tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

usb: dwc