[tip: irq/urgent] irqchip/ts4800: Fix missing chained handler cleanup on remove
From: tip-bot2 for Qingshuang Fu
Date: Tue Jun 30 2026 - 12:57:14 EST
The following commit has been merged into the irq/urgent branch of tip:
Commit-ID: 98bf7e54cec07d514b3575c11896a8b12d50ecc4
Gitweb: https://git.kernel.org/tip/98bf7e54cec07d514b3575c11896a8b12d50ecc4
Author: Qingshuang Fu <fuqingshuang@xxxxxxxxxx>
AuthorDate: Tue, 23 Jun 2026 09:52:11 +08:00
Committer: Thomas Gleixner <tglx@xxxxxxxxxx>
CommitterDate: Tue, 30 Jun 2026 18:49:48 +02:00
irqchip/ts4800: Fix missing chained handler cleanup on remove
The driver installs a chained handler for the parent interrupt during probe
using irq_set_chained_handler_and_data(), but the remove function does not
clear this handler. This leaves a dangling handler that may be called when
the parent interrupt fires after the driver has been removed, potentially
accessing freed memory and causing a kernel crash.
Additionally, the parent_irq obtained via irq_of_parse_and_map() is not
stored, making it inaccessible in the remove function. Moreover, interrupt
mappings created during probe are not properly disposed.
Fix this by:
- Saving parent_irq in probe
- Clearing the chained handler with NULL in ts4800_ic_remove()
- Disposing all IRQ mappings before domain removal to prevent resource
leaks
Fixes: d01f8633d52e ("irqchip/ts4800: Add TS-4800 interrupt controller")
Signed-off-by: Qingshuang Fu <fuqingshuang@xxxxxxxxxx>
Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxx>
Link: https://patch.msgid.link/20260623015211.109382-1-fffsqian@xxxxxxx
---
drivers/irqchip/irq-ts4800.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/irqchip/irq-ts4800.c b/drivers/irqchip/irq-ts4800.c
index 2e4013c..c7c0b15 100644
--- a/drivers/irqchip/irq-ts4800.c
+++ b/drivers/irqchip/irq-ts4800.c
@@ -28,6 +28,7 @@ struct ts4800_irq_data {
void __iomem *base;
struct platform_device *pdev;
struct irq_domain *domain;
+ unsigned int parent_irq;
};
static void ts4800_irq_mask(struct irq_data *d)
@@ -134,6 +135,7 @@ static int ts4800_ic_probe(struct platform_device *pdev)
irq_set_chained_handler_and_data(parent_irq,
ts4800_ic_chained_handle_irq, data);
+ data->parent_irq = parent_irq;
platform_set_drvdata(pdev, data);
return 0;
@@ -142,6 +144,14 @@ static int ts4800_ic_probe(struct platform_device *pdev)
static void ts4800_ic_remove(struct platform_device *pdev)
{
struct ts4800_irq_data *data = platform_get_drvdata(pdev);
+ unsigned int hwirq;
+
+ irq_set_chained_handler_and_data(data->parent_irq, NULL, NULL);
+
+ for (hwirq = 0; hwirq < 8; hwirq++)
+ irq_dispose_mapping(irq_find_mapping(data->domain, hwirq));
+
+ irq_dispose_mapping(data->parent_irq);
irq_domain_remove(data->domain);
}