From nobody Mon Jun 8 07:23:00 2026 Received: from mail-pf1-f175.google.com (mail-pf1-f175.google.com [209.85.210.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D8475366DB9 for ; Thu, 4 Jun 2026 20:36:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.175 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780605421; cv=none; b=VV/ipdhZirZjggOQvPIsDMGJsJ5hiVDKc09/IgPp5FvJ5J5A7kk5yBv1JN3u1vi3mnjkU3PFHVgUf7yb5u4x5lmTlpk/2+iZMmA4H3Mjf+2L4bFSjCZ5BV+ASypbd+0eIb2sIxJxdLl2b2VafwttxqNWnkAjB0ltDEt9JqVUteE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780605421; c=relaxed/simple; bh=317dd9absANjSuCrAQXv+YWq8qGvdqAv9Ef0rbkdF6Y=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=mYl6/5puYt8NuKZtx9m00j1RNiTfkeQyeTlDl0hezaGFPrmpAuJEbQhftdy8zUGQIWoTeqromZllBA8wuZH/iOd24xezywd8ElopYzRf2pqAAbc5ZIq78ud+a7uFOD6LNoIkjtIa9LudDul+vCTyljB6dfAU8gvFN3KWfa62tTg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=no4WyL+f; arc=none smtp.client-ip=209.85.210.175 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="no4WyL+f" Received: by mail-pf1-f175.google.com with SMTP id d2e1a72fcca58-84237c55ef9so623458b3a.0 for ; Thu, 04 Jun 2026 13:36:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780605419; x=1781210219; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=FSEu/KQOdhdFHwNGT0hTQLZR1iOR8ZTNFTO5ZOxwoto=; b=no4WyL+fjD++Jn71aW4cs1V8cFeOBzboNlknOuAhPCetl1a6fO+8Ag8fftuoou2959 7pkdKnv5ul7J7gSviIC6HaA+D/5ETVaNFt4/j9cbBSJsR5a3Cq73YsEFa+oEuawdDKvj 8XDebHsQsEVaDGllKHl1xHd7j3z+pMrNRBAe5pAG2M2kj4Ug2fKr5os8vzpotBBoNPgs z4qWcjbxQEhmBKs41j+ek9n4UPp57dcjMmIpbwrXQkm8uMaehHsE1J23ZlrlScnMf3sW Pc3gLI1EreNhvnpQiei7Y+n1fSck1ErjsmgwKZgANJe/2PVvgv8qy6U3hI99Lv4/zh8a nnlA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780605419; x=1781210219; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=FSEu/KQOdhdFHwNGT0hTQLZR1iOR8ZTNFTO5ZOxwoto=; b=WwXwifyvi3a4zJaiI5YYXZq/3mSoreVva8yp0etWGQISV3lhkgZ86RLUT2/gxgWzzx 44MZYsdSqCkdzwSnG4CJZHaN6KyjTZiZOTbSt6DyK/qzGXUUJ3n5QqX6WBUELbmgboed ijhuxO7hqGPtrGYWRcldw5iaZPGKZpzq35vMJtC0sVgoXIM3ZJDwQsWjVvsdGxvsGA9l 8GJwPcmiNxqOOCCVRLVD3St7ZoW280s80hkJDsQbPYPloymPiR7u854czYJGh5hLyWca UPZUQShhJj0bS+lyP0pg+HcIVyKUm9GO+oHlSW15Ib0FH0vYBRt6AB+X4iH+cpL3ZHQA DX/g== X-Forwarded-Encrypted: i=1; AFNElJ8RWSuwlrJI9vOEQpHP+efvu0XDlwz90tUHV8qpQcyopAmgwJ80WHhwUSv40tWoJGVtEjnRnqxpm7nvcn4=@vger.kernel.org X-Gm-Message-State: AOJu0YxGP47sLBbrT1ZbPEDfLJ05NdJp/QnlQ9epptcIvwOSkE25HxHD DJS0cf81f4Fm323pNmPxQ4OeNiuq4kPr3sk71s8OFNddZadhN2sXeC+9 X-Gm-Gg: Acq92OE2LiFJ/VqLaH2mKlE/9WuefLw3AZvLOz37Jf1jJejlhy18DDC76ZH6U75M9Ak ZV6HTCZRtyanz7Ti0uxNg7s0Oa2nyrKhQ/Kh1xyOvmYp+4+SKJzjQUX4MMWkyUC2/enVwzcpvKE utlmO7ig1zfwADAia1kTaK3Z/ryzbxkw9b64edVKQf5OXzID20tkaMCyb8Pz1uM0Tlv6go9F24i sDJuIXuefFGJxKyDhB8MNzwEqwsjEM//O0vHGKz/BxYRoY+6UEI9iithzNc01GgttvP/vCiv1UN xz3Y+G4FndH5u10vv1i01SQEZ5eFmUarH+pf7RMkTl7VWhqciFBiSmg52ow1cXI7r2tqVJ/Bcy1 jDUql+3Y5RmAU3wHngKfagHzATMbaCeqWIGDc3kd9RP/k8kUNR6EL513mF48B7nLS5+MpdGZ4g4 qZH5auglltPtbwv1xIJf9+CBAPuyXj1S8W1RRu5EJIL0nWf2cpFuxUscgXAy3XaLRjWCYdgZO5F xEG X-Received: by 2002:a05:6a00:acd:b0:82f:776f:a78d with SMTP id d2e1a72fcca58-842b0f9987amr265860b3a.19.1780605419056; Thu, 04 Jun 2026 13:36:59 -0700 (PDT) Received: from Ubuntu.. ([49.37.171.82]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-842828fe634sm7118257b3a.52.2026.06.04.13.36.