The devm for the IRQ was placed on the chip, not the pdev. This can cause the irq to be still callable after the pdev has been cleaned up (eg priv kfree'd).
Found by CONFIG_DEBUG_SHIRQ=y Reported-by: Stefan Berger <[email protected]> Fixes: 233a065e0cd0 ("tpm: Get rid of chip->pdev") Signed-off-by: Jason Gunthorpe <[email protected]> Tested-by: Stefan Berger <[email protected]> --- drivers/char/tpm/tpm_tis.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c index a6b2d460bfc0..d88827046a42 100644 --- a/drivers/char/tpm/tpm_tis.c +++ b/drivers/char/tpm/tpm_tis.c @@ -387,7 +387,7 @@ static void disable_interrupts(struct tpm_chip *chip) intmask &= ~TPM_GLOBAL_INT_ENABLE; iowrite32(intmask, priv->iobase + TPM_INT_ENABLE(priv->locality)); - devm_free_irq(&chip->dev, priv->irq, chip); + devm_free_irq(chip->dev.parent, priv->irq, chip); priv->irq = 0; chip->flags &= ~TPM_CHIP_FLAG_IRQ; } @@ -604,7 +604,7 @@ static int tpm_tis_probe_irq_single(struct tpm_chip *chip, u32 intmask, struct priv_data *priv = dev_get_drvdata(&chip->dev); u8 original_int_vec; - if (devm_request_irq(&chip->dev, irq, tis_int_handler, flags, + if (devm_request_irq(chip->dev.parent, irq, tis_int_handler, flags, dev_name(&chip->dev), chip) != 0) { dev_info(&chip->dev, "Unable to request irq: %d for probe\n", irq); -- 2.1.4
