From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dmitriy Ulitin
To: Hugues Fruchet, Mauro Carvalho Chehab, Maxime Coquelin, Alexandre Torgue
Cc: Dmitriy Ulitin, linux-media@vger.kernel.org, linux-stm32@st-md-mailman.stormreply.com, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org
Subject: [POTENTIAL BUG] stm32: Potential NULL pointer dereference in dcmi_irq_thread()
Date: Thu, 27 May 2021 18:06:25 +0300
Message-Id: <20210527150627.12995-1-ulitin@ispras.ru>
X-Mailer: git-send-email 2.25.1

At the moment of enabling irq handling:

1922 ret = devm_request_threaded_irq(&pdev->dev, irq, dcmi_irq_callback,
1923                                 dcmi_irq_thread, IRQF_ONESHOT,
1924                                 dev_name(&pdev->dev), dcmi);

the field sd_format of struct stm32_dcmi *dcmi is still uninitialized.
If an interrupt occurs in the interval between the installation of the
interrupt handler and the initialization of this field, a NULL pointer
dereference happens.

This field is dereferenced in the handler function without any check:

457 if (dcmi->sd_format->fourcc == V4L2_PIX_FMT_JPEG &&
458     dcmi->misr & IT_FRAME) {

The initialization of the sd_format field happens in
dcmi_graph_notify_complete() via dcmi_set_default_fmt().

Is it guaranteed that an interrupt does not occur in this interval?
If it is not, would it be better to move the interrupt handler installation
after the initialization of this field has been completed?

Found by Linux Driver Verification project (linuxtesting.org).
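The window the report describes, as a constructed user-space model added here (it is not the stm32-dcmi driver's code): the struct layout, the IT_FRAME value and the two probe sequences are assumptions that keep only the shape of the problem, and the handler carries the NULL guard that the quoted check lacks so the early interrupt can be observed instead of crashing.

```c
/*
 * Constructed model of the ordering problem in the report above.
 * Not the stm32-dcmi driver's code: the struct, IT_FRAME value and probe
 * sequences are stand-ins that keep only the shape the report describes.
 */
#include <stddef.h>
#include <stdint.h>

#define V4L2_PIX_FMT_JPEG 0x4745504Au   /* v4l2 fourcc 'JPEG' */
#define IT_FRAME          (1u << 1)     /* assumed value; only the bit test matters */

struct dcmi_format { uint32_t fourcc; };

struct stm32_dcmi {
    const struct dcmi_format *sd_format;  /* NULL until dcmi_set_default_fmt() runs */
    uint32_t misr;                        /* masked status latched by the hard IRQ */
};

enum irq_outcome { IRQ_WOULD_NULL_DEREF = -1, IRQ_PLAIN_FRAME = 0, IRQ_JPEG_FRAME = 1 };

/* Threaded handler with the check the report quotes, plus an explicit guard:
 * without the guard, dcmi->sd_format->fourcc on a NULL sd_format is the oops. */
int model_irq_thread(const struct stm32_dcmi *dcmi)
{
    if (!dcmi->sd_format)
        return IRQ_WOULD_NULL_DEREF;
    if (dcmi->sd_format->fourcc == V4L2_PIX_FMT_JPEG && (dcmi->misr & IT_FRAME))
        return IRQ_JPEG_FRAME;
    return IRQ_PLAIN_FRAME;
}

/* Probe ordering as in the report: IRQ requested first, an interrupt lands in
 * the window, sd_format is set afterwards. Returns what the early IRQ saw. */
int probe_irq_before_fmt(struct stm32_dcmi *dcmi, const struct dcmi_format *fmt)
{
    dcmi->sd_format = NULL;              /* state right after devm_request_threaded_irq() */
    dcmi->misr = IT_FRAME;
    int early = model_irq_thread(dcmi);  /* interrupt fires before the field exists */
    dcmi->sd_format = fmt;               /* dcmi_set_default_fmt() happens too late */
    return early;
}

/* Reordered probe: default format set before the handler can run. */
int probe_fmt_before_irq(struct stm32_dcmi *dcmi, const struct dcmi_format *fmt)
{
    dcmi->sd_format = fmt;
    dcmi->misr = IT_FRAME;
    return model_irq_thread(dcmi);
}
```

In the real driver the guard alone is a defensive fallback; requesting the IRQ only after dcmi_set_default_fmt() has run removes the window itself.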