From: sashiko-bot@kernel.org
To: "Radhey Shyam Pandey" <radhey.shyam.pandey@amd.com>
Cc: robh@kernel.org, conor+dt@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v2 3/3] usb: typec: tipd: add TPS66993 support
Date: Thu, 02 Jul 2026 19:21:21 +0000
Message-ID: <20260702192121.E64F31F000E9@smtp.kernel.org>
In-Reply-To: <20260702190527.1820671-4-radhey.shyam.pandey@amd.com>

Thank you for your contribution! Sashiko AI review found 6 potential issue(s) to consider:
New issues:
- [Medium] For TPS66993, the driver fails to update the synthesized power status when a PD contract is established after the initial plug event.
- [Medium] Redundant I2C reads and potential dropping of plug events for legacy TPS6598x devices in the shared interrupt handler.
- [Low] Use of undeclared identifiers 'TPS_POWER_STATUS_CONNECTION_MASK' and 'TPS_POWER_STATUS_SOURCESINK_MASK' causes compilation failure.
Pre-existing issues:
- [High] The `tps->wq_poll` delayed work is queued but never canceled if the probe fails, leading to a Use-After-Free.
- [High] The `cd321x->update_work` delayed work is leaked and runs after free if probe fails after a successful connect.
- [High] The probe function exposes the Type-C port to userspace before it fully initializes the connection state, leading to a race condition with sysfs.
--
commit f75143dbec357f0c1c49269aeab93ef676edfcef
Author: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
Subject: usb: typec: tipd: add TPS66993 support
This patch adds support for the TPS66993 controller. It derives power status
from the STATUS register instead of the deprecated Power_Status register and
adds support for the APP1 mode string. The controller is configured in
polling mode.
> diff --git a/drivers/usb/typec/tipd/core.c b/drivers/usb/typec/tipd/core.c
> index a6cb233a055da..d2394d23a2dc4 100644
> --- a/drivers/usb/typec/tipd/core.c
> +++ b/drivers/usb/typec/tipd/core.c
[ ... ]
> @@ -631,6 +633,35 @@ static bool tps6598x_read_power_status(struct tps6598x *tps)
> return true;
> }
>
> +/*
> + * TPS66993 deprecated Power_Status register (0x3F). BC1.2 is not supported
> + * and the remaining bits are redundant with STATUS register (0x1A).
> + * Synthesize pwr_status from the already-read STATUS register.
> + */
> +static bool tps66993_read_power_status(struct tps6598x *tps)
> +{
> + u16 pwr_status = 0;
> +
> + /* Same masks as TPS_POWER_STATUS_CONNECTION() / SOURCESINK() / PWROPMODE() in tps6598x.h */
> + if (tps->status & TPS_STATUS_PLUG_PRESENT)
> + pwr_status |= FIELD_PREP(TPS_POWER_STATUS_CONNECTION_MASK, 1);
> +
> + /* SOURCESINK: 1=sink; STATUS.PortRole 1=source, opposite convention */
> + if (!TPS_STATUS_TO_TYPEC_PORTROLE(tps->status))
> + pwr_status |= FIELD_PREP(TPS_POWER_STATUS_SOURCESINK_MASK, 1);
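Review bot: tps66993_read_power_status() builds its result from the cached tps->status instead of reading the device, but the block comment above it only says the STATUS register is "already-read" and does not say which caller must have stored it. State that precondition in the function comment (tps->status has to be refreshed by the caller immediately before the call), so that a later user of the read_power_status callback does not synthesize pwr_status from a stale value. The in-function comment also lists PWROPMODE() among the masks, while the lines shown here use only the CONNECTION and SOURCESINK masks; trim it if PWROPMODE is not set further down.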
[Severity: Low]
Does this code cause a compilation failure? The macros
TPS_POWER_STATUS_CONNECTION_MASK and TPS_POWER_STATUS_SOURCESINK_MASK appear
to be undeclared in the kernel tree.
[ ... ]
> @@ -1026,6 +1057,8 @@ static irqreturn_t tps6598x_interrupt(int irq, void *data)
> if (!tps6598x_read_status(tps, &status))
> goto err_unlock;
>
> + tps->status = status;
> +
> if ((event1[0] | event2[0]) & TPS_REG_INT_POWER_STATUS_UPDATE)
> if (!tps->data->read_power_status(tps))
> goto err_unlock;
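Review bot: the added `tps->status = status;` right after tps6598x_read_status() is repeated verbatim in the tps6598x_probe() hunk, so the cache stays correct only as long as every caller of the read remembers the extra store. Consider having tps6598x_read_status() update tps->status itself on success, or at least add a one-line comment here naming the read_power_status callback as the consumer of the cached value, since the handler now carries both a local `status` and a cached copy.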
> @@ -1034,9 +1067,15 @@ static irqreturn_t tps6598x_interrupt(int irq, void *data)
> if (!tps->data->read_data_status(tps))
> goto err_unlock;
>
> - /* Handle plug insert or removal */
> - if ((event1[0] | event2[0]) & TPS_REG_INT_PLUG_EVENT)
> + /*
> + * Refresh power status before connect - needed for TPS66993 which
> + * synthesizes pwr_status from STATUS and never gets POWER_STATUS_UPDATE.
> + */
> + if ((event1[0] | event2[0]) & TPS_REG_INT_PLUG_EVENT) {
> + if (!tps->data->read_power_status(tps))
> + goto err_unlock;
[Severity: Medium]
For legacy TPS6598x devices where both TPS_REG_INT_POWER_STATUS_UPDATE and
TPS_REG_INT_PLUG_EVENT can be set, does this cause redundant I2C reads since
read_power_status is called for both events?
If the second read fails, will it jump to err_unlock and silently drop the
plug event?
[Severity: Medium]
For the TPS66993, since read_power_status is now restricted to plug events in
this handler, does the driver fail to update the synthesized power status if a
PD contract is established after the initial plug event?
> + tps6598x_handle_plug_event(tps, status);
> + }
>
> err_unlock:
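Review bot: in the TPS_REG_INT_PLUG_EVENT branch the new read_power_status() call sits in front of tps6598x_handle_plug_event() and bails out to err_unlock on failure, so a failed read now skips the plug handling even when only TPS_REG_INT_PLUG_EVENT is set; when TPS_REG_INT_POWER_STATUS_UPDATE is set as well, the callback runs twice in one pass. Suggest a single call guarded by both bits, `if ((event1[0] | event2[0]) & (TPS_REG_INT_POWER_STATUS_UPDATE | TPS_REG_INT_PLUG_EVENT))`, placed where the existing POWER_STATUS_UPDATE check is, leaving the plug branch as it was. The replaced comment also dropped "Handle plug insert or removal"; keep that line so the branch still says what it does.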
[ ... ]
> @@ -1810,6 +1850,8 @@ static int tps6598x_probe(struct i2c_client *client)
> goto err_clear_mask;
> }
>
> + tps->status = status;
> +
[Severity: High]
This is a pre-existing issue, but does exposing the Type-C port to userspace
via tps->data->register_port() later in this probe function create a race
condition?
Userspace sysfs writes could potentially race with the subsequent lockless
port mutations in read_power_status, read_data_status, and connect later in
this function.
[Severity: High]
This is a pre-existing issue, but if the device is probed in polling mode
and an earlier connect step fails, the delayed work tps->wq_poll is
initialized and queued:
	tps6598x_probe() {
		...
		if (client->irq) {
			...
		} else {
			INIT_DELAYED_WORK(&tps->wq_poll, tps6598x_poll_work);
			queue_delayed_work(system_power_efficient_wq, &tps->wq_poll,
					   msecs_to_jiffies(POLL_INTERVAL));
		}
		if (ret)
			goto err_disconnect;
		...
	}
When the code jumps to err_disconnect, tps->wq_poll is never canceled. Can
this lead to a use-after-free when the queued work executes on freed memory?
[Severity: High]
This is a pre-existing issue, but does the error path in this probe function
leak the cd321x->update_work delayed work?
If a CD321x device connects successfully during probe but a subsequent setup
step fails, the error teardown jumps to err_disconnect without calling
remove() or explicitly canceling update_work. Could this result in a
use-after-free?
> /*
> * This fwnode has a "compatible" property, but is never populated as a
> * struct device. Instead we simply parse it to read the properties.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260702190527.1820671-1-radhey.shyam.pandey@amd.com?part=3