From patchwork Thu Apr 8 07:40:04 2021
X-Patchwork-Submitter: Mauro Carvalho Chehab
X-Patchwork-Id: 12190207
From: Mauro Carvalho Chehab
Cc: linuxarm@huawei.com, mauro.chehab@huawei.com, Mauro Carvalho Chehab, Andy Gross, Bjorn Andersson, Mauro Carvalho Chehab, Stanimir Varbanov, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org
Subject: [PATCH 3/3] media: venus: don't de-reference NULL pointers at IRQ time
Date: Thu, 8 Apr 2021 09:40:04 +0200
Message-Id: <73570a5dfe7b3411d256367d4a2a02169aa9b900.1617867599.git.mchehab+huawei@kernel.org>
X-Mailing-List: linux-arm-msm@vger.kernel.org

Smatch is warning that:

	drivers/media/platform/qcom/venus/hfi_venus.c:1100 venus_isr() warn: variable dereferenced before check 'hdev' (see line 1097)

The logic basically does:

	hdev = to_hfi_priv(core);

which is translated to:

	hdev = core->priv;

If the IRQ code can receive a NULL pointer for hdev, there's a bug there, as it will first try to de-reference the pointer, and then check if it is null.

After looking at the code, it seems that this indeed can happen: Basically, the venus IRQ thread is started with:

	devm_request_threaded_irq()

So, it will only be freed after the driver unbinds.

In order to prevent the IRQ code from working with freed data, the logic at venus_hfi_destroy() sets core->priv to NULL, which would make the IRQ code ignore any pending IRQs.

There is, however, a race condition, as core->priv is set to NULL only after being freed. So, we also need to move the core->priv = NULL to happen earlier.

Signed-off-by: Mauro Carvalho Chehab
Acked-by: Stanimir Varbanov
--- drivers/media/platform/qcom/venus/hfi_venus.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/media/platform/qcom/venus/hfi_venus.c b/drivers/media/platform/qcom/venus/hfi_venus.c index cebb20cf371f..ce98c523b3c6 100644
--- a/drivers/media/platform/qcom/venus/hfi_venus.c +++ b/drivers/media/platform/qcom/venus/hfi_venus.c @@ -1094,12 +1094,15 @@ static irqreturn_t venus_isr(struct venus_core *core) { struct venus_hfi_device *hdev = to_hfi_priv(core); u32 status; - void __iomem *cpu_cs_base = hdev->core->cpu_cs_base; - void __iomem *wrapper_base = hdev->core->wrapper_base; + void __iomem *cpu_cs_base; + void __iomem *wrapper_base; if (!hdev) return IRQ_NONE; + cpu_cs_base = hdev->core->cpu_cs_base; + wrapper_base = hdev->core->wrapper_base; + status = readl(wrapper_base + WRAPPER_INTR_STATUS); if (IS_V6(core)) { if (status & WRAPPER_INTR_STATUS_A2H_MASK || @@ -1650,10 +1653,10 @@ void venus_hfi_destroy(struct venus_core *core) { struct venus_hfi_device *hdev = to_hfi_priv(core); + core->priv = NULL; venus_interface_queues_release(hdev); mutex_destroy(&hdev->lock); kfree(hdev); - core->priv = NULL; core->ops = NULL; }
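Review bot: in venus_isr(), the `if (!hdev)` test only protects the case where core->priv was already NULL when `to_hfi_priv(core)` was evaluated at the top of the function; if venus_hfi_destroy() clears and frees the structure after that single load, the later `hdev->core->cpu_cs_base` and `hdev->core->wrapper_base` reads still touch freed memory. Since `core` is already the function argument, consider reading `core->cpu_cs_base` and `core->wrapper_base` directly (assuming hdev->core points back at that same core), which takes hdev out of these two loads entirely, and add a one-line comment above the check stating that a NULL priv means teardown is in progress so the early `return IRQ_NONE` is not mistaken for dead code later.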
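Review bot: in venus_hfi_destroy(), placing `core->priv = NULL;` ahead of venus_interface_queues_release() narrows the window but nothing here waits for an IRQ thread that fetched hdev before the store, so `mutex_destroy(&hdev->lock)` and `kfree(hdev)` can still run while that handler is using the structure. The commit message notes the IRQ stays registered until unbind, so consider quiescing it between the store and the release calls (for example synchronize_irq() on the device's interrupt, or disabling it first), and making the store and the matching load in venus_isr() explicit with WRITE_ONCE()/READ_ONCE() so the compiler cannot reorder or repeat them.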