From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Qingshuang Fu <fuqingshuang@kylinos.cn>,
Thomas Gleixner <tglx@kernel.org>
Subject: [PATCH 5.15 70/95] irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove
Date: Thu, 2 Jul 2026 18:20:13 +0200 [thread overview]
Message-ID: <20260702155110.686771035@linuxfoundation.org> (raw)
In-Reply-To: <20260702155109.196223802@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qingshuang Fu <fuqingshuang@kylinos.cn>
commit 37738fdf2ab1e504d1c63ce5bc0aeb6452d8f057 upstream.
The driver allocates domain generic chips using
irq_alloc_domain_generic_chips() during probe and sets up chained
handlers using irq_set_chained_handler_and_data(). However, on driver
removal, the generic chips are not freed and the chained handlers are
not removed.
The generic chips remain on the global gc_list and may later be accessed by
generic interrupt chip suspend, resume, or shutdown callbacks after the
driver has been removed, potentially resulting in a use-after-free and
kernel crash.
The chained handlers that were installed in probe for peripheral and
syswake interrupts are also left dangling, which can lead to spurious
interrupts accessing freed memory.
Fix these issues by:
- Setting IRQ_DOMAIN_FLAG_DESTROY_GC flag in domain->flags, so the
core code automatically removes generic chips when irq_domain_remove()
is called
- Clearing all chained handlers with NULL in pdc_intc_remove()
Fixes: b6ef9161e43a ("irq-imgpdc: add ImgTec PDC irqchip driver")
Signed-off-by: Qingshuang Fu <fuqingshuang@kylinos.cn>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260618021352.661773-1-fffsqian@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/irqchip/irq-imgpdc.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/irqchip/irq-imgpdc.c
+++ b/drivers/irqchip/irq-imgpdc.c
@@ -378,6 +378,7 @@ static int pdc_intc_probe(struct platfor
dev_err(&pdev->dev, "cannot add IRQ domain\n");
return -ENOMEM;
}
+ priv->domain->flags |= IRQ_DOMAIN_FLAG_DESTROY_GC;
/*
* Set up 2 generic irq chips with 2 chip types.
@@ -465,6 +466,11 @@ static int pdc_intc_remove(struct platfo
{
struct pdc_intc_priv *priv = platform_get_drvdata(pdev);
+ for (unsigned int i = 0; i < priv->nr_perips; ++i)
+ irq_set_chained_handler_and_data(priv->perip_irqs[i], NULL, NULL);
+
+ irq_set_chained_handler_and_data(priv->syswake_irq, NULL, NULL);
+
irq_domain_remove(priv->domain);
return 0;
}
next prev parent reply other threads:[~2026-07-02 16:29 UTC|newest]
Thread overview: 100+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-02 16:19 [PATCH 5.15 00/95] 5.15.211-rc1 review Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 01/95] fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 02/95] net/sched: act_pedit: check static offsets a priori Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 03/95] net/sched: act_pedit: rate limit datapath messages Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 04/95] net/sched: fix pedit partial COW leading to page cache corruption Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 05/95] net/sched: act_pedit: free pedit keys on bail from offset check Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 06/95] drm/amd/display: Bound VBIOS record-chain walk loops Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 07/95] ip6_vti: set netns_immutable on the fallback device Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 08/95] drm/v3d: Store the active job inside the queues state Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 09/95] drm/v3d: Skip CSD when it has zeroed workgroups Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 10/95] batman-adv: tt: reject oversized local TVLV buffers Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 11/95] batman-adv: tt: prevent TVLV entry number overflow Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 12/95] iio: light: bh1780: fix PM runtime leak on error path Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 13/95] vfio/iommu_type1: replace kfree with kvfree Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 14/95] RDMA/bnxt_re: zero shared page before exposing to userspace Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 15/95] i2c: stub: Reject I2C block transfers with invalid length Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 16/95] net: qualcomm: rmnet: fix endpoint use-after-free in rmnet_dellink() Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 17/95] agp/amd64: Fix broken error propagation in agp_amd64_probe() Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 18/95] xhci: fix memory leak regression when freeing xhci vdev devices depth first Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 19/95] af_unix: Reject SIOCATMARK on non-stream sockets Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 20/95] regulator: core: fix locking in regulator_resolve_supply() error path Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 21/95] vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 22/95] media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 23/95] virtiofs: fix UAF on submount umount Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 24/95] Revert "selftest/ptp: update ptp selftest to exercise the gettimex options" Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 25/95] Revert "ptp: add testptp mask test" Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 26/95] KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 27/95] kselftest/arm64: signal: Skip SVE signal test if not enough VLs supported Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 28/95] batman-adv: tp_meter: keep unacked list in ascending ordered Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 29/95] batman-adv: tp_meter: initialize dup_acks explicitly Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 30/95] batman-adv: tp_meter: initialize dec_cwnd explicitly Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 31/95] batman-adv: tp_meter: avoid window underflow Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 32/95] batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 33/95] batman-adv: tp_meter: fix fast recovery precondition Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 34/95] batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 35/95] batman-adv: tp_meter: add only finished tp_vars to lists Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 36/95] batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 37/95] batman-adv: prevent ELP transmission interval underflow Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 