From: sashiko-bot@kernel.org
To: "Vladimir Oltean" <vladimir.oltean@nxp.com>
Cc: wsa+renesas@sang-engineering.com, linux-pci@vger.kernel.org
Subject: Re: [PATCH v8 phy-next 09/31] PCI: Remove device links to PHY
Date: Thu, 07 May 2026 07:59:58 +0000 [thread overview]
Message-ID: <20260507075959.47D77C2BCB8@smtp.kernel.org> (raw)
In-Reply-To: <20260505100523.1922388-10-vladimir.oltean@nxp.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [Critical] Critical memory corruption in cdns_plat_pcie_shutdown() due to incorrect pointer cast.
- [High] Asynchronous pm_runtime_put() is called immediately before pm_runtime_disable(), cancelling suspend transitions.
- [High] Shared IRQ handlers access hardware registers without checking PM runtime state, causing spurious interrupts or bus errors.
--
commit abda94a24ef1bb0817706ae87aa20f04251c14ad
Author: Vladimir Oltean <vladimir.oltean@nxp.com>
PCI: Remove device links to PHY
This commit removes device links between the PCIe controllers and PHY
providers in the Cadence, DRA7xx, and Keystone drivers. The device links
are now redundant since the PHY core automatically adds device links to
order suspend/resume operations.
> diff --git a/drivers/pci/controller/cadence/pcie-cadence-plat.c b/drivers/pci/controller/cadence/pcie-cadence-plat.c
> index 8b12a46b56019..6fd16e09e2444 100644
> --- a/drivers/pci/controller/cadence/pcie-cadence-plat.c
> +++ b/drivers/pci/controller/cadence/pcie-cadence-plat.c
> @@ -41,7 +41,6 @@ static int cdns_plat_pcie_probe(struct platform_device *pdev)
> struct pci_host_bridge *bridge;
> struct cdns_pcie_ep *ep;
> struct cdns_pcie_rc *rc;
> - int phy_count;
> bool is_rc;
> int ret;
In cdns_plat_pcie_probe(), the driver data is initialized to point to a
struct cdns_plat_pcie object:
cdns_plat_pcie = devm_kzalloc(dev, sizeof(*cdns_plat_pcie), GFP_KERNEL);
...
platform_set_drvdata(pdev, cdns_plat_pcie);
However, in cdns_plat_pcie_shutdown(), the pointer is extracted and cast
directly to struct cdns_pcie *:
static void cdns_plat_pcie_shutdown(struct platform_device *pdev)
{
struct device *dev = &pdev->dev;
struct cdns_pcie *pcie = dev_get_drvdata(dev);
...
cdns_pcie_disable_phy(pcie);
}
Since struct cdns_plat_pcie is only 8 bytes large, but the phy_count field
is at an offset of roughly 36 bytes in struct cdns_pcie, does this lead to
an out-of-bounds read and memory corruption when cdns_pcie_disable_phy()
attempts to iterate over the PHYs?
[ ... ]
> diff --git a/drivers/pci/controller/dwc/pci-keystone.c b/drivers/pci/controller/dwc/pci-keystone.c
> index fe4836925c4e3..cab9fad212add 100644
> --- a/drivers/pci/controller/dwc/pci-keystone.c
> +++ b/drivers/pci/controller/dwc/pci-keystone.c
[ ... ]
> @@ -1337,25 +1321,18 @@ static int ks_pcie_probe(struct platform_device *pdev)
> pm_runtime_disable(dev);
> ks_pcie_disable_phy(ks_pcie);
>
> -err_link:
> - while (--i >= 0 && link[i])
> - device_link_del(link[i]);
> -
> +err:
> return ret;
> }
>
> static void ks_pcie_remove(struct platform_device *pdev)
> {
> struct keystone_pcie *ks_pcie = platform_get_drvdata(pdev);
> - struct device_link **link = ks_pcie->link;
> - int num_lanes = ks_pcie->num_lanes;
> struct device *dev = &pdev->dev;
>
> pm_runtime_put(dev);
> pm_runtime_disable(dev);
Does calling pm_runtime_put() immediately before pm_runtime_disable() cancel
the suspend transition?
pm_runtime_put() queues an asynchronous idle or suspend work item, but
calling pm_runtime_disable() immediately afterward cancels this pending
transition via __pm_runtime_barrier().
Could this leave the hardware in an active or incorrect power state from
the controller's perspective? Would it be safer to use synchronous
pm_runtime_put_sync() instead?
This asynchronous put pattern also appears in the error paths of
dra7xx_pcie_probe() and ks_pcie_probe().
While reviewing the power management handling in these drivers, I also
noticed that the shared interrupt handlers read hardware registers directly
without verifying if the device is active:
drivers/pci/controller/dwc/pci-dra7xx.c:dra7xx_pcie_irq_handler() {
...
reg = dra7xx_pcie_readl(dra7xx, PCIECTRL_DRA7XX_CONF_IRQSTATUS_MAIN);
If another device sharing the same IRQ line triggers an interrupt while the
PCIe controller is runtime suspended, will these handlers attempt to read
powered-down hardware?
