From: sashiko-bot@kernel.org
To: "Rosen Penev" <rosenp@gmail.com>
Cc: vkoul@kernel.org, dmaengine@vger.kernel.org, Frank.Li@kernel.org
Subject: Re: [PATCHv3 07/15] dmaengine: fsldma: fix request_irqs unwind freeing unregistered IRQ
Date: Tue, 09 Jun 2026 22:28:47 +0000	[thread overview]
Message-ID: <20260609222847.ADA9B1F00898@smtp.kernel.org> (raw)
In-Reply-To: <20260609221926.35538-8-rosenp@gmail.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Failure to kill the tasklet before freeing the channel structure leads to a potential Use-After-Free.
--

commit 5aba4f3ed6853fa11aefa9651d0a60e344f6e486
Author: Rosen Penev <rosenp@gmail.com>

dmaengine: fsldma: fix request_irqs unwind freeing unregistered IRQ

This commit fixes the unwind loop in fsldma_request_irqs() to skip the
failed channel by decrementing the index before the loop. This prevents
freeing an unregistered IRQ when request_irq() fails.

> diff --git a/drivers/dma/fsldma.c b/drivers/dma/fsldma.c
> --- a/drivers/dma/fsldma.c
> +++ b/drivers/dma/fsldma.c
> @@ -1085,7 +1085,7 @@ static int fsldma_request_irqs(struct fsldma_device *fdev)
>  	return 0;
>  
>  out_unwind:
> -	for (/* none */; i >= 0; i--) {
> +	for (i--; i >= 0; i--) {

[Severity: High]
This is a pre-existing issue, but does the cleanup process fail to kill
the tasklet before freeing the channel?

If fsldma_request_irqs() fails and triggers this unwind, the error path
eventually leads to fsldma_of_probe() calling fsl_dma_chan_remove() for
the previously initialized channels.

fsl_dma_chan_remove() unmaps registers and frees the channel memory via
kfree(chan), but it omits tasklet_kill(&chan->tasklet):

drivers/dma/fsldma.c:fsl_dma_chan_remove() {
...
	irq_dispose_mapping(chan->irq);
	list_del(&chan->common.device_node);
	iounmap(chan->regs);
	kfree(chan);
}

Since interrupts are shared via IRQF_SHARED, the interrupt handler could
schedule the tasklet at any point after request_irq() is called. If the
tasklet is scheduled just before free_irq() executes during this unwind
path, could it remain pending and run after kfree(chan), resulting in a
use-after-free?

>  		chan = fdev->chan[i];
>  		if (!chan)
>  			continue;
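Review bot: The initial `i--` in the for loop is the right fix for the problem the commit message describes: index i is the channel whose request_irq() did not succeed, so the unwind must start one slot below it, and the `if (!chan) continue;` guard in the body still handles empty channel slots on the way down. A more conventional spelling of the same loop is `while (--i >= 0) {`, which keeps the decrement in the condition rather than in an unusual initializer and survives the `continue` in the body; whichever form is kept, a one-line comment such as `/* chan[i] was never registered; unwind the ones before it */` would save the next reader from re-deriving why the loop starts at i - 1.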

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260609221926.35538-8-rosenp@gmail.com?part=1

Thread overview: 27+ messages
2026-06-09 22:19 [PATCHv3 00/15] dmaengine: fsldma: devm conversion, fixups, and cleanups Rosen Penev
2026-06-09 22:19 ` [PATCHv3 01/15] dmaengine: fsldma: kill tasklet before removing channel Rosen Penev
2026-06-09 22:31   ` sashiko-bot
2026-06-10  1:35   ` Frank Li
2026-06-09 22:19 ` [PATCHv3 02/15] dmaengine: fsldma: drop desc_lock before invoking client callback Rosen Penev
2026-06-09 22:32   ` sashiko-bot
2026-06-09 22:19 ` [PATCHv3 03/15] dmaengine: fsldma: halt DMA engine before freeing resources Rosen Penev
2026-06-10  2:46   ` Frank Li
2026-06-09 22:19 ` [PATCHv3 04/15] dmaengine: fsldma: provide device_release callback Rosen Penev
2026-06-09 22:29   ` sashiko-bot
2026-06-09 22:19 ` [PATCHv3 05/15] dmaengine: fsldma: check dma_async_device_register() return value Rosen Penev
2026-06-09 22:29   ` sashiko-bot
2026-06-09 22:19 ` [PATCHv3 06/15] dmaengine: fsldma: fix probe error path not freeing IRQs Rosen Penev
2026-06-09 22:19 ` [PATCHv3 07/15] dmaengine: fsldma: fix request_irqs unwind freeing unregistered IRQ Rosen Penev
2026-06-09 22:28   ` sashiko-bot [this message]
2026-06-09 22:19 ` [PATCHv3 08/15] dmaengine: fsldma: convert to platform_get_irq_optional() Rosen Penev
2026-06-10  2:58   ` Frank Li
2026-06-09 22:19 ` [PATCHv3 09/15] dmaengine: fsldma: use devm for kzalloc() Rosen Penev
2026-06-10  1:57   ` Frank Li
2026-06-09 22:19 ` [PATCHv3 10/15] dmaengine: fsldma: use devm_platform_ioremap_resource() Rosen Penev
2026-06-09 22:19 ` [PATCHv3 11/15] dmaengine: fsldma: convert channel allocation to devm_kzalloc() Rosen Penev
2026-06-09 22:19 ` [PATCHv3 12/15] dmaengine: fsldma: use devm for of_iomap() Rosen Penev
2026-06-10  1:53   ` Frank Li
2026-06-09 22:19 ` [PATCHv3 13/15] dmaengine: fsldma: replace irq_of_parse_and_map with of_irq_get Rosen Penev
2026-06-09 22:36   ` sashiko-bot
2026-06-09 22:19 ` [PATCHv3 14/15] dmaengine: fsldma: replace ppc-specific accessors with portable generic ones Rosen Penev
2026-06-09 22:19 ` [PATCHv3 15/15] dmaengine: fsldma: fix kernel-doc param names to match function signatures Rosen Penev