From: Andy Shevchenko <andriy.shevchenko@intel.com>
To: Maxwell Doose <m32285159@gmail.com>
Cc: "Jonathan Cameron" <jic23@kernel.org>,
	"David Lechner" <dlechner@baylibre.com>,
	"Nuno Sá" <nuno.sa@analog.com>,
	"Andy Shevchenko" <andy@kernel.org>,
	"Vladimir Zapolskiy" <vz@mleia.com>,
	"Piotr Wojtaszczyk" <piotr.wojtaszczyk@timesys.com>,
	"Hartmut Knaack" <knaack.h@gmx.de>,
	"open list:IIO SUBSYSTEM AND DRIVERS" <linux-iio@vger.kernel.org>,
	"moderated list:ARM/LPC32XX SOC SUPPORT"
	<linux-arm-kernel@lists.infradead.org>,
	"open list" <linux-kernel@vger.kernel.org>,
	"Sangyun Kim" <sangyun.kim@snu.ac.kr>,
	"Kyungwook Boo" <bookyungwook@gmail.com>,
	"Jaeyoung Chung" <jjy600901@snu.ac.kr>
Subject: Re: [PATCH 0/2] iio: adc: Initialize completions before requesting IRQs
Date: Mon, 15 Jun 2026 17:11:11 +0300
Message-ID: <ajAH_xKO5NXOB3-R@ashevche-desk.local>
In-Reply-To: <20260613005812.160572-1-m32285159@gmail.com>

On Fri, Jun 12, 2026 at 07:58:09PM -0500, Maxwell Doose wrote:
> Hi all,
> 
> This short patch series fixes the issues raised by Jaeyoung Chung,
> Sangyun Kim, and Kyungwook Boo regarding init_completion() and spurious
> IRQs. The report is linked below [1], but I will also put it here
> inline:
> 
> "lpc32xx_adc_probe() in drivers/iio/adc/lpc32xx_adc.c and
> spear_adc_probe() in drivers/iio/adc/spear_adc.c register their
> interrupt handler with devm_request_irq() before they initialize
> st->completion with init_completion(). If an interrupt arrives after
> devm_request_irq() and before init_completion(), the handler calls
> complete() on an uninitialized completion, causing a kernel panic.
> 
> The probe path, in lpc32xx_adc_probe():
> 
>     iodev = devm_iio_device_alloc(&pdev->dev, sizeof(*st)); /* st kzalloc-zeroed */
>     ...
>     retval = devm_request_irq(&pdev->dev, irq, lpc32xx_adc_isr, 0,
>                               LPC32XXAD_NAME, st);           /* register handler */
>     ...
>     init_completion(&st->completion);                       /* initialize completion */
> 
> spear_adc_probe() has the same ordering: devm_request_irq() for
> spear_adc_isr() before init_completion(&st->completion).
> 
> Both interrupt handlers, lpc32xx_adc_isr() and spear_adc_isr(), call
> complete():
> 
>     complete(&st->completion);
> 
> If the device raises an interrupt before init_completion() runs,
> complete() acquires the uninitialized wait.lock and walks the zeroed
> task_list in swake_up_locked(). The zeroed task_list makes list_empty()
> return false, so swake_up_locked() dereferences a NULL list entry,
> triggering a KASAN wild-memory-access.
> 
> Suggested fix: move init_completion(&st->completion) above
> devm_request_irq(), so the completion is valid before the handler can run.
> 
> Reported-by: Sangyun Kim <sangyun.kim@snu.ac.kr>
> Reported-by: Kyungwook Boo <bookyungwook@gmail.com>"

Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>

-- 
With Best Regards,
Andy Shevchenko
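
An added example, not part of the thread or of either driver: a userspace C model of the ordering bug in the quoted report, showing why a zeroed list head is not an empty list and why initializing the completion before registering the handler is safe. The `*_model` names, `enum wake_result` and `probe_model()` are hypothetical simplifications, not kernel APIs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Userspace model of the kernel's circular list head (same field names). */
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }

/* Simplified stand-in for struct completion: done counter plus waiter list. */
struct completion_model { unsigned int done; struct list_head task_list; };

static void init_completion_model(struct completion_model *c)
{
	c->done = 0;
	INIT_LIST_HEAD(&c->task_list);
}

enum wake_result { WAKE_NO_WAITERS, WAKE_WOKE_WAITER, WAKE_WOULD_DEREF_NULL };

/* Models the wake-up path of complete(): the real code dereferences the
 * first list entry when the list is non-empty; here we report it instead. */
static enum wake_result complete_model(struct completion_model *c)
{
	c->done++;
	if (list_empty(&c->task_list))          /* true only when next == head */
		return WAKE_NO_WAITERS;
	if (c->task_list.next == NULL)          /* zeroed head: not "empty" */
		return WAKE_WOULD_DEREF_NULL;
	return WAKE_WOKE_WAITER;
}

/* Probe ordering; irq_fires_early models an IRQ right after registration. */
static enum wake_result probe_model(bool init_before_irq, bool irq_fires_early)
{
	struct completion_model st;
	enum wake_result r = WAKE_NO_WAITERS;

	memset(&st, 0, sizeof(st));             /* like the zeroed private data */
	if (init_before_irq)
		init_completion_model(&st);     /* fixed ordering */
	if (irq_fires_early)                    /* handler is registered here */
		r = complete_model(&st);
	if (!init_before_irq)
		init_completion_model(&st);     /* original ordering: too late */
	return r;
}

int main(void) { return probe_model(true, true) == WAKE_NO_WAITERS ? 0 : 1; }
```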
