Message-ID: <77f52421-42ea-499a-aa57-a834825a8829@kernel.org>
Date: Sat, 13 Jun 2026 13:09:31 +0300
Subject: Re: [PATCH 1/2] iio: adc: lpc32xx: Initialize completion before requesting IRQ
To: Maxwell Doose, Jonathan Cameron, David Lechner, Nuno Sá, Andy Shevchenko, Piotr Wojtaszczyk, Hartmut Knaack, "open list:IIO SUBSYSTEM AND DRIVERS", "moderated list:ARM/LPC32XX SOC SUPPORT", open list
Cc: Sangyun Kim, Kyungwook Boo, Jaeyoung Chung
References: <20260613005812.160572-1-m32285159@gmail.com> <20260613005812.160572-2-m32285159@gmail.com>
From: Vladimir Zapolskiy

On 6/13/26 03:58, Maxwell Doose wrote:
> In the report from Jaeyoung Chung:
>
> "lpc32xx_adc_probe() in drivers/iio/adc/lpc32xx_adc.c registers its
> interrupt handler with devm_request_irq() before it initializes
> st->completion with init_completion(). If an interrupt arrives after
> devm_request_irq() and before init_completion(), the handler calls
> complete() on an uninitialized completion, causing a kernel panic.
>
> The probe path, in lpc32xx_adc_probe():
>
>   iodev = devm_iio_device_alloc(&pdev->dev, sizeof(*st)); /* st kzalloc-zeroed */
>   ...
>   retval = devm_request_irq(&pdev->dev, irq, lpc32xx_adc_isr, 0,
>                             LPC32XXAD_NAME, st); /* register handler */
>   ...
>   init_completion(&st->completion); /* initialize completion */
>
> lpc32xx_adc_isr() calls complete():
>
>   complete(&st->completion);
>
> If the device raises an interrupt before init_completion() runs,
> complete() acquires the uninitialized wait.lock and walks the zeroed
> task_list in swake_up_locked(). The zeroed task_list makes list_empty()
> return false, so swake_up_locked() dereferences a NULL list entry,
> triggering a KASAN wild-memory-access."
>
> Fix the chance of a spurious IRQ causing an uninitialized pointer
> dereference by moving init_completion() above devm_request_irq().
> > Fixes: 7901b2a1453e ("staging:iio:adc:lpc32xx rename local state structure to _state") > Reported-by: Sangyun Kim > Reported-by: Kyungwook Boo > Reported-by: Jaeyoung Chung > Closes: https://lore.kernel.org/linux-iio/20260610115700.774689-1-jjy600901@snu.ac.kr/ > Signed-off-by: Maxwell Doose > --- > drivers/iio/adc/lpc32xx_adc.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/iio/adc/lpc32xx_adc.c b/drivers/iio/adc/lpc32xx_adc.c > index 43a7bc8158b5..db3a602327ff 100644 > --- a/drivers/iio/adc/lpc32xx_adc.c > +++ b/drivers/iio/adc/lpc32xx_adc.c > @@ -179,6 +179,8 @@ static int lpc32xx_adc_probe(struct platform_device *pdev) > if (irq < 0) > return irq; > > + init_completion(&st->completion); > + > retval = devm_request_irq(&pdev->dev, irq, lpc32xx_adc_isr, 0, > LPC32XXAD_NAME, st); > if (retval < 0) { > @@ -197,8 +199,6 @@ static int lpc32xx_adc_probe(struct platform_device *pdev) > > platform_set_drvdata(pdev, iodev); > > - init_completion(&st->completion); > - > iodev->name = LPC32XXAD_NAME; > iodev->info = &lpc32xx_adc_iio_info; > iodev->modes = INDIO_DIRECT_MODE; Reviewed-by: Vladimir Zapolskiy -- Best wishes, Vladimir
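
Review bot: In the first hunk (@@ -179,6 +179,8), the new init_completion(&st->completion) sits directly above devm_request_irq() with nothing recording why the order matters. A one-line comment there, stating that lpc32xx_adc_isr() calls complete() on st->completion and so the completion must be initialized before the handler can run, would keep a later cleanup from moving the call back down next to platform_set_drvdata(), where the second hunk removes it. It is also worth confirming that the Fixes: tag, which names a commit described as renaming the local state structure, is the commit that first placed init_completion() after the IRQ request.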