Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp203611pxf;
        Thu, 8 Apr 2021 00:42:15 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyZsFNinNFDiy+J9k8RM4F0eU/aXXMNomnM3aflqx6zV4G7cfxkaHxawPRIbJFO3N3Udj+d
X-Received: by 2002:a17:902:b107:b029:e8:e30c:5cb4 with SMTP id q7-20020a170902b107b02900e8e30c5cb4mr6635636plr.63.1617867735374;
        Thu, 08 Apr 2021 00:42:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1617867735; cv=none;
        d=google.com; s=arc-20160816;
        b=twvBBEqbbVoZ+bcWNdnn3cF0tcx9ns0sZdx2K9qCsCAd6Y8znl1bEMiM6P+k5cl/h0
         EuNYAAUt7Q7f8YSmSK5wwg61wEPYw7akxkTPwIUhCmiFPsLFql0WhQkffRpN/aBPZvl3
         OIKjXBSre9ZP5K73NDCU0ophXqBxPO6BNYvUxNujioig1SVNN+eUesDTbQfdYf2RGYhq
         3QdyOPb4GFIKKmbVx5h/fW/Nk/3pYPkvAJFWi/dbza1G/v6ujzeDiWRNpjNqq4/NqxHZ
         wtKW+8cbk8czvNhTZgIWkRL4LFfjFjM/8nomD42ThTAo+vjFkW3LXGQ/lzA7EBw31e9d
         ixjg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:to:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:from
         :dkim-signature;
        bh=/iFn3/Xw+GuLONd7O7BBGJtajWlm1ebWqKUTRTYbNmk=;
        b=US/4hzrW5bo5cOtgi48Y3M6yok4Mj1rL41kbmRmqj3kvUSAFJV7rg6+8LaAQ+g8KA8
         lOvyDMtqksp3zX2ZC++r0T6vcV26/odoAwqSsRNnsQ3cOtEeVLiPg2w5WKFIOX0yWIDE
         VrXrc2FL6pXNyHhb8HqkCAJgpgppwJsq1AJtd/j+K2bRFgM6D0mGHCXhyDYmCC4LrL85
         9gndBXb9NIkdQbGje3dErIJ/CyImV0lgFUsY2I2hBI7BYmkDoKA3NR1G+HrewWMIa+mB
         XoF9kS3UIc8EFZdgUEphcV7Ma3kYilJR5ihC3kFKq+MOTkqhV+o6g5du5hfen3LadiUg
         xnjw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@kernel.org header.s=k20201202 header.b=LzSMqZbJ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id l1si27252435plt.82.2021.04.08.00.42.03;
        Thu, 08 Apr 2021 00:42:15 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@kernel.org header.s=k20201202 header.b=LzSMqZbJ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230329AbhDHHk3 (ORCPT <rfc822;linux.s.jambekar@gmail.com>
        + 99 others); Thu, 8 Apr 2021 03:40:29 -0400
Received: from mail.kernel.org ([198.145.29.99]:53600 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S229566AbhDHHkT (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 8 Apr 2021 03:40:19 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id 589A461155;
        Thu,  8 Apr 2021 07:40:08 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1617867608;
        bh=K40uSsuCJ5wtmzix6+AZWZGkHxgr6P49paxJVnSNP8E=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=LzSMqZbJsrAmXiB+7CKXvwOFpqF4CVz6an0EEj36Ih0xR2jiYTaojdaU+/Aue4MmP
         ZDhIH3CV2U1lx1GxNCdfNDq5xHeSydqeZFF9gHACf6D2/NBZZoTN4lL2HQHursLwzF
         2gAM3GR38yiTcJscrsXzIZK0FEWPWz55pqsnP86depi/5jL1/pLoAZCqo8ZrQJVDBK
         4EmKNozUE8+KX1kCEwvKDmiiFHJCPht0VUUwzPZQo7A2+tIXf6zL3RLxMnMHTow+Pl
         W4zOBo0XwwwE9amJ5udA9p/+Ooen+obokCNtdypjlFscmm+gQ0XIxJ406FGj5dHIrU
         XYziezcGuPivQ==
Received: by mail.kernel.org with local (Exim 4.94)
        (envelope-from <mchehab@kernel.org>)
        id 1lUPGo-000jU2-0N; Thu, 08 Apr 2021 09:40:06 +0200
From:   Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Cc:     linuxarm@huawei.com, mauro.chehab@huawei.com,
        Mauro Carvalho Chehab <mchehab+huawei@kernel.org>,
        Andy Gross <agross@kernel.org>,
        Bjorn Andersson <bjorn.andersson@linaro.org>,
        Mauro Carvalho Chehab <mchehab@kernel.org>,
        Stanimir Varbanov <stanimir.varbanov@linaro.org>,
        linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org,
        linux-media@vger.kernel.org
Subject: [PATCH 3/3] media: venus: don't de-reference NULL pointers at IRQ time
Date:   Thu,  8 Apr 2021 09:40:04 +0200
Message-Id: <73570a5dfe7b3411d256367d4a2a02169aa9b900.1617867599.git.mchehab+huawei@kernel.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <b6f139947e93fec1ade5faf3517dfb2b3b9bcd41.1617867599.git.mchehab+huawei@kernel.org>
References: <b6f139947e93fec1ade5faf3517dfb2b3b9bcd41.1617867599.git.mchehab+huawei@kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: Mauro Carvalho Chehab <mchehab@kernel.org>
To:     unlisted-recipients:; (no To-header on input)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Smatch is warning that:
	drivers/media/platform/qcom/venus/hfi_venus.c:1100 venus_isr() warn: variable dereferenced before check 'hdev' (see line 1097)

