| Message ID | 20221103121146.99836-1-yangyingliang@huawei.com |
|---|---|
| State | Accepted |
| Delegated to: | Andi Shyti |
| Headers | show |
| Series | [-next] i2c: amd-mp2: drop free_irq() of devm_request_irq() allocated irq | expand |
On Thu, Nov 03, 2022 at 08:11:46PM +0800, Yang Yingliang wrote: > irq allocated with devm_request_irq() will be freed in devm_irq_release(), > using free_irq() in ->remove() will causes a dangling pointer, and a > subsequent double free. So remove the free_irq() in the error path and > remove path. > > Fixes: 969864efae78 ("i2c: amd-mp2: use msix/msi if the hardware supports") > Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> > --- Elie, Shyam, are you OK with this patch? > drivers/i2c/busses/i2c-amd-mp2-pci.c | 5 +---- > 1 file changed, 1 insertion(+), 4 deletions(-) > > diff --git a/drivers/i2c/busses/i2c-amd-mp2-pci.c b/drivers/i2c/busses/i2c-amd-mp2-pci.c > index 143165300949..ef7370d3dbea 100644 > --- a/drivers/i2c/busses/i2c-amd-mp2-pci.c > +++ b/drivers/i2c/busses/i2c-amd-mp2-pci.c > @@ -327,13 +327,11 @@ static int amd_mp2_pci_init(struct amd_mp2_dev *privdata, > amd_mp2_irq_isr, irq_flag, dev_name(&pci_dev->dev), privdata); > if (rc) { > pci_err(pci_dev, "Failure requesting irq %i: %d\n", privdata->dev_irq, rc); > - goto free_irq_vectors; > + goto err_dma_mask; > } > > return rc; > > -free_irq_vectors: > - free_irq(privdata->dev_irq, privdata); > err_dma_mask: > pci_clear_master(pci_dev); > err_pci_enable: > @@ -376,7 +374,6 @@ static void amd_mp2_pci_remove(struct pci_dev *pci_dev) > pm_runtime_forbid(&pci_dev->dev); > pm_runtime_get_noresume(&pci_dev->dev); > > - free_irq(privdata->dev_irq, privdata); > pci_clear_master(pci_dev); > > amd_mp2_clear_reg(privdata); > -- > 2.25.1 >
Hi Yang, long time since this patch has been sent. On Thu, Nov 03, 2022 at 08:11:46PM +0800, Yang Yingliang wrote: > irq allocated with devm_request_irq() will be freed in devm_irq_release(), > using free_irq() in ->remove() will causes a dangling pointer, and a > subsequent double free. So remove the free_irq() in the error path and > remove path. the patch looks correct, but that's not the reason because we haven't called devm_request_irq() yet. In theory we shouldn't even need the privdata->dev_irq variable and we can safely remove it. In any case, I still would like to have an ack from Elie and Shyam. Andi > Fixes: 969864efae78 ("i2c: amd-mp2: use msix/msi if the hardware supports") > Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> > --- > drivers/i2c/busses/i2c-amd-mp2-pci.c | 5 +---- > 1 file changed, 1 insertion(+), 4 deletions(-) > > diff --git a/drivers/i2c/busses/i2c-amd-mp2-pci.c b/drivers/i2c/busses/i2c-amd-mp2-pci.c > index 143165300949..ef7370d3dbea 100644 > --- a/drivers/i2c/busses/i2c-amd-mp2-pci.c > +++ b/drivers/i2c/busses/i2c-amd-mp2-pci.c > @@ -327,13 +327,11 @@ static int amd_mp2_pci_init(struct amd_mp2_dev *privdata, > amd_mp2_irq_isr, irq_flag, dev_name(&pci_dev->dev), privdata); > if (rc) { > pci_err(pci_dev, "Failure requesting irq %i: %d\n", privdata->dev_irq, rc); > - goto free_irq_vectors; > + goto err_dma_mask; > } > > return rc; > > -free_irq_vectors: > - free_irq(privdata->dev_irq, privdata); > err_dma_mask: > pci_clear_master(pci_dev); > err_pci_enable: > @@ -376,7 +374,6 @@ static void amd_mp2_pci_remove(struct pci_dev *pci_dev) > pm_runtime_forbid(&pci_dev->dev); > pm_runtime_get_noresume(&pci_dev->dev); > > - free_irq(privdata->dev_irq, privdata); > pci_clear_master(pci_dev); > > amd_mp2_clear_reg(privdata); > -- > 2.25.1 >
