From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Dmitriy Ulitin, Alexey Khoroshilov, Sakari Ailus, Mauro Carvalho Chehab, Sasha Levin, hugues.fruchet@foss.st.com, mchehab@kernel.org, mcoquelin.stm32@gmail.com, alexandre.torgue@foss.st.com, linux-media@vger.kernel.org, linux-stm32@st-md-mailman.stormreply.com, linux-arm-kernel@lists.infradead.org
Subject: [PATCH AUTOSEL 5.10 030/101] media: stm32: Potential NULL pointer dereference in dcmi_irq_thread()
Date: Mon, 8 Nov 2021 12:47:20 -0500
Message-Id: <20211108174832.1189312-30-sashal@kernel.org>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20211108174832.1189312-1-sashal@kernel.org>
References: <20211108174832.1189312-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: X-Mailing-List: stable@vger.kernel.org

From: Dmitriy Ulitin

[ Upstream commit 548fa43a58696450c15b8f5564e99589c5144664 ]

At the moment of enabling irq handling:

1922         ret = devm_request_threaded_irq(&pdev->dev, irq, dcmi_irq_callback,
1923                                         dcmi_irq_thread, IRQF_ONESHOT,
1924                                         dev_name(&pdev->dev), dcmi);

there is still an uninitialized field, sd_format, of struct stm32_dcmi *dcmi. If an interrupt occurs in the interval between the installation of the interrupt handler and the initialization of this field, a NULL pointer dereference happens. This field is dereferenced in the handler function without any check:

457         if (dcmi->sd_format->fourcc == V4L2_PIX_FMT_JPEG &&
458             dcmi->misr & IT_FRAME) {

The patch moves interrupt handler installation after initialization of the sd_format field that happens in dcmi_graph_notify_complete() via dcmi_set_default_fmt().

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Dmitriy Ulitin
Signed-off-by: Alexey Khoroshilov
Signed-off-by: Sakari Ailus
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin --- drivers/media/platform/stm32/stm32-dcmi.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/drivers/media/platform/stm32/stm32-dcmi.c b/drivers/media/platform/stm32/stm32-dcmi.c index fd1c41cba52fc..233e4d3feacd9 100644 --- a/drivers/media/platform/stm32/stm32-dcmi.c +++ b/drivers/media/platform/stm32/stm32-dcmi.c @@ -135,6 +135,7 @@ struct stm32_dcmi { int sequence; struct list_head buffers; struct dcmi_buf *active; + int irq; struct v4l2_device v4l2_dev; struct video_device *vdev; @@ -1720,6 +1721,14 @@ static int dcmi_graph_notify_complete(struct v4l2_async_notifier *notifier) return ret; } + ret = devm_request_threaded_irq(dcmi->dev, dcmi->irq, dcmi_irq_callback, + dcmi_irq_thread, IRQF_ONESHOT, + dev_name(dcmi->dev), dcmi); + if (ret) { + dev_err(dcmi->dev, "Unable to request irq %d\n", dcmi->irq); + return ret; + } + return 0; } @@ -1881,6 +1890,8 @@ static int dcmi_probe(struct platform_device *pdev) if (irq <= 0) return irq ? irq : -ENXIO; + dcmi->irq = irq; + dcmi->res = platform_get_resource(pdev, IORESOURCE_MEM, 0); if (!dcmi->res) { dev_err(&pdev->dev, "Could not get resource\n"); @@ -1893,14 +1904,6 @@ static int dcmi_probe(struct platform_device *pdev) return PTR_ERR(dcmi->regs); } - ret = devm_request_threaded_irq(&pdev->dev, irq, dcmi_irq_callback, - dcmi_irq_thread, IRQF_ONESHOT, - dev_name(&pdev->dev), dcmi); - if (ret) { - dev_err(&pdev->dev, "Unable to request irq %d\n", irq); - return ret; - } - mclk = devm_clk_get(&pdev->dev, "mclk"); if (IS_ERR(mclk)) { if (PTR_ERR(mclk) != -EPROBE_DEFER) -- 2.33.0
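Review bot: the new `int irq;` member added to struct stm32_dcmi in the first hunk carries no comment, and its only purpose is to carry the IRQ number from dcmi_probe() to the later request in dcmi_graph_notify_complete(); a one-line comment such as `/* IRQ number; requested only once sd_format is initialised */` would make the probe/notifier ordering this fix relies on visible to the next reader.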
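Review bot: the relocated devm_request_threaded_irq() in dcmi_graph_notify_complete() switches from `&pdev->dev` to `dcmi->dev`, but neither that hunk nor the probe hunks show where dcmi->dev is assigned; please confirm it is set in dcmi_probe() before the async notifier is registered, otherwise the request and the dev_err() on its failure path would run against a NULL device. It would also help to widen the hunk context (or state it in the commit message) so the dcmi_set_default_fmt() call that initialises sd_format is visibly ordered ahead of the new request.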
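Review bot: with the request block removed from dcmi_probe() in the last hunk, the handler is only installed once the async notifier completes, so if the sensor subdev never binds no IRQ is ever requested; that is correct for the NULL-dereference fix, but worth a sentence in the commit message, since anyone debugging a silent DCMI would otherwise expect the IRQ to appear in /proc/interrupts right after probe. The `if (irq <= 0) return irq ? irq : -ENXIO;` check staying in probe ahead of `dcmi->irq = irq;` is good: a missing IRQ still fails early rather than surfacing as a late error from the notifier callback.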