From: sashiko-bot@kernel.org
To: "Rosen Penev" <rosenp@gmail.com>
Cc: vkoul@kernel.org, Frank.Li@kernel.org, dmaengine@vger.kernel.org
Subject: Re: [PATCH 09/10] dmaengine: fsldma: convert to devm_request_irq
Date: Fri, 05 Jun 2026 22:11:05 +0000 [thread overview]
Message-ID: <20260605221105.DD2031F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260605220134.43295-10-rosenp@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Replacing `request_irq()` with `devm_request_irq()` without adjusting the teardown sequence introduces a fatal use-after-free race condition involving channel tasklets.
--
commit 7b8afa7a0cf79eb3a5fc201866996718ea5d9be8
Author: Rosen Penev <rosenp@gmail.com>
dmaengine: fsldma: convert to devm_request_irq
This commit converts the driver to use devm_request_irq() for managing
interrupt lifetimes. It removes explicit calls to free_irq() and the
fsldma_free_irqs() function.
> diff --git a/drivers/dma/fsldma.c b/drivers/dma/fsldma.c
> index 79a268139b9f8..01c9cd27e7951 100644
> --- a/drivers/dma/fsldma.c
> +++ b/drivers/dma/fsldma.c
[ ... ]
> @@ -1304,8 +1268,6 @@ static void fsldma_of_remove(struct platform_device *op)
> fdev = platform_get_drvdata(op);
> dma_async_device_unregister(&fdev->common);
>
> - fsldma_free_irqs(fdev);
> -
[Severity: High]
With the explicit fsldma_free_irqs() call removed, does this leave the IRQ
active while the channels are being removed?
If fsl_dma_chan_remove() is called while the IRQ is still active, it invokes
tasklet_kill(&chan->tasklet). However, if an interrupt fires during or after
this point, the IRQ handler fsldma_chan_irq() can unconditionally call
tasklet_schedule(&chan->tasklet).
Later, devres unwinds allocations by first freeing the IRQ and then
freeing the channel memory. If the locally scheduled tasklet executes
after the channel memory is freed, could this regression result in a
use-after-free and softirq list corruption?
This could also happen in the out_free_fdev error path in
fsldma_of_probe(), which calls fsl_dma_chan_remove() to kill tasklets
while successfully requested devm IRQs are still active.
> for (i = 0; i < FSL_DMA_MAX_CHANS_PER_DEVICE; i++) {
> if (fdev->chan[i])
> fsl_dma_chan_remove(fdev->chan[i]);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260605220134.43295-1-rosenp@gmail.com?part=9
next prev parent reply other threads:[~2026-06-05 22:11 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-05 22:01 [PATCH 00/10] dmaengine: fsldma: devm conversion, fixups, and cleanups Rosen Penev
2026-06-05 22:01 ` [PATCH 01/10] dmaengine: fsldma: kill tasklet before removing channel Rosen Penev
2026-06-05 22:16 ` sashiko-bot
2026-06-05 22:29 ` Frank Li
2026-06-05 22:01 ` [PATCH 02/10] dmaengine: fsldma: check dma_async_device_register() return value Rosen Penev
2026-06-05 22:01 ` [PATCH 03/10] dmaengine: fsldma: convert to platform_get_irq_optional() Rosen Penev
2026-06-05 22:01 ` [PATCH 04/10] dmaengine: fsldma: convert to devm_kzalloc and fix error path Rosen Penev
2026-06-05 22:16 ` sashiko-bot
2026-06-05 22:43 ` Frank Li
2026-06-05 22:01 ` [PATCH 05/10] dmaengine: fsldma: convert ioremap to devm_platform_ioremap_resource Rosen Penev
2026-06-05 22:16 ` sashiko-bot
2026-06-05 22:41 ` Frank Li
2026-06-05 22:01 ` [PATCH 06/10] dmaengine: fsldma: convert channel allocation to devm_kzalloc Rosen Penev
2026-06-05 22:15 ` sashiko-bot
2026-06-05 22:45 ` Frank Li
2026-06-05 22:01 ` [PATCH 07/10] dmaengine: fsldma: convert channel ioremap to devm_of_iomap Rosen Penev
2026-06-05 22:13 ` sashiko-bot
2026-06-05 22:49 ` Frank Li
2026-06-05 22:01 ` [PATCH 08/10] dmaengine: fsldma: replace irq_of_parse_and_map with of_irq_get Rosen Penev
2026-06-05 22:10 ` sashiko-bot
2026-06-05 22:01 ` [PATCH 09/10] dmaengine: fsldma: convert to devm_request_irq Rosen Penev
2026-06-05 22:11 ` sashiko-bot [this message]
2026-06-05 22:01 ` [PATCH 10/10] dmaengine: fsldma: replace ppc-specific accessors with portable generic ones Rosen Penev
2026-06-05 22:36 ` [PATCH 00/10] dmaengine: fsldma: devm conversion, fixups, and cleanups Frank Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260605221105.DD2031F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=dmaengine@vger.kernel.org \
--cc=rosenp@gmail.com \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox