From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
To: David Cohen <david.a.cohen@linux.intel.com>
Cc: Thomas Dahlmann <dahlmann.thomas@arcor.de>,
	Felipe Balbi <balbi@ti.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-kernel@vger.kernel.org, linux-geode@lists.infradead.org,
	linux-usb@vger.kernel.org
Subject: Re: [PATCH] usb: gadget: amd5536udc: fix NULL pointer dereference
Date: Fri, 11 Sep 2015 15:32:56 +0530
Message-ID: <20150911100256.GA15689@sudip-pc>
In-Reply-To: <20150910180334.GA10760@psi-dev26.jf.intel.com>

On Thu, Sep 10, 2015 at 11:03:34AM -0700, David Cohen wrote:
> Hi Sudip,
> 
> On Fri, Sep 04, 2015 at 05:12:23PM +0530, Sudip Mukherjee wrote:
> > We were checking if dev->regs is NULL but it was done after
> > dereferencing it. Let's reset the controller and iounmap dev->regs only
> > if it is not NULL.
> > free_irq() does not need dev->regs, so unmapping it before freeing the
> > irq should not matter.
> > 
> > Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org>
> > ---
> >  drivers/usb/gadget/udc/amd5536udc.c | 7 ++++---
> >  1 file changed, 4 insertions(+), 3 deletions(-)
> > 
> > diff --git a/drivers/usb/gadget/udc/amd5536udc.c b/drivers/usb/gadget/udc/amd5536udc.c
> > index fdacddb..26066d3 100644
> > --- a/drivers/usb/gadget/udc/amd5536udc.c
> > +++ b/drivers/usb/gadget/udc/amd5536udc.c
> > @@ -3135,11 +3135,12 @@ static void udc_pci_remove(struct pci_dev *pdev)
<snip>
> 
> I'm not familiar with the driver, but you're iounmap'ing before freeing
> irq. Looks fishy to me.
Well, I thought you would be able to give me some idea about how to fix it. :)
Then I guess we should be on the safe side and what about the following:


diff --git a/drivers/usb/gadget/udc/amd5536udc.c b/drivers/usb/gadget/udc/amd5536udc.c
index fdacddb..82f36f6 100644
--- a/drivers/usb/gadget/udc/amd5536udc.c
+++ b/drivers/usb/gadget/udc/amd5536udc.c
@@ -3134,8 +3134,9 @@ static void udc_pci_remove(struct pci_dev *pdev)
 		pci_pool_destroy(dev->stp_requests);
 	}
 
-	/* reset controller */
-	writel(AMD_BIT(UDC_DEVCFG_SOFTRESET), &dev->regs->cfg);
+	if (dev->regs)
+		/* reset controller */
+		writel(AMD_BIT(UDC_DEVCFG_SOFTRESET), &dev->regs->cfg);
 	if (dev->irq_registered)
 		free_irq(pdev->irq, dev);
 	if (dev->regs)
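
Review bot: The /* reset controller */ comment now sits between the new "if (dev->regs)" and the writel() it guards, so the unbraced body spans two lines; move the comment above the if, or put braces around the body, so that a statement added later cannot silently fall outside the NULL check. The hunk also leaves two separate "if (dev->regs)" tests with the free_irq() call between them, which keeps the reset / free_irq / unmap order, but the changelog of the first version still argues that unmapping before freeing the irq should not matter, so that text needs rewriting when this is resent as a new version.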

And just for my information: for a device what might happen if I iounmap
before I free the irq? One thing I can think of is that after iounmap
just at that moment one interrupt comes and the driver tries to access
the io memory while servicing the irq.

regards
sudip
