From: sashiko-bot@kernel.org
To: "Weigang He" <geoffreyhe2@gmail.com>
Cc: Frank.Li@kernel.org, imx@lists.linux.dev
Subject: Re: [PATCH 2/2] ARM: imx: fix device_node refcount leaks in imx7_src_init()
Date: Wed, 10 Jun 2026 05:13:56 +0000
Message-ID: <20260610051357.1E6221F00893@smtp.kernel.org>
In-Reply-To: <20260610050625.2229221-3-geoffreyhe2@gmail.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] Missing error handling for failed device tree mappings in imx7_src_init() leaves global pointers NULL, which are unconditionally dereferenced later during SMP bring-up.
- [High] Missing return after WARN_ON(!src_base) in imx_src_init() leads to a null pointer dereference if of_iomap() fails.
--
commit 0e3cdec3032f0f9a0628861c081a3260cfa7ce52
Author: Weigang He <geoffreyhe2@gmail.com>
ARM: imx: fix device_node refcount leaks in imx7_src_init()
This commit fixes device_node refcount leaks in imx7_src_init(). It releases
the references acquired by of_find_compatible_node() immediately after
mapping the base addresses.
> diff --git a/arch/arm/mach-imx/src.c b/arch/arm/mach-imx/src.c
> index f28bfb653a88f..c3c80b4c3d53b 100644
> --- a/arch/arm/mach-imx/src.c
> +++ b/arch/arm/mach-imx/src.c
> @@ -196,6 +196,7 @@ void __init imx7_src_init(void)
> return;
>
> src_base = of_iomap(np, 0);
> + of_node_put(np);
> if (!src_base)
> return;
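Review bot: The `if (!src_base) return;` branch that follows the added of_node_put(np) exits without any diagnostic, so a failed of_iomap() goes unreported at the point of failure while src_base stays NULL. Dropping the reference before the NULL check is the right placement, since one call covers both the success and the failure path; consider adding a pr_err() or WARN_ON() on the failure branch so the failed mapping is visible in the boot log.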
[Severity: High]
This is a pre-existing issue, but returning early here leaves the global
static pointers src_base and gpc_base uninitialized (NULL).
Later, when the SMP subsystem brings up secondary CPUs, imx_boot_secondary()
calls imx_enable_cpu() and imx_set_cpu_jump(), which unconditionally
dereference these NULL pointers:
arch/arm/mach-imx/src.c:imx_enable_cpu() {
	...
	val = readl_relaxed(src_base + SRC_A7RCR1);
	...
}
Will this cause a kernel panic during SMP bring-up if these mappings fail?
[ ... ]
[Severity: High]
This is also a pre-existing issue in the same file, but does imx_src_init()
missing a return after WARN_ON(!src_base) lead to a null pointer dereference?
arch/arm/mach-imx/src.c:imx_src_init() {
	...
	WARN_ON(!src_base);
	/*
	 * force warm reset sources to generate cold reset
	 * for a more reliable restart
	 */
	spin_lock(&scr_lock);
	val = readl_relaxed(src_base + SRC_SCR);
	...
}
If of_iomap() fails and returns NULL, execution continues and triggers an
immediate NULL pointer dereference. Should this function return after the
warning?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260610050625.2229221-1-geoffreyhe2@gmail.com?part=2
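
The pattern the review above argues for, as an added user-space C model (not code from the patch or from the kernel): the node reference is dropped on both paths, and a failed mapping is reported and checked rather than dereferenced. All mock_* and model_* names and the struct fields are constructed for this example.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-ins for device_node refcounting and of_iomap(). */
struct device_node { int refcount; int map_ok; };

static struct device_node src_node = { .refcount = 1, .map_ok = 1 };
static unsigned int fake_regs[4];   /* stands in for the mapped SRC block */
static unsigned int *src_base;      /* file-scope global, as in src.c */

static struct device_node *mock_find_node(void)
{
	src_node.refcount++;            /* a lookup returns a held reference */
	return &src_node;
}

static void mock_node_put(struct device_node *np) { np->refcount--; }

static unsigned int *mock_iomap(struct device_node *np)
{
	return np->map_ok ? fake_regs : NULL;
}

/* Init: put the node on every path, return an error if mapping failed. */
static int model_src_init(void)
{
	struct device_node *np = mock_find_node();
	src_base = mock_iomap(np);
	mock_node_put(np);              /* reference not needed after mapping */
	if (!src_base)
		return -1;                  /* stop before any register access */
	src_base[0] |= 1u;              /* stands in for the SRC_SCR update */
	return 0;
}

/* Consumer in the role of imx_enable_cpu(): checks the base before use. */
static int model_enable_cpu(void)
{
	if (!src_base)
		return -1;
	src_base[1] |= 1u;
	return 0;
}

int main(void)
{
	int rc = model_src_init();
	printf("init=%d refcount=%d enable=%d\n", rc, src_node.refcount, model_enable_cpu());
	return 0;
}
```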
Thread overview: 5+ messages
2026-06-10 5:06 [PATCH 0/2] ARM: imx: fix device_node refcount leaks in src.c Weigang He
2026-06-10 5:06 ` [PATCH 1/2] ARM: imx: fix device_node refcount leak in imx_src_init() Weigang He
2026-06-10 5:16 ` sashiko-bot
2026-06-10 5:06 ` [PATCH 2/2] ARM: imx: fix device_node refcount leaks in imx7_src_init() Weigang He
2026-06-10 5:13 ` sashiko-bot [this message]