From: sashiko-bot@kernel.org
To: "Weigang He" <geoffreyhe2@gmail.com>
Cc: Frank.Li@kernel.org, imx@lists.linux.dev
Subject: Re: [PATCH 2/2] ARM: imx: fix device_node refcount leaks in imx7_src_init()
Date: Wed, 10 Jun 2026 05:13:56 +0000 [thread overview]
Message-ID: <20260610051357.1E6221F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260610050625.2229221-3-geoffreyhe2@gmail.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] Missing error handling for failed device tree mappings in imx7_src_init() leaves global pointers NULL, which are unconditionally dereferenced later during SMP bring-up.
- [High] Missing return after WARN_ON(!src_base) in imx_src_init() leads to a null pointer dereference if of_iomap() fails.
--
commit 0e3cdec3032f0f9a0628861c081a3260cfa7ce52
Author: Weigang He <geoffreyhe2@gmail.com>
ARM: imx: fix device_node refcount leaks in imx7_src_init()
This commit fixes device_node refcount leaks in imx7_src_init(). It releases
the references acquired by of_find_compatible_node() immediately after
mapping the base addresses.
> diff --git a/arch/arm/mach-imx/src.c b/arch/arm/mach-imx/src.c
> index f28bfb653a88f..c3c80b4c3d53b 100644
> --- a/arch/arm/mach-imx/src.c
> +++ b/arch/arm/mach-imx/src.c
> @@ -196,6 +196,7 @@ void __init imx7_src_init(void)
> return;
>
> src_base = of_iomap(np, 0);
> + of_node_put(np);
> if (!src_base)
> return;
[Severity: High]
This is a pre-existing issue, but returning early here leaves the global
static pointers src_base and gpc_base uninitialized (NULL).
Later, when the SMP subsystem brings up secondary CPUs, imx_boot_secondary()
calls imx_enable_cpu() and imx_set_cpu_jump(), which unconditionally
dereference these NULL pointers:
arch/arm/mach-imx/src.c:imx_enable_cpu() {
...
val = readl_relaxed(src_base + SRC_A7RCR1);
...
}
Will this cause a kernel panic during SMP bring-up if these mappings fail?
[ ... ]
[Severity: High]
This is also a pre-existing issue in the same file, but does imx_src_init()
missing a return after WARN_ON(!src_base) lead to a null pointer dereference?
arch/arm/mach-imx/src.c:imx_src_init() {
...
WARN_ON(!src_base);
/*
* force warm reset sources to generate cold reset
* for a more reliable restart
*/
spin_lock(&scr_lock);
val = readl_relaxed(src_base + SRC_SCR);
...
}
If of_iomap() fails and returns NULL, execution continues and triggers an
immediate NULL pointer dereference. Should this function return after the
warning?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260610050625.2229221-1-geoffreyhe2@gmail.com?part=2
prev parent reply other threads:[~2026-06-10 5:13 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-10 5:06 [PATCH 0/2] ARM: imx: fix device_node refcount leaks in src.c Weigang He
2026-06-10 5:06 ` [PATCH 1/2] ARM: imx: fix device_node refcount leak in imx_src_init() Weigang He
2026-06-10 5:16 ` sashiko-bot
2026-06-10 5:06 ` [PATCH 2/2] ARM: imx: fix device_node refcount leaks in imx7_src_init() Weigang He
2026-06-10 5:13 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260610051357.1E6221F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=geoffreyhe2@gmail.com \
--cc=imx@lists.linux.dev \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox