[RFC PATCH 0/2] ASoC: atmel: ac97c: Fix IRQ handling sequences

public inbox for linux-arm-kernel@lists.infradead.org 
 help / color / mirror / Atom feed

* [RFC PATCH 0/2] ASoC: atmel: ac97c: Fix IRQ handling sequences
@ 2026-06-04 20:36 Manish Baing
  2026-06-04 20:36 ` [RFC PATCH 1/2] ASoC: sound: atmel_ac97c: Fix IRQ handler null pointer dereference Manish Baing
  2026-06-04 20:36 ` [RFC PATCH 2/2] ASoC: atmel: ac97c: Fix use-after-free on driver teardown Manish Baing
  0 siblings, 2 replies; 3+ messages in thread
From: Manish Baing @ 2026-06-04 20:36 UTC (permalink / raw)
  To: perex, tiwai, nicolas.ferre, alexandre.belloni, claudiu.beznea
  Cc: linux-sound, linux-arm-kernel, linux-kernel, manishbaing2789

This series addresses two hardware initialization and teardown issues in 
the atmel_ac97c driver flagged by the Sashiko AI bot.
The original report can be found here:
https://sashiko.dev/#/patchset/20260530052812.115994-1-manishbaing2789@gmail.com?part=1

- Patch 1 moves request_irq() to the end of probe to prevent a null pointer
  dereference if an interrupt fires early.
- Patch 2 reorders the teardown sequence to free the IRQ before disabling
  clocks and unmapping memory, preventing a use-after-free.

I am submitting this as an RFC because I do not have the physical hardware
to test these changes, However, my manual analysis indicates these are 
valid bugs, and the series compiles cleanly with W=1.

Manish Baing (2):
  ASoC: sound: atmel_ac97c: Fix IRQ handler null pointer dereference
  ASoC: atmel: ac97c: Fix use-after-free on driver teardown

 sound/atmel/ac97c.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

-- 
2.43.0



^ permalink raw reply	[flat|nested] 3+ messages in thread

* [RFC PATCH 1/2] ASoC: sound: atmel_ac97c: Fix IRQ handler null pointer dereference
  2026-06-04 20:36 [RFC PATCH 0/2] ASoC: atmel: ac97c: Fix IRQ handling sequences Manish Baing
@ 2026-06-04 20:36 ` Manish Baing
  2026-06-04 20:36 ` [RFC PATCH 2/2] ASoC: atmel: ac97c: Fix use-after-free on driver teardown Manish Baing
  1 sibling, 0 replies; 3+ messages in thread
From: Manish Baing @ 2026-06-04 20:36 UTC (permalink / raw)
  To: perex, tiwai, nicolas.ferre, alexandre.belloni, claudiu.beznea
  Cc: linux-sound, linux-arm-kernel, linux-kernel, manishbaing2789,
	Sashiko AI

In atmel_ac97c_probe(), request_irq() is called before ioremap().
If an interrupt fires immediately, the handler atmel_ac97c_interrupt()
will attempt to dereference chip->regs via ac97c_readl(), leading to
a null pointer dereference and kernel panic.

Move request_irq() to the end of the probe function, after memory
is mapped and clocks are enabled, ensuring the hardware is fully
ready before interrupts are serviced.

Running make W=1 returns no errors. I was unable to test the patch
because I do not have the hardware.The issue was flagged by the
Sashiko AI bot.

Link: https://sashiko.dev/#/patchset/20260530052812.115994-1-manishbaing2789@gmail.com?part=1
Reported-by: Sashiko AI <sashiko-bot@kernel•org>
Signed-off-by: Manish Baing <manishbaing2789@gmail•com>
---
 sound/atmel/ac97c.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/sound/atmel/ac97c.c b/sound/atmel/ac97c.c
index df0a049192de..cd74395dd222 100644
--- a/sound/atmel/ac97c.c
+++ b/sound/atmel/ac97c.c
@@ -734,11 +734,6 @@ static int atmel_ac97c_probe(struct platform_device *pdev)
 
 	chip = get_chip(card);
 
-	retval = request_irq(irq, atmel_ac97c_interrupt, 0, "AC97C", chip);
-	if (retval) {
-		dev_dbg(&pdev->dev, "unable to request irq %d\n", irq);
-		goto err_request_irq;
-	}
 	chip->irq = irq;
 
 	spin_lock_init(&chip->lock);
@@ -786,6 +781,12 @@ static int atmel_ac97c_probe(struct platform_device *pdev)
 		goto err_ac97_bus;
 	}
 
