From: sashiko-bot@kernel.org
To: "Ivaylo Dimitrov" <ivo.g.dimitrov.75@gmail.com>
Cc: vkoul@kernel.org, linux-phy@lists.infradead.org,
devicetree@vger.kernel.org, conor+dt@kernel.org,
neil.armstrong@linaro.org, olteanv@gmail.com, robh@kernel.org
Subject: Re: [PATCH 1/5] phy: cpcap-usb: Prevent line glitches from triggering sysrq
Date: Sat, 04 Jul 2026 07:49:07 +0000 [thread overview]
Message-ID: <20260704074908.3D0471F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260704073843.1750458-2-ivo.g.dimitrov.75@gmail.com>
Thank you for your contribution! Sashiko AI review found 5 potential issue(s) to consider:
New issues:
- [High] The global SysRq support mask is permanently altered if an error occurs during UART mode configuration.
- [High] Flawed bitwise logic fails to effectively disable SysRq in system configurations that use specific feature masks, leaving the system vulnerable to glitches.
- [High] The driver modifies global system configuration to mask a local hardware glitch, introducing system-wide side effects and race conditions.
Pre-existing issues:
- [High] A Use-After-Free vulnerability exists because devres-managed IRQs can queue delayed work on freed memory after `remove()` completes.
- [High] Hardware teardown in `remove()` races with the background worker, leading to undefined hardware state.
--
commit d89e10225f70bc2771f7d996decb42920d32fe88
Author: Tony Lindgren <tony@atomide.com>
phy: cpcap-usb: Prevent line glitches from triggering sysrq
This commit attempts to prevent random sysrq events when switching from USB
to debug serial port mode. It temporarily disables sysrq during mode changes
to mask line glitches.
> diff --git a/drivers/phy/motorola/phy-cpcap-usb.c b/drivers/phy/motorola/phy-cpcap-usb.c
> --- a/drivers/phy/motorola/phy-cpcap-usb.c
> +++ b/drivers/phy/motorola/phy-cpcap-usb.c
[ ... ]
> @@ -413,7 +414,12 @@ static int cpcap_usb_gpio_set_mode(struct cpcap_phy_ddata *ddata,
>
> static int cpcap_usb_set_uart_mode(struct cpcap_phy_ddata *ddata)
> {
> - int error;
> + int sysrq, error;
> +
> + /* Disable sysrq to prevent random sysrq events on line glitches */
> + sysrq = sysrq_mask();
> + if (sysrq & 1)
> + sysrq_toggle_support(sysrq & ~1);
[Severity: High]
Does modifying the global sysrq state here create a race condition?
If an administrator concurrently modifies the sysrq settings via
/proc/sys/kernel/sysrq, will the restoration call at the end of this
function blindly overwrite their new state?
[Severity: High]
Will this correctly disable sysrq if the system is configured with a
specific feature mask?
If the administrator clears the SYSRQ_ENABLE_ALL bit (bit 0) but leaves
other features enabled, sysrq & 1 evaluates to 0, bypassing the disablement.
If bit 0 and other bits are set, sysrq & ~1 disables the 'enable all' flag
but leaves the specific logging/dumping features actively enabled.
[ ... ]
> @@ -448,6 +454,9 @@ static int cpcap_usb_set_uart_mode(struct cpcap_phy_ddata *ddata)
> if (error)
> goto out_err;
>
> + if (sysrq & 1)
> + sysrq_toggle_support(sysrq);
> +
> return 0;
>
> out_err:
[Severity: High]
Does this error path permanently alter the sysrq support mask?
If a failure occurs during the GPIO or pinctrl mode configuration, the
function jumps to out_err and bypasses the restoration of the sysrq state.
Could this permanently disable sysrq features system-wide?
[Severity: High]
This is a pre-existing issue, but is there a use-after-free vulnerability
during device teardown?
Looking at cpcap_phy_irq_thread():
drivers/phy/motorola/phy-cpcap-usb.c:cpcap_phy_irq_thread() {
if (!atomic_read(&ddata->active))
return IRQ_NONE;
schedule_delayed_work(&ddata->detect_work, msecs_to_jiffies(1));
}
And in cpcap_usb_phy_remove(), cancel_delayed_work_sync() is called, but
because devm_request_threaded_irq() is used, the IRQ is freed after
remove() finishes.
If the IRQ thread is preempted immediately after reading ddata->active,
can it resume during free_irq(), and queue detect_work on freed memory
after devres frees ddata?
[Severity: High]
This is a pre-existing issue, but does the hardware teardown in
cpcap_usb_phy_remove() race with the background worker?
Looking at cpcap_usb_phy_remove():
drivers/phy/motorola/phy-cpcap-usb.c:cpcap_usb_phy_remove() {
cpcap_usb_set_idle_mode(ddata);
cpcap_usb_try_musb_mailbox(ddata, MUSB_VBUS_OFF);
usb_remove_phy(&ddata->phy);
cancel_delayed_work_sync(&ddata->detect_work);
}
The driver attempts to force an idle state before stopping the background
worker cpcap_usb_detect().
Since the worker thread doesn't check ddata->active, could it concurrently
modify the same regmap registers and pinctrl states, leaving the hardware
in an undefined state?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260704073843.1750458-1-ivo.g.dimitrov.75@gmail.com?part=1
next prev parent reply other threads:[~2026-07-04 7:49 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-04 7:38 [PATCH 0/5] phy: cpcap-usb: improve charger detection and export cable state Ivaylo Dimitrov
2026-07-04 7:38 ` [PATCH 1/5] phy: cpcap-usb: Prevent line glitches from triggering sysrq Ivaylo Dimitrov
2026-07-04 7:49 ` sashiko-bot [this message]
2026-07-04 7:38 ` [PATCH 2/5] phy: cpcap-usb: add DCP detection and make UART idle mode optional Ivaylo Dimitrov
2026-07-04 7:49 ` sashiko-bot
2026-07-04 7:38 ` [PATCH 3/5] dt-bindings: phy: motorola,cpcap-usb: replace se1 interrupt with chrg_det Ivaylo Dimitrov
2026-07-04 7:47 ` sashiko-bot
2026-07-04 7:38 ` [PATCH 4/5] ARM: dts: ti: cpcap-mapphone: use charger detection interrupt for CPCAP USB PHY Ivaylo Dimitrov
2026-07-04 7:48 ` sashiko-bot
2026-07-04 7:38 ` [PATCH 5/5] phy: cpcap-usb: add extcon support Ivaylo Dimitrov
2026-07-04 7:51 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260704074908.3D0471F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=ivo.g.dimitrov.75@gmail.com \
--cc=linux-phy@lists.infradead.org \
--cc=neil.armstrong@linaro.org \
--cc=olteanv@gmail.com \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox