| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 20 Jul 2022 08:15:30 -0600
From: Jeffrey Hugo <quic_jhugo@...cinc.com>
To: Qiang Yu <quic_qianyu@...cinc.com>, <mani@...nel.org>,
<quic_hemantk@...cinc.com>, <loic.poulain@...aro.org>
CC: <mhi@...ts.linux.dev>, <linux-arm-msm@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <quic_cang@...cinc.com>
Subject: Re: [PATCH v1 1/1] bus: mhi: host: Fix up null pointer access in
mhi_irq_handler
On 7/20/2022 4:04 AM, Qiang Yu wrote:
> The irq handler for a shared IRQ ought to be prepared for running
> even now it's being freed. So let's check the pointer used by
> mhi_irq_handler to avoid null pointer access since it is probably
> released before freeing IRQ.
>
> Signed-off-by: Qiang Yu <quic_qianyu@...cinc.com>
> ---
> drivers/bus/mhi/host/main.c | 14 +++++++++++---
> 1 file changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/bus/mhi/host/main.c b/drivers/bus/mhi/host/main.c
> index f3aef77a..7959457 100644
> --- a/drivers/bus/mhi/host/main.c
> +++ b/drivers/bus/mhi/host/main.c
> @@ -430,12 +430,20 @@ irqreturn_t mhi_irq_handler(int irq_number, void *dev)
> {
> struct mhi_event *mhi_event = dev;
> struct mhi_controller *mhi_cntrl = mhi_event->mhi_cntrl;
> - struct mhi_event_ctxt *er_ctxt =
> - &mhi_cntrl->mhi_ctxt->er_ctxt[mhi_event->er_index];
> + struct mhi_event_ctxt *er_ctxt;
> struct mhi_ring *ev_ring = &mhi_event->ring;
> - dma_addr_t ptr = le64_to_cpu(er_ctxt->rp);
> + dma_addr_t ptr;
> void *dev_rp;
>
> + if (!mhi_cntrl->mhi_ctxt) {
> + dev_err(&mhi_cntrl->mhi_dev->dev,
> + "mhi_ctxt has been freed\n");
dev_dbg since you identified a scenario where this is expected?
> + return IRQ_HANDLED;
> + }
> +
> + er_ctxt = &mhi_cntrl->mhi_ctxt->er_ctxt[mhi_event->er_index];
> + ptr = le64_to_cpu(er_ctxt->rp);
> +
> if (!is_valid_ring_ptr(ev_ring, ptr)) {
> dev_err(&mhi_cntrl->mhi_dev->dev,
> "Event ring rp points outside of the event ring\n");
Powered by blists - more mailing lists