From: sashiko-bot@kernel.org
To: "Alain Volmat" <alain.volmat@foss.st.com>
Cc: linux-media@vger.kernel.org
Subject: Re: [PATCH v2 02/13] media: stm32: dcmipp: make dcmipp_state & cmsr2 read common
Date: Tue, 02 Jun 2026 13:38:22 +0000
Message-ID: <20260602133822.82FD51F00893@smtp.kernel.org>
In-Reply-To: <20260602-stm32-dcmipp-pixel-pipes-support-v2-2-3c76b5f93157@foss.st.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] The interrupt handler `dcmipp_irq_callback` is subject to a teardown and initialization lifecycle mismatch that causes a NULL pointer dereference during probe and a Use-After-Free during removal.
--

commit 57156bb8e4502a74fba0baeca5a498fc6151d274
Author: Alain Volmat <alain.volmat@foss.st.com>

media: stm32: dcmipp: make dcmipp_state & cmsr2 read common

This commit moves the dcmipp_state enum into a common header and centralizes
the reading of the CMSR2 interrupt status register. The core interrupt
handler now reads the register and shares the value with each subdevice.

> diff --git a/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c b/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c
> index dd784cfcaac82..b06a4931ae951 100644
> --- a/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c
> +++ b/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c
[ ... ]
> @@ -251,10 +253,15 @@ static irqreturn_t dcmipp_irq_callback(int irq, void *arg)
>  	struct dcmipp_ent_device *ved;
>  	irqreturn_t ret = IRQ_HANDLED;
>  	unsigned int i;
> +	u32 cmsr2;
> +
> +	/* Centralized read of CMSR2 */
> +	cmsr2 = reg_read(dcmipp, DCMIPP_CMSR2);
>  
>  	/* Call irq handler of each entities of pipeline */
>  	for (i = 0; i < dcmipp->pipe_cfg->num_ents; i++) {
>  		ved = dcmipp->entity[i];
> +		ved->cmsr2 = cmsr2;

[Severity: High]
This is a pre-existing issue, but does this create a risk of a NULL pointer
dereference during probe or a use-after-free during removal?

In dcmipp_probe(), devm_request_threaded_irq() is called and unmasks the IRQ
before the dcmipp->entity array is allocated via devm_kcalloc():

	ret = devm_request_threaded_irq(&pdev->dev, irq, dcmipp_irq_callback,
					dcmipp_irq_thread, IRQF_ONESHOT,
					dev_name(&pdev->dev), dcmipp);
	...
	dcmipp->entity = devm_kcalloc(&pdev->dev, dcmipp->pipe_cfg->num_ents,
				      ...);

If an interrupt fires immediately, dcmipp->entity will be NULL, causing a crash
when evaluating dcmipp->entity[i].

Similarly, in dcmipp_remove(), the subdevice entities are released and their
memory freed while the devres-managed IRQ is still active:

	for (i = 0; i < dcmipp->pipe_cfg->num_ents; i++)
		dcmipp->pipe_cfg->ents[i].release(dcmipp->entity[i]);

If a spurious interrupt fires during or after this teardown loop, could this
assignment to ved->cmsr2 corrupt freed memory?

>  		if (ved->handler)
>  			ved->handler_ret = ved->handler(irq, ved);
>  		else if (ved->thread_fn)
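
Review bot: The store `ved->cmsr2 = cmsr2;` inside the loop copies the same register value into every entity on each interrupt, even for an entity that has neither a `handler` nor a `thread_fn`, and the comment `/* Centralized read of CMSR2 */` only restates the code. Consider keeping the snapshot in one place outside the loop if the subdevice handlers can reach it. Otherwise, document on the field that it is a per-interrupt snapshot written here in hard-IRQ context, so that `ved->handler` and `ved->thread_fn` implementations know to use it instead of reading DCMIPP_CMSR2 again.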

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260602-stm32-dcmipp-pixel-pipes-support-v2-0-3c76b5f93157@foss.st.com?part=2
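
An added userspace model of the ordering problem the review describes, not code from the patch or the dcmipp driver; every name in it is hypothetical. It assumes the remedy is to let the handler run only while the entity array is valid, which the message itself does not spell out.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model with hypothetical names, not code from the dcmipp driver. */
#define NUM_ENTS 3
struct ent { unsigned int cmsr2; };
struct dev {
	bool irq_live;       /* models the IRQ being requested and unmasked */
	struct ent *entity;  /* NULL before allocation and after release */
};
enum irq_result { IRQ_IGNORED, IRQ_OK, IRQ_WOULD_FAULT };
static struct ent pool[NUM_ENTS];  /* stands in for the allocated entities */

/* Models the handler loop; reports a fault instead of touching bad memory. */
static enum irq_result fire_irq(struct dev *d, unsigned int status)
{
	if (!d->irq_live)
		return IRQ_IGNORED;
	if (!d->entity)
		return IRQ_WOULD_FAULT;
	for (size_t i = 0; i < NUM_ENTS; i++)
		d->entity[i].cmsr2 = status;
	return IRQ_OK;
}

static enum irq_result worst(enum irq_result a, enum irq_result b)
{
	return a > b ? a : b;
}

/* Runs probe then remove, firing a constructed interrupt after every step. */
static enum irq_result lifecycle(bool irq_outlives_entities)
{
	struct dev d = { false, NULL };
	enum irq_result w = IRQ_IGNORED;

	if (irq_outlives_entities) d.irq_live = true;   /* probe: IRQ first */
	w = worst(w, fire_irq(&d, 0x1));
	d.entity = pool;                                /* entities allocated */
	if (!irq_outlives_entities) d.irq_live = true;  /* probe: IRQ last */
	w = worst(w, fire_irq(&d, 0x2));
	if (!irq_outlives_entities) d.irq_live = false; /* remove: quiesce first */
	d.entity = NULL;                                /* entities released */
	w = worst(w, fire_irq(&d, 0x4));
	d.irq_live = false;  /* models the managed IRQ going away after remove */
	return w;
}

int main(void) { return lifecycle(false) == IRQ_OK ? 0 : 1; }
```

`lifecycle(true)` follows the order quoted in the review and reports a fault; `lifecycle(false)` keeps the interrupt inside the lifetime of the entities and does not.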
