lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87czdrrc95.fsf@kernel.org>
Date:   Tue, 26 Jul 2022 20:53:58 +0300
From:   Kalle Valo <kvalo@...nel.org>
To:     Manivannan Sadhasivam <mani@...nel.org>
Cc:     Qiang Yu <quic_qianyu@...cinc.com>, quic_hemantk@...cinc.com,
        loic.poulain@...aro.org, quic_jhugo@...cinc.com,
        mhi@...ts.linux.dev, linux-arm-msm@...r.kernel.org,
        linux-kernel@...r.kernel.org, quic_cang@...cinc.com,
        ath11k@...ts.infradead.org
Subject: Re: [PATCH v3 1/1] bus: mhi: host: Fix up null pointer access in mhi_irq_handler

Manivannan Sadhasivam <mani@...nel.org> writes:

> +ath11k, Kalle
>
> On Fri, Jul 22, 2022 at 11:17:18AM +0800, Qiang Yu wrote:
>> The irq handler for a shared IRQ ought to be prepared for running
>> even now it's being freed. So let's check the pointer used by
>> mhi_irq_handler to avoid null pointer access since it is probably
>> released before freeing IRQ.
>> 
>> Signed-off-by: Qiang Yu <quic_qianyu@...cinc.com>
>
> Reviewed-by: Manivannan Sadhasivam <mani@...nel.org>

This fixes the crash and my regression tests pass now, thanks. But
please see my question below.

Tested-by: Kalle Valo <kvalo@...nel.org>

>> +	/*
>> +	 * If CONFIG_DEBUG_SHIRQ is set, the IRQ handler will get invoked during __free_irq()
>> +	 * and by that time mhi_ctxt() would've freed. So check for the existence of mhi_ctxt
>> +	 * before handling the IRQs.
>> +	 */
>> +	if (!mhi_cntrl->mhi_ctxt) {
>> +		dev_dbg(&mhi_cntrl->mhi_dev->dev,
>> +			"mhi_ctxt has been freed\n");
>> +		return IRQ_HANDLED;
>> +	}

I don't see any protection accessing mhi_cntrl->mhi_ctxt, is this really
free of race conditions?

-- 
https://patchwork.kernel.org/project/linux-wireless/list/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