lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20220729142221.GA9937@thinkpad>
Date:   Fri, 29 Jul 2022 19:52:21 +0530
From:   Manivannan Sadhasivam <mani@...nel.org>
To:     Kalle Valo <kvalo@...nel.org>
Cc:     Qiang Yu <quic_qianyu@...cinc.com>, quic_hemantk@...cinc.com,
        loic.poulain@...aro.org, quic_jhugo@...cinc.com,
        mhi@...ts.linux.dev, linux-arm-msm@...r.kernel.org,
        linux-kernel@...r.kernel.org, quic_cang@...cinc.com,
        ath11k@...ts.infradead.org
Subject: Re: [PATCH v3 1/1] bus: mhi: host: Fix up null pointer access in
 mhi_irq_handler

On Tue, Jul 26, 2022 at 08:53:58PM +0300, Kalle Valo wrote:
> Manivannan Sadhasivam <mani@...nel.org> writes:
> 
> > +ath11k, Kalle
> >
> > On Fri, Jul 22, 2022 at 11:17:18AM +0800, Qiang Yu wrote:
> >> The irq handler for a shared IRQ ought to be prepared for running
> >> even now it's being freed. So let's check the pointer used by
> >> mhi_irq_handler to avoid null pointer access since it is probably
> >> released before freeing IRQ.
> >> 
> >> Signed-off-by: Qiang Yu <quic_qianyu@...cinc.com>
> >
> > Reviewed-by: Manivannan Sadhasivam <mani@...nel.org>
> 
> This fixes the crash and my regression tests pass now, thanks. But
> please see my question below.
> 
> Tested-by: Kalle Valo <kvalo@...nel.org>
> 

Thanks Kalle!

> >> +	/*
> >> +	 * If CONFIG_DEBUG_SHIRQ is set, the IRQ handler will get invoked during __free_irq()
> >> +	 * and by that time mhi_ctxt() would've freed. So check for the existence of mhi_ctxt
> >> +	 * before handling the IRQs.
> >> +	 */
> >> +	if (!mhi_cntrl->mhi_ctxt) {
> >> +		dev_dbg(&mhi_cntrl->mhi_dev->dev,
> >> +			"mhi_ctxt has been freed\n");
> >> +		return IRQ_HANDLED;
> >> +	}
> 
> I don't see any protection accessing mhi_cntrl->mhi_ctxt, is this really
> free of race conditions?
> 

As Qiang said, it is safe to access mhi_ctxt here.

Thanks,
Mani

> -- 
> https://patchwork.kernel.org/project/linux-wireless/list/
> 
> https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

-- 
மணிவண்ணன் சதாசிவம்

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