Null-ptr-deref in xcv_init_hw()

From: Kyungwook Boo
Date: Mon Mar 03 2025 - 01:48:53 EST

Next message: Zhihang Shao: "Re: [PATCH 0/4] RISC-V CRC optimizations"
Previous message: Kyungwook Boo: "Divide-by-zero error in qed_hw_get_nvm_info()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

It seems that xcv_init_hw() can be called in bgx_probe() regardless of whether
xcv_probe() has been executed, leading to a potential null pointer dereference.

The following is a call stack example:

bgx_probe
├── xcv_init_hw
│ ├── readq_relaxed(xcv->reg_base + XCV_RESET) // NULL pointer dereference

In bgx_probe(), if the PCI device ID matched PCI_DEVICE_ID_THUNDER_RGX,
xcv_init_hw is called:

pci_read_config_word(pdev, PCI_DEVICE_ID, &sdevid);
if (sdevid != PCI_DEVICE_ID_THUNDER_RGX) {
}
else{
xcv_init_hw();
}

However, xcv_init_hw() performs an MMIO read on xcv->reg_base, which is expected
to be initialized by xcv_probe():

cfg = readq_relaxed(xcv->reg_base + XCV_RESET);

Could you check this?

Best regards,
Kyungwook Boo

Next message: Zhihang Shao: "Re: [PATCH 0/4] RISC-V CRC optimizations"
Previous message: Kyungwook Boo: "Divide-by-zero error in qed_hw_get_nvm_info()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]