From: ZhaoJinming <zhaojinming@uniontech.com>
To: madalin.bucur@nxp.com, sean.anderson@linux.dev
Cc: netdev@vger.kernel.org, andrew+netdev@lunn.ch,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, igal.liberman@freescale.com,
linux-kernel@vger.kernel.org,
ZhaoJinming <zhaojinming@uniontech.com>
Subject: [PATCH net v2 2/2] net: fman: add error cleanup path in fman_probe
Date: Fri, 3 Jul 2026 15:43:24 +0800 [thread overview]
Message-ID: <20260703074324.907294-2-zhaojinming@uniontech.com> (raw)
In-Reply-To: <20260703074324.907294-1-zhaojinming@uniontech.com>
fman_init() and devm_request_irq() failure paths in fman_probe()
do not free fman and its sub-resources (keygen, muram allocations,
state, cfg), causing memory leaks on probe failure.
Add fman_muram_finish() to properly tear down a MURAM partition
(gen_pool_destroy + iounmap + kfree), complementing the existing
fman_muram_init().
Add fman_free_resources() that releases all fman sub-resources
in the correct order:
- devm_free_irq() for any already-registered IRQ handlers
- kfree(fman->keygen)
- free_init_resources() for MURAM CAM/FIFO allocations
- kfree(fman->cfg)
- fman_muram_finish(fman->muram) for the MURAM management object
- kfree(fman->state)
- kfree(fman)
Use two goto labels in fman_probe():
- err_irq: main IRQ registered but err_irq failed -- free main IRQ
then fall through to release resources
- err_no_irq: no IRQ registered -- just release resources
The IRQ handlers must be explicitly freed before kfree(fman) to
avoid a window where a shared-IRQ spurious firing could dereference
the freed dev_id.
Note: fman_config() is not changed -- it already frees fman
internally on all its error paths, so fman_probe() must not touch
fman after fman_config() fails.
v2:
- add explicit devm_free_irq() before kfree(fman) to eliminate
a potential UAF window on the cleanup path
- add fman_muram_finish() for complete MURAM teardown
- add kfree(fman->cfg) to release config structure
Fixes: 414fd46e7762 ("fsl/fman: Add FMan support")
Signed-off-by: ZhaoJinming <zhaojinming@uniontech.com>
---
drivers/net/ethernet/freescale/fman/fman.c | 31 +++++++++++++++++--
.../net/ethernet/freescale/fman/fman_muram.c | 15 +++++++++
.../net/ethernet/freescale/fman/fman_muram.h | 2 ++
3 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/freescale/fman/fman.c b/drivers/net/ethernet/freescale/fman/fman.c
index 6947f3bc7c87..752c0df0e17c 100644
--- a/drivers/net/ethernet/freescale/fman/fman.c
+++ b/drivers/net/ethernet/freescale/fman/fman.c
@@ -2806,6 +2806,24 @@ static struct fman *read_dts_node(struct platform_device *of_dev)
return ERR_PTR(err);
}
+static void fman_free_resources(struct fman *fman, struct device *dev,
+ bool irq_registered)
+{
+ /* Free IRQs first while fman is still valid */
+ if (irq_registered) {
+ if (fman->dts_params.err_irq != 0)
+ devm_free_irq(dev, fman->dts_params.err_irq, fman);
+ devm_free_irq(dev, fman->dts_params.irq, fman);
+ }
+
+ kfree(fman->keygen);
+ free_init_resources(fman);
+ kfree(fman->cfg);
+ fman_muram_finish(fman->muram);
+ kfree(fman->state);
+ kfree(fman);
+}
+
static int fman_probe(struct platform_device *of_dev)
{
struct fman *fman;
@@ -2821,12 +2839,13 @@ static int fman_probe(struct platform_device *of_dev)
err = fman_config(fman);
if (err) {
dev_err(dev, "%s: FMan config failed\n", __func__);
+ /* fman_config() frees fman internally on all error paths */
return -EINVAL;
}
if (fman_init(fman) != 0) {
dev_err(dev, "%s: FMan init failed\n", __func__);
- return -EINVAL;
+ goto err_no_irq;
}
/* Register IRQ handlers only after initialization is complete.
@@ -2844,7 +2863,7 @@ static int fman_probe(struct platform_device *of_dev)
if (err < 0) {
dev_err(dev, "%s: irq %d allocation failed (error = %d)\n",
__func__, fman->dts_params.irq, err);
- return err;
+ goto err_no_irq;
}
if (fman->dts_params.err_irq != 0) {
@@ -2854,7 +2873,7 @@ static int fman_probe(struct platform_device *of_dev)
if (err < 0) {
dev_err(dev, "%s: irq %d allocation failed (error = %d)\n",
__func__, fman->dts_params.err_irq, err);
- return err;
+ goto err_irq;
}
}
@@ -2883,6 +2902,12 @@ static int fman_probe(struct platform_device *of_dev)
dev_dbg(dev, "FMan%d probed\n", fman->dts_params.id);
return 0;
+
+err_irq:
+ devm_free_irq(dev, fman->dts_params.irq, fman);
+err_no_irq:
+ fman_free_resources(fman, dev, false);
+ return err ?: -EINVAL;
}
static const struct of_device_id fman_match[] = {
diff --git a/drivers/net/ethernet/freescale/fman/fman_muram.c b/drivers/net/ethernet/freescale/fman/fman_muram.c
index 6ac7c2b0cb19..6c2b4f7a02b8 100644
--- a/drivers/net/ethernet/freescale/fman/fman_muram.c
+++ b/drivers/net/ethernet/freescale/fman/fman_muram.c
@@ -129,3 +129,18 @@ void fman_muram_free_mem(struct muram_info *muram, unsigned long offset,
gen_pool_free(muram->pool, addr, size);
}
+
+/**
+ * fman_muram_finish
+ * @muram: FM-MURAM module pointer.
+ *
+ * Frees all resources associated with a MURAM partition.
+ */
+void fman_muram_finish(struct muram_info *muram)
+{
+ if (!muram)
+ return;
+ iounmap(muram->vbase);
+ gen_pool_destroy(muram->pool);
+ kfree(muram);
+}
diff --git a/drivers/net/ethernet/freescale/fman/fman_muram.h b/drivers/net/ethernet/freescale/fman/fman_muram.h
index 3643af61bae2..a5cb544c0f08 100644
--- a/drivers/net/ethernet/freescale/fman/fman_muram.h
+++ b/drivers/net/ethernet/freescale/fman/fman_muram.h
@@ -23,4 +23,6 @@ unsigned long fman_muram_alloc(struct muram_info *muram, size_t size);
void fman_muram_free_mem(struct muram_info *muram, unsigned long offset,
size_t size);
+void fman_muram_finish(struct muram_info *muram);
+
#endif /* __FM_MURAM_EXT */
--
2.20.1
prev parent reply other threads:[~2026-07-03 7:46 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-03 7:43 [PATCH net v2 1/2] net: fman: move IRQ registration after init to prevent NULL deref and UAF ZhaoJinming
2026-07-03 7:43 ` ZhaoJinming [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260703074324.907294-2-zhaojinming@uniontech.com \
--to=zhaojinming@uniontech.com \
--cc=andrew+netdev@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=igal.liberman@freescale.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=madalin.bucur@nxp.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sean.anderson@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox