From: Jakub Kicinski <kuba@kernel.org>
To: nihaal@cse.iitm.ac.in
Cc: Jakub Kicinski <kuba@kernel.org>,
loic.poulain@oss.qualcomm.com, ryazanov.s.a@gmail.com,
johannes@sipsolutions.net, andrew+netdev@lunn.ch,
davem@davemloft.net, edumazet@google.com, pabeni@redhat.com,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
m.chetan.kumar@intel.com, stable@vger.kernel.org
Subject: Re: [PATCH net] net: wwan: iosm: fix potential memory leaks in ipc_imem_init()
Date: Sun, 10 May 2026 10:04:51 -0700 [thread overview]
Message-ID: <20260510170451.3886726-1-kuba@kernel.org> (raw)
In-Reply-To: <20260508092141.82495-1-nihaal@cse.iitm.ac.in>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
---
net: wwan: iosm: fix potential memory leaks in ipc_imem_init()
The memory allocated in ipc_protocol_init() is not freed on the error
paths that follow in ipc_imem_init(). Fix that by calling the
corresponding release function ipc_protocol_deinit() in the error path.
> diff --git a/drivers/net/wwan/iosm/iosm_ipc_imem.c b/drivers/net/wwan/iosm/iosm_ipc_imem.c
> index 1b7bc7d63a2e8..f4edb277efd92 100644
> --- a/drivers/net/wwan/iosm/iosm_ipc_imem.c
> +++ b/drivers/net/wwan/iosm/iosm_ipc_imem.c
> @@ -1422,6 +1422,7 @@ struct iosm_imem *ipc_imem_init(struct iosm_pcie *pcie, unsigned int device_id,
> hrtimer_cancel(&ipc_imem->fast_update_timer);
> hrtimer_cancel(&ipc_imem->tdupdate_timer);
> hrtimer_cancel(&ipc_imem->startup_timer);
> + ipc_protocol_deinit(ipc_imem->ipc_protocol);
> protocol_init_fail:
> cancel_work_sync(&ipc_imem->run_state_worker);
> ipc_task_deinit(ipc_imem->ipc_task);
Could this introduce a use-after-free by destroying the protocol before
canceling the work and tasklet?
If an error occurs after the timers are started (for example, if devlink
registration fails), the hrtimer cancellation stops new timer events.
However, if the startup timer has already fired, it might have queued a
task into the ipc_task queue.
Calling ipc_protocol_deinit() here frees the ipc_protocol structure.
Since ipc_task_deinit() has not yet been called to flush the queue and
kill the tasklet, any pending tasklet may still execute.
If a queued task such as ipc_imem_tq_startup_timer_cb() runs, does it
access the freed ipc_protocol?
ipc_imem_tq_startup_timer_cb()
ipc_imem_phase_update()
ipc_imem_get_exec_stage_buffered()
ipc_protocol_get_ap_exec_stage(ipc_imem->ipc_protocol)
Would it be safer to place the ipc_protocol_deinit() call after the
tasklet and worker are fully destroyed?
--
pw-bot: cr
prev parent reply other threads:[~2026-05-10 17:04 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-08 9:21 [PATCH net] net: wwan: iosm: fix potential memory leaks in ipc_imem_init() Abdun Nihaal
2026-05-10 17:04 ` Jakub Kicinski [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260510170451.3886726-1-kuba@kernel.org \
--to=kuba@kernel.org \
--cc=andrew+netdev@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=johannes@sipsolutions.net \
--cc=linux-kernel@vger.kernel.org \
--cc=loic.poulain@oss.qualcomm.com \
--cc=m.chetan.kumar@intel.com \
--cc=netdev@vger.kernel.org \
--cc=nihaal@cse.iitm.ac.in \
--cc=pabeni@redhat.com \
--cc=ryazanov.s.a@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox