* [POTENTIAL BUG] stm32: Potential NULL pointer dereference in dcmi_irq_thread()
@ 2021-05-27 15:06 ` Dmitriy Ulitin
0 siblings, 0 replies; 4+ messages in thread
From: Dmitriy Ulitin @ 2021-05-27 15:06 UTC (permalink / raw)
To: Hugues Fruchet, Mauro Carvalho Chehab, Maxime Coquelin, Alexandre Torgue
Cc: Dmitriy Ulitin, linux-media, linux-stm32, linux-arm-kernel,
linux-kernel, ldv-project
At the moment of enabling irq handling:
1922 ret = devm_request_threaded_irq(&pdev->dev, irq, dcmi_irq_callback,
1923 dcmi_irq_thread, IRQF_ONESHOT,
1924 dev_name(&pdev->dev), dcmi);
there is still uninitialized field sd_format of struct stm32_dcmi *dcmi.
If an interrupt occurs in the interval between the installation of the
interrupt handler and the initialization of this field, NULL pointer
dereference happens.
This field is dereferenced in the handler function without any check:
457 if (dcmi->sd_format->fourcc == V4L2_PIX_FMT_JPEG &&
458 dcmi->misr & IT_FRAME) {
The initialization of the sd_format field happens in
dcmi_graph_notify_complete() via dcmi_set_default_fmt().
Is it guaranteed that an interrupt does not occur in this interval?
If it is not, is it better to move interrupt handler installation
after initialization of this field has been completed?
Found by Linux Driver Verification project (linuxtesting.org).
^ permalink raw reply [flat|nested] 4+ messages in thread
* [POTENTIAL BUG] stm32: Potential NULL pointer dereference in dcmi_irq_thread()
@ 2021-05-27 15:06 ` Dmitriy Ulitin
0 siblings, 0 replies; 4+ messages in thread
From: Dmitriy Ulitin @ 2021-05-27 15:06 UTC (permalink / raw)
To: Hugues Fruchet, Mauro Carvalho Chehab, Maxime Coquelin, Alexandre Torgue
Cc: Dmitriy Ulitin, linux-media, linux-stm32, linux-arm-kernel,
linux-kernel, ldv-project
At the moment of enabling irq handling:
1922 ret = devm_request_threaded_irq(&pdev->dev, irq, dcmi_irq_callback,
1923 dcmi_irq_thread, IRQF_ONESHOT,
1924 dev_name(&pdev->dev), dcmi);
there is still uninitialized field sd_format of struct stm32_dcmi *dcmi.
If an interrupt occurs in the interval between the installation of the
interrupt handler and the initialization of this field, NULL pointer
dereference happens.
This field is dereferenced in the handler function without any check:
457 if (dcmi->sd_format->fourcc == V4L2_PIX_FMT_JPEG &&
458 dcmi->misr & IT_FRAME) {
The initialization of the sd_format field happens in
dcmi_graph_notify_complete() via dcmi_set_default_fmt().
Is it guaranteed that an interrupt does not occur in this interval?
If it is not, is it better to move interrupt handler installation
after initialization of this field has been completed?
Found by Linux Driver Verification project (linuxtesting.org).
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 4+ messages in thread
* stm32: Potential NULL pointer dereference in dcmi_irq_thread()
2021-05-27 15:06 ` Dmitriy Ulitin
@ 2021-05-27 15:06 ` Dmitriy Ulitin
-1 siblings, 0 replies; 4+ messages in thread
From: Dmitriy Ulitin @ 2021-05-27 15:06 UTC (permalink / raw)
To: Hugues Fruchet, Mauro Carvalho Chehab, Maxime Coquelin, Alexandre Torgue
Cc: Dmitriy Ulitin, linux-media, linux-stm32, linux-arm-kernel,
linux-kernel, ldv-project, Alexey Khoroshilov
At the moment of enabling irq handling:
1922 ret = devm_request_threaded_irq(&pdev->dev, irq, dcmi_irq_callback,
1923 dcmi_irq_thread, IRQF_ONESHOT,
1924 dev_name(&pdev->dev), dcmi);
there is still uninitialized field sd_format of struct stm32_dcmi *dcmi.
If an interrupt occurs in the interval between the installation of the
interrupt handler and the initialization of this field, NULL pointer
dereference happens.
This field is dereferenced in the handler function without any check:
457 if (dcmi->sd_format->fourcc == V4L2_PIX_FMT_JPEG &&
458 dcmi->misr & IT_FRAME) {
The patch moves interrupt handler installation
after initialization of the sd_format field that happens in
dcmi_graph_notify_complete() via dcmi_set_default_fmt().
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Dmitriy Ulitin <ulitin@ispras.ru>
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
---
drivers/media/platform/stm32/stm32-dcmi.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/drivers/media/platform/stm32/stm32-dcmi.c b/drivers/media/platform/stm32/stm32-dcmi.c
index d9b4ad0abf0c..ada0c01dc1b1 100644
--- a/drivers/media/platform/stm32/stm32-dcmi.c
+++ b/drivers/media/platform/stm32/stm32-dcmi.c
@@ -128,6 +128,7 @@ struct stm32_dcmi {
int sequence;
struct list_head buffers;
struct dcmi_buf *active;
+ int irq;
struct v4l2_device v4l2_dev;
struct video_device *vdev;
@@ -1752,6 +1753,14 @@ static int dcmi_graph_notify_complete(struct v4l2_async_notifier *notifier)
return ret;
}
+ ret = devm_request_threaded_irq(dcmi->dev, dcmi->irq, dcmi_irq_callback,
+ dcmi_irq_thread, IRQF_ONESHOT,
+ dev_name(dcmi->dev), dcmi);
+ if (ret) {
+ dev_err(dcmi->dev, "Unable to request irq %d\n", dcmi->irq);
+ return ret;
+ }
+
return 0;
}
@@ -1906,6 +1915,8 @@ static int dcmi_probe(struct platform_device *pdev)
irq = platform_get_irq(pdev, 0);
if (irq <= 0)
return irq ? irq : -ENXIO;
+
+ dcmi->irq = irq;
dcmi->res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
if (!dcmi->res) {
@@ -1919,14 +1930,6 @@ static int dcmi_probe(struct platform_device *pdev)
return PTR_ERR(dcmi->regs);
}
- ret = devm_request_threaded_irq(&pdev->dev, irq, dcmi_irq_callback,
- dcmi_irq_thread, IRQF_ONESHOT,
- dev_name(&pdev->dev), dcmi);
- if (ret) {
- dev_err(&pdev->dev, "Unable to request irq %d\n", irq);
- return ret;
- }
-
mclk = devm_clk_get(&pdev->dev, "mclk");
if (IS_ERR(mclk)) {
if (PTR_ERR(mclk) != -EPROBE_DEFER)
--
2.25.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* stm32: Potential NULL pointer dereference in dcmi_irq_thread()
@ 2021-05-27 15:06 ` Dmitriy Ulitin
0 siblings, 0 replies; 4+ messages in thread
From: Dmitriy Ulitin @ 2021-05-27 15:06 UTC (permalink / raw)
To: Hugues Fruchet, Mauro Carvalho Chehab, Maxime Coquelin, Alexandre Torgue
Cc: Dmitriy Ulitin, linux-media, linux-stm32, linux-arm-kernel,
linux-kernel, ldv-project, Alexey Khoroshilov
At the moment of enabling irq handling:
1922 ret = devm_request_threaded_irq(&pdev->dev, irq, dcmi_irq_callback,
1923 dcmi_irq_thread, IRQF_ONESHOT,
1924 dev_name(&pdev->dev), dcmi);
there is still uninitialized field sd_format of struct stm32_dcmi *dcmi.
If an interrupt occurs in the interval between the installation of the
interrupt handler and the initialization of this field, NULL pointer
dereference happens.
This field is dereferenced in the handler function without any check:
457 if (dcmi->sd_format->fourcc == V4L2_PIX_FMT_JPEG &&
458 dcmi->misr & IT_FRAME) {
The patch moves interrupt handler installation
after initialization of the sd_format field that happens in
dcmi_graph_notify_complete() via dcmi_set_default_fmt().
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Dmitriy Ulitin <ulitin@ispras.ru>
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
---
drivers/media/platform/stm32/stm32-dcmi.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/drivers/media/platform/stm32/stm32-dcmi.c b/drivers/media/platform/stm32/stm32-dcmi.c
index d9b4ad0abf0c..ada0c01dc1b1 100644
--- a/drivers/media/platform/stm32/stm32-dcmi.c
+++ b/drivers/media/platform/stm32/stm32-dcmi.c
@@ -128,6 +128,7 @@ struct stm32_dcmi {
int sequence;
struct list_head buffers;
struct dcmi_buf *active;
+ int irq;
struct v4l2_device v4l2_dev;
struct video_device *vdev;
@@ -1752,6 +1753,14 @@ static int dcmi_graph_notify_complete(struct v4l2_async_notifier *notifier)
return ret;
}
+ ret = devm_request_threaded_irq(dcmi->dev, dcmi->irq, dcmi_irq_callback,
+ dcmi_irq_thread, IRQF_ONESHOT,
+ dev_name(dcmi->dev), dcmi);
+ if (ret) {
+ dev_err(dcmi->dev, "Unable to request irq %d\n", dcmi->irq);
+ return ret;
+ }
+
return 0;
}
@@ -1906,6 +1915,8 @@ static int dcmi_probe(struct platform_device *pdev)
irq = platform_get_irq(pdev, 0);
if (irq <= 0)
return irq ? irq : -ENXIO;
+
+ dcmi->irq = irq;
dcmi->res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
if (!dcmi->res) {
@@ -1919,14 +1930,6 @@ static int dcmi_probe(struct platform_device *pdev)
return PTR_ERR(dcmi->regs);
}
- ret = devm_request_threaded_irq(&pdev->dev, irq, dcmi_irq_callback,
- dcmi_irq_thread, IRQF_ONESHOT,
- dev_name(&pdev->dev), dcmi);
- if (ret) {
- dev_err(&pdev->dev, "Unable to request irq %d\n", irq);
- return ret;
- }
-
mclk = devm_clk_get(&pdev->dev, "mclk");
if (IS_ERR(mclk)) {
if (PTR_ERR(mclk) != -EPROBE_DEFER)
--
2.25.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-05-27 16:33 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-27 15:06 [POTENTIAL BUG] stm32: Potential NULL pointer dereference in dcmi_irq_thread() Dmitriy Ulitin
2021-05-27 15:06 ` Dmitriy Ulitin
2021-05-27 15:06 ` Dmitriy Ulitin
2021-05-27 15:06 ` Dmitriy Ulitin
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.