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 04 Jun 2026 13:36:58 -0700 (PDT) From: Manish Baing To: perex@perex.cz, tiwai@suse.com, nicolas.ferre@microchip.com, alexandre.belloni@bootlin.com, claudiu.beznea@tuxon.dev Cc: linux-sound@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, manishbaing2789@gmail.com, Sashiko AI Subject: [RFC PATCH 1/2] ASoC: sound: atmel_ac97c: Fix IRQ handler null pointer dereference Date: Thu, 4 Jun 2026 20:36:22 +0000 Message-ID: <20260604203623.162640-2-manishbaing2789@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260604203623.162640-1-manishbaing2789@gmail.com> References: <20260604203623.162640-1-manishbaing2789@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" In atmel_ac97c_probe(), request_irq() is called before ioremap(). If an interrupt fires immediately, the handler atmel_ac97c_interrupt() will attempt to dereference chip->regs via ac97c_readl(), leading to a null pointer dereference and kernel panic. Move request_irq() to the end of the probe function, after memory is mapped and clocks are enabled, ensuring the hardware is fully ready before interrupts are serviced. Running make W=3D1 returns no errors. I was unable to test the patch because I do not have the hardware.The issue was flagged by the Sashiko AI bot. Link: https://sashiko.dev/#/patchset/20260530052812.115994-1-manishbaing278= 9@gmail.com?part=3D1 Reported-by: Sashiko AI Signed-off-by: Manish Baing --- sound/atmel/ac97c.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/sound/atmel/ac97c.c b/sound/atmel/ac97c.c index df0a049192de..cd74395dd222 100644 --- a/sound/atmel/ac97c.c +++ b/sound/atmel/ac97c.c @@ -734,11 +734,6 @@ static int atmel_ac97c_probe(struct platform_device *p= dev) =20 chip =3D get_chip(card); =20 - retval =3D request_irq(irq, atmel_ac97c_interrupt, 0, "AC97C", chip); - if (retval) { - dev_dbg(&pdev->dev, "unable to request irq %d\n", irq); - goto err_request_irq; - } chip->irq =3D irq; =20 spin_lock_init(&chip->lock); @@ -786,6 +781,12 @@ static int atmel_ac97c_probe(struct platform_device *p= dev) goto err_ac97_bus; } =20 + retval =3D request_irq(irq, atmel_ac97c_interrupt, 0, "AC97C", chip); + if (retval) { + dev_dbg(&pdev->dev, "unable to request irq %d\n", irq); + goto err_request_irq; + } + retval =3D snd_card_register(card); if (retval) { dev_dbg(&pdev->dev, "could not register sound card\n"); --=20 2.43.0 From nobody Mon Jun 8 07:23:00 2026 Received: from mail-pf1-f179.google.com (mail-pf1-f179.google.com [209.85.210.