Re: [PATCH net v3] atm: fore200e: fix use-after-free in tasklets during device removal
From: kernel test robot <hidden>
Date: 2026-02-10 03:38:20
Also in: lkml, oe-kbuild-all

Hi Duoming,

kernel test robot noticed the following build warnings:

[auto build test WARNING on net/main]

url:    https://github.com/intel-lab-lkp/linux/commits/Duoming-Zhou/atm-fore200e-fix-use-after-free-in-tasklets-during-device-removal/20260209-174706
base:   net/main
patch link:    https://lore.kernel.org/r/20260209094512.33847-1-duoming%40zju.edu.cn
patch subject: [PATCH net v3] atm: fore200e: fix use-after-free in tasklets during device removal
config: i386-randconfig-141-20260210 (https://download.01.org/0day-ci/archive/20260210/202602101146.NCGz3JHc-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
smatch version: v0.5.0-8994-gd50c5a4c

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot [off-list ref]
| Closes: https://lore.kernel.org/oe-kbuild-all/202602101146.NCGz3JHc-lkp@intel.com/ (local)

smatch warnings:
drivers/atm/fore200e.c:367 fore200e_shutdown() warn: inconsistent indenting

vim +367 drivers/atm/fore200e.c

   353
   354
   355  static void
   356  fore200e_shutdown(struct fore200e* fore200e)
   357  {
   358      printk(FORE200E "removing device %s at 0x%lx, IRQ %s\n",
   359             fore200e->name, fore200e->phys_base,
   360             fore200e_irq_itoa(fore200e->irq));
   361
   362      if (fore200e->state > FORE200E_STATE_RESET) {
   363          /* first, reset the board to prevent further interrupts or data transfers */
   364          fore200e_reset(fore200e, 0);
   365      }
   366  #ifdef FORE200E_USE_TASKLET
 > 367      if (fore200e->state >= FORE200E_STATE_IRQ) {
   368          tasklet_kill(&fore200e->tx_tasklet);
   369          tasklet_kill(&fore200e->rx_tasklet);
   370      }
   371  #endif
   372      /* then, release all allocated resources */
   373      switch(fore200e->state) {
   374
   375      case FORE200E_STATE_COMPLETE:
   376          kfree(fore200e->stats);
   377
   378          fallthrough;
   379      case FORE200E_STATE_IRQ:
   380          free_irq(fore200e->irq, fore200e->atm_dev);
   381
   382          fallthrough;
   383      case FORE200E_STATE_ALLOC_BUF:
   384          fore200e_free_rx_buf(fore200e);
   385
   386          fallthrough;
   387      case FORE200E_STATE_INIT_BSQ:
   388          fore200e_uninit_bs_queue(fore200e);
   389
   390          fallthrough;
   391      case FORE200E_STATE_INIT_RXQ:
   392          fore200e_dma_chunk_free(fore200e, &fore200e->host_rxq.status);
   393          fore200e_dma_chunk_free(fore200e, &fore200e->host_rxq.rpd);
   394
   395          fallthrough;
   396      case FORE200E_STATE_INIT_TXQ:
   397          fore200e_dma_chunk_free(fore200e, &fore200e->host_txq.status);
   398          fore200e_dma_chunk_free(fore200e, &fore200e->host_txq.tpd);
   399
   400          fallthrough;
   401      case FORE200E_STATE_INIT_CMDQ:
   402          fore200e_dma_chunk_free(fore200e, &fore200e->host_cmdq.status);
   403
   404          fallthrough;
   405      case FORE200E_STATE_INITIALIZE:
   406          /* nothing to do for that state */
   407
   408      case FORE200E_STATE_START_FW:
   409          /* nothing to do for that state */
   410
   411      case FORE200E_STATE_RESET:
   412          /* nothing to do for that state */
   413
   414      case FORE200E_STATE_MAP:
   415          fore200e->bus->unmap(fore200e);
   416
   417          fallthrough;
   418      case FORE200E_STATE_CONFIGURE:
   419          /* nothing to do for that state */
   420
   421      case FORE200E_STATE_REGISTER:
   422          /* XXX shouldn't we *start* by deregistering the device? */
   423          atm_dev_deregister(fore200e->atm_dev);
   424
   425          fallthrough;
   426      case FORE200E_STATE_BLANK:
   427          /* nothing to do for that state */
   428          break;
   429      }
   430  }
   431

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki