* [RFC PATCH 0/2] ASoC: atmel: ac97c: Fix IRQ handling sequences
@ 2026-06-04 20:36 Manish Baing
2026-06-04 20:36 ` [RFC PATCH 1/2] ASoC: sound: atmel_ac97c: Fix IRQ handler null pointer dereference Manish Baing
2026-06-04 20:36 ` [RFC PATCH 2/2] ASoC: atmel: ac97c: Fix use-after-free on driver teardown Manish Baing
0 siblings, 2 replies; 3+ messages in thread
From: Manish Baing @ 2026-06-04 20:36 UTC (permalink / raw)
To: perex, tiwai, nicolas.ferre, alexandre.belloni, claudiu.beznea
Cc: linux-sound, linux-arm-kernel, linux-kernel, manishbaing2789
This series addresses two hardware initialization and teardown issues in
the atmel_ac97c driver flagged by the Sashiko AI bot.
The original report can be found here:
https://sashiko.dev/#/patchset/20260530052812.115994-1-manishbaing2789@gmail.com?part=1
- Patch 1 moves request_irq() to the end of probe to prevent a null pointer
dereference if an interrupt fires early.
- Patch 2 reorders the teardown sequence to free the IRQ before disabling
clocks and unmapping memory, preventing a use-after-free.
I am submitting this as an RFC because I do not have the physical hardware
to test these changes. However, my manual analysis indicates these are
valid bugs, and the series compiles cleanly with W=1.
Manish Baing (2):
ASoC: sound: atmel_ac97c: Fix IRQ handler null pointer dereference
ASoC: atmel: ac97c: Fix use-after-free on driver teardown
sound/atmel/ac97c.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
--
2.43.0
* [RFC PATCH 1/2] ASoC: sound: atmel_ac97c: Fix IRQ handler null pointer dereference
2026-06-04 20:36 [RFC PATCH 0/2] ASoC: atmel: ac97c: Fix IRQ handling sequences Manish Baing
@ 2026-06-04 20:36 ` Manish Baing
2026-06-04 20:36 ` [RFC PATCH 2/2] ASoC: atmel: ac97c: Fix use-after-free on driver teardown Manish Baing
1 sibling, 0 replies; 3+ messages in thread
From: Manish Baing @ 2026-06-04 20:36 UTC (permalink / raw)
To: perex, tiwai, nicolas.ferre, alexandre.belloni, claudiu.beznea
Cc: linux-sound, linux-arm-kernel, linux-kernel, manishbaing2789,
Sashiko AI
In atmel_ac97c_probe(), request_irq() is called before ioremap().
If an interrupt fires immediately, the handler atmel_ac97c_interrupt()
will attempt to dereference chip->regs via ac97c_readl(), leading to
a null pointer dereference and kernel panic.
Move request_irq() to the end of the probe function, after memory
is mapped and clocks are enabled, ensuring the hardware is fully
ready before interrupts are serviced.
Running make W=1 returns no errors. I was unable to test the patch
because I do not have the hardware. The issue was flagged by the
Sashiko AI bot.
Link: https://sashiko.dev/#/patchset/20260530052812.115994-1-manishbaing2789@gmail.com?part=1
Reported-by: Sashiko AI <sashiko-bot@kernel•org>
Signed-off-by: Manish Baing <manishbaing2789@gmail•com>
---
sound/atmel/ac97c.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/sound/atmel/ac97c.c b/sound/atmel/ac97c.c
index df0a049192de..cd74395dd222 100644
--- a/sound/atmel/ac97c.c
+++ b/sound/atmel/ac97c.c
@@ -734,11 +734,6 @@ static int atmel_ac97c_probe(struct platform_device *pdev)
chip = get_chip(card);
- retval = request_irq(irq, atmel_ac97c_interrupt, 0, "AC97C", chip);
- if (retval) {
- dev_dbg(&pdev->dev, "unable to request irq %d\n", irq);
- goto err_request_irq;
- }
chip->irq = irq;
spin_lock_init(&chip->lock);
@@ -786,6 +781,12 @@ static int atmel_ac97c_probe(struct platform_device *pdev)
goto err_ac97_bus;
}
+ retval = request_irq(irq, atmel_ac97c_interrupt, 0, "AC97C", chip);
+ if (retval) {
+ dev_dbg(&pdev->dev, "unable to request irq %d\n", irq);
+ goto err_request_irq;
+ }
+
retval = snd_card_register(card);
if (retval) {
dev_dbg(&pdev->dev, "could not register sound card\n");
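Review bot: the new `goto err_request_irq` in this hunk jumps to a label that this patch leaves where it was. The context of patch 2/2 shows that label still sitting below iounmap(chip->regs) and free_irq(irq, chip), so a request_irq() failure here skips the iounmap() and leaks the mapping, while the earlier err_ac97_bus and err_ioremap failures now fall through to free_irq() for an IRQ that was never requested. Fold the label reordering from 2/2 into this patch so the unwind matches the new probe order and each commit is correct on its own for bisection.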
--
2.43.0
* [RFC PATCH 2/2] ASoC: atmel: ac97c: Fix use-after-free on driver teardown
2026-06-04 20:36 [RFC PATCH 0/2] ASoC: atmel: ac97c: Fix IRQ handling sequences Manish Baing
2026-06-04 20:36 ` [RFC PATCH 1/2] ASoC: sound: atmel_ac97c: Fix IRQ handler null pointer dereference Manish Baing
@ 2026-06-04 20:36 ` Manish Baing
1 sibling, 0 replies; 3+ messages in thread
From: Manish Baing @ 2026-06-04 20:36 UTC (permalink / raw)
To: perex, tiwai, nicolas.ferre, alexandre.belloni, claudiu.beznea
Cc: linux-sound, linux-arm-kernel, linux-kernel, manishbaing2789,
Sashiko AI
In atmel_ac97c_remove() and the probe error path, the driver disables
clocks and unmaps memory before freeing the IRQ. If a stray interrupt
fires during this window, the handler will attempt to access unmapped
memory or unclocked hardware, resulting in a kernel panic.
Reorder the teardown sequence to call free_irq() first, adhering to
the standard reverse-initialization order.
Running make W=1 returns no errors. I was unable to test the patch
because I do not have the hardware. The issue was flagged by the
Sashiko AI bot.
Link: https://sashiko.dev/#/patchset/20260530052812.115994-1-manishbaing2789@gmail.com?part=1
Reported-by: Sashiko AI <sashiko-bot@kernel•org>
Signed-off-by: Manish Baing <manishbaing2789@gmail•com>
---
sound/atmel/ac97c.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/sound/atmel/ac97c.c b/sound/atmel/ac97c.c
index cd74395dd222..b9280b644f26 100644
--- a/sound/atmel/ac97c.c
+++ b/sound/atmel/ac97c.c
@@ -790,7 +790,7 @@ static int atmel_ac97c_probe(struct platform_device *pdev)
retval = snd_card_register(card);
if (retval) {
dev_dbg(&pdev->dev, "could not register sound card\n");
- goto err_ac97_bus;
+ goto err_snd_card_register;
}
platform_set_drvdata(pdev, card);
@@ -800,11 +800,12 @@ static int atmel_ac97c_probe(struct platform_device *pdev)
return 0;
+err_snd_card_register:
+ free_irq(irq, chip);
err_ac97_bus:
+err_request_irq:
iounmap(chip->regs);
err_ioremap:
- free_irq(irq, chip);
-err_request_irq:
snd_card_free(card);
err_snd_card_new:
clk_disable_unprepare(pclk);
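Review bot: err_ac97_bus and err_request_irq are now stacked on the same iounmap(chip->regs) and unwind identically, so two labels for one action is redundant. A single label named for what it undoes (for example err_iounmap, a hypothetical name) would make the ladder easier to audit, and it would make it obvious that only err_snd_card_register, the one path reached after request_irq() succeeded, may call free_irq(irq, chip).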
@@ -842,10 +843,10 @@ static void atmel_ac97c_remove(struct platform_device *pdev)
ac97c_writel(chip, COMR, 0);
ac97c_writel(chip, MR, 0);
+ free_irq(chip->irq, chip);
clk_disable_unprepare(chip->pclk);
clk_put(chip->pclk);
iounmap(chip->regs);
- free_irq(chip->irq, chip);
snd_card_free(card);
}
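Review bot: the subject calls this a use-after-free, but what moving free_irq(chip->irq, chip) above clk_disable_unprepare() and iounmap(chip->regs) in this hunk prevents is the handler touching unmapped registers or an unclocked block, as the commit text itself describes. Reword the subject to match, and consider a one-line comment above free_irq() stating that it must stay ahead of the clock disable and iounmap(), so a later cleanup does not move it back.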
--
2.43.0