On Fri, Jun 05, 2026 at 03:01:25PM -0700, Rosen Penev wrote: > > Add tasklet_kill() in fsl_dma_chan_remove() to prevent a race > where the tasklet, scheduled by the IRQ handler, runs after > the channel has been torn down. With the recent devm conversions > the channel struct is no longer freed in the remove path, so > this is not a use-after-free crash fix, but rather correct > shutdown sequencing to avoid the tasklet operating on a > logically-removed channel.
Use below commit should be enough, needn't talk about use-after-free Call tasklet_kill() in fsl_dma_chan_remove() to prevent a race where a tasklet scheduled from the IRQ handler can run after the channel has been torn down. Frank > > Assisted-by: opencode:big-pickle > Signed-off-by: Rosen Penev <[email protected]> > --- > drivers/dma/fsldma.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/dma/fsldma.c b/drivers/dma/fsldma.c > index 22d62d958abd..0e2f84862261 100644 > --- a/drivers/dma/fsldma.c > +++ b/drivers/dma/fsldma.c > @@ -1205,6 +1205,7 @@ static int fsl_dma_chan_probe(struct fsldma_device > *fdev, > > static void fsl_dma_chan_remove(struct fsldma_chan *chan) > { > + tasklet_kill(&chan->tasklet); > irq_dispose_mapping(chan->irq); > list_del(&chan->common.device_node); > iounmap(chan->regs); > -- > 2.54.0 >
