From: sashiko-bot@kernel.org
To: "Rosen Penev" <rosenp@gmail.com>
Cc: Frank.Li@kernel.org, dmaengine@vger.kernel.org, vkoul@kernel.org
Subject: Re: [PATCHv2 3/4] dma: fsl_raid: keep MMIO bases as void __iomem and cast at access
Date: Thu, 16 Jul 2026 20:44:30 +0000 [thread overview]
Message-ID: <20260716204430.BB5071F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260716202949.677290-4-rosenp@gmail.com>
Thank you for your contribution! Sashiko AI review found 5 potential issue(s) to consider:
Pre-existing issues:
- [High] Missing bounds check when parsing device tree Job Ring nodes.
- [High] `fsl_re_probe()` ignores the return value of `fsl_re_chan_probe()` and unconditionally increments `total_chans`, leading to a NULL pointer dereference.
- [High] DMA channels are never registered with the parent DMA device framework.
- [High] Missing cleanup for channel IRQs and platform devices in both error paths and driver removal, plus incorrect teardown order.
- [High] Potential NULL pointer dereference in `fsl_re_isr` due to premature IRQ registration.
--
--- Patch [1]: [PATCHv2 3/4] dma: fsl_raid: keep MMIO bases as void __iomem and cast at access ---
commit d9bcf292f2ff70b568c4dd2362d8ec21ba56f6cd
Author: Rosen Penev <rosenp@gmail.com>
dma: fsl_raid: keep MMIO bases as void __iomem and cast at access
The commit modifies the fsl_re_drv_private and fsl_re_chan structures to
store MMIO bases as void __iomem * instead of typed struct pointers. This
resolves sparse warnings about mismatched address spaces by ensuring typed
pointers are only introduced locally in functions that touch the registers.
Fixes: https://lore.kernel.org/oe-kbuild-all/202008111749.yy85rFMD%25lkp@intel.com/
> diff --git a/drivers/dma/fsl_raid.c b/drivers/dma/fsl_raid.c
> index 99945845d8b5e..5bc5bd499ba27 100644
> --- a/drivers/dma/fsl_raid.c
> +++ b/drivers/dma/fsl_raid.c
> @@ -656,8 +656,7 @@ static int fsl_re_chan_probe(struct platform_device *ofdev,
> goto err_free;
> }
>
> - chan->jrregs = (struct fsl_re_chan_cfg *)((u8 *)re_priv->re_regs +
> - off + ptr);
> + chan->jrregs = re_priv->base + off + ptr;
>
> /* read irq property from dts */
> chan->irq = irq_of_parse_and_map(np, 0);
[Severity: High]
This isn't a bug introduced by this patch, but the driver context seems to
be attached to the device too late.
In fsl_re_chan_probe(), request_irq() is called before dev_set_drvdata()
populates the driver data:
ret = request_irq(chan->irq, fsl_re_isr, 0, chan->name, chandev);
...
dev_set_drvdata(chandev, chan);
If an interrupt triggers immediately, fsl_re_isr() retrieves a NULL pointer
and dereferences it:
re_chan = dev_get_drvdata((struct device *)data);
irqstate = in_be32(&re_chan->jrregs->jr_interrupt_status);
Is there a vulnerable window here where an incoming interrupt could lead to
a NULL pointer dereference?
[Severity: High]
This is a pre-existing issue, but it appears the DMA channels are never
registered with the parent DMA device framework.
In fsl_re_chan_probe(), the channels are initialized, but the required list
addition to attach them to dma_dev->channels is omitted:
re_priv->re_jrs[q] = chan;
chan->chan.device = dma_dev;
...
Without adding the channel to dma_dev->channels, will
dma_async_device_register() end up registering 0 channels and leave the
driver functionally dead?
[Severity: High]
This isn't a bug introduced by this patch, but I noticed potential resource
leaks and incorrect teardown ordering.
On error paths inside fsl_re_chan_probe(), resources like requested IRQs
and platform devices are not freed:
err_free:
return ret;
Additionally, in fsl_re_remove_chan(), free_irq() or
of_platform_device_destroy() are not called.
