect = false;
> +
> + return 0;
> +}
[Severity: High]
When returning from an error path via the out_free_dma label, does this
unconditionally return 0 and drop the recorded error code? It looks like
failures from spacc_check_modes() might be silently swallowed here,
causing the driver probe to report success even when hardware
initialization fails.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260701122941.2149121-1-pavitrakumarm@vayavyalabs.com?part=3
next prev parent reply other threads:[~2026-07-01 12:48 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-01 12:29 [PATCH v15 0/4] crypto: spacc - Add SPAcc Crypto Driver Pavitrakumar Managutte
2026-07-01 12:29 ` [PATCH v15 1/4] dt-bindings: crypto: Document support for SPAcc Pavitrakumar Managutte
2026-07-01 12:29 ` [PATCH v15 2/4] crypto: spacc - Add SPAcc ahash support Pavitrakumar Managutte
2026-07-01 12:55 ` sashiko-bot
2026-07-01 12:29 ` [PATCH v15 3/4] crypto: spacc - Add SPAcc AUTODETECT Support Pavitrakumar Managutte
2026-07-01 12:48 ` sashiko-bot [this message]
2026-07-01 12:29 ` [PATCH v15 4/4] crypto: spacc - Add SPAcc Kconfig and Makefile Pavitrakumar Managutte
2026-07-01 13:00 ` sashiko-bot
2026-07-02 19:18 ` Julian Braha
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260701124846.2A5291F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=pavitrakumarm@vayavyalabs.com \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox