* [PATCH 0/2] irqchip: crossbar: fix out-of-bounds access and resource leak
@ 2026-06-09 20:56 Bhargav Joshi
  2026-06-09 20:56 ` [PATCH 1/2] irqchip: crossbar: Fix out-of-bounds access in crossbar_domain_free() Bhargav Joshi
  2026-06-09 20:56 ` [PATCH 2/2] irqchip: crossbar: Fix parent domain resource leak Bhargav Joshi
  0 siblings, 2 replies; 5+ messages in thread
From: Bhargav Joshi @ 2026-06-09 20:56 UTC (permalink / raw)
  To: Thomas Gleixner, Tony Lindgren, Jason Cooper, Marc Zyngier
  Cc: linux-kernel, goledhruva, m-chawdhry, daniel.baluta, simona.toaca,
	j.bhargav.u

This series fixes two bugs in the TI irq-crossbar driver. These bugs
were recently flagged by the Sashiko AI bot during the review process
for the DT schema conversion of ti,irq-crossbar binding.
https://lore.kernel.org/linux-devicetree/20260605210647.CCC881F00893@smtp.kernel.org/

patch 1:
 fixes crossbar_domain_free(), which uses the crossbar source index as
 the index for cb->irq_map and cb->write(), rather than the GIC SPI
 index. This can cause an out-of-bounds write. But
 irq_domain_reset_irq_data(), which zeros d->hwirq, is called before
 d->hwirq is read. Subsequent accesses use hwirq=0, which is always
 in-bounds but writes to the wrong slot.

patch 2:
 fixes a resource leak where `irq_domain_free_irqs_parent()` was never
 called.
 

Signed-off-by: Bhargav Joshi <j.bhargav.u@gmail.com>
---
Bhargav Joshi (2):
      irqchip: crossbar: Fix out-of-bounds access in crossbar_domain_free()
      irqchip: crossbar: Fix parent domain resource leak

 drivers/irqchip/irq-crossbar.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
---
base-commit: 2d3090a8aeb596a26935db0955d46c9a5db5c6ce
change-id: 20260609-irq-crossbar-fix-43a7df653c6c

Best regards,
--  
Bhargav



* [PATCH 1/2] irqchip: crossbar: Fix out-of-bounds access in crossbar_domain_free()
  2026-06-09 20:56 [PATCH 0/2] irqchip: crossbar: fix out-of-bounds access and resource leak Bhargav Joshi
@ 2026-06-09 20:56 ` Bhargav Joshi
  2026-06-17 19:11   ` Thomas Gleixner
  2026-06-09 20:56 ` [PATCH 2/2] irqchip: crossbar: Fix parent domain resource leak Bhargav Joshi
  1 sibling, 1 reply; 5+ messages in thread
From: Bhargav Joshi @ 2026-06-09 20:56 UTC (permalink / raw)
  To: Thomas Gleixner, Tony Lindgren, Jason Cooper, Marc Zyngier
  Cc: linux-kernel, goledhruva, m-chawdhry, daniel.baluta, simona.toaca,
	j.bhargav.u

crossbar_domain_free() uses 'd->hwirq' (crossbar source index which can
go up to 0 to 399) as the index for cb->irq_map and cb->write(), rather
than the GIC SPI index. This can cause out of out-of-bounds write. but
irq_domain_reset_irq_data() which zeros d->hwirq is called before
d->hwirq is read. subsequent accesses use hwirq=0 which is always
in-bounds but writes to the wrong slot.

Fix this by using the GIC SPI index from the parent domain's irq_data,
moving the reset after cleanup.

Fixes: 783d31863fb82 ("irqchip: crossbar: Convert dra7 crossbar to stacked domains")

Signed-off-by: Bhargav Joshi <j.bhargav.u@gmail.com>
---
 drivers/irqchip/irq-crossbar.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/irqchip/irq-crossbar.c b/drivers/irqchip/irq-crossbar.c
index cd1134101ace..6a4718be0c58 100644
--- a/drivers/irqchip/irq-crossbar.c
+++ b/drivers/irqchip/irq-crossbar.c
@@ -158,9 +158,9 @@ static void crossbar_domain_free(struct irq_domain *domain, unsigned int virq,
 	for (i = 0; i < nr_irqs; i++) {
 		struct irq_data *d = irq_domain_get_irq_data(domain, virq + i);
 
+		cb->irq_map[d->parent_data->hwirq - GIC_IRQ_START] = IRQ_FREE;
+		cb->write(d->parent_data->hwirq - GIC_IRQ_START, cb->safe_map);
 		irq_domain_reset_irq_data(d);
-		cb->irq_map[d->hwirq] = IRQ_FREE;
-		cb->write(d->hwirq, cb->safe_map);
 	}
 	raw_spin_unlock(&cb->lock);
 }
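
Review bot: The index expression d->parent_data->hwirq - GIC_IRQ_START is spelled out twice in the two added lines and is used on cb->irq_map[] with neither a comment nor a range check. Compute it once into a local at the top of the loop body, with a comment stating that the parent's hwirq is the GIC interrupt number and that subtracting GIC_IRQ_START gives the SPI slot that both the map and cb->write() are indexed by, and consider a WARN_ON-style check that the result lies inside the map before writing. d->parent_data is also dereferenced unconditionally here, so the changelog should say why it cannot be NULL on this path.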

-- 
2.54.0



* [PATCH 2/2] irqchip: crossbar: Fix parent domain resource leak
  2026-06-09 20:56 [PATCH 0/2] irqchip: crossbar: fix out-of-bounds access and resource leak Bhargav Joshi
  2026-06-09 20:56 ` [PATCH 1/2] irqchip: crossbar: Fix out-of-bounds access in crossbar_domain_free() Bhargav Joshi
@ 2026-06-09 20:56 ` Bhargav Joshi
  2026-06-17 19:12   ` Thomas Gleixner
  1 sibling, 1 reply; 5+ messages in thread
From: Bhargav Joshi @ 2026-06-09 20:56 UTC (permalink / raw)
  To: Thomas Gleixner, Tony Lindgren, Jason Cooper, Marc Zyngier
  Cc: linux-kernel, goledhruva, m-chawdhry, daniel.baluta, simona.toaca,
	j.bhargav.u

irq_domain_alloc_irqs_parent() is called in allocate_gic_irq() but
irq_domain_free_irqs_parent() is never called. causing resource leak.

Fix this by calling irq_domain_free_irqs_parent() in
crossbar_domain_free().

Fixes: 783d31863fb82 ("irqchip: crossbar: Convert dra7 crossbar to stacked domains")

Signed-off-by: Bhargav Joshi <j.bhargav.u@gmail.com>
---
 drivers/irqchip/irq-crossbar.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/irqchip/irq-crossbar.c b/drivers/irqchip/irq-crossbar.c
index 6a4718be0c58..445c925b9c3d 100644
--- a/drivers/irqchip/irq-crossbar.c
+++ b/drivers/irqchip/irq-crossbar.c
@@ -163,6 +163,7 @@ static void crossbar_domain_free(struct irq_domain *domain, unsigned int virq,
 		irq_domain_reset_irq_data(d);
 	}
 	raw_spin_unlock(&cb->lock);
+	irq_domain_free_irqs_parent(domain, virq, nr_irqs);
 }
 
 static int crossbar_domain_translate(struct irq_domain *d,
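
Review bot: The added irq_domain_free_irqs_parent() call after raw_spin_unlock() carries an ordering dependency that is not documented: with patch 1 applied, the loop above reads d->parent_data->hwirq, so the parent level may only be released after that loop has finished. A one-line comment above the call would keep a later cleanup from moving it ahead of the loop. The changelog should also name what stays allocated in the parent domain, since "resource leak" alone does not tell a backporter how serious the problem is.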

-- 
2.54.0



* Re: [PATCH 1/2] irqchip: crossbar: Fix out-of-bounds access in crossbar_domain_free()
  2026-06-09 20:56 ` [PATCH 1/2] irqchip: crossbar: Fix out-of-bounds access in crossbar_domain_free() Bhargav Joshi
@ 2026-06-17 19:11   ` Thomas Gleixner
  0 siblings, 0 replies; 5+ messages in thread
From: Thomas Gleixner @ 2026-06-17 19:11 UTC (permalink / raw)
  To: Bhargav Joshi, Tony Lindgren, Jason Cooper, Marc Zyngier
  Cc: linux-kernel, goledhruva, m-chawdhry, daniel.baluta, simona.toaca,
	j.bhargav.u

On Wed, Jun 10 2026 at 02:26, Bhargav Joshi wrote:

$Subject: irqchip/crossbar: ....

> crossbar_domain_free() uses 'd->hwirq' (crossbar source index which can
> go up to 0 to 399) as the index for cb->irq_map and cb->write(), rather
> than the GIC SPI index. This can cause out of out-of-bounds write. but
> irq_domain_reset_irq_data() which zeros d->hwirq is called before
> d->hwirq is read. subsequent accesses use hwirq=0 which is always
> in-bounds but writes to the wrong slot.

So the subject line is misleading as there is no out of bounds access at
all. It's not helpful to make claims which are wrong and then not
explain what the consequences are.

Something like this:

  irqchip/crossbar: Use correct index in crossbar_domain_free()

  crossbar_domain_free() resets the domain data and then uses the nulled
  out data::hwirq member as index to reset the irq_map[] entry and to
  write the relevant crossbar register with a safe entry. That means it
  never frees the correct index and keeps the crossbar register
  connection to the source interrupt active.

  If it would not reset the domain data, then this would be even worse
  as data::hwirq holds the source interrupt number, but both the map and
  register index need the corresponding GIC SPI number and not the
  source interrupt number. This might even result in an out of bounds
  access as the source interrupt number can be higher than the maximal
  index space.

> Fix this by using the GIC SPI index from the parent domain's irq_data,
> moving the reset after cleanup.

The ordering of the reset is not relevant at all once the proper index
is used.

> Fixes: 783d31863fb82 ("irqchip: crossbar: Convert dra7 crossbar to stacked domains")
>

Pointless newline.

> Signed-off-by: Bhargav Joshi <j.bhargav.u@gmail.com>
> ---
>  drivers/irqchip/irq-crossbar.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/irqchip/irq-crossbar.c b/drivers/irqchip/irq-crossbar.c
> index cd1134101ace..6a4718be0c58 100644
> --- a/drivers/irqchip/irq-crossbar.c
> +++ b/drivers/irqchip/irq-crossbar.c
> @@ -158,9 +158,9 @@ static void crossbar_domain_free(struct irq_domain *domain, unsigned int virq,
>  	for (i = 0; i < nr_irqs; i++) {
>  		struct irq_data *d = irq_domain_get_irq_data(domain, virq + i);
>  
> +		cb->irq_map[d->parent_data->hwirq - GIC_IRQ_START] = IRQ_FREE;
> +		cb->write(d->parent_data->hwirq - GIC_IRQ_START, cb->safe_map);

This lacks a comment explaining why this needs to access
parent_data->hwirq and what that contains.

>  		irq_domain_reset_irq_data(d);
> -		cb->irq_map[d->hwirq] = IRQ_FREE;
> -		cb->write(d->hwirq, cb->safe_map);
>  	}
>  	raw_spin_unlock(&cb->lock);
>  }
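
The reset-then-index behaviour discussed in this message, as an added userspace model (not code from the patch, the driver or any participant in the thread). The struct layout, NR_SPI, the slot values and the numeric values of GIC_IRQ_START and IRQ_FREE are assumptions of the model; only the order of operations mirrors the hunk above.

```c
#include <stdio.h>

#define GIC_IRQ_START 32  /* assumed value for this model */
#define IRQ_FREE (-1)     /* assumed value for this model */
#define NR_SPI 8          /* constructed: size of the model's map */

struct irq_data { unsigned long hwirq; struct irq_data *parent_data; };

static int irq_map[NR_SPI];

/* Stand-in for irq_domain_reset_irq_data(): zeroes this level's hwirq only. */
static void reset_irq_data(struct irq_data *d) { d->hwirq = 0; }

/* Pre-patch order: reset first, then index with the zeroed d->hwirq. */
static void free_before(struct irq_data *d)
{
	reset_irq_data(d);
	irq_map[d->hwirq] = IRQ_FREE;   /* always slot 0 */
}

/* Patched: index with the parent's hwirq converted to an SPI slot. */
static void free_after(struct irq_data *d)
{
	unsigned long spi = d->parent_data->hwirq - GIC_IRQ_START;

	irq_map[spi] = IRQ_FREE;
	reset_irq_data(d);
}

/* Route source 'src' to slot 'spi', free it, return what slot 'spi' holds. */
static int run(void (*free_fn)(struct irq_data *), unsigned src, unsigned spi)
{
	struct irq_data gic = { .hwirq = spi + GIC_IRQ_START, .parent_data = NULL };
	struct irq_data cb = { .hwirq = src, .parent_data = &gic };

	for (int i = 0; i < NR_SPI; i++)
		irq_map[i] = IRQ_FREE;
	irq_map[0] = 7;        /* constructed: unrelated mapping in slot 0 */
	irq_map[spi] = (int)src;
	free_fn(&cb);
	return irq_map[spi];
}

/* Contents of slot 0 after the last run(). */
static int slot0(void) { return irq_map[0]; }

int main(void)
{
	printf("before: slot5=%d slot0=%d\n", run(free_before, 399, 5), slot0());
	printf("after:  slot5=%d slot0=%d\n", run(free_after, 399, 5), slot0());
	return 0;
}
```

In the pre-patch order the slot that was actually allocated stays occupied while the unrelated entry in slot 0 is released, which is the "never frees the correct index" consequence described above.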


* Re: [PATCH 2/2] irqchip: crossbar: Fix parent domain resource leak
  2026-06-09 20:56 ` [PATCH 2/2] irqchip: crossbar: Fix parent domain resource leak Bhargav Joshi
@ 2026-06-17 19:12   ` Thomas Gleixner
  0 siblings, 0 replies; 5+ messages in thread
From: Thomas Gleixner @ 2026-06-17 19:12 UTC (permalink / raw)
  To: Bhargav Joshi, Tony Lindgren, Jason Cooper, Marc Zyngier
  Cc: linux-kernel, goledhruva, m-chawdhry, daniel.baluta, simona.toaca,
	j.bhargav.u

On Wed, Jun 10 2026 at 02:26, Bhargav Joshi wrote:

irqchip/crossbar: ....

> irq_domain_alloc_irqs_parent() is called in allocate_gic_irq() but
> irq_domain_free_irqs_parent() is never called. causing resource leak.

"causing resource leak." is not a sentence.

> Fix this by calling irq_domain_free_irqs_parent() in
> crossbar_domain_free().
>
> Fixes: 783d31863fb82 ("irqchip: crossbar: Convert dra7 crossbar to stacked domains")
>

No newline.

> Signed-off-by: Bhargav Joshi <j.bhargav.u@gmail.com>
> ---
>  drivers/irqchip/irq-crossbar.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/drivers/irqchip/irq-crossbar.c b/drivers/irqchip/irq-crossbar.c
> index 6a4718be0c58..445c925b9c3d 100644
> --- a/drivers/irqchip/irq-crossbar.c
> +++ b/drivers/irqchip/irq-crossbar.c
> @@ -163,6 +163,7 @@ static void crossbar_domain_free(struct irq_domain *domain, unsigned int virq,
>  		irq_domain_reset_irq_data(d);
>  	}
>  	raw_spin_unlock(&cb->lock);
> +	irq_domain_free_irqs_parent(domain, virq, nr_irqs);
>  }
>  
>  static int crossbar_domain_translate(struct irq_domain *d,