This leaves an active unmanaged IRQ pointing to freed driver memory.
Also, in fsl_re_remove(), the driver frees ring buffers before unregistering
the async DMA device:
for (i = 0; i < re_priv->total_chans; i++)
fsl_re_remove_chan(re_priv->re_jrs[i]);
/* Unregister the driver */
dma_async_device_unregister(&re_priv->dma_dev);
Could this cause a use-after-free if the IRQ fires, and does the teardown
order violate teardown safety expectations?
[ ... ]
> @@ -763,20 +763,21 @@ static int fsl_re_probe(struct platform_device *ofdev)
> return -ENODEV;
>
> /* IOMAP the entire RAID Engine region */
> - re_priv->re_regs = devm_ioremap(dev, res->start, resource_size(res));
> - if (!re_priv->re_regs)
> + re_regs = devm_ioremap(dev, res->start, resource_size(res));
> + if (!re_regs)
> return -EBUSY;
> + re_priv->base = re_regs;
>
> /* Program the RE mode */
> - out_be32(&re_priv->re_regs->global_config, FSL_RE_NON_DPAA_MODE);
> + out_be32(&re_regs->global_config, FSL_RE_NON_DPAA_MODE);
[ ... ]
[Severity: High]
This is a pre-existing issue, but there seems to be a missing bounds check
when parsing device tree Job Ring nodes.
In fsl_re_probe(), the ridx counter is incremented indefinitely and passed
directly to fsl_re_chan_probe() without being bounded against
FSL_RE_MAX_CHANS (4):
fsl_re_chan_probe(ofdev, child, ridx++, off);
re_priv->total_chans++;
Then in fsl_re_chan_probe(), the unbounded index q is directly used to write
into the statically sized array:
re_priv->re_jrs[q] = chan;
If a malformed device tree contains more than 4 job ring child nodes,
would this cause an out-of-bounds write and memory corruption?
[Severity: High]
This isn't a bug introduced by this patch, but fsl_re_probe() appears to
ignore the return value of fsl_re_chan_probe() and unconditionally
increments total_chans.
fsl_re_chan_probe(ofdev, child, ridx++, off);
re_priv->total_chans++;
If fsl_re_chan_probe() fails and returns an error, fsl_re_probe() ignores
the error but still increments re_priv->total_chans.
Subsequent calls to fsl_re_remove_chan() on driver remove or error rollback
will then dereference a NULL pointer:
static void fsl_re_remove_chan(struct fsl_re_chan *chan)
{
tasklet_kill(&chan->irqtask);
...
Might this result in a kernel panic from a NULL pointer dereference during
teardown?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260716202949.677290-4-rosenp@gmail.com?part=1
next prev parent reply other threads:[~2026-07-16 20:44 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-16 20:29 [PATCHv2 0/4] dma: fsl_raid: fix sparse warnings and simplify probing Rosen Penev
2026-07-16 20:29 ` [PATCHv2 1/4] dma: fsl_raid: convert descriptor stores to big-endian Rosen Penev
2026-07-16 20:44 ` sashiko-bot
2026-07-16 20:49 ` Frank Li
2026-07-16 20:29 ` [PATCHv2 2/4] dma: fsl_raid: set final bit via fill_cfd_frame() argument Rosen Penev
2026-07-16 20:47 ` sashiko-bot
2026-07-16 20:57 ` Frank Li
2026-07-16 20:29 ` [PATCHv2 3/4] dma: fsl_raid: keep MMIO bases as void __iomem and cast at access Rosen Penev
2026-07-16 20:44 ` sashiko-bot [this message]
2026-07-16 21:02 ` Frank Li
2026-07-16 20:29 ` [PATCHv2 4/4] dma: fsl_raid: use devm_platform_ioremap_resource Rosen Penev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260716204430.BB5071F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=dmaengine@vger.kernel.org \
--cc=rosenp@gmail.com \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox