diff options
| author |   Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-08-30 16:13:32 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-08-30 16:13:32 +0200 |
| commit | 5ef251b9b73ff9f62aa5ac60427af05b2b594a55 (patch) | |
| tree | 771d26b52cf2a49662138faee26c1203f1469c38 | |
| parent | Merge tag 'peci-fixes-6.0' of git://git.kernel.org/pub/scm/linux/kernel/git/iwi/linux into char-misc-linus (diff) | |
| parent | bus: mhi: host: Fix up null pointer access in mhi_irq_handler (diff) | |
| download | wireguard-linux-5ef251b9b73ff9f62aa5ac60427af05b2b594a55.tar.xz wireguard-linux-5ef251b9b73ff9f62aa5ac60427af05b2b594a55.zip | |
Merge tag 'mhi-fixes-for-v6.0' of git://git.kernel.org/pub/scm/linux/kernel/git/mani/mhi into char-misc-linus
Manivannan writes:
"A single fix targeting the MHI host stack:
- Since the commit 1227d2a20cd7 ("bus: mhi: host: Move IRQ allocation to
controller registration phase"), the MHI context gets freed during
mhi_unregister_controller(). But when the MHI IRQs are shared, the IRQ
handler may get invoked during __free_irq() if CONFIG_DEBUG_SHIRQ is set.
In that case, there will be a null pointer dereference because of trying to
use the freed context struct.
So for fixing the issue, let's check for the existence of the context struct
at the start of the handler before handling the IRQ."
* tag 'mhi-fixes-for-v6.0' of git://git.kernel.org/pub/scm/linux/kernel/git/mani/mhi:
bus: mhi: host: Fix up null pointer access in mhi_irq_handler
Diffstat (limited to '')
| -rw-r--r-- | drivers/bus/mhi/host/main.c | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/drivers/bus/mhi/host/main.c b/drivers/bus/mhi/host/main.c index f3aef77a6a4a..df0fbfee7b78 100644 --- a/drivers/bus/mhi/host/main.c +++ b/drivers/bus/mhi/host/main.c @@ -430,12 +430,25 @@ irqreturn_t mhi_irq_handler(int irq_number, void *dev) { struct mhi_event *mhi_event = dev; struct mhi_controller *mhi_cntrl = mhi_event->mhi_cntrl; - struct mhi_event_ctxt *er_ctxt = - &mhi_cntrl->mhi_ctxt->er_ctxt[mhi_event->er_index]; + struct mhi_event_ctxt *er_ctxt; struct mhi_ring *ev_ring = &mhi_event->ring; - dma_addr_t ptr = le64_to_cpu(er_ctxt->rp); + dma_addr_t ptr; void *dev_rp; + /* + * If CONFIG_DEBUG_SHIRQ is set, the IRQ handler will get invoked during __free_irq() + * and by that time mhi_ctxt() would've freed. So check for the existence of mhi_ctxt + * before handling the IRQs. + */ + if (!mhi_cntrl->mhi_ctxt) { + dev_dbg(&mhi_cntrl->mhi_dev->dev, + "mhi_ctxt has been freed\n"); + return IRQ_HANDLED; + } + + er_ctxt = &mhi_cntrl->mhi_ctxt->er_ctxt[mhi_event->er_index]; + ptr = le64_to_cpu(er_ctxt->rp); + if (!is_valid_ring_ptr(ev_ring, ptr)) { dev_err(&mhi_cntrl->mhi_dev->dev, "Event ring rp points outside of the event ring\n"); |