[PATCH v7 03/23] drm: bridge: dw_hdmi: Free IRQ before CEC adapter is unregistered
sashiko-bot at kernel.org
sashiko-bot at kernel.org
Mon May 18 11:33:27 PDT 2026
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Freeing the shared IRQ before masking the hardware interrupt source creates a race condition that can lead to an unhandled interrupt storm, permanently disabling the shared IRQ line.
--
commit 860a0518c5583dda606c670b609794b60e6bc07b
Author: Jonas Karlman <jonas at kwiboo.se>
drm: bridge: dw_hdmi: Free IRQ before CEC adapter is unregistered
This commit explicitly frees the IRQ before the CEC adapter is unregistered
to prevent a use-after-free issue. This addresses a KASAN slab-use-after-free
report triggered during device unbind when the devres release action frees
the IRQ.
> diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c
> index 9549dabde941c..67a2a242d3ca9 100644
> --- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c
> +++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c
> @@ -309,6 +309,7 @@ static void dw_hdmi_cec_remove(struct platform_device *pdev)
> struct dw_hdmi_cec *cec = platform_get_drvdata(pdev);
>
> cec_notifier_cec_adap_unregister(cec->notify, cec->adap);
> + devm_free_irq(&pdev->dev, cec->irq, cec->adap);
Does this sequence create a race condition that could result in an unhandled
interrupt storm?
The dw-hdmi-cec driver shares this IRQ line with the main dw-hdmi driver.
By freeing the IRQ handler before calling cec_unregister_adapter(), the
hardware CEC interrupts might still be unmasked and active.
If the CEC hardware asserts an interrupt during this window, the shared IRQ
line will go high. The remaining handlers on that line won't clear the CEC
interrupt, returning IRQ_NONE.
This could lead to an interrupt storm, causing the kernel to permanently
disable the shared IRQ line and break the main dw-hdmi driver's functionality.
Should the CEC hardware interrupts be explicitly masked before
devm_free_irq() is called?
> cec_unregister_adapter(cec->adap);
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260518180206.2480119-1-jonas@kwiboo.se?part=3
More information about the linux-amlogic
mailing list