Hi Yang, On Thu, Nov 03, 2022 at 08:11:46PM +0800, Yang Yingliang wrote: > irq allocated with devm_request_irq() will be freed in devm_irq_release(), > using free_irq() in ->remove() will causes a dangling pointer, and a > subsequent double free. So remove the free_irq() in the error path and > remove path. > > Fixes: 969864efae78 ("i2c: amd-mp2: use msix/msi if the hardware supports") > Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> No ack from Ellie and Shyam have come for this patch in almost two years. It still applies and it still looks correct to me. I'm merging it into i2c/i2c-host-fixes in order to have it in time for the tests before the pull requests. If Ellie and/or Shyam will have concerns, we are still in time to take it off. Andi
On 3/20/2025 16:46, Andi Shyti wrote: > Hi Yang, > > On Thu, Nov 03, 2022 at 08:11:46PM +0800, Yang Yingliang wrote: >> irq allocated with devm_request_irq() will be freed in devm_irq_release(), >> using free_irq() in ->remove() will causes a dangling pointer, and a >> subsequent double free. So remove the free_irq() in the error path and >> remove path. >> >> Fixes: 969864efae78 ("i2c: amd-mp2: use msix/msi if the hardware supports") >> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> > > No ack from Ellie and Shyam have come for this patch in almost > two years. It still applies and it still looks correct to me. > > I'm merging it into i2c/i2c-host-fixes in order to have it in > time for the tests before the pull requests. If Ellie and/or > Shyam will have concerns, we are still in time to take it off. > Sorry, I missed this. Acked-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com> Thanks, Shyam
Hi Shyam, On Thu, Mar 20, 2025 at 05:12:34PM +0530, Shyam Sundar S K wrote: > On 3/20/2025 16:46, Andi Shyti wrote: > > On Thu, Nov 03, 2022 at 08:11:46PM +0800, Yang Yingliang wrote: > >> irq allocated with devm_request_irq() will be freed in devm_irq_release(), > >> using free_irq() in ->remove() will causes a dangling pointer, and a > >> subsequent double free. So remove the free_irq() in the error path and > >> remove path. > >> > >> Fixes: 969864efae78 ("i2c: amd-mp2: use msix/msi if the hardware supports") > >> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> > > > > No ack from Ellie and Shyam have come for this patch in almost > > two years. It still applies and it still looks correct to me. > > > > I'm merging it into i2c/i2c-host-fixes in order to have it in > > time for the tests before the pull requests. If Ellie and/or > > Shyam will have concerns, we are still in time to take it off. > > > > Sorry, I missed this. > > Acked-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com> Thanks, appreciated! I added your ack. Andi
diff --git a/drivers/i2c/busses/i2c-amd-mp2-pci.c b/drivers/i2c/busses/i2c-amd-mp2-pci.c index 143165300949..ef7370d3dbea 100644 --- a/drivers/i2c/busses/i2c-amd-mp2-pci.c +++ b/drivers/i2c/busses/i2c-amd-mp2-pci.c @@ -327,13 +327,11 @@ static int amd_mp2_pci_init(struct amd_mp2_dev *privdata, amd_mp2_irq_isr, irq_flag, dev_name(&pci_dev->dev), privdata); if (rc) { pci_err(pci_dev, "Failure requesting irq %i: %d\n", privdata->dev_irq, rc); - goto free_irq_vectors; + goto err_dma_mask; } return rc; -free_irq_vectors: - free_irq(privdata->dev_irq, privdata); err_dma_mask: pci_clear_master(pci_dev); err_pci_enable: @@ -376,7 +374,6 @@ static void amd_mp2_pci_remove(struct pci_dev *pci_dev) pm_runtime_forbid(&pci_dev->dev); pm_runtime_get_noresume(&pci_dev->dev); - free_irq(privdata->dev_irq, privdata); pci_clear_master(pci_dev); amd_mp2_clear_reg(privdata);
irq allocated with devm_request_irq() will be freed in devm_irq_release(), using free_irq() in ->remove() will causes a dangling pointer, and a subsequent double free. So remove the free_irq() in the error path and remove path. Fixes: 969864efae78 ("i2c: amd-mp2: use msix/msi if the hardware supports") Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> --- drivers/i2c/busses/i2c-amd-mp2-pci.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-)