From: sashiko-bot@kernel.org
To: "Alain Volmat" <alain.volmat@foss.st.com>
Cc: linux-media@vger.kernel.org
Subject: Re: [PATCH v2 02/13] media: stm32: dcmipp: make dcmipp_state & cmsr2 read common
Date: Tue, 02 Jun 2026 13:38:22 +0000
Message-ID: <20260602133822.82FD51F00893@smtp.kernel.org>
In-Reply-To: <20260602-stm32-dcmipp-pixel-pipes-support-v2-2-3c76b5f93157@foss.st.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] The interrupt handler `dcmipp_irq_callback` is subject to a teardown and initialization lifecycle mismatch that causes a NULL pointer dereference during probe and a Use-After-Free during removal.
--

commit 57156bb8e4502a74fba0baeca5a498fc6151d274
Author: Alain Volmat <alain.volmat@foss.st.com>

media: stm32: dcmipp: make dcmipp_state & cmsr2 read common

This commit moves the dcmipp_state enum into a common header and centralizes
the reading of the CMSR2 interrupt status register. The core interrupt
handler now reads the register and shares the value with each subdevice.

> diff --git a/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c b/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c
> index dd784cfcaac82..b06a4931ae951 100644
> --- a/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c
> +++ b/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c
[ ... ]
> @@ -251,10 +253,15 @@ static irqreturn_t dcmipp_irq_callback(int irq, void *arg)
> struct dcmipp_ent_device *ved;
> irqreturn_t ret = IRQ_HANDLED;
> unsigned int i;
> + u32 cmsr2;
> +
> + /* Centralized read of CMSR2 */
> + cmsr2 = reg_read(dcmipp, DCMIPP_CMSR2);
>
> /* Call irq handler of each entities of pipeline */
> for (i = 0; i < dcmipp->pipe_cfg->num_ents; i++) {
> ved = dcmipp->entity[i];
> + ved->cmsr2 = cmsr2;

[Severity: High]
This is a pre-existing issue, but does this create a risk of a NULL pointer
dereference during probe or a use-after-free during removal?

In dcmipp_probe(), devm_request_threaded_irq() is called and unmasks the IRQ
before the dcmipp->entity array is allocated via devm_kcalloc():

    ret = devm_request_threaded_irq(&pdev->dev, irq, dcmipp_irq_callback,
                                    dcmipp_irq_thread, IRQF_ONESHOT,
                                    dev_name(&pdev->dev), dcmipp);
    ...
    dcmipp->entity = devm_kcalloc(&pdev->dev, dcmipp->pipe_cfg->num_ents,
                                  ...);

If an interrupt fires immediately, dcmipp->entity will be NULL, causing a crash
when evaluating dcmipp->entity[i].

Similarly, in dcmipp_remove(), the subdevice entities are released and their
memory freed while the devres-managed IRQ is still active:

    for (i = 0; i < dcmipp->pipe_cfg->num_ents; i++)
        dcmipp->pipe_cfg->ents[i].release(dcmipp->entity[i]);

If a spurious interrupt fires during or after this teardown loop, could this
assignment to ved->cmsr2 corrupt freed memory?

> if (ved->handler)
> ved->handler_ret = ved->handler(irq, ved);
> else if (ved->thread_fn)
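
Review bot: `ved->cmsr2 = cmsr2;` at the top of the loop body stores through `dcmipp->entity[i]` with no check that the slot is populated, and the comment `/* Centralized read of CMSR2 */` does not say how long the per-entity copy stays valid. Consider skipping NULL slots before the store, and extend the comment to state that `ved->cmsr2` is a snapshot taken once per hard-IRQ invocation and is what `handler` and `thread_fn` are meant to consume, so a later reader knows whether a subdevice may still read DCMIPP_CMSR2 itself.
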
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260602-stm32-dcmipp-pixel-pipes-support-v2-0-3c76b5f93157@foss.st.com?part=2
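
The lifecycle window described in the review above, as an added userspace model (not code from the patch, the driver, or the review). The names `model_dev`, `model_ent`, `irq_fires` and `lifecycle` are hypothetical, and the "safe" ordering shown is one assumed remedy, not a fix proposed in the thread.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed userspace model: names echo the driver, nothing here is kernel code. */
enum { IRQ_SAFE = 1, IRQ_NULL_DEREF = 2, IRQ_USE_AFTER_FREE = 4 };
struct model_ent { int released; unsigned int cmsr2; };

struct model_dev {
	int irq_live;              /* handler registered and line unmasked */
	size_t num_ents;
	struct model_ent *entity;  /* NULL until the array is allocated */
};

/* What the handler's loop would touch if an interrupt arrived right now. */
static int irq_fires(struct model_dev *d)
{
	if (!d->irq_live)
		return 0;                          /* not delivered */
	if (!d->entity)
		return IRQ_NULL_DEREF;             /* entity[i] read on a NULL array */
	for (size_t i = 0; i < d->num_ents; i++) {
		if (d->entity[i].released)
			return IRQ_USE_AFTER_FREE; /* cmsr2 store into released entity */
		d->entity[i].cmsr2 = 0x1;          /* arbitrary status snapshot */
	}
	return IRQ_SAFE;
}

/* Probe then remove, with an interrupt delivered between every step.
 * 1 = ordering described in the review; 0 = IRQ live only while state exists. */
int lifecycle(int irq_outlives_state)
{
	struct model_dev d = { 0, 2, NULL };
	int seen = 0;
	d.irq_live = irq_outlives_state;           /* IRQ requested first */
	seen |= irq_fires(&d);
	d.entity = calloc(d.num_ents, sizeof(*d.entity));
	if (!d.entity)
		return -1;
	d.irq_live = 1;                            /* latest point the IRQ goes live */
	seen |= irq_fires(&d);
	d.irq_live = irq_outlives_state;           /* safe order masks it here */
	for (size_t i = 0; i < d.num_ents; i++) {
		d.entity[i].released = 1;          /* tombstone stands in for free */
		seen |= irq_fires(&d);
	}
	free(d.entity);
	return seen;
}
```

The return value is a bitmask of every outcome an interrupt could have produced at some step, so the two orderings can be compared directly.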