2021-08-19 15:52:33

by Nadezda Lutovinova

Subject: [PATCH] usb: dwc3: imx8mp: request irq after initializing dwc3

If IRQ occurs between calling devm_request_threaded_irq() and
initializing dwc3_imx->dwc3, then null pointer dereference occurs
since dwc3_imx->dwc3 is used in dwc3_imx8mp_interrupt().

The patch puts registration of the interrupt handler after
initializing of neccesery data.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Nadezda Lutovinova <[email protected]>
---
drivers/usb/dwc3/dwc3-imx8mp.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/usb/dwc3/dwc3-imx8mp.c b/drivers/usb/dwc3/dwc3-imx8mp.c
index 756faa46d33a..d328d20abfbc 100644
--- a/drivers/usb/dwc3/dwc3-imx8mp.c
+++ b/drivers/usb/dwc3/dwc3-imx8mp.c
@@ -152,13 +152,6 @@ static int dwc3_imx8mp_probe(struct platform_device *pdev)
}
dwc3_imx->irq = irq;

- err = devm_request_threaded_irq(dev, irq, NULL, dwc3_imx8mp_interrupt,
- IRQF_ONESHOT, dev_name(dev), dwc3_imx);
- if (err) {
- dev_err(dev, "failed to request IRQ #%d --> %d\n", irq, err);
- goto disable_clks;
- }
-
pm_runtime_set_active(dev);
pm_runtime_enable(dev);
err = pm_runtime_get_sync(dev);
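Review bot: with the request removed from just after dwc3_imx->irq = irq, the pm_runtime_set_active()/pm_runtime_enable()/pm_runtime_get_sync() calls in the trailing context now run before the handler is registered, so please confirm that nothing reached from those calls expects dwc3_imx->irq to be requested already. The commit message would also benefit from a Fixes: tag naming the commit that introduced the early request, since this closes a NULL pointer dereference in dwc3_imx8mp_interrupt() and is a candidate for stable.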
@@ -186,6 +179,13 @@ static int dwc3_imx8mp_probe(struct platform_device *pdev)
}
of_node_put(dwc3_np);

+ err = devm_request_threaded_irq(dev, irq, NULL, dwc3_imx8mp_interrupt,
+ IRQF_ONESHOT, dev_name(dev), dwc3_imx);
+ if (err) {
+ dev_err(dev, "failed to request IRQ #%d --> %d\n", irq, err);
+ goto depopulate;
+ }
+
device_set_wakeup_capable(dev, true);
pm_runtime_put(dev);

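Review bot: the new failure branch uses goto depopulate and is taken before the pm_runtime_put(dev) in the trailing context, so the depopulate label (not visible in this hunk) has to drop the reference taken by pm_runtime_get_sync() as well as undo the child population; please confirm that it does, because the old branch went to disable_clks at a point where no runtime PM reference was held. A one-line comment above the devm_request_threaded_irq() call saying that it must stay after dwc3_imx->dwc3 is initialized, because dwc3_imx8mp_interrupt() dereferences it, would keep a later reordering from reintroducing the race.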
--
2.17.1


2021-08-19 20:18:14

by Fabio Estevam

Subject: Re: [PATCH] usb: dwc3: imx8mp: request irq after initializing dwc3

Hi Nadezda,

On Thu, Aug 19, 2021 at 12:48 PM Nadezda Lutovinova
<[email protected]> wrote:
>
> If IRQ occurs between calling devm_request_threaded_irq() and
> initializing dwc3_imx->dwc3, then null pointer dereference occurs
> since dwc3_imx->dwc3 is used in dwc3_imx8mp_interrupt().
>
> The patch puts registration of the interrupt handler after
> initializing of neccesery data.

"necessary"

> Found by Linux Driver Verification project (linuxtesting.org).
>
> Signed-off-by: Nadezda Lutovinova <[email protected]>

Reviewed-by: Fabio Estevam <[email protected]>

2021-08-20 10:08:04

by Felipe Balbi

Subject: Re: [PATCH] usb: dwc3: imx8mp: request irq after initializing dwc3


Nadezda Lutovinova <[email protected]> writes:

> If IRQ occurs between calling devm_request_threaded_irq() and
> initializing dwc3_imx->dwc3, then null pointer dereference occurs
> since dwc3_imx->dwc3 is used in dwc3_imx8mp_interrupt().
>
> The patch puts registration of the interrupt handler after
> initializing of neccesery data.
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> Signed-off-by: Nadezda Lutovinova <[email protected]>

Acked-by: Felipe Balbi <[email protected]>

--
balbi