| Message ID | 20210819154818.18334-1-lutovinova@ispras.ru |
|---|---|
| State | New |
| Headers | show |
| Series | usb: dwc3: imx8mp: request irq after initializing dwc3 | expand |
Hi Nadezda, On Thu, Aug 19, 2021 at 12:48 PM Nadezda Lutovinova <lutovinova@ispras.ru> wrote: > > If IRQ occurs between calling devm_request_threaded_irq() and > initializing dwc3_imx->dwc3, then null pointer dereference occurs > since dwc3_imx->dwc3 is used in dwc3_imx8mp_interrupt(). > > The patch puts registration of the interrupt handler after > initializing of neccesery data. "necessary" > Found by Linux Driver Verification project (linuxtesting.org). > > Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru> Reviewed-by: Fabio Estevam <festevam@gmail.com>
Nadezda Lutovinova <lutovinova@ispras.ru> writes: > If IRQ occurs between calling devm_request_threaded_irq() and > initializing dwc3_imx->dwc3, then null pointer dereference occurs > since dwc3_imx->dwc3 is used in dwc3_imx8mp_interrupt(). > > The patch puts registration of the interrupt handler after > initializing of neccesery data. > > Found by Linux Driver Verification project (linuxtesting.org). > > Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru> Acked-by: Felipe Balbi <balbi@kernel.org> -- balbi
diff --git a/drivers/usb/dwc3/dwc3-imx8mp.c b/drivers/usb/dwc3/dwc3-imx8mp.c index 756faa46d33a..d328d20abfbc 100644 --- a/drivers/usb/dwc3/dwc3-imx8mp.c +++ b/drivers/usb/dwc3/dwc3-imx8mp.c @@ -152,13 +152,6 @@ static int dwc3_imx8mp_probe(struct platform_device *pdev) } dwc3_imx->irq = irq; - err = devm_request_threaded_irq(dev, irq, NULL, dwc3_imx8mp_interrupt, - IRQF_ONESHOT, dev_name(dev), dwc3_imx); - if (err) { - dev_err(dev, "failed to request IRQ #%d --> %d\n", irq, err); - goto disable_clks; - } - pm_runtime_set_active(dev); pm_runtime_enable(dev); err = pm_runtime_get_sync(dev); @@ -186,6 +179,13 @@ static int dwc3_imx8mp_probe(struct platform_device *pdev) } of_node_put(dwc3_np); + err = devm_request_threaded_irq(dev, irq, NULL, dwc3_imx8mp_interrupt, + IRQF_ONESHOT, dev_name(dev), dwc3_imx); + if (err) { + dev_err(dev, "failed to request IRQ #%d --> %d\n", irq, err); + goto depopulate; + } + device_set_wakeup_capable(dev, true); pm_runtime_put(dev);
If IRQ occurs between calling devm_request_threaded_irq() and initializing dwc3_imx->dwc3, then null pointer dereference occurs since dwc3_imx->dwc3 is used in dwc3_imx8mp_interrupt(). The patch puts registration of the interrupt handler after initializing of neccesery data. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru> --- drivers/usb/dwc3/dwc3-imx8mp.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)