From: "Arnd Bergmann" <arnd@kernel.org>
To: sashiko@lists.linux.dev
Cc: devicetree@vger.kernel.org, krzk+dt@kernel.org,
"Rob Herring" <robh@kernel.org>,
"Conor Dooley" <conor+dt@kernel.org>
Subject: Re: [PATCH 2/3] [v5 net-next] p54spi: convert to devicetree
Date: Sat, 09 May 2026 19:08:55 +0200 [thread overview]
Message-ID: <936b128b-37cf-4674-82dd-fb5708b2e1e6@app.fastmail.com> (raw)
In-Reply-To: <20260508213256.45BE6C2BCB0@smtp.kernel.org>
On Fri, May 8, 2026, at 23:32, sashiko-bot@kernel.org wrote:
>> -static int p54spi_gpio_irq = 87;
>> -module_param(p54spi_gpio_irq, int, 0444);
>> -MODULE_PARM_DESC(p54spi_gpio_irq, "gpio number for irq line");
>> -
>> static void p54spi_spi_read(struct p54s_priv *priv, u8 address,
>> void *buf, size_t len)
>> {
>
> This problem wasn't introduced by this patch, but I noticed a pre-existing
> issue in the context here. Does the p54spi_spi_read() function perform an SPI
> transfer using a stack-allocated buffer?
>
> Looking at p54spi_spi_read(), the addr variable is allocated on the stack and
> passed as a transfer buffer to spi_sync(). The SPI framework maps transfer
> buffers for DMA. Passing a stack-allocated buffer is illegal, particularly with
> CONFIG_VMAP_STACK enabled, because stack memory resides in vmalloc space and
> cannot be safely DMA-mapped.
>
> Could this cause memory corruption or a kernel panic during the transfer?
In theory it could, as passing long buffers on stack is not
allowed for SPI drivers. In practice this seems to work because
all SPI drivers that perform DMA check for short transfers and
fall back to MMIO if possible. In this case, the spi-omap2-mcspi
driver uses DMA_MIN_BYTES=160, while the on-stack transfers are
only two or four bytes and will always be done through MMIO.
The driver has other flaws that I'm not trying to address either.
>> -
>> - ret = request_irq(gpio_to_irq(p54spi_gpio_irq),
>> - p54spi_interrupt, IRQF_NO_AUTOEN, "p54spi",
>> - priv->spi);
>> + ret = request_irq(spi->irq, p54spi_interrupt, IRQF_NO_AUTOEN, "p54spi", priv->spi);
>
> Is there missing validation for spi->irq before calling request_irq()?
>
> If the device tree node lacks an interrupts property, the SPI core may set
> spi->irq to 0 or a negative error code.
>
> Passing this directly to request_irq() without validation can successfully
> hijack a core system interrupt like the system timer on some architectures,
> leading to system instability or deadlocks.
>
> Should there be a check like if (spi->irq <= 0) to fail the probe gracefully?
request_irq() fails with -EINVAL in this case, which is an appropriate
return code. This is again the same behavior as before, if an invalid
GPIO, or a GPIO that is not connected to an irqchip gets passed.
Arnd
next prev parent reply other threads:[~2026-05-09 17:09 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-07 21:24 [PATCH 0/3] [v5 net-next] wireless: p54 devicetree conversion Arnd Bergmann
2026-05-07 21:24 ` [PATCH 1/3] [v5 net-next] dt-bindings: net: add st,stlc4560/p54spi binding Arnd Bergmann
2026-05-08 15:05 ` Conor Dooley
2026-05-08 21:32 ` sashiko-bot
2026-05-09 15:56 ` Conor Dooley
2026-05-09 16:31 ` Roman Gushchin
2026-05-09 18:08 ` Conor Dooley
2026-05-07 21:24 ` [PATCH 2/3] [v5 net-next] p54spi: convert to devicetree Arnd Bergmann
2026-05-08 21:32 ` sashiko-bot
2026-05-09 17:08 ` Arnd Bergmann [this message]
2026-05-07 21:24 ` [PATCH 3/3] [v5 omap] ARM: dts: omap2: add stlc4560 spi-wireless node Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=936b128b-37cf-4674-82dd-fb5708b2e1e6@app.fastmail.com \
--to=arnd@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=krzk+dt@kernel.org \
--cc=robh@kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox