If dma_async_device_register() fails after fsldma_request_irqs() succeeded, the error path jumped to out_free_fdev which only removed channels but never freed the already-registered IRQs. A subsequent interrupt would access freed memory.
Fix by adding an out_free_irqs label that calls fsldma_free_irqs() before falling through to the existing channel cleanup. Assisted-by: opencode:big-pickle Signed-off-by: Rosen Penev <[email protected]> --- drivers/dma/fsldma.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/dma/fsldma.c b/drivers/dma/fsldma.c index 3009e1531292..4475d50a94f5 100644 --- a/drivers/dma/fsldma.c +++ b/drivers/dma/fsldma.c @@ -1306,10 +1306,12 @@ static int fsldma_of_probe(struct platform_device *op) err = dma_async_device_register(&fdev->common); if (err) { dev_err(fdev->dev, "unable to register DMA device\n"); - goto out_free_fdev; + goto out_free_irqs; } return 0; +out_free_irqs: + fsldma_free_irqs(fdev); out_free_fdev: for (i = 0; i < FSL_DMA_MAX_CHANS_PER_DEVICE; i++) { if (fdev->chan[i]) -- 2.54.0
