Re: [PATCH net] net: ibm: emac: Fix NULL pointer dereference in emac_probe

Next message: Nick: "Re: [REGRESSION] Toshiba Fn keys + lidswitch"
Previous message: Liu Mingyu: "[PATCH v2 2/2] keys: Add KUnit coverage for KEYCTL_MOVE keep guard"
In reply to: Andrew Lunn: "Re: [PATCH net] net: ibm: emac: Fix NULL pointer dereference in emac_probe"
Next in thread: Andrew Lunn: "Re: [PATCH net] net: ibm: emac: Fix NULL pointer dereference in emac_probe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Rosen Penev

Date: Sun May 31 2026 - 16:52:44 EST

On Sun, May 31, 2026 at 7:39 AM Andrew Lunn <andrew@xxxxxxx> wrote:
>
> On Sat, May 30, 2026 at 07:22:19PM -0700, Rosen Penev wrote:
> > Move devm_request_irq() after devm_platform_ioremap_resource() so that
> > dev->emacp is mapped before the interrupt handler can fire. An early
> > interrupt hitting emac_irq() would dereference the NULL dev->emacp and
> > crash.
>
> Please add an explanation how this can happen, given that iser is
> written in open() not probe().
https://sashiko.dev/#/patchset/20260517033621.1839397-1-rosenp%40gmail.com

Also, does requesting the hardware interrupt before mapping the device I/O
registers create a NULL pointer dereference regression in emac_probe()?
The hardware interrupt is requested and enabled via devm_request_irq()
before the device I/O registers are mapped via
devm_platform_ioremap_resource().
If an interrupt is asserted early, emac_irq() will execute immediately and
attempt to read the ISR register by dereferencing dev->emacp. Since
dev->emacp is still NULL at this point, this would cause a kernel panic.
>
> > Fixes: dcc34ef7c834 ("net: ibm: emac: manage emac_irq with devm")
This is mine btw.
>
> Is this actually bothering people?
It's bothering the bot. The problem here is any other commit will also
trigger this nonsense. Having devm_platform_ioremap_resource earlier
like this is more consistent with other drivers as well.
>
> Andrew