From: Felipe Balbi
To: Pavel Andrianov
Cc: Michal Nazarewicz, linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org, Vaishali Thakkar
Subject: Re: A potential bug in drivers/usb/gadget/udc/m66592-udc.ko
Date: Thu, 08 Sep 2016 15:04:15 +0300
Message-ID: <87lgz2ha2o.fsf@linux.intel.com>
In-Reply-To: <7e61bfab-513e-da45-acd6-f3f3998d46e6@ispras.ru>

Hi,

Pavel Andrianov writes:
> Hi!
>
> There is a potential bug in drivers/usb/gadget/udc/m66592-udc.ko.
> In m66592_probe interrupts are requested at line 1612. After that
> initialization of common resources is continued. For example, in
>
> -> usb_add_gadget_udc (line 1678)
>   -> usb_add_gadget_udc_release
>     -> udc_bind_to_driver
>       -> usb_gadget_udc_start
>         -> m66592_udc_start
>
> m66592->driver is set. In interrupt handler the data is used, thus if
> interrupt comes before udc_start is executed, null pointer dereference
> occurs.
> Should the call of request_irq be after complete initialization?

interrupts will only fire after we connect data pullups, that's done by
->pullup() method waaaaaaaay later ;-)

-- 
balbi
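
The ordering discussed in this thread, as an added userspace model in C; it is not part of the original mail and not the m66592 driver's code. All names (`udc_model`, `model_irq`, `bus_event`, `force`) are hypothetical, and the NULL check in the handler is an assumed defensive pattern, not something the thread proposes.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the probe ordering; not the driver's real structures. */
struct gadget_driver { int (*setup)(void); };

struct udc_model {
    bool irq_requested;            /* probe: stands in for request_irq()   */
    struct gadget_driver *driver;  /* set later by the udc_start step      */
    bool pullup_connected;         /* set last by the ->pullup() step      */
    int delivered;                 /* events handed to the gadget driver   */
};

enum irq_result { IRQ_NOT_RAISED, IRQ_DROPPED_NO_DRIVER, IRQ_DELIVERED };

static int demo_setup(void) { return 0; }
static struct gadget_driver demo_driver = { demo_setup };

static void model_probe(struct udc_model *u) { u->irq_requested = true; }
static void model_udc_start(struct udc_model *u, struct gadget_driver *d) { u->driver = d; }
static void model_pullup(struct udc_model *u, bool on) { u->pullup_connected = on; }

/* Handler: refuses to touch u->driver until the start step has set it. */
static enum irq_result model_irq(struct udc_model *u)
{
    if (u->driver == NULL)
        return IRQ_DROPPED_NO_DRIVER;  /* would be the NULL dereference */
    u->driver->setup();
    u->delivered++;
    return IRQ_DELIVERED;
}

/* Bus activity reaches the handler only once the pullup is connected (the
 * reply's point); force=true models the report's case of an interrupt that
 * arrives anyway, before the start step has run. */
static enum irq_result bus_event(struct udc_model *u, bool force)
{
    if (!u->irq_requested || (!u->pullup_connected && !force))
        return IRQ_NOT_RAISED;
    return model_irq(u);
}

int main(void)
{
    struct udc_model u = {0};
    model_probe(&u);                     /* IRQ line requested, driver NULL */
    model_udc_start(&u, &demo_driver);   /* driver pointer now valid        */
    model_pullup(&u, true);              /* host can see the device         */
    return bus_event(&u, false) == IRQ_DELIVERED ? 0 : 1;
}
```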