The logic basically does:
	hdev = to_hfi_priv(core);

with is translated to:
	hdev = core->priv;

If the IRQ code can receive a NULL pointer for hdev, there's
a bug there, as it will first try to de-reference the pointer,
and then check if it is null.

After looking at the code, it seems that this indeed can happen:
Basically, the venus IRQ thread is started with:
	devm_request_threaded_irq()
So, it will only be freed after the driver unbinds.

In order to prevent the IRQ code to work with freed data,
the logic at venus_hfi_destroy() sets core->priv to NULL,
which would make the IRQ code to ignore any pending IRQs.

There is, however a race condition, as core->priv is set
to NULL only after being freed. So, we need also to move the
core->priv = NULL to happen earlier.

Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
---
 drivers/media/platform/qcom/venus/hfi_venus.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/media/platform/qcom/venus/hfi_venus.c b/drivers/media/platform/qcom/venus/hfi_venus.c
index cebb20cf371f..ce98c523b3c6 100644
--- a/drivers/media/platform/qcom/venus/hfi_venus.c
+++ b/drivers/media/platform/qcom/venus/hfi_venus.c
@@ -1094,12 +1094,15 @@ static irqreturn_t venus_isr(struct venus_core *core)
 {
 	struct venus_hfi_device *hdev = to_hfi_priv(core);
 	u32 status;
-	void __iomem *cpu_cs_base = hdev->core->cpu_cs_base;
-	void __iomem *wrapper_base = hdev->core->wrapper_base;
+	void __iomem *cpu_cs_base;
+	void __iomem *wrapper_base;
 
 	if (!hdev)
 		return IRQ_NONE;
 
+	cpu_cs_base = hdev->core->cpu_cs_base;
+	wrapper_base = hdev->core->wrapper_base;
+
 	status = readl(wrapper_base + WRAPPER_INTR_STATUS);
 	if (IS_V6(core)) {
 		if (status & WRAPPER_INTR_STATUS_A2H_MASK ||
@@ -1650,10 +1653,10 @@ void venus_hfi_destroy(struct venus_core *core)
 {
 	struct venus_hfi_device *hdev = to_hfi_priv(core);
 
+	core->priv = NULL;
 	venus_interface_queues_release(hdev);
 	mutex_destroy(&hdev->lock);
 	kfree(hdev);
-	core->priv = NULL;
 	core->ops = NULL;
 }
 
-- 
2.30.2