The driver uses devm_dma_request_chan() which registers automatic cleanup
via devm_add_action_or_reset(). Calling dma_release_channel() manually on
the RX channel when TX channel request fails causes a double-free when
the devm cleanup runs.

Remove the unnecessary manual cleanup and simplify the error handling
since devm will properly release channels on probe failure or driver
detach.

Fixes: 34e3815ea459 ("spi: atcspi200: Add ATCSPI200 SPI controller driver")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
---
 drivers/spi/spi-atcspi200.c | 28 +++++++---------------------
 1 file changed, 7 insertions(+), 21 deletions(-)

diff --git a/drivers/spi/spi-atcspi200.c b/drivers/spi/spi-atcspi200.c
index 2075058387f3..dd19fe9f9ee7 100644
--- a/drivers/spi/spi-atcspi200.c
+++ b/drivers/spi/spi-atcspi200.c
@@ -497,31 +497,17 @@ static int atcspi_init_resources(struct platform_device *pdev,
 
 static int atcspi_configure_dma(struct atcspi_dev *spi)
 {
-	struct dma_chan *dma_chan;
-	int ret = 0;
+	spi->host->dma_rx = devm_dma_request_chan(spi->dev, "rx");
+	if (IS_ERR(spi->host->dma_rx))
+		return PTR_ERR(spi->host->dma_rx);
 
-	dma_chan = devm_dma_request_chan(spi->dev, "rx");
-	if (IS_ERR(dma_chan)) {
-		ret = PTR_ERR(dma_chan);
-		goto err_exit;
-	}
-	spi->host->dma_rx = dma_chan;
+	spi->host->dma_tx = devm_dma_request_chan(spi->dev, "tx");
+	if (IS_ERR(spi->host->dma_tx))
+		return PTR_ERR(spi->host->dma_tx);
 
-	dma_chan = devm_dma_request_chan(spi->dev, "tx");
-	if (IS_ERR(dma_chan)) {
-		ret = PTR_ERR(dma_chan);
-		goto free_rx;
-	}
-	spi->host->dma_tx = dma_chan;
 	init_completion(&spi->dma_completion);
 
-	return ret;
-
-free_rx:
-	dma_release_channel(spi->host->dma_rx);
-	spi->host->dma_rx = NULL;
-err_exit:
-	return ret;
+	return 0;
 }
 
 static int atcspi_enable_clk(struct atcspi_dev *spi)

---
base-commit: fc7b1a72c6cd5cbbd989c6c32a6486e3e4e3594d
change-id: 20260305-atcspi2000-de58894938cd

Best regards,
-- 
Felix Gu <ustc.gu@gmail.com>

On Thu, 05 Mar 2026 20:22:38 +0800, Felix Gu wrote:
> The driver uses devm_dma_request_chan() which registers automatic cleanup
> via devm_add_action_or_reset(). Calling dma_release_channel() manually on
> the RX channel when TX channel request fails causes a double-free when
> the devm cleanup runs.
> 
> Remove the unnecessary manual cleanup and simplify the error handling
> since devm will properly release channels on probe failure or driver
> detach.
> 
> [...]

Applied to

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi.git for-next

Thanks!

[1/1] spi: atcspi200: Fix double-free in atcspi_configure_dma()
      commit: ad0e9ac2d5f5ab7a773c2c07ecf06ee59db9259f

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark