From: Dinh Nguyen
To: tze.yee.ng@altera.com
Cc: dinguyen@kernel.org, linux-kernel@vger.kernel.org, stable@kernel.org
Subject: [PATCH] firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe
Date: Wed, 20 May 2026 22:14:15 -0500
Message-ID: <20260521031415.3247663-1-dinguyen@kernel.org>

rsu_send_msg() can return -ETIMEDOUT when
wait_for_completion_interruptible_timeout() fires while the SMC call is still
pending. In stratix10_rsu_probe(), the error paths for COMMAND_RSU_DCMF_VERSION,
COMMAND_RSU_DCMF_STATUS, COMMAND_RSU_MAX_RETRY and COMMAND_RSU_GET_SPT_TABLE
call stratix10_svc_free_channel() - which sets chan->scl to NULL - but then
fall through and queue the next request on the same channel. The next svc
kthread that runs will dereference pdata->chan->scl in its receive callback
path, triggering a NULL pointer dereference identical to the one fixed by
commit c45f7263100c ("firmware: stratix10-rsu: Fix NULL pointer dereference
when RSU is disabled") for the COMMAND_RSU_STATUS path.

Apply the same cleanup pattern to the remaining failure paths: remove the
async client, free the channel, and return early so no further messages are
queued on a channel whose scl has been cleared.

This bug was spotted when Sashiko reviewed another patch:
https://sashiko.dev/#/patchset/cover.1779248894.git.tze.yee.ng%40altera.com

Fixes: 15847537b623 ("firmware: stratix10-rsu: Migrate RSU driver to use stratix10 asynchronous framework.")
Cc: stable@kernel.org
Assisted-by: Claude:claude-4.7-opus-high Cursor
Signed-off-by: Dinh Nguyen --- drivers/firmware/stratix10-rsu.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/firmware/stratix10-rsu.c b/drivers/firmware/stratix10-= rsu.c index e1912108a0fee..840f12377f2a5 100644 --- a/drivers/firmware/stratix10-rsu.c +++ b/drivers/firmware/stratix10-rsu.c @@ -778,32 +778,39 @@ static int stratix10_rsu_probe(struct platform_device= *pdev) 0, rsu_dcmf_version_callback); if (ret) { dev_err(dev, "Error, getting DCMF version %i\n", ret); + stratix10_svc_remove_async_client(priv->chan); stratix10_svc_free_channel(priv->chan); + return ret; } =20 ret =3D rsu_send_msg(priv, COMMAND_RSU_DCMF_STATUS, 0, rsu_dcmf_status_callback); if (ret) { dev_err(dev, "Error, getting DCMF status %i\n", ret); + stratix10_svc_remove_async_client(priv->chan); stratix10_svc_free_channel(priv->chan); + return ret; } =20 ret =3D rsu_send_msg(priv, COMMAND_RSU_MAX_RETRY, 0, rsu_max_retry_callback); if (ret) { dev_err(dev, "Error, getting RSU max retry %i\n", ret); + stratix10_svc_remove_async_client(priv->chan); stratix10_svc_free_channel(priv->chan); + return ret; } =20 - ret =3D rsu_send_async_msg(dev, priv, COMMAND_RSU_GET_SPT_TABLE, 0, rsu_async_get_spt_table_callback); if (ret) { dev_err(dev, "Error, getting SPT table %i\n", ret); + stratix10_svc_remove_async_client(priv->chan); stratix10_svc_free_channel(priv->chan); + return ret; } =20 - return ret; + return 0; } =20 static void stratix10_rsu_remove(struct platform_device *pdev) --=20 2.42.0.411.g813d9a9188
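Review bot: in all four `if (ret)` branches of stratix10_rsu_probe(), the new teardown also runs for the -ETIMEDOUT case that the commit message describes as "while the SMC call is still pending", so please confirm that `stratix10_svc_remove_async_client(priv->chan)` followed by `stratix10_svc_free_channel(priv->chan)` cancels or drains the outstanding request; otherwise its callback can still fire after probe has returned an error and the driver state has been released. Separately, each `return ret;` turns what used to be a logged, non-fatal failure of the DCMF version, DCMF status and max retry queries into a probe failure; the commit message should say that this is intended, and the hunk starts at line 778, so it is worth checking that nothing set up earlier in probe needs unwinding on these new exits. As a style point, the same three-line cleanup is now repeated four times and would read better as a single error label reached with `goto` from each branch, which also keeps the paths from drifting apart the way the COMMAND_RSU_STATUS path and these four did.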