[PATCH] Avoid potential NULL deref in irq_set_irq_wake()

[PATCH] Avoid potential NULL deref in irq_set_irq_wake()

[Jesper Juhl]

In kernel/irq/manage.c::irq_set_irq_wake() we call irq_get_desc_buslock() 
which may return NULL (it calls into 
__irq_get_desc_lock()-->irq_to_desc()-->radix_tree_lookup()-->radix_tree_lookup_element() 
which can return NULL in a number of different situations). If it does 
we'll dereference a NULL pointer - *Boom*.

irq_set_irq_wake() has lots of callers - I checked a few and I couldn't 
find anything that guarantees that they won't call it with some input that 
will cause irq_get_desc_buslock() to return NULL, so I think it's a good 
thing to test and -EINVAL was the most sane error code in this situation 
that I could think of.

Not all callers test the return value of irq_set_irq_wake(), but those 
that do take != 0 to mean error as far as I can see, so they should be 
fine. I guess those that don't test actually should, but that's a 
different issue.

Feedback welcome.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
---
 manage.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

 Found by the Coverity checker.
 Untested except for build test.

diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
index d64bafb..b42c15c 100644
--- a/kernel/irq/manage.c
+++ b/kernel/irq/manage.c
@@ -488,8 +488,11 @@ static int set_irq_wake_real(unsigned int irq, unsigned int on)
 int irq_set_irq_wake(unsigned int irq, unsigned int on)
 {
 	unsigned long flags;
-	struct irq_desc *desc = irq_get_desc_buslock(irq, &flags);
 	int ret = 0;
+	struct irq_desc *desc = irq_get_desc_buslock(irq, &flags);
+
+	if (!desc)
+		return -EINVAL;
 
 	/* wakeup-capable irqs can be shared between drivers that
 	 * don't need to have the same sleep mode behaviors.


-- 
Jesper Juhl <jj@chaosbits.net>       http://www.chaosbits.net/
Don't top-post http://www.catb.org/jargon/html/T/top-post.html
Plain text mails only, please.

[tip:irq/urgent] genirq: Prevent potential NULL dereference in irq_set_irq_wake()

[tip-bot for Jesper Juhl]

Commit-ID:  13863a66c9c8a663665445cf05d68de96ff31830
Gitweb:     http://git.kernel.org/tip/13863a66c9c8a663665445cf05d68de96ff31830
Author:     Jesper Juhl <jj@chaosbits.net>
AuthorDate: Thu, 9 Jun 2011 23:14:58 +0200
Committer:  Thomas Gleixner <tglx@linutronix.de>
CommitDate: Fri, 10 Jun 2011 10:53:42 +0200

genirq: Prevent potential NULL dereference in irq_set_irq_wake()

In kernel/irq/manage.c::irq_set_irq_wake() we call
irq_get_desc_buslock() which may return NULL, but the code
dereferences the result unconditionally.

irq_set_irq_wake() has lots of callers - I checked a few and I couldn't
find anything that guarantees that they won't call it with some input that
will cause irq_get_desc_buslock() to return NULL, so I think it's a good
thing to test and -EINVAL was the most sane error code in this situation
that I could think of.

Not all callers test the return value of irq_set_irq_wake(), but those
that do take != 0 to mean error as far as I can see, so they should be
fine. I guess those that don't test actually should, but that's a
different issue.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Link: http://lkml.kernel.org/r/alpine.LNX.2.00.1106092300360.17868@swampdragon.chaosbits.net
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
---
 kernel/irq/manage.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
index d64bafb..0a7840ae 100644
--- a/kernel/irq/manage.c
+++ b/kernel/irq/manage.c
@@ -491,6 +491,9 @@ int irq_set_irq_wake(unsigned int irq, unsigned int on)
 	struct irq_desc *desc = irq_get_desc_buslock(irq, &flags);
 	int ret = 0;
 
+	if (!desc)
+		return -EINVAL;
+
 	/* wakeup-capable irqs can be shared between drivers that
 	 * don't need to have the same sleep mode behaviors.
 	 */