From: Yuri Savinykh <s02190703@gse.cs.msu.ru>
To: Michael Tretter <m.tretter@pengutronix.de>
Cc: Yuri Savinykh <s02190703@gse.cs.msu.ru>,
Pengutronix Kernel Team <kernel@pengutronix.de>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
ldv-project@linuxtesting.org
Subject: [bug report] media: allegro: possible NULL pointer dereference.
Date: Sat, 8 May 2021 19:04:55 +0300
Message-ID: <20210508160455.86976-1-s02190703@gse.cs.msu.ru>

Hello,
At the moment of enabling irq handling:

    ret = devm_request_threaded_irq(&pdev->dev, irq,
                                    allegro_hardirq,
                                    allegro_irq_thread,
                                    IRQF_SHARED, dev_name(&pdev->dev), dev);

the field mbox_status of struct allegro_dev *dev is still uninitialized.
If an interrupt occurs in the interval between the installation of the
interrupt handler and the initialization of this field, a NULL pointer
dereference happens.
This field is dereferenced in the handler function without any check:

    static irqreturn_t allegro_irq_thread(int irq, void *data)
    {
        struct allegro_dev *dev = data;

        allegro_mbox_notify(dev->mbox_status);

and then:

    static void allegro_mbox_notify(struct allegro_mbox *mbox)
    {
        struct allegro_dev *dev = mbox->dev;

The initialization of the mbox_status field happens asynchronously in
allegro_fw_callback() via allegro_mcu_hw_init().

Is it guaranteed that an interrupt does not occur in this interval?
If it is not, would it be better to move the interrupt handler installation
until after the initialization of this field has completed?

Found by Linux Driver Verification project (linuxtesting.org).
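The ordering hazard described in the report, as an added user-space model that is not the allegro driver's code: the "interrupt" is a plain function call, the NULL dereference in the unchecked handler is reported as a FAULT return instead of a crash, and the checked handler is a hypothetical defensive variant, not the driver's actual fix.

```c
/* Added example, not code from the allegro driver: models the probe ordering
 * the report describes. The unchecked handler returns FAULT where the real
 * code would oops, so the outcome of each ordering can be asserted on. */
#include <stdbool.h>
#include <stddef.h>

enum { IRQ_NONE = 0, IRQ_HANDLED = 1, FAULT = -1 };

struct allegro_mbox { int notify_count; };

struct allegro_dev {
    struct allegro_mbox *mbox_status;  /* set later by the firmware callback */
};

/* Mirrors the handler quoted in the report: no check before dereferencing. */
static int irq_thread_unchecked(struct allegro_dev *dev)
{
    if (dev->mbox_status == NULL)
        return FAULT;                  /* the real driver would oops here */
    dev->mbox_status->notify_count++;
    return IRQ_HANDLED;
}

/* Defensive variant (hypothetical, not the driver's fix): a shared-IRQ
 * handler that ignores interrupts arriving before the mailbox exists. */
static int irq_thread_checked(struct allegro_dev *dev)
{
    if (dev->mbox_status == NULL)
        return IRQ_NONE;
    dev->mbox_status->notify_count++;
    return IRQ_HANDLED;
}

/* Simulate probe with the IRQ requested before or after mailbox init, and
 * one interrupt delivered as soon as the line is live. Returns its result. */
static int simulate_probe(bool request_irq_first,
                          int (*handler)(struct allegro_dev *))
{
    struct allegro_mbox mbox = { 0 };
    struct allegro_dev dev = { NULL };
    int result;
    if (request_irq_first) {
        result = handler(&dev);    /* interrupt lands in the window */
        dev.mbox_status = &mbox;   /* allegro_mcu_hw_init() completes */
    } else {
        dev.mbox_status = &mbox;   /* init first, then request the IRQ */
        result = handler(&dev);    /* interrupt after init: safe */
    }
    return result;
}
```

Requesting the IRQ first with the unchecked handler yields FAULT; either initializing first or tolerating a NULL mailbox in the handler closes the window.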
Thread overview:
2021-05-08 16:04 Yuri Savinykh [this message]
2021-05-11 07:28 [bug report] media: allegro: possible NULL pointer dereference - Michael Tretter
2021-05-11 08:49 Lucas Stach
2021-05-11 09:08 Michael Tretter