Devicetree
From: sashiko-bot@kernel.org
To: "Radhey Shyam Pandey" <radhey.shyam.pandey@amd.com>
Cc: robh@kernel.org, conor+dt@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v2 3/3] usb: typec: tipd: add TPS66993 support
Date: Thu, 02 Jul 2026 19:21:21 +0000
Message-ID: <20260702192121.E64F31F000E9@smtp.kernel.org>
In-Reply-To: <20260702190527.1820671-4-radhey.shyam.pandey@amd.com>

Thank you for your contribution! Sashiko AI review found 6 potential issue(s) to consider:

New issues:
- [Medium] For TPS66993, the driver fails to update the synthesized power status when a PD contract is established after the initial plug event.
- [Medium] Redundant I2C reads and potential dropping of plug events for legacy TPS6598x devices in the shared interrupt handler.
- [Low] Use of undeclared identifiers 'TPS_POWER_STATUS_CONNECTION_MASK' and 'TPS_POWER_STATUS_SOURCESINK_MASK' causes compilation failure.

Pre-existing issues:
- [High] The `tps->wq_poll` delayed work is queued but never canceled if the probe fails, leading to a Use-After-Free.
- [High] The `cd321x->update_work` delayed work is leaked and runs after free if probe fails after a successful connect.
- [High] The probe function exposes the Type-C port to userspace before it fully initializes the connection state, leading to a race condition with sysfs.
--

commit f75143dbec357f0c1c49269aeab93ef676edfcef
Author: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
Subject: usb: typec: tipd: add TPS66993 support

This patch adds support for the TPS66993 controller. It derives power status
from the STATUS register instead of the deprecated Power_Status register and
adds support for the APP1 mode string. The controller is configured in
polling mode.

> diff --git a/drivers/usb/typec/tipd/core.c b/drivers/usb/typec/tipd/core.c
> index a6cb233a055da..d2394d23a2dc4 100644
> --- a/drivers/usb/typec/tipd/core.c
> +++ b/drivers/usb/typec/tipd/core.c

[ ... ]

> @@ -631,6 +633,35 @@ static bool tps6598x_read_power_status(struct tps6598x *tps)
>  	return true;
>  }
>  
> +/*
> + * TPS66993 deprecated Power_Status register (0x3F). BC1.2 is not supported
> + * and the remaining bits are redundant with STATUS register (0x1A).
> + * Synthesize pwr_status from the already-read STATUS register.
> + */
> +static bool tps66993_read_power_status(struct tps6598x *tps)
> +{
> +	u16 pwr_status = 0;
> +
> +	/* Same masks as TPS_POWER_STATUS_CONNECTION() / SOURCESINK() / PWROPMODE() in tps6598x.h */
> +	if (tps->status & TPS_STATUS_PLUG_PRESENT)
> +		pwr_status |= FIELD_PREP(TPS_POWER_STATUS_CONNECTION_MASK, 1);
> +
> +	/* SOURCESINK: 1=sink; STATUS.PortRole 1=source, opposite convention */
> +	if (!TPS_STATUS_TO_TYPEC_PORTROLE(tps->status))
> +		pwr_status |= FIELD_PREP(TPS_POWER_STATUS_SOURCESINK_MASK, 1);
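
Review bot: In tps66993_read_power_status() the `if (!TPS_STATUS_TO_TYPEC_PORTROLE(tps->status))` test is not nested under the TPS_STATUS_PLUG_PRESENT check, so the synthesized value carries the sink bit whenever PortRole reads 0, including when nothing is plugged in. Either gate the SOURCESINK bit on plug presence or say in the comment that it is only meaningful together with the connection bit. The function also depends on the caller having refreshed tps->status first, which the header comment's "already-read" only hints at; state that as a precondition.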

[Severity: Low]
Does this code cause a compilation failure? The macros
TPS_POWER_STATUS_CONNECTION_MASK and TPS_POWER_STATUS_SOURCESINK_MASK appear
to be undeclared in the kernel tree.

[ ... ]

> @@ -1026,6 +1057,8 @@ static irqreturn_t tps6598x_interrupt(int irq, void *data)
>  	if (!tps6598x_read_status(tps, &status))
>  		goto err_unlock;
>  
> +	tps->status = status;
> +
>  	if ((event1[0] | event2[0]) & TPS_REG_INT_POWER_STATUS_UPDATE)
>  		if (!tps->data->read_power_status(tps))
>  			goto err_unlock;
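
Review bot: The bare `tps->status = status;` in tps6598x_interrupt() has to stay ahead of the read_power_status() call just below it, because the TPS66993 callback works from the cached value rather than from a register read, but nothing on the line says so. Add a short comment naming that ordering dependency so a later reshuffle of the handler does not leave the callback working from the previous STATUS value.
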
> @@ -1034,9 +1067,15 @@ static irqreturn_t tps6598x_interrupt(int irq, void *data)
>  		if (!tps->data->read_data_status(tps))
>  			goto err_unlock;
>  
> -	/* Handle plug insert or removal */
> -	if ((event1[0] | event2[0]) & TPS_REG_INT_PLUG_EVENT)
> +	/*
> +	 * Refresh power status before connect - needed for TPS66993 which
> +	 * synthesizes pwr_status from STATUS and never gets POWER_STATUS_UPDATE.
> +	 */
> +	if ((event1[0] | event2[0]) & TPS_REG_INT_PLUG_EVENT) {
> +		if (!tps->data->read_power_status(tps))
> +			goto err_unlock;

[Severity: Medium]
For legacy TPS6598x devices where both TPS_REG_INT_POWER_STATUS_UPDATE and
TPS_REG_INT_PLUG_EVENT can be set, does this cause redundant I2C reads since
read_power_status is called for both events?

If the second read fails, will it jump to err_unlock and silently drop the
plug event?

[Severity: Medium]
For the TPS66993, since read_power_status is now restricted to plug events in
this handler, does the driver fail to update the synthesized power status if a
PD contract is established after the initial plug event?

> +		tps6598x_handle_plug_event(tps, status);
> +	}
>  
>  err_unlock:
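
Review bot: The comment above the plug-event branch gives TPS66993 as the reason for the refresh, yet `tps->data->read_power_status(tps)` is called there for every variant, right after the same callback may already have run for TPS_REG_INT_POWER_STATUS_UPDATE. Consider recording in a local flag that power status was refreshed in this pass and skipping the second call, and decide whether a failed refresh should really `goto err_unlock` before tps6598x_handle_plug_event() runs.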

[ ... ]

> @@ -1810,6 +1850,8 @@ static int tps6598x_probe(struct i2c_client *client)
>  		goto err_clear_mask;
>  	}
>  
> +	tps->status = status;
> +

[Severity: High]
This is a pre-existing issue, but does exposing the Type-C port to userspace
via tps->data->register_port() later in this probe function create a race
condition?

Userspace sysfs writes could potentially race with the subsequent lockless
port mutations in read_power_status, read_data_status, and connect later in
this function.

[Severity: High]
This is a pre-existing issue, but if the device is probed in polling mode
and an earlier connect step fails, the delayed work tps->wq_poll is
initialized and queued:

tps6598x_probe() {
	...
	if (client->irq) {
		...
	} else {
		INIT_DELAYED_WORK(&tps->wq_poll, tps6598x_poll_work);
		queue_delayed_work(system_power_efficient_wq, &tps->wq_poll,
				   msecs_to_jiffies(POLL_INTERVAL));
	}

	if (ret)
		goto err_disconnect;
	...
}

When the code jumps to err_disconnect, tps->wq_poll is never canceled. Can
this lead to a use-after-free when the queued work executes on freed memory?

[Severity: High]
This is a pre-existing issue, but does the error path in this probe function
leak the cd321x->update_work delayed work?

If a CD321x device connects successfully during probe but a subsequent setup
step fails, the error teardown jumps to err_disconnect without calling
remove() or explicitly canceling update_work. Could this result in a
use-after-free?

>  	/*
>  	 * This fwnode has a "compatible" property, but is never populated as a
>  	 * struct device. Instead we simply parse it to read the properties.
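
Review bot: `tps->status = status;` in tps6598x_probe() is a second hand-written copy of the cache update already added to tps6598x_interrupt(), and any future caller of the STATUS read has to remember it as well. Consider a small helper that reads STATUS and stores it in tps->status on success, so the cached value used by tps66993_read_power_status() cannot go stale by omission.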

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260702190527.1820671-1-radhey.shyam.pandey@amd.com?part=3
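
An added example, not part of the original message or of the driver: a userspace C model of the probe error path discussed above for tps->wq_poll, showing that the unwind has to cancel the queued work before the memory it points into is freed. model_queue(), model_cancel_sync() and model_probe() are hypothetical stand-ins for queue_delayed_work(), cancel_delayed_work_sync() and the probe function.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed userspace stand-ins for the kernel delayed-work calls. */
struct delayed_work { void (*fn)(struct delayed_work *); };
struct port { struct delayed_work wq_poll; int polls; };
static struct delayed_work *slot;  /* the model's single timer slot */
static bool slot_armed;

static void model_queue(struct delayed_work *w) { slot = w; slot_armed = true; }

/* Stands in for cancel_delayed_work_sync(): disarm before the owner is freed. */
static void model_cancel_sync(struct delayed_work *w)
{
	if (slot_armed && slot == w)
		slot_armed = false;
}

static void poll_work(struct delayed_work *w)
{
	((struct port *)w)->polls++;  /* wq_poll is the first member of struct port */
}

/* Polling-mode probe; late_error models a setup step failing after queueing. */
static struct port *model_probe(bool late_error, bool cancel_on_error)
{
	struct port *p = calloc(1, sizeof(*p));
	if (!p)
		return NULL;
	p->wq_poll.fn = poll_work;
	model_queue(&p->wq_poll);
	if (!late_error)
		return p;
	if (cancel_on_error)  /* error unwind: cancel first, then free */
		model_cancel_sync(&p->wq_poll);
	free(p);
	return NULL;
}

/* True when work pointing into freed memory is still armed after a failed probe. */
static bool stale_work_after_failed_probe(bool cancel_on_error)
{
	slot_armed = false;
	model_probe(true, cancel_on_error);
	return slot_armed;  /* flag only; the stale pointer is never dereferenced */
}

int main(void) { return stale_work_after_failed_probe(true) ? 1 : 0; }  /* 0: nothing left armed */
```

The same ordering applies to any delayed work owned by the structure being torn down, such as the cd321x->update_work case raised in the message.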

Thread overview: 8+ messages
2026-07-02 19:05 [PATCH v2 0/3] usb: typec: tipd: add TPS66993 support Radhey Shyam Pandey
2026-07-02 19:05 ` [PATCH v2 1/3] dt-bindings: usb: ti,tps6598x: add TPS66993 compatible Radhey Shyam Pandey
2026-07-03  7:12   ` Krzysztof Kozlowski
2026-07-02 19:05 ` [PATCH v2 2/3] usb: typec: tipd: add read_power_status callback to tipd_data Radhey Shyam Pandey
2026-07-03 15:14   ` Heikki Krogerus
2026-07-02 19:05 ` [PATCH v2 3/3] usb: typec: tipd: add TPS66993 support Radhey Shyam Pandey
2026-07-02 19:21   ` sashiko-bot [this message]
2026-07-03 15:17   ` Heikki Krogerus
