* [PATCH] platform/x86: intel: punit_ipc: fix memory corruption
From: Dan Carpenter @ 2025-11-21 13:34 UTC (permalink / raw)
To: Qipeng Zha
Cc: Hans de Goede, Ilpo Järvinen, Andy Shevchenko, Darren Hart,
platform-driver-x86, linux-kernel, kernel-janitors
This passes a stack address to the IRQ handler, "&punit_ipcdev" vs
"punit_ipcdev" without the ampersand. This means that the:
complete(&ipcdev->cmd_complete);
in intel_punit_ioc() will corrupt the wrong memory.
Fixes: fdca4f16f57d ("platform:x86: add Intel P-Unit mailbox IPC driver")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
drivers/platform/x86/intel/punit_ipc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/platform/x86/intel/punit_ipc.c b/drivers/platform/x86/intel/punit_ipc.c
index bafac8aa2baf..14513010daad 100644
--- a/drivers/platform/x86/intel/punit_ipc.c
+++ b/drivers/platform/x86/intel/punit_ipc.c
@@ -250,7 +250,7 @@ static int intel_punit_ipc_probe(struct platform_device *pdev)
} else {
ret = devm_request_irq(&pdev->dev, irq, intel_punit_ioc,
IRQF_NO_SUSPEND, "intel_punit_ipc",
- &punit_ipcdev);
+ punit_ipcdev);
if (ret) {
dev_err(&pdev->dev, "Failed to request irq: %d\n", irq);
return ret;
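Review bot: the commit message's description of "&punit_ipcdev" as a stack address does not match the code the hunk touches: punit_ipcdev is a file-scope static pointer (Ilpo quotes its definition below as "static IPC_DEV *punit_ipcdev;"), so the pre-patch cookie was the address of that static pointer variable, and intel_punit_ioc(), which casts dev_id straight to IPC_DEV *, signalled the completion inside whatever memory follows that variable rather than inside the device object. Suggest rewording the message along the lines of "passes the address of the static punit_ipcdev pointer instead of the pointer itself, so complete(&ipcdev->cmd_complete) in intel_punit_ioc() writes to the wrong memory address and corrupts it." The one-line change to pass punit_ipcdev is correct; since the handler now receives the pointer's value rather than the variable's address, it is also worth confirming that punit_ipcdev has already been assigned by the time this devm_request_irq() call runs.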
--
2.51.0
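The dev_id mix-up this patch fixes, as an added userspace model that is not the driver's code: request_irq() takes an opaque void * cookie, so "&punit_ipcdev" compiles as readily as "punit_ipcdev", and the handler then writes its completion into whatever follows the pointer variable instead of into the device. The bss struct, the regs[] padding, the request_irq_model() stand-in and the request_punit_irq() typed wrapper are constructed for this example.

```c
#include <stdint.h>
#include <string.h>
/* Model of the driver's device object; cmd_complete stands in for the struct
 * completion that intel_punit_ioc() signals. regs[] is constructed padding so
 * the field lies beyond an 8-byte pointer on 64-bit as well. */
typedef struct {
    uint8_t regs[16];
    int cmd_complete;
} IPC_DEV;

/* Model of the driver's .bss: the file-scope `static IPC_DEV *punit_ipcdev;`
 * plus whatever the linker placed right after it (constructed). */
static struct {
    IPC_DEV *punit_ipcdev;
    uint8_t neighbour[32];
} bss;
static IPC_DEV real_dev;

/* The handler gets dev_id back exactly as registered and trusts its type. */
static void intel_punit_ioc(void *dev_id)
{
    IPC_DEV *ipcdev = dev_id;
    ipcdev->cmd_complete = 1;            /* complete(&ipcdev->cmd_complete) */
}

/* Stand-in for request_irq(): dev_id is an opaque void *, so passing an
 * IPC_DEV ** compiles without a diagnostic. */
static void *registered_dev_id;
static void request_irq_model(void *dev_id) { registered_dev_id = dev_id; }

/* Hypothetical typed wrapper that turns the mix-up into a compile error:
 * _Generic has an arm only for IPC_DEV *, so IPC_DEV ** is rejected. */
#define request_punit_irq(dev) request_irq_model(_Generic((dev), IPC_DEV *: (dev)))

/* Probe, then deliver one interrupt; buggy=1 registers the pre-patch cookie.
 * Returns 1 iff the real device saw the completion and no neighbour changed. */
int probe_and_fire(int buggy)
{
    memset(&bss, 0, sizeof bss);
    memset(&real_dev, 0, sizeof real_dev);
    bss.punit_ipcdev = &real_dev;
    if (buggy)
        request_irq_model(&bss.punit_ipcdev);   /* address of the pointer variable */
    else
        request_punit_irq(bss.punit_ipcdev);    /* the device it points to */
    intel_punit_ioc(registered_dev_id);
    uint8_t zeros[sizeof bss.neighbour] = {0};
    return real_dev.cmd_complete == 1 &&
           memcmp(bss.neighbour, zeros, sizeof zeros) == 0;
}
```

With the pre-patch cookie the device never sees its completion (a caller waiting on it would time out) while bytes next to the pointer variable change; replacing the buggy call with request_punit_irq(&bss.punit_ipcdev) does not compile.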
* Re: [PATCH] platform/x86: intel: punit_ipc: fix memory corruption
From: Ilpo Järvinen @ 2025-11-21 17:27 UTC (permalink / raw)
To: Dan Carpenter
Cc: Qipeng Zha, Hans de Goede, Andy Shevchenko, Darren Hart,
platform-driver-x86, LKML, kernel-janitors
On Fri, 21 Nov 2025, Dan Carpenter wrote:
> This passes a stack address to the IRQ handler, "&punit_ipcdev" vs
This first part I don't get: why do you think &punit_ipcdev is a stack
address? The punit_ipcdev variable is defined in the global scope:
static IPC_DEV *punit_ipcdev;
> "punit_ipcdev" without the ampersand. This means that the:
>
> complete(&ipcdev->cmd_complete);
>
> in intel_punit_ioc() will corrupt the wrong memory.
Can you please also rephrase "will corrupt the wrong memory", as it has
a bit of an awkward sound to it. My suggestion:
...will write to a wrong memory address corrupting it.
(I'd have done this edit myself but I wanted to ask about the stack
address claim so better you just send v2.)
The change diff itself looks correct.
> Fixes: fdca4f16f57d ("platform:x86: add Intel P-Unit mailbox IPC driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
> drivers/platform/x86/intel/punit_ipc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/platform/x86/intel/punit_ipc.c b/drivers/platform/x86/intel/punit_ipc.c
> index bafac8aa2baf..14513010daad 100644
> --- a/drivers/platform/x86/intel/punit_ipc.c
> +++ b/drivers/platform/x86/intel/punit_ipc.c
> @@ -250,7 +250,7 @@ static int intel_punit_ipc_probe(struct platform_device *pdev)
> } else {
> ret = devm_request_irq(&pdev->dev, irq, intel_punit_ioc,
> IRQF_NO_SUSPEND, "intel_punit_ipc",
> - &punit_ipcdev);
> + punit_ipcdev);
> if (ret) {
> dev_err(&pdev->dev, "Failed to request irq: %d\n", irq);
> return ret;
>
--
i.
* Re: [PATCH] platform/x86: intel: punit_ipc: fix memory corruption
From: Dan Carpenter @ 2025-11-21 17:51 UTC (permalink / raw)
To: Ilpo Järvinen
Cc: Qipeng Zha, Hans de Goede, Andy Shevchenko, Darren Hart,
platform-driver-x86, LKML, kernel-janitors
On Fri, Nov 21, 2025 at 07:27:54PM +0200, Ilpo Järvinen wrote:
> On Fri, 21 Nov 2025, Dan Carpenter wrote:
>
> > This passes a stack address to the IRQ handler, "&punit_ipcdev" vs
>
> This first part I don't get, why you think &punit_ipcdev is a stack
> address? The punit_ipcdev variable is defined in the global scope:
>
> static IPC_DEV *punit_ipcdev;
Ah, right. Sorry. I thought it was a local variable.
Yeah. Let me resend this.
regards,
dan carpenter
* Re: [PATCH] platform/x86: intel: punit_ipc: fix memory corruption
From: Andy Shevchenko @ 2025-11-24 7:17 UTC (permalink / raw)
To: Dan Carpenter
Cc: Qipeng Zha, Hans de Goede, Ilpo Järvinen, Darren Hart,
platform-driver-x86, linux-kernel, kernel-janitors
On Fri, Nov 21, 2025 at 04:34:22PM +0300, Dan Carpenter wrote:
> This passes a stack address to the IRQ handler, "&punit_ipcdev" vs
> "punit_ipcdev" without the ampersand. This means that the:
>
> complete(&ipcdev->cmd_complete);
>
> in intel_punit_ioc() will corrupt the wrong memory.
Good catch. Now the question is: how was this driver ever tested?..
--
With Best Regards,
Andy Shevchenko