Devicetree
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Ivaylo Dimitrov" <ivo.g.dimitrov.75@gmail.com>
Cc: conor+dt@kernel.org, devicetree@vger.kernel.org,
	neil.armstrong@linaro.org, vkoul@kernel.org,
	linux-phy@lists.infradead.org, robh@kernel.org,
	olteanv@gmail.com
Subject: Re: [PATCH 5/5] phy: cpcap-usb: add extcon support
Date: Sat, 04 Jul 2026 07:51:35 +0000	[thread overview]
Message-ID: <20260704075136.0014E1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260704073843.1750458-6-ivo.g.dimitrov.75@gmail.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

New issues:
- [High] The EXTCON_USB state is updated using `extcon_set_state` without a corresponding `extcon_set_state_sync` or `extcon_sync`, preventing registered listeners from receiving state change notifications.
- [Medium] Extcon state can become permanently desynchronized from the hardware/software state when regmap updates fail.

Pre-existing issues:
- [High] The driver's remove path races with the devres-managed threaded IRQ handler, leading to a Use-After-Free of the driver data structure.
--

commit 5e21d209058ee93304da0e1964b84339cf8709c2
Author: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>

phy: cpcap-usb: add extcon support

Register an Extcon device and report the detected cable state.
The driver already determines the type of cable attached during USB cable
detection. Export the detected state through the Extcon framework so
other drivers can consume it using a standard kernel interface.

> diff --git a/drivers/phy/motorola/phy-cpcap-usb.c b/drivers/phy/motorola/phy-cpcap-usb.c
> index 3be2b3afaaf4d..8978a95c1c199 100644
> --- a/drivers/phy/motorola/phy-cpcap-usb.c
> +++ b/drivers/phy/motorola/phy-cpcap-usb.c
> @@ -123,6 +124,7 @@ struct cpcap_phy_ddata {
>  	struct regmap *reg;
>  	struct device *dev;
>  	struct usb_phy phy;
> +	struct extcon_dev *edev;
>  	struct delayed_work detect_work;

[Severity: High]
This is a pre-existing issue, but does the remove path race with the
devres-managed threaded IRQ handler, leading to a use-after-free of this
driver data structure?

If the devres-managed IRQ thread cpcap_phy_irq_thread() fires and reads
ddata->active as 1, but is preempted before calling schedule_delayed_work():

And then the driver remove path cpcap_usb_phy_remove() executes, sets
ddata->active to 0, cancels any pending work, and returns.

Devres cleanup then begins, calling devm_irq_release() -> free_irq() ->
synchronize_irq(), which blocks waiting for the preempted IRQ thread.

When the IRQ thread resumes, it successfully queues the delayed work and
returns.

Once devm_irq_release() finishes, devres proceeds to free ddata.
The delayed work timer expires and executes cpcap_usb_detect() on the freed
ddata memory.

> [ ... ]
> @@ -226,6 +239,43 @@ static void cpcap_usb_try_musb_mailbox(struct cpcap_phy_ddata *ddata,
> [ ... ]
> +static void cpcap_usb_set_extcon(struct cpcap_phy_ddata *ddata)
> +{
> [ ... ]
> +	if (ddata->cable == EXTCON_CHG_USB_SDP)
> +		extcon_set_state(ddata->edev, EXTCON_USB, false);
> +	else if (cable == EXTCON_CHG_USB_SDP)
> +		extcon_set_state(ddata->edev, EXTCON_USB, true);

[Severity: High]
Does this prevent registered listeners from receiving state change
notifications for EXTCON_USB?

The EXTCON_USB state is updated here using extcon_set_state() without a
corresponding extcon_set_state_sync() or extcon_sync(). When the driver
changes the state to or from CPCAP_USB (which maps to EXTCON_CHG_USB_SDP),
the subsequent extcon_set_state_sync() calls only target the charger cable
ID and its specific notifier chain.

The notifier chain for EXTCON_USB might never be fired.

> +
> +	if (ddata->cable != EXTCON_NONE)
> +		extcon_set_state_sync(ddata->edev, ddata->cable, false);
> +
> +	if (cable != EXTCON_NONE)
> +		extcon_set_state_sync(ddata->edev, cable, true);
> +
> +	ddata->cable = cable;
> +}
> [ ... ]
> @@ -356,6 +411,8 @@ static void cpcap_usb_detect(struct work_struct *work)
> [ ... ]
>  	if (ddata->mode == CPCAP_IDLE)
>  		return;
>  
>  	ddata->mode = CPCAP_IDLE;
>  	cpcap_usb_try_musb_mailbox(ddata, MUSB_VBUS_OFF);
>  
>  	error = cpcap_usb_set_idle_mode(ddata);
>  	if (error)
>  		goto out_err;
>  
> +	cpcap_usb_set_extcon(ddata);
> +
>  	return;
>  
>  out_err:

[Severity: Medium]
Can the extcon state become permanently desynchronized from the hardware and
software state if a regmap update fails?

Earlier in cpcap_usb_detect(), the internal software state ddata->mode is
updated prior to hardware configuration. If the hardware register update
fails, the code branches to out_err and skips calling
cpcap_usb_set_extcon().

Because ddata->mode is already modified, subsequent executions of
cpcap_usb_detect() will take the early return path and will never retry
updating the extcon state, leaving it stale indefinitely.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260704073843.1750458-1-ivo.g.dimitrov.75@gmail.com?part=5

      reply	other threads:[~2026-07-04  7:51 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-04  7:38 [PATCH 0/5] phy: cpcap-usb: improve charger detection and export cable state Ivaylo Dimitrov
2026-07-04  7:38 ` [PATCH 1/5] phy: cpcap-usb: Prevent line glitches from triggering sysrq Ivaylo Dimitrov
2026-07-04  7:49   ` sashiko-bot
2026-07-04  7:38 ` [PATCH 2/5] phy: cpcap-usb: add DCP detection and make UART idle mode optional Ivaylo Dimitrov
2026-07-04  7:49   ` sashiko-bot
2026-07-04  7:38 ` [PATCH 3/5] dt-bindings: phy: motorola,cpcap-usb: replace se1 interrupt with chrg_det Ivaylo Dimitrov
2026-07-04  7:47   ` sashiko-bot
2026-07-04  7:38 ` [PATCH 4/5] ARM: dts: ti: cpcap-mapphone: use charger detection interrupt for CPCAP USB PHY Ivaylo Dimitrov
2026-07-04  7:48   ` sashiko-bot
2026-07-04  7:38 ` [PATCH 5/5] phy: cpcap-usb: add extcon support Ivaylo Dimitrov
2026-07-04  7:51   ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260704075136.0014E1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=ivo.g.dimitrov.75@gmail.com \
    --cc=linux-phy@lists.infradead.org \
    --cc=neil.armstrong@linaro.org \
    --cc=olteanv@gmail.com \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=vkoul@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox