review.tizen.org Git - platform/kernel/linux-rpi.git/commit

author	Dmitriy Ulitin <ulitin@ispras.ru>
	Thu, 27 May 2021 15:06:26 +0000 (17:06 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 18 Nov 2021 18:16:12 +0000 (19:16 +0100)
commit	673ce2812ed4a3e22baf3fd82f8b0f4004ec2462
tree	428724bc7dca86f9c1c09e4fa9b4f7e9c3171136	tree \| snapshot
parent	25bde3ba1a34eb981c2fac9568e7aca90777e6d2	commit \| diff

media: stm32: Potential NULL pointer dereference in dcmi_irq_thread()

[ Upstream commit 548fa43a58696450c15b8f5564e99589c5144664 ]

At the moment of enabling irq handling:

1922 ret = devm_request_threaded_irq(&pdev->dev, irq, dcmi_irq_callback,
1923 dcmi_irq_thread, IRQF_ONESHOT,
1924 dev_name(&pdev->dev), dcmi);

there is still uninitialized field sd_format of struct stm32_dcmi *dcmi.
If an interrupt occurs in the interval between the installation of the
interrupt handler and the initialization of this field, NULL pointer
dereference happens.

This field is dereferenced in the handler function without any check:

457 if (dcmi->sd_format->fourcc == V4L2_PIX_FMT_JPEG &&
458 dcmi->misr & IT_FRAME) {

The patch moves interrupt handler installation
after initialization of the sd_format field that happens in
dcmi_graph_notify_complete() via dcmi_set_default_fmt().

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Dmitriy Ulitin <ulitin@ispras.ru>
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>