The Linux Kernel Mailing List
* [PATCH 1/1] irqchip/imgpdc: fix generic IRQ chip leak and missing chained handler cleanup on remove
From: fffsqian @ 2026-06-12  8:47 UTC
  To: tglx, jhogan; +Cc: linux-kernel, Qingshuang Fu

From: Qingshuang Fu <fuqingshuang@kylinos.cn>

The driver allocates domain generic chips using
irq_alloc_domain_generic_chips() during probe and sets up chained
handlers using irq_set_chained_handler_and_data(). However, on driver
remove, the generic chips are not freed and the chained handlers are
not removed.

The generic chips remain on the global gc_list and may later be visited
by generic IRQ chip suspend, resume, or shutdown callbacks after the
driver has been removed, potentially resulting in a use-after-free and
kernel crash.

The chained handlers that were installed in probe for peripheral and
syswake IRQs are also left dangling, which can lead to spurious
interrupts accessing freed memory.

Fix by:
- Adding irq_domain_remove_generic_chips() before irq_domain_remove()
  in both pdc_intc_remove() and the probe error path
- Clearing all chained handlers with NULL in pdc_intc_remove()

Fixes: b6ef9161e43a ("irq-imgpdc: add ImgTec PDC irqchip driver")
Signed-off-by: Qingshuang Fu <fuqingshuang@kylinos.cn>
---
 drivers/irqchip/irq-imgpdc.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/irqchip/irq-imgpdc.c b/drivers/irqchip/irq-imgpdc.c
index e9ef2f5a7207..b5cf0beda245 100644
--- a/drivers/irqchip/irq-imgpdc.c
+++ b/drivers/irqchip/irq-imgpdc.c
@@ -457,6 +457,7 @@ static int pdc_intc_probe(struct platform_device *pdev)
 
 	return 0;
 err_generic:
+	irq_domain_remove_generic_chips(priv->domain);
 	irq_domain_remove(priv->domain);
 	return ret;
 }
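Review bot: At err_generic, the added irq_domain_remove_generic_chips(priv->domain) call is not justified by the changelog: the label name suggests it is reached when generic chip allocation itself failed, in which case there may be no chips to remove. Please state which failure paths jump to this label and whether any of them can run after the chips (or the chained handlers, which this error path does not clear) have been set up. If the domain is flagged IRQ_DOMAIN_FLAG_DESTROY_GC, as suggested in the reply in this thread, irq_domain_remove() covers the chips and the explicit call can be dropped.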
@@ -464,7 +465,14 @@ static int pdc_intc_probe(struct platform_device *pdev)
 static void pdc_intc_remove(struct platform_device *pdev)
 {
 	struct pdc_intc_priv *priv = platform_get_drvdata(pdev);
+	unsigned int i;
+
+	for (i = 0; i < priv->nr_perips; ++i)
+		irq_set_chained_handler_and_data(priv->perip_irqs[i], NULL, NULL);
+
+	irq_set_chained_handler_and_data(priv->syswake_irq, NULL, NULL);
 
+	irq_domain_remove_generic_chips(priv->domain);
 	irq_domain_remove(priv->domain);
 }
 
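Review bot: In pdc_intc_remove(), `unsigned int i` is declared at function scope but only serves the one loop; declare it in the loop header instead (`for (unsigned int i = 0; i < priv->nr_perips; ++i)`). The teardown order also deserves a one-line comment: the chained handlers on perip_irqs[] and syswake_irq are cleared before irq_domain_remove_generic_chips() and irq_domain_remove(), and the changelog's use-after-free concern depends on that order being kept, so documenting it in the code protects it from later reshuffling.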

base-commit: 2b414a95b8f7307d42173ba9e580d6d3e2bcbfce
-- 
2.25.1



* Re: [PATCH 1/1] irqchip/imgpdc: fix generic IRQ chip leak and missing chained handler cleanup on remove
From: Thomas Gleixner @ 2026-06-17 16:14 UTC
  To: fffsqian, jhogan; +Cc: linux-kernel, Qingshuang Fu

On Fri, Jun 12 2026 at 16:47, fffsqian@163.com wrote:
> @@ -457,6 +457,7 @@ static int pdc_intc_probe(struct platform_device *pdev)
>  
>  	return 0;
>  err_generic:
> +	irq_domain_remove_generic_chips(priv->domain);

You can spare this call and the one below by setting
IRQ_DOMAIN_FLAG_DESTROY_GC in domain->flags. Then the core will remove
the chip when mopping up the domain.

>  	irq_domain_remove(priv->domain);
>  	return ret;
>  }
> @@ -464,7 +465,14 @@ static int pdc_intc_probe(struct platform_device *pdev)
>  static void pdc_intc_remove(struct platform_device *pdev)
>  {
>  	struct pdc_intc_priv *priv = platform_get_drvdata(pdev);
> +	unsigned int i;
> +
> +	for (i = 0; i < priv->nr_perips; ++i)

  for (unsigned int i = 0;

Thanks,

        tglx
