Re: [PATCHv3 1/6] ata: pata_mpc52xx: fix NULL pointer dereference in IRQ handler

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Rosen Penev" <rosenp@gmail.com>
Cc: cassel@kernel.org, dlemoal@kernel.org, linux-ide@vger.kernel.org
Subject: Re: [PATCHv3 1/6] ata: pata_mpc52xx: fix NULL pointer dereference in IRQ handler
Date: Fri, 12 Jun 2026 18:46:43 +0000	[thread overview]
Message-ID: <20260612184643.CF93C1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260612183227.20446-2-rosenp@gmail.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Improper resource teardown of the devm-managed BestComm DMA task IRQ, leading to Double Dispose and devres Use-After-Free.
--

commit a85012a47d328b796b5de199b02e054be9b1d391
Author: Rosen Penev <rosenp@gmail.com>

ata: pata_mpc52xx: fix NULL pointer dereference in IRQ handler

Assign priv->dmatsk before request_irq() to ensure the IRQ handler does not
dereference a NULL pointer. The handler accesses priv->dmatsk via
bcom_retrieve_buffer().

> diff --git a/drivers/ata/pata_mpc52xx.c b/drivers/ata/pata_mpc52xx.c
> index 210a63283f62b..fe445d6aaff62 100644
> --- a/drivers/ata/pata_mpc52xx.c
> +++ b/drivers/ata/pata_mpc52xx.c
> @@ -766,6 +766,8 @@ static int mpc52xx_ata_probe(struct platform_device *op)
>  		goto err1;
>  	}
>  
> +	priv->dmatsk = dmatsk;
> +
>  	task_irq = bcom_get_task_irq(dmatsk);
>  	rv = devm_request_irq(&op->dev, task_irq, &mpc52xx_ata_task_irq, 0,
>  				"ATA task", priv);
> @@ -773,7 +775,6 @@ static int mpc52xx_ata_probe(struct platform_device *op)
>  		dev_err(&op->dev, "error requesting DMA IRQ\n");
>  		goto err2;

[Severity: High]
This is a pre-existing issue, but I noticed a potential problem with the
resource teardown when jumping to the err2 label.

When failures occur later in mpc52xx_ata_probe() (like hw_init failing), the
code jumps to the err2 label and manually disposes the IRQ mapping:

drivers/ata/pata_mpc52xx.c:mpc52xx_ata_probe() {
    ...
 err2:
	irq_dispose_mapping(task_irq);
	bcom_ata_release(dmatsk);
    ...
}

Because the IRQ was successfully requested with devm_request_irq() earlier,
does manual disposal destroy the IRQ descriptor before devres runs its own
cleanup, leading to a use-after-free when the IRQ core attempts to free
the action?

Additionally, right after this manual disposal, bcom_ata_release() is called,
which delegates to bcom_task_free(). This function also disposes the mapping
natively:

drivers/dma/bestcomm/bestcomm.c:bcom_task_free() {
    ...
	/* Free everything */
	irq_dispose_mapping(tsk->irq);
	bcom_sram_free(tsk->bd);
    ...
}

Since task_irq and tsk->irq are the same, could this double disposal of the
IRQ mapping corrupt the IRQ domain state and trigger internal kernel warnings?
The same pattern appears to exist in mpc52xx_ata_remove() during module
removal.

>  	}
> -	priv->dmatsk = dmatsk;
>  
>  	/* Init the hw */
>  	rv = mpc52xx_ata_hw_init(priv);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260612183227.20446-2-rosenp@gmail.com?part=1

next prev parent reply	other threads:[~2026-06-12 18:46 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-12 18:32 [PATCHv3 0/6] ata: pata_mpc52xx: fix cleanup ordering and modernize Rosen Penev
2026-06-12 18:32 ` [PATCHv3 1/6] ata: pata_mpc52xx: fix NULL pointer dereference in IRQ handler Rosen Penev
2026-06-12 18:46   ` sashiko-bot [this message]
2026-06-12 18:32 ` [PATCHv3 2/6] ata: pata_mpc52xx: synchronize with task IRQ before resetting DMA state Rosen Penev
2026-06-12 18:32 ` [PATCHv3 3/6] ata: pata_mpc52xx: reset cached DMA direction on resume Rosen Penev
2026-06-12 18:32 ` [PATCHv3 4/6] ata: pata_mpc52xx: remove redundant irq_dispose_mapping calls Rosen Penev
2026-06-12 18:45   ` sashiko-bot
2026-06-12 18:32 ` [PATCHv3 5/6] ata: pata_mpc52xx: convert to platform_get_irq() Rosen Penev
2026-06-12 18:32 ` [PATCHv3 6/6] ata: pata_mpc52xx: convert to full devm resource management Rosen Penev

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260612184643.CF93C1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=cassel@kernel.org \
    --cc=dlemoal@kernel.org \
    --cc=linux-ide@vger.kernel.org \
    --cc=rosenp@gmail.com \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.