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 435ED4C6F0C for ; Thu, 4 Jun 2026 20:37:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.179 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780605434; cv=none; b=B3cE1vShlt8bk4IOrSRy5SrRMykGWlp5GnFmGLyWEmkWm62Vkka+OjSkwi//Zry8Lfka8FBDlX1RYcfzLxUr0icYmDSyl75BAbLevMbWsJSJPjSGBd0cDI7zXvx0hS+cnjlURbVLBIGMjGZPWp7jclFsoIbLUMIdlaio79RUqp0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780605434; c=relaxed/simple; bh=sFAg+UnNZFsqoEmOnCOLpobCREe/dQvTzc8AGSIGq2Q=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Rw5QqufdRTysrb75hVBSQq6Ejkljjq0USa8RKP4wy9bAkfY/GhvGXTEgUkvzK9GK50NwS/nc5WKb6+PhMIbrE/S5+3ujWgB5mZzM1T4Sxo8XCoOMxaGSJ8cyqPMY/E+eJ+/jS0JezGZiEk+hERrbXyUNDBYBD/cvpL8wKBZG6bE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=WlVOiXZ0; arc=none smtp.client-ip=209.85.210.179 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="WlVOiXZ0" Received: by mail-pf1-f179.google.com with SMTP id d2e1a72fcca58-8422f148dfcso647083b3a.3 for ; Thu, 04 Jun 2026 13:37:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780605432; x=1781210232; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=6RDOJWyZ5/u9ipkjQCKV4Mf6ByGXtSeoznwE7qqlAc4=; b=WlVOiXZ0DD4y4B+nIszZnsiu+0T1TXF+d2Xw5IEsNrUTEJ+6BubaoTQXfD4X12odW4 HaGgaG3LWhyS/B9I/K1ZWqD1ugsErOlr2BNyCGWJ7b2U6fXKGiipKdIBbgYBOL/yV/rN BX/wDdzQMknYVeKv9YNtLQW6/o4czpT+JnOmw9kyxffxxOulvLsbKfjSbIq/DyRr9tJl TEb7CdpKEGvRLA4W4aOY8zD2QDycGufCPspWmhHy1TK/bEvv5PeB85DGHupKifqIcAYh hGj3SwrqDFIYsy3Qv7j6M+XqFIBYmCaEJT3F2dlGA6cEAmQjHfkzGP16XO9yufqXYu8X LjXg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780605432; x=1781210232; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=6RDOJWyZ5/u9ipkjQCKV4Mf6ByGXtSeoznwE7qqlAc4=; b=khQgjXEPUWgCV66vqsMo1uLtk1uapeDJ4CfQp3F9WvCVsPq6iFddBhBZDafM7Admz2 v3CgmRWcabwDm6kdqvGp0iRIDXaVeY39OOC8/P7Gpov6B+1vlefX1OoEC3DM8khIbVDM B8TtqNZiY8kHEK+Mo70HBYVMba1IsPv7eDWRLSu3FQGROn7hF38tHdWJXsQ43vPr2z2w v9gg+Z0ZlCiPUXQTFoGvUSGn5yuCbiTihEhWJs0UhDgKsVVzzr3cuMqpA8sqNi8kb6zr W/21AExKldfnD7gBu0MkwSFSv/F4hDdyAWy47L6BUabf9KedEHY5WGIH4AnxpfOtYNZJ wp/Q== X-Forwarded-Encrypted: i=1; AFNElJ8XCeofsWPUhTyHSiOlM4m0zpjKVTIrJ5k+RTmB7Sr8Rthouh6D5KUlWakkv0OBFrIUl/S9zEBETA4sYc4=@vger.kernel.org X-Gm-Message-State: AOJu0YxdqXMrfSWcJWyZIbi1nsAheT8oVHhUELN7hN8W91weUvsd+E7I 3KedJWZwEZJSWyb6hErHv3/wWJWXlsbwn/Ppq26kWMWHC/59dCihliuz X-Gm-Gg: Acq92OHXhHAPxFwc6SHzA9HiyjIdYqLIM4x/GIf5Z1ordut+LBD/RZFNpBiU1qPpKGr XIRiNXSY7ny9O5Li3hrTN+eE6Kdqw7VsyKKk0ccAwZO+p2cZ4LspvlivcFkcQWzvXg2QaNDzAHe 0VMlzhrEzrHtIwl3Q8oIzbhz+ka7ERiQFYnvxonOHsTNrdcXEvHLBS8shtpWVYeTbsJ4TFl+dee Z+YV1ZUt7otCe7tNag97u4yd9YqUoQrkHmO3eshEw8UR3XttbdrgXEMXzyqD5XW03nsaLIla2// G7U2rybqon/8V3G0+ihVgMt4ezQackSTpcGYUoGEKUpOhSTpLEM0JfH0R1SPhfCOxvKGRJju5PV rYV1tddF0RHWLEfySOKC00yNatZ78nFRwbXsOVS37IVHaNV6Bufe+FBW4y+QwuDttExfIwhy1un IIN9qN/7458Wjp/ovxAAt5/G/glzFlUWLAytKaPsVGPfO9IljUlrKjaYjj+I9mU/U58iYBZeNwe kLL X-Received: by 2002:a05:6a00:9292:b0:842:688f:307f with SMTP id d2e1a72fcca58-842b0f51a52mr276902b3a.28.1780605432407; Thu, 04 Jun 2026 13:37:12 -0700 (PDT) Received: from Ubuntu.. ([49.37.171.82]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-842828fe634sm7118257b3a.52.2026.06.04.13.37.