Should the handlers check the PM runtime state using
pm_runtime_get_if_active() to prevent spurious interrupts or bus errors?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260505100523.1922388-1-vladimir.oltean@nxp.com?part=9
next prev parent reply other threads:[~2026-05-07 8:00 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-05 10:04 [PATCH v8 phy-next 00/31] Split Generic PHY consumer and provider API Vladimir Oltean
2026-05-05 10:04 ` [PATCH v8 phy-next 01/31] PCI: cadence: Preserve all error codes in cdns_plat_pcie_probe() Vladimir Oltean
2026-05-05 16:26 ` Bjorn Helgaas
2026-05-07 7:59 ` sashiko-bot
2026-05-07 15:50 ` Bjorn Helgaas
2026-05-05 10:04 ` [PATCH v8 phy-next 02/31] ata: add <linux/pm_runtime.h> where missing Vladimir Oltean
2026-05-07 7:59 ` sashiko-bot
2026-05-05 10:04 ` [PATCH v8 phy-next 03/31] PCI: Add missing headers transitively included by <linux/phy/phy.h> Vladimir Oltean
2026-05-05 10:04 ` [PATCH v8 phy-next 04/31] usb: add " Vladimir Oltean
2026-05-05 10:04 ` [PATCH v8 phy-next 05/31] drm: add <linux/pm_runtime.h> where missing Vladimir Oltean
2026-05-05 10:04 ` [PATCH v8 phy-next 06/31] phy: " Vladimir Oltean
2026-05-05 10:04 ` [PATCH v8 phy-next 07/31] phy: spacemit: include missing <linux/phy/phy.h> Vladimir Oltean
2026-05-05 10:05 ` [PATCH v8 phy-next 08/31] net: lan969x: include missing <linux/of.h> Vladimir Oltean
2026-05-05 10:05 ` [PATCH v8 phy-next 09/31] PCI: Remove device links to PHY Vladimir Oltean
2026-05-07 7:59 ` sashiko-bot [this message]
2026-05-07 15:47 ` Bjorn Helgaas
2026-05-08 2:14 ` Hans Zhang
2026-05-05 10:05 ` [PATCH v8 phy-next 10/31] scsi: ufs: exynos: use dedicated API for updating PHY bus width Vladimir Oltean
2026-05-07 7:59 ` sashiko-bot
2026-05-05 10:05 ` [PATCH v8 phy-next 11/31] scsi: ufs: qcom: call phy_init() before phy_power_on() Vladimir Oltean
2026-05-07 8:00 ` sashiko-bot
2026-05-05 10:05 ` [PATCH v8 phy-next 12/31] scsi: ufs: qcom: make use of QMP PHY dynamic gear switching ability Vladimir Oltean
2026-05-07 8:00 ` sashiko-bot
2026-05-05 10:05 ` [PATCH v8 phy-next 13/31] scsi: ufs: qcom: keep separate track of PHY power state Vladimir Oltean
2026-05-07 8:00 ` sashiko-bot
2026-05-05 10:05 ` [PATCH v8 phy-next 14/31] scsi: ufs: qcom: include missing <linux/interrupt.h> Vladimir Oltean
2026-05-05 10:05 ` [PATCH v8 phy-next 15/31] drm/rockchip: dw_hdmi: avoid direct dereference of phy->dev.of_node Vladimir Oltean
2026-05-07 8:00 ` sashiko-bot
2026-05-05 10:05 ` [PATCH v8 phy-next 16/31] usb: host: tegra: " Vladimir Oltean
2026-05-07 8:00 ` sashiko-bot
2026-05-05 10:05 ` [PATCH v8 phy-next 17/31] usb: gadget: tegra-xudc: " Vladimir Oltean
2026-05-07 8:00 ` sashiko-bot
2026-05-05 10:05 ` [PATCH v8 phy-next 18/31] phy: move provider API out of public <linux/phy/phy.h> Vladimir Oltean
2026-05-05 10:05 ` [PATCH v8 phy-next 19/31] phy: make phy_get_mode(), phy_get_bus_width() NULL tolerant Vladimir Oltean
2026-05-05 10:05 ` [PATCH v8 phy-next 20/31] phy: introduce phy_get_max_link_rate() helper for consumers Vladimir Oltean
2026-05-05 10:05 ` [PATCH v8 phy-next 21/31] drm/rockchip: dsi: include PHY provider header Vladimir Oltean
2026-05-07 8:00 ` sashiko-bot
2026-05-05 10:05 ` [PATCH v8 phy-next 22/31] drm: bridge: cdns-mhdp8546: use consumer API for getting PHY bus width Vladimir Oltean
2026-05-05 10:05 ` [PATCH v8 phy-next 23/31] media: sunxi: a83-mips-csi2: include PHY provider header Vladimir Oltean
2026-05-05 10:05 ` [PATCH v8 phy-next 24/31] net: renesas: rswitch: " Vladimir Oltean
2026-05-07 8:00 ` sashiko-bot
2026-05-05 10:05 ` [PATCH v8 phy-next 25/31] pinctrl: tegra-xusb: " Vladimir Oltean
2026-05-05 10:05 ` [PATCH v8 phy-next 26/31] power: supply: cpcap-charger: include missing <linux/property.h> Vladimir Oltean
2026-05-05 10:05 ` [PATCH v8 phy-next 27/31] phy: move ulpi_phy.h from include/linux/phy/ to drivers/phy/ Vladimir Oltean
2026-05-05 10:05 ` [PATCH v8 phy-next 28/31] phy: include PHY provider header (1/2) Vladimir Oltean
2026-05-05 10:05 ` [PATCH v8 phy-next 29/31] phy: include PHY provider header (2/2) Vladimir Oltean
2026-05-05 10:05 ` [PATCH v8 phy-next 30/31] phy: remove temporary provider compatibility from consumer header Vladimir Oltean
2026-05-07 8:00 ` sashiko-bot
2026-05-05 10:05 ` [PATCH v8 phy-next 31/31] MAINTAINERS: add regexes for linux-phy Vladimir Oltean
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260507075959.47D77C2BCB8@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko@lists.linux.dev \
--cc=vladimir.oltean@nxp.com \
--cc=wsa+renesas@sang-engineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox