Re: [PATCHv3 8/8] dmaengine: ti: omap-dma: turn lch_map into a flexible array

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Use-After-Free due to dangling CPU PM notifier on probe failure or device unbind
--

Note: The format of this review has been altered due to recitation restrictions.
No code from the patch is directly quoted below.

commit 8df6bfe3cea1126b3e862e90d788d6cedc19c9bf
Author: Rosen Penev <rosenp@gmail.com>

dmaengine: ti: omap-dma: turn lch_map into a flexible array

This commit converts the lch_map pointer array to a C99 flexible array member 
at the end of struct omap_dmadev. The probe function is reordered to look up 
platform data and determine the logical channel count before allocation, 
collapsing two allocations into one and enabling bounds checking.

[Severity: High]
This isn't a bug introduced by this patch, but there is a pre-existing 
issue with CPU PM notifier registration in omap_dma_probe() and cleanup 
in omap_dma_remove().

In omap_dma_probe(), if of_dma_controller_register() fails, the code cleans
up some resources, but it doesn't return early. Instead, execution drops 
through to the end of the function, where it registers the CPU PM notifier 
by calling cpu_pm_register_notifier(&od->nb) before finally returning the 
error code. Since the probe failed, the memory for the device structure will 
be freed, but the notifier remains in the global chain.

Additionally, in omap_dma_remove(), cpu_pm_unregister_notifier() is only 
called if od->cfg->may_lose_context is true. However, in omap_dma_probe(), 
the notifier is registered if either needs_busy_check or may_lose_context 
is true. If a platform has needs_busy_check set but may_lose_context false, 
the notifier is never unregistered during device removal.

Could these paths leave a dangling pointer in the CPU PM notifier chain, 
resulting in a use-after-free when a subsequent power management event 
triggers the callback?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260603030754.288757-9-rosenp@gmail.com?part=1