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 04 Jun 2026 13:37:11 -0700 (PDT) From: Manish Baing To: perex@perex.cz, tiwai@suse.com, nicolas.ferre@microchip.com, alexandre.belloni@bootlin.com, claudiu.beznea@tuxon.dev Cc: linux-sound@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, manishbaing2789@gmail.com, Sashiko AI Subject: [RFC PATCH 2/2] ASoC: atmel: ac97c: Fix use-after-free on driver teardown Date: Thu, 4 Jun 2026 20:36:23 +0000 Message-ID: <20260604203623.162640-3-manishbaing2789@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260604203623.162640-1-manishbaing2789@gmail.com> References: <20260604203623.162640-1-manishbaing2789@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" In atmel_ac97c_remove() and the probe error path, the driver disables clocks and unmaps memory before freeing the IRQ. If a stray interrupt fires during this window, the handler will attempt to access unmapped memory or unclocked hardware, resulting in a kernel panic. Reorder the teardown sequence to call free_irq() first, adhering to the standard reverse-initialization order. Running make W=3D1 returns no errors. I was unable to test the patch because I do not have the hardware.The issue was flagged by the Sashiko AI bot. Link: https://sashiko.dev/#/patchset/20260530052812.115994-1-manishbaing278= 9@gmail.com?part=3D1 Reported-by: Sashiko AI Signed-off-by: Manish Baing --- sound/atmel/ac97c.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/sound/atmel/ac97c.c b/sound/atmel/ac97c.c index cd74395dd222..b9280b644f26 100644 --- a/sound/atmel/ac97c.c +++ b/sound/atmel/ac97c.c @@ -790,7 +790,7 @@ static int atmel_ac97c_probe(struct platform_device *pd= ev) retval =3D snd_card_register(card); if (retval) { dev_dbg(&pdev->dev, "could not register sound card\n"); - goto err_ac97_bus; + goto err_snd_card_register; } =20 platform_set_drvdata(pdev, card); @@ -800,11 +800,12 @@ static int atmel_ac97c_probe(struct platform_device *= pdev) =20 return 0; =20 +err_snd_card_register: + free_irq(irq, chip); err_ac97_bus: +err_request_irq: iounmap(chip->regs); err_ioremap: - free_irq(irq, chip); -err_request_irq: snd_card_free(card); err_snd_card_new: clk_disable_unprepare(pclk); @@ -842,10 +843,10 @@ static void atmel_ac97c_remove(struct platform_device= *pdev) ac97c_writel(chip, COMR, 0); ac97c_writel(chip, MR, 0); =20 + free_irq(chip->irq, chip); clk_disable_unprepare(chip->pclk); clk_put(chip->pclk); iounmap(chip->regs); - free_irq(chip->irq, chip); =20 snd_card_free(card); } --=20 2.43.0