Thread (6 messages) 6 messages, 3 authors, 2026-03-02

Re: [net-next,v5,3/3] net: ipa: Grab IMEM slice base/size from DTS

From: Konrad Dybcio <hidden>
Date: 2026-03-02 14:03:13
Also in: linux-arm-msm, linux-devicetree, lkml

On 2/27/26 2:54 AM, Jakub Kicinski wrote:
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.

For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
---
[...]
quoted
@@ -656,7 +659,24 @@ int ipa_mem_init(struct ipa *ipa, struct platform_device *pdev,
 	ipa->mem_addr = res->start;
 	ipa->mem_size = resource_size(res);

-	ret = ipa_imem_init(ipa, mem_data->imem_addr, mem_data->imem_size);
+	ipa_slice_np = of_parse_phandle(dev->of_node, "sram", 0);
+	if (ipa_slice_np) {
+		ret = of_address_to_resource(ipa_slice_np, 0, res);
+		of_node_put(ipa_slice_np);
+		if (ret)
+			goto err_unmap;
+
+		imem_base = res->start;
+		imem_size = resource_size(res);
                     ^^^^

Does this code corrupt the platform device's resource array? The variable
'res' was obtained from platform_get_resource_byname() earlier in this
function, which returns a pointer directly into pdev->resource[]:

drivers/base/platform.c:platform_get_resource_byname()
    return platform_get_resource(dev, type, num);
        => return &dev->resource[i];

Passing this pointer to of_address_to_resource() causes
__of_address_to_resource() to memset the entire structure to zero and then
overwrite all fields:

drivers/of/address.c:__of_address_to_resource()
    memset(r, 0, sizeof(struct resource));
    ...
    r->flags = ...
    r->name = ...
    r->start = ...
    r->end = ...

This permanently corrupts the platform device's "ipa-shared" resource entry.
While ipa->mem_addr and ipa->mem_size were saved before the corruption, the
platform device's resource array is shared kernel infrastructure.

After this corruption:
- /proc/iomem and sysfs will report incorrect resource information
- If the driver is unbound and rebound, platform_get_resource_byname(pdev,
  IORESOURCE_MEM, "ipa-shared") will fail because the resource's name field
  was overwritten with the sram DT node's full_name, causing probe to fail
  with -ENODEV

Would it be better to use a separate local variable for the
of_address_to_resource() call?
Yes, the computer proved useful once again - I tunnel-visioned-out the
prior use of 'res'.

Konrad
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help