From: sashiko-bot@kernel.org
To: "Kaitao Cheng" <kaitao.cheng@linux.dev>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v2 02/14] firewire: core: Open-code topology list walk
Date: Tue, 09 Jun 2026 06:53:33 +0000 [thread overview]
Message-ID: <20260609065333.9FA4D1F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260609061347.93688-3-kaitao.cheng@linux.dev>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] Memory leak in `build_tree()` where dynamically allocated `fw_node` subtrees on the local `stack` list are leaked when returning `NULL` on error paths.
- [High] Unconditional dereference of `card->root_node` in `fw_core_handle_bus_reset()` leading to a kernel panic if `build_tree()` fails on the first bus reset.
--
commit 814723ea200ca545cf7dcf5b3f733df13cc3c3f2
Author: Kaitao Cheng <chengkaitao@kylinos.cn>
firewire: core: Open-code topology list walk
This commit open-codes the topology list walk in for_each_fw_node() to
defer looking up the next node until after children are appended. It
preserves breadth-first traversal semantics while preparing the code
for a future list iterator update.
> diff --git a/drivers/firewire/core-topology.c b/drivers/firewire/core-topology.c
> index bb2d2db30795e..df2ac0dab1060 100644
> --- a/drivers/firewire/core-topology.c
> +++ b/drivers/firewire/core-topology.c
[ ... ]
drivers/firewire/core-topology.c:build_tree() {
...
if (child_port_count > stack_depth) {
fw_err(card, "topology stack underflow\n");
return NULL;
}
...
}
[Severity: High]
This is a pre-existing issue, but does this code leak the dynamically
allocated fw_node subtrees on the local stack list when returning NULL?
Since the stack list goes out of scope on this error path, it seems the
attached nodes are abandoned without being freed.
drivers/firewire/core-topology.c:fw_core_handle_bus_reset() {
...
scoped_guard(spinlock, &card->topology_map.lock) {
update_topology_map(card->topology_map.buffer, sizeof(card->topology_map.buffer),
card->root_node->node_id, self_ids, self_id_count);
}
...
}
[Severity: High]
This is a pre-existing issue, but can this sequence cause a panic?
If build_tree() fails and returns NULL during the first bus reset,
card->root_node would be left as NULL. Would passing
card->root_node->node_id unconditionally to update_topology_map() then
result in a NULL pointer dereference?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260609064122.95825-1-kaitao.cheng@linux.dev?part=2
next prev parent reply other threads:[~2026-06-09 6:53 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-09 6:13 [PATCH v2 00/14] list: Prepare entry iterators to cache cursor state Kaitao Cheng
2026-06-09 6:13 ` [PATCH v2 01/14] drbd: Open-code transfer log list walk Kaitao Cheng
2026-06-09 6:53 ` sashiko-bot
2026-06-09 6:13 ` [PATCH v2 02/14] firewire: core: Open-code topology " Kaitao Cheng
2026-06-09 6:53 ` sashiko-bot [this message]
2026-06-09 6:25 ` [PATCH v2 03/14] drm/bridge: Open-code bridge chain list walks Kaitao Cheng
2026-06-09 6:25 ` [PATCH v2 04/14] drm/i915/gt: Open-code active timeline walk Kaitao Cheng
2026-06-09 7:00 ` Andy Shevchenko
2026-06-09 6:25 ` [PATCH v2 05/14] drm/i915: Open-code DFS dependency list walk Kaitao Cheng
2026-06-09 6:25 ` [PATCH v2 06/14] drm/ttm: Open-code reservation " Kaitao Cheng
2026-06-09 6:51 ` sashiko-bot
2026-06-09 6:25 ` [PATCH v2 07/14] spi: fsi: Open-code message transfer walk Kaitao Cheng
2026-06-09 7:02 ` Andy Shevchenko
2026-06-09 6:25 ` [PATCH v2 08/14] spi: stm32-ospi: " Kaitao Cheng
2026-06-09 6:57 ` sashiko-bot
2026-06-09 6:25 ` [PATCH v2 09/14] spi: stm32-qspi: " Kaitao Cheng
2026-06-09 6:55 ` sashiko-bot
2026-06-09 6:38 ` [PATCH v2 10/14] spi: tegra210-quad: " Kaitao Cheng
2026-06-09 6:38 ` [PATCH v2 11/14] locking/locktorture: Open-code ww mutex list walk Kaitao Cheng
2026-06-09 6:54 ` sashiko-bot
2026-06-09 6:38 ` [PATCH v2 12/14] locking/ww_mutex: Open-code stress reorder " Kaitao Cheng
2026-06-09 6:57 ` [PATCH v2 10/14] spi: tegra210-quad: Open-code message transfer walk sashiko-bot
2026-06-09 6:41 ` [PATCH v2 13/14] ASoC: dapm: Open-code widget invalidation walk Kaitao Cheng
2026-06-09 6:41 ` [PATCH v2 14/14] list: Cache cursors in entry iterators Kaitao Cheng
2026-06-09 6:59 ` sashiko-bot
2026-06-09 6:55 ` [PATCH v2 13/14] ASoC: dapm: Open-code widget invalidation walk sashiko-bot
2026-06-09 6:47 ` [PATCH v2 00/14] list: Prepare entry iterators to cache cursor state Andy Shevchenko
2026-06-09 7:05 ` Andy Shevchenko
2026-06-09 10:33 ` Christian König
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260609065333.9FA4D1F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=kaitao.cheng@linux.dev \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.