A potential bug in drivers/usb/gadget/udc/m66592-udc.ko

From: Pavel Andrianov
Date: Thu Sep 08 2016 - 05:18:56 EST

Next message: Vaishali Thakkar: "Re: A potential race in drivers/iio/adc/vf610_adc.ko"
Previous message: Harish Jenny K N: "[PATCH v1 1/1] usb: gadget: f_fs: Stop ffs_closed NULL pointers."
Next in thread: Felipe Balbi: "Re: A potential bug in drivers/usb/gadget/udc/m66592-udc.ko"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi!

There is a potential bug in drivers/usb/gadget/udc/m66592-udc.ko.
In m66592_probe interrupts are requested at line 1612. After that initialization of common resources is continued. For example, in

-> usb_add_gadget_udc (line 1678)
-> usb_add_gadget_udc_release
-> udc_bind_to_driver
-> usb_gadget_udc_start
-> m66592_udc_start

m66592->driver is set. In interrupt handler the data is used, thus if interrupt comes before udc_start is executed, null pointer dereference occurs.
Should the call of request_irq be after complete initialization?

--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andrianov@xxxxxxxxx

Next message: Vaishali Thakkar: "Re: A potential race in drivers/iio/adc/vf610_adc.ko"
Previous message: Harish Jenny K N: "[PATCH v1 1/1] usb: gadget: f_fs: Stop ffs_closed NULL pointers."
Next in thread: Felipe Balbi: "Re: A potential bug in drivers/usb/gadget/udc/m66592-udc.ko"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]