+	retval = request_irq(irq, atmel_ac97c_interrupt, 0, "AC97C", chip);
+	if (retval) {
+		dev_dbg(&pdev->dev, "unable to request irq %d\n", irq);
+		goto err_request_irq;
+	}
+
 	retval = snd_card_register(card);
 	if (retval) {
 		dev_dbg(&pdev->dev, "could not register sound card\n");
-- 
2.43.0



^ permalink raw reply related	[flat|nested] 3+ messages in thread

* [RFC PATCH 2/2] ASoC: atmel: ac97c: Fix use-after-free on driver teardown
  2026-06-04 20:36 [RFC PATCH 0/2] ASoC: atmel: ac97c: Fix IRQ handling sequences Manish Baing
  2026-06-04 20:36 ` [RFC PATCH 1/2] ASoC: sound: atmel_ac97c: Fix IRQ handler null pointer dereference Manish Baing
@ 2026-06-04 20:36 ` Manish Baing
  1 sibling, 0 replies; 3+ messages in thread
From: Manish Baing @ 2026-06-04 20:36 UTC (permalink / raw)
  To: perex, tiwai, nicolas.ferre, alexandre.belloni, claudiu.beznea
  Cc: linux-sound, linux-arm-kernel, linux-kernel, manishbaing2789,
	Sashiko AI

In atmel_ac97c_remove() and the probe error path, the driver disables
clocks and unmaps memory before freeing the IRQ. If a stray interrupt
fires during this window, the handler will attempt to access unmapped
memory or unclocked hardware, resulting in a kernel panic.

Reorder the teardown sequence to call free_irq() first, adhering to
the standard reverse-initialization order.

Running make W=1 returns no errors. I was unable to test the patch
because I do not have the hardware.The issue was flagged by the
Sashiko AI bot.

Link: https://sashiko.dev/#/patchset/20260530052812.115994-1-manishbaing2789@gmail.com?part=1
Reported-by: Sashiko AI <sashiko-bot@kernel•org>
Signed-off-by: Manish Baing <manishbaing2789@gmail•com>
---
 sound/atmel/ac97c.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/sound/atmel/ac97c.c b/sound/atmel/ac97c.c
index cd74395dd222..b9280b644f26 100644
--- a/sound/atmel/ac97c.c
+++ b/sound/atmel/ac97c.c
@@ -790,7 +790,7 @@ static int atmel_ac97c_probe(struct platform_device *pdev)
 	retval = snd_card_register(card);
 	if (retval) {
 		dev_dbg(&pdev->dev, "could not register sound card\n");
-		goto err_ac97_bus;
+		goto err_snd_card_register;
 	}
 
 	platform_set_drvdata(pdev, card);
@@ -800,11 +800,12 @@ static int atmel_ac97c_probe(struct platform_device *pdev)
 
 	return 0;
 
+err_snd_card_register:
+	free_irq(irq, chip);
 err_ac97_bus:
+err_request_irq:
 	iounmap(chip->regs);
 err_ioremap:
-	free_irq(irq, chip);
-err_request_irq:
 	snd_card_free(card);
 err_snd_card_new:
 	clk_disable_unprepare(pclk);
@@ -842,10 +843,10 @@ static void atmel_ac97c_remove(struct platform_device *pdev)
 	ac97c_writel(chip, COMR, 0);
 	ac97c_writel(chip, MR,   0);
 
+	free_irq(chip->irq, chip);
 	clk_disable_unprepare(chip->pclk);
 	clk_put(chip->pclk);
 	iounmap(chip->regs);
-	free_irq(chip->irq, chip);
 
 	snd_card_free(card);
 }
-- 
2.43.0



^ permalink raw reply related	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-06-04 20:37 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-04 20:36 [RFC PATCH 0/2] ASoC: atmel: ac97c: Fix IRQ handling sequences Manish Baing
2026-06-04 20:36 ` [RFC PATCH 1/2] ASoC: sound: atmel_ac97c: Fix IRQ handler null pointer dereference Manish Baing
2026-06-04 20:36 ` [RFC PATCH 2/2] ASoC: atmel: ac97c: Fix use-after-free on driver teardown Manish Baing

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox