From: Michael Tretter <m.tretter@pengutronix.de>
To: Yuri Savinykh <s02190703@gse.cs.msu.ru>
Cc: Pengutronix Kernel Team <kernel@pengutronix.de>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
ldv-project@linuxtesting.org
Subject: Re: [bug report] media: allegro: possible NULL pointer dereference.
Date: Tue, 11 May 2021 09:28:34 +0200 [thread overview]
Message-ID: <20210511072834.GC17882@pengutronix.de> (raw)
In-Reply-To: <20210508160455.86976-1-s02190703@gse.cs.msu.ru>
Hello Yuri,
On Sat, 08 May 2021 19:04:55 +0300, Yuri Savinykh wrote:
> At the moment of enabling irq handling:
>
> 3166 ret = devm_request_threaded_irq(&pdev->dev, irq,
> 3167 allegro_hardirq,
> 3168 allegro_irq_thread,
> 3169 IRQF_SHARED, dev_name(&pdev->dev), dev);
>
> there is still uninitialized field mbox_status of struct allegro_dev *dev.
> If an interrupt occurs in the interval between the installation of the
> interrupt handler and the initialization of this field, NULL pointer
> dereference happens.
>
> This field is dereferenced in the handler function without any check:
>
> 1801 static irqreturn_t allegro_irq_thread(int irq, void *data)
> 1802 {
> 1803 struct allegro_dev *dev = data;
> 1804
> 1805 allegro_mbox_notify(dev->mbox_status);
>
>
> and then:
>
> 752 static void allegro_mbox_notify(struct allegro_mbox *mbox)
> 753 {
> 754 struct allegro_dev *dev = mbox->dev;
>
> The initialization of the mbox_status field happens asynchronously in
> allegro_fw_callback() via allegro_mcu_hw_init().
>
> Is it guaranteed that an interrupt does not occur in this interval?
> If it is not, is it better to move interrupt handler installation
> after initialization of this field has been completed?
Thanks for the report. The interrupt is triggered by the firmware, which is
only loaded in allegro_fw_callback(), and is enabled only after the
initialization of mbox_status in allegro_mcu_hw_init():
3507 allegro_mcu_enable_interrupts(dev)
The interrupt handler is installed in probe(), because that's where all the
platform information is retrieved. Unfortunately, at that time, the driver is
not able to setup the mailboxes, because the mailbox configuration depends on
the firmware and is only known in allegro_fw_callback().
It might be interesting to tie the interrupt more closely to the mailboxes,
because it is actually only used to notify the driver about mails in the
mailbox, but that's something I have not yet considered worth the effort.
Michael
next prev parent reply other threads:[~2021-05-11 7:28 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-08 16:04 [bug report] media: allegro: possible NULL pointer dereference Yuri Savinykh
2021-05-11 7:28 ` Michael Tretter [this message]
2021-05-11 8:49 ` Lucas Stach
2021-05-11 9:08 ` Michael Tretter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210511072834.GC17882@pengutronix.de \
--to=m.tretter@pengutronix.de \
--cc=kernel@pengutronix.de \
--cc=ldv-project@linuxtesting.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=s02190703@gse.cs.msu.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).