Thank you for your contribution! Sashiko AI review found 5 potential issue(s) to consider:
Pre-existing issues: - [High] Hardware Chip Select (CS) is left asserted indefinitely if the final message transfer is absorbed as a dummy transfer. - [High] DMA memory mapping leak on error paths in `tegra_qspi_start_dma_based_transfer`. - [High] DMA memory mapping leak upon transfer timeout or hardware error. - [High] DMA maps memory beyond the end of the SPI transfer buffer when using packed DMA transfers. - [High] Unconditional DMA unmap on error path in `tegra_qspi_dma_map_xfer`. -- commit dedc4ce6598360fa2a4de3d4413aaecfda3051a4 Author: Kaitao Cheng <[email protected]> spi: tegra210-quad: Open-code message transfer walk This commit converts the list_for_each_entry() loop in tegra_qspi_non_combined_seq_xfer() to an open-coded for-loop. This preserves semantics when consuming the next transfer in the loop body, preparing the code for future list iterator updates. > diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c > index 588a929a97850..102562893d227 100644 > --- a/drivers/spi/spi-tegra210-quad.c > +++ b/drivers/spi/spi-tegra210-quad.c > @@ -1309,7 +1309,9 @@ static int tegra_qspi_non_combined_seq_xfer(struct > tegra_qspi *tqspi, > if (tqspi->soc_data->supports_tpm) > val &= ~QSPI_TPM_WAIT_POLL_EN; > tegra_qspi_writel(tqspi, val, QSPI_GLOBAL_CONFIG); > - list_for_each_entry(transfer, &msg->transfers, transfer_list) { > + for (transfer = list_first_entry(&msg->transfers, typeof(*transfer), > transfer_list); > + !list_entry_is_head(transfer, &msg->transfers, transfer_list); > + transfer = list_next_entry(transfer, transfer_list)) { > struct spi_transfer *xfer = transfer; > u8 dummy_bytes = 0; > u32 cmd1; [Severity: High] This is a pre-existing issue, but does this logic fail to deactivate the chip select if the final transfer is absorbed as a dummy transfer? In tegra_qspi_non_combined_seq_xfer(), if the final SPI transfer in the message is a dummy transfer, the loop pointer advances to it, effectively consuming it into the current xfer: if (next_xfer->dummy_data) { ... transfer = next_xfer; } When checking if CS should be deactivated at the end of the loop body, the code uses xfer instead of the updated transfer pointer: if (list_is_last(&xfer->transfer_list, &msg->transfers)) { if (!xfer->cs_change) { tegra_qspi_transfer_end(spi); ... } } else if (xfer->cs_change) { ... Since xfer is the second-to-last transfer, list_is_last() evaluates to false. The code falls through to the else branch, and if cs_change is false, tegra_qspi_transfer_end() is skipped. The loop then terminates, leaving the hardware chip select asserted indefinitely. Could this corrupt subsequent bus communications? [Severity: High] This is a pre-existing issue, but do we leak DMA memory mappings if a transfer times out or encounters a hardware error? Looking at tegra_qspi_non_combined_seq_xfer(), if the transfer times out, tegra_qspi_handle_timeout() confirms the timeout, stops the DMA engine channels, and jumps to complete_xfer: if (tqspi->is_curr_dma_xfer) tegra_qspi_dma_stop(tqspi); ... goto complete_xfer; Similarly, if a hardware error is detected, we also jump to complete_xfer: if (tqspi->tx_status || tqspi->rx_status) { ... goto complete_xfer; } In both paths, the code exits without calling tegra_qspi_dma_unmap_xfer(). Are these DMA mappings permanently leaked? [Severity: High] This isn't a bug introduced by this patch, but does tegra_qspi_start_dma_based_transfer() leak DMA memory mappings on its error paths? When tqspi->is_packed is true, tegra_qspi_dma_map_xfer() successfully maps the TX and RX DMA buffers. If any subsequent DMA setup operations fail (like dmaengine_slave_config(), tegra_qspi_start_tx_dma(), or tegra_qspi_start_rx_dma()), the function returns the error directly: ret = dmaengine_slave_config(tqspi->rx_dma_chan, &dma_sconfig); if (ret < 0) { dev_err(tqspi->dev, "failed DMA slave config: %d\n", ret); return ret; } The caller tegra_qspi_non_combined_seq_xfer() then propagates the error and exits, never calling tegra_qspi_dma_unmap_xfer(). Does this permanently leak the DMA mapped memory and IOMMU space? [Severity: High] This is a pre-existing issue, but does the DMA mapping calculation risk crossing an unmapped physical page boundary? In tegra_qspi_dma_map_xfer(), when tqspi->is_packed is true, the mapped length is artificially inflated to a multiple of 4: len = DIV_ROUND_UP(tqspi->curr_dma_words * tqspi->bytes_per_word, 4) * 4; if (t->tx_buf) { t->tx_dma = dma_map_single(tqspi->tx_dma_dev, (void *)tx_buf, len, DMA_TO_DEVICE); Because the original client-provided buffer might be exactly t->len bytes long, mapping beyond its exact length could cross into restricted or unallocated physical memory. Could this trigger an IOMMU fault or a kernel panic? [Severity: High] This isn't a bug introduced by this patch, but does the error path in tegra_qspi_dma_map_xfer() unconditionally unmap the TX buffer even when it was never mapped? If t->tx_buf is NULL during a read-only transfer, the TX buffer mapping is correctly skipped. However, if the subsequent dma_map_single() for t->rx_buf fails, the error handling block unmaps tx_dma without checking: if (dma_mapping_error(tqspi->rx_dma_dev, t->rx_dma)) { dma_unmap_single(tqspi->tx_dma_dev, t->tx_dma, len, DMA_TO_DEVICE); return -ENOMEM; } Since t->tx_buf was NULL, t->tx_dma was never mapped by this function. Could unmapping it here violate the DMA API contract, potentially unmapping page 0 from the IOMMU or corrupting DMA tracking state? -- Sashiko AI review · https://sashiko.dev/#/patchset/[email protected]?part=10