38/95] batman-adv: tp_meter: initialize last_recv_time during init Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 39/95] batman-adv: ensure bcast is writable before modifying TTL Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 40/95] batman-adv: fix (m|b)cast csum after decrementing TTL Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 41/95] batman-adv: frag: ensure fragment is writable before modifying TTL Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 42/95] batman-adv: frag: avoid underflow of TTL Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 43/95] batman-adv: v: prevent OGM aggregation on disabled hardif Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 44/95] batman-adv: tp_meter: restrict number of unacked list entries Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 45/95] batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 46/95] batman-adv: tp_meter: prevent parallel modifications of last_recv Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 47/95] batman-adv: tp_meter: handle overlapping packets Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 48/95] batman-adv: tt: dont merge change entries with different VIDs Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 49/95] batman-adv: tt: track roam count per VID Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 50/95] batman-adv: dat: prevent false sharing between VLANs Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 51/95] batman-adv: tvlv: enforce 2-byte alignment Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 52/95] batman-adv: tvlv: avoid race of cifsnotfound handler state Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 53/95] ring-buffer: Remove ring_buffer_read_prepare_sync() Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 54/95] ntfs3: reject direct userspace writes to reserved $LX* xattrs Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 55/95] ext4: add bounds check for inline data length in ext4_read_inline_page Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 56/95] crypto: af_alg - Set merge to zero early in af_alg_sendmsg Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 57/95] mac802154: llsec: add skb_cow_data() before in-place crypto Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 58/95] KEYS: fix overflow in keyctl_pkey_params_get_2() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 59/95] keys: Pin request_key_auth payload in instantiate paths Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 60/95] wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 61/95] wifi: ath11k: fix warning when unbinding Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 62/95] wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 63/95] f2fs: validate ACL entry sizes in f2fs_acl_from_disk() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 64/95] bpf: use kvfree() for replaced sysctl write buffer Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 65/95] MIPS: DEC: Prevent initial console buffer from landing in XKPHYS Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 66/95] exfat: fix potential use-after-free in exfat_find_dir_entry() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 67/95] hdlc_ppp: sync per-proto timers before freeing hdlc state Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 68/95] tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 69/95] pNFS: Fix use-after-free in pnfs_update_layout() Greg Kroah-Hartman
2026-07-02 16:20 ` Greg Kroah-Hartman [this message]
2026-07-02 16:20 ` [PATCH 5.15 71/95] fpga: region: fix use-after-free in child_regions_with_firmware() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 72/95] ocfs2: reject oversized group bitmap descriptors Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 73/95] KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 74/95] power: reset: linkstation-poweroff: fix use-after-free in the linkstation_poweroff_init() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 75/95] fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 76/95] fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 77/95] NFSD: Fix SECINFO_NO_NAME decode error cleanup Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 78/95] nfsd: fix posix_acl leak on SETACL decode failure Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 79/95] nfsd: check get_user() return when reading princhashlen Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 80/95] NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 81/95] mptcp: fix missing wakeups in edge scenarios Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 82/95] hv: utils: handle and propagate errors in kvp_register Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 83/95] misc: fastrpc: Add dma_mask to fastrpc_channel_ctx Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 84/95] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 85/95] Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 86/95] phonet: Pass ifindex to fill_addr() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 87/95] phonet: Pass net and ifindex to phonet_address_notify() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 88/95] net: phonet: free phonet_device after RCU grace period Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 89/95] fuse: re-lock request before replacing page cache folio Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 90/95] ksmbd: reject non-VALID session in compound request branch Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 91/95] Documentation: ioctl-number: Extend "Include File" column width Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 92/95] crypto: qat - Replace kzalloc() + copy_from_user() with memdup_user() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 93/95] crypto: qat - Return pointer directly in adf_ctl_alloc_resources Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 94/95] crypto: qat - remove unused character device and IOCTLs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 95/95] dlm: prevent NPD when writing a positive value to event_done Greg Kroah-Hartman
2026-07-02 19:46 ` [PATCH 5.15 00/95] 5.15.211-rc1 review Brett A C Sheffield
2026-07-03 6:46 ` Ron Economos
2026-07-03 9:44 ` Pavel Machek
2026-07-03 13:56 ` Mark Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260702155110.686771035@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=fuqingshuang@kylinos.cn \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=tglx@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox