dmaengine: plx_dma: KASAN null-ptr-deref in plx_dma_isr() on early IRQ

Next message: Krzysztof Kozlowski: "Re: [PATCH 2/4] dt-bindings: mmc: sdhci-msm: Document the Glymur compatible"
Previous message: Andrew Jeffery: "Re: [PATCH v5 2/2] ARM: dts: aspeed: ventura2: Add Meta ventura2 BMC"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jaeyoung Chung

Date: Wed Jun 10 2026 - 07:24:05 EST

Hi,

plx_dma_create() in drivers/dma/plx_dma.c registers the interrupt
handler with request_irq() before it initializes plxdev->bar. If an
interrupt arrives in that window, plx_dma_isr() dereferences a NULL
bar, causing a kernel panic.

The probe path, in plx_dma_create():

plxdev = kzalloc_obj(*plxdev); /* plxdev->bar == NULL */
...
rc = request_irq(pci_irq_vector(pdev, 0), plx_dma_isr, 0,
KBUILD_MODNAME, plxdev); /* register interrupt handler */
...
plxdev->bar = pcim_iomap_table(pdev)[0]; /* initialize BAR pointer */

The interrupt handler, plx_dma_isr(), dereferences bar without check:

status = readw(plxdev->bar + PLX_REG_INTR_STATUS);

If the device raises an interrupt before plxdev->bar is initialized,
the handler dereferences the NULL bar, triggering a KASAN
null-ptr-deref.

Suggested fix: move the plxdev->bar assignment above request_irq(),
so the MMIO pointer is valid before the handler can run.

Reported-by: Sangyun Kim <sangyun.kim@xxxxxxxxx>
Reported-by: Kyungwook Boo <bookyungwook@xxxxxxxxx>

Thanks,
Jaeyoung Chung