Re: [PATCH v3] net: fman: fix use-after-free on IRQF_SHARED handler after probe failure

From: Simon Horman

Date: Fri Jun 26 2026 - 12:32:04 EST


On Fri, Jun 26, 2026 at 05:53:02PM +0800, 赵金明 wrote:
> Hi,
>
> The analysis is logically correct. Since fman is zero-initialized by
> kzalloc_obj(), both fman->cfg and fman->fpm_regs are NULL when
> devm_request_irq() registers the shared IRQ handler. The guard in
> fman_irq():
>
> if (!is_init_done(fman->cfg))
> return IRQ_NONE;
>
> does not protect against this case because is_init_done(NULL) returns
> true, so the handler would proceed to dereference the NULL
> fpm_regs pointer via ioread32be().
>
> However, this is a pre-existing issue unrelated to the UAF fix in this
> patch. The window is very short -- between devm_request_irq() and the
> completion of fman_init() -- and would require another device on the
> same shared IRQ line to fire an interrupt during that interval.
>
> If this should be addressed, I will send a separate patch for it.
> The current patch is focused solely on the post-IRQ-registration UAF
> on error paths.
>
> Please let me know if you would like me to handle this separately.

Thanks, I agree this can be handled separately.
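The guard behaviour described in the quoted analysis, as an added userspace model written for this page and not fman driver code: the struct layout, the three probe-lifecycle steps, the MODEL_* result codes and the hardened guard with an explicit init_done flag are all assumptions made for illustration. The model keeps the one property that matters, that is_init_done() treats cfg == NULL as "finished", which a freshly zeroed struct also satisfies, and shows how a guard keyed on a positive "initialised" signal declines the interrupt in that window instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the driver state discussed in the thread.
 * Field names follow the discussion; the struct itself is an assumption. */
struct fman_cfg { int placeholder; };

struct fman_model {
	struct fman_cfg *cfg;   /* allocated for init, freed and NULLed when init completes */
	uint32_t *fpm_regs;     /* NULL until the register window is set up */
	bool init_done;         /* hypothetical explicit flag used only by the hardened guard */
};

enum irq_result {
	MODEL_IRQ_NONE,          /* handler declines the shared interrupt */
	MODEL_IRQ_HANDLED,       /* handler read fpm_regs */
	MODEL_WOULD_DEREF_NULL,  /* stands in for ioread32be() on a NULL fpm_regs */
};

/* Same truth table as the helper quoted above: cfg == NULL means "init has
 * finished and freed cfg", which a zero-initialised struct also satisfies. */
static bool is_init_done(struct fman_cfg *cfg)
{
	return cfg == NULL;
}

/* Guard as quoted in the thread. */
static enum irq_result fman_irq_current(struct fman_model *fman)
{
	if (!is_init_done(fman->cfg))
		return MODEL_IRQ_NONE;
	if (!fman->fpm_regs)
		return MODEL_WOULD_DEREF_NULL;
	(void)fman->fpm_regs[0];
	return MODEL_IRQ_HANDLED;
}

/* Hypothetical hardened guard: require a positive "initialised" signal instead
 * of inferring it from a pointer that is NULL both before and after init. */
static enum irq_result fman_irq_hardened(struct fman_model *fman)
{
	if (!fman->init_done || !fman->fpm_regs)
		return MODEL_IRQ_NONE;
	(void)fman->fpm_regs[0];
	return MODEL_IRQ_HANDLED;
}

/* Drive the model through the probe lifecycle and fire a simulated shared
 * interrupt at step 0 (just after request_irq, struct still zeroed), step 1
 * (cfg allocated, init in progress) or step 2 (init complete, cfg freed). */
static enum irq_result irq_at_step(int step, bool hardened)
{
	static uint32_t fake_regs[4];
	static struct fman_cfg cfg_storage;
	struct fman_model fman;

	memset(&fman, 0, sizeof(fman));        /* kzalloc_obj() analogue */
	if (step >= 1) {
		fman.cfg = &cfg_storage;           /* init begins, cfg is live */
		fman.fpm_regs = fake_regs;
	}
	if (step >= 2) {
		fman.cfg = NULL;                   /* stands in for kfree(cfg) at end of init */
		fman.init_done = true;
	}
	return hardened ? fman_irq_hardened(&fman) : fman_irq_current(&fman);
}

int main(void)
{
	static const char *names[] = { "IRQ_NONE", "IRQ_HANDLED", "would dereference NULL" };
	for (int step = 0; step < 3; step++)
		printf("step %d: current guard -> %s, hardened guard -> %s\n", step,
		       names[irq_at_step(step, false)], names[irq_at_step(step, true)]);
	return 0;
}
```

Step 0 is the window the analysis describes: the current guard passes because cfg is NULL, and the handler goes on to touch a NULL fpm_regs; the hardened variant returns IRQ_NONE there and only starts handling at step 2. Whether a flag or a check on fpm_regs is the right fix for the real driver is a separate question that the thread leaves open.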