On Wed, 2016-04-27 at 10:58 -0600, Jason Gunthorpe wrote:
> The devm for the IRQ was placed on the chip, not the pdev. This can
> cause the irq to be still callable after the pdev has been cleaned up
> (eg priv kfree'd).
> 
> Found by CONFIG_DEBUG_SHIRQ=y
> 
> Reported-by: Stefan Berger <[email protected]>
> Fixes: 233a065e0cd0 ("tpm: Get rid of chip->pdev")
> Signed-off-by: Jason Gunthorpe <[email protected]>
> Tested-by:  Stefan Berger <[email protected]>

Reviewed-by: Jarkko Sakkinen <[email protected]>

/Jarkko

> ---
>  drivers/char/tpm/tpm_tis.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c
> index a6b2d460bfc0..d88827046a42 100644
> --- a/drivers/char/tpm/tpm_tis.c
> +++ b/drivers/char/tpm/tpm_tis.c
> @@ -387,7 +387,7 @@ static void disable_interrupts(struct tpm_chip *chip)
>       intmask &= ~TPM_GLOBAL_INT_ENABLE;
>       iowrite32(intmask,
>                 priv->iobase + TPM_INT_ENABLE(priv->locality));
> -     devm_free_irq(&chip->dev, priv->irq, chip);
> +     devm_free_irq(chip->dev.parent, priv->irq, chip);
>       priv->irq = 0;
>       chip->flags &= ~TPM_CHIP_FLAG_IRQ;
>  }
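
Review bot: The device passed to devm_free_irq() in disable_interrupts() has to be the same one the IRQ was requested against, so this line is only correct together with the devm_request_irq() change in tpm_tis_probe_irq_single(); the two must not be split or backported separately. The diffstat shows only these two call sites being touched, so it is worth confirming that no other path frees priv->irq with the old &chip->dev argument. A short comment above the call saying the IRQ is owned by the parent device, because priv is released with it, would stop a later cleanup from switching it back.
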
> @@ -604,7 +604,7 @@ static int tpm_tis_probe_irq_single(struct tpm_chip 
> *chip, u32
> intmask,
>       struct priv_data *priv = dev_get_drvdata(&chip->dev);
>       u8 original_int_vec;
>  
> -     if (devm_request_irq(&chip->dev, irq, tis_int_handler, flags,
> +     if (devm_request_irq(chip->dev.parent, irq, tis_int_handler, flags,
>                            dev_name(&chip->dev), chip) != 0) {
>               dev_info(&chip->dev, "Unable to request irq: %d for probe\n",
>                        irq);
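
Review bot: In the devm_request_irq() call the devres owner is now chip->dev.parent, while the name (dev_name(&chip->dev)), the dev_id cookie (chip) and the dev_get_drvdata(&chip->dev) lookup just above still use the chip device, and nothing in the code says why they differ. Please add a one-line comment that the IRQ is tied to the parent so it is released before priv is freed, as the commit message explains. Since chip remains the handler's dev_id, it would also help to state in the commit message that chip is still valid for as long as the parent's devres can deliver the interrupt.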
