From: Manish Baing <manishbaing2789@gmail•com>
To: perex@perex•cz, tiwai@suse•com, nicolas.ferre@microchip•com,
alexandre.belloni@bootlin•com, claudiu.beznea@tuxon•dev
Cc: linux-sound@vger•kernel.org,
linux-arm-kernel@lists•infradead.org,
linux-kernel@vger•kernel.org, manishbaing2789@gmail•com,
Sashiko AI <sashiko-bot@kernel•org>
Subject: [RFC PATCH 2/2] ASoC: atmel: ac97c: Fix use-after-free on driver teardown
Date: Thu, 4 Jun 2026 20:36:23 +0000 [thread overview]
Message-ID: <20260604203623.162640-3-manishbaing2789@gmail.com> (raw)
In-Reply-To: <20260604203623.162640-1-manishbaing2789@gmail.com>
In atmel_ac97c_remove() and the probe error path, the driver disables
clocks and unmaps memory before freeing the IRQ. If a stray interrupt
fires during this window, the handler will attempt to access unmapped
memory or unclocked hardware, resulting in a kernel panic.
Reorder the teardown sequence to call free_irq() first, adhering to
the standard reverse-initialization order.
Running make W=1 returns no errors. I was unable to test the patch
because I do not have the hardware.The issue was flagged by the
Sashiko AI bot.
Link: https://sashiko.dev/#/patchset/20260530052812.115994-1-manishbaing2789@gmail.com?part=1
Reported-by: Sashiko AI <sashiko-bot@kernel•org>
Signed-off-by: Manish Baing <manishbaing2789@gmail•com>
---
sound/atmel/ac97c.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/sound/atmel/ac97c.c b/sound/atmel/ac97c.c
index cd74395dd222..b9280b644f26 100644
--- a/sound/atmel/ac97c.c
+++ b/sound/atmel/ac97c.c
@@ -790,7 +790,7 @@ static int atmel_ac97c_probe(struct platform_device *pdev)
retval = snd_card_register(card);
if (retval) {
dev_dbg(&pdev->dev, "could not register sound card\n");
- goto err_ac97_bus;
+ goto err_snd_card_register;
}
platform_set_drvdata(pdev, card);
@@ -800,11 +800,12 @@ static int atmel_ac97c_probe(struct platform_device *pdev)
return 0;
+err_snd_card_register:
+ free_irq(irq, chip);
err_ac97_bus:
+err_request_irq:
iounmap(chip->regs);
err_ioremap:
- free_irq(irq, chip);
-err_request_irq:
snd_card_free(card);
err_snd_card_new:
clk_disable_unprepare(pclk);
@@ -842,10 +843,10 @@ static void atmel_ac97c_remove(struct platform_device *pdev)
ac97c_writel(chip, COMR, 0);
ac97c_writel(chip, MR, 0);
+ free_irq(chip->irq, chip);
clk_disable_unprepare(chip->pclk);
clk_put(chip->pclk);
iounmap(chip->regs);
- free_irq(chip->irq, chip);
snd_card_free(card);
}
--
2.43.0
prev parent reply other threads:[~2026-06-04 20:37 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-04 20:36 [RFC PATCH 0/2] ASoC: atmel: ac97c: Fix IRQ handling sequences Manish Baing
2026-06-04 20:36 ` [RFC PATCH 1/2] ASoC: sound: atmel_ac97c: Fix IRQ handler null pointer dereference Manish Baing
2026-06-04 20:36 ` Manish Baing [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260604203623.162640-3-manishbaing2789@gmail.com \
--to=manishbaing2789@gmail$(echo .)com \
--cc=alexandre.belloni@bootlin$(echo .)com \
--cc=claudiu.beznea@tuxon$(echo .)dev \
--cc=linux-arm-kernel@lists$(echo .)infradead.org \
--cc=linux-kernel@vger$(echo .)kernel.org \
--cc=linux-sound@vger$(echo .)kernel.org \
--cc=nicolas.ferre@microchip$(echo .)com \
--cc=perex@perex$(echo .)cz \
--cc=sashiko-bot@kernel$(echo .)org \
--cc=tiwai@suse$(echo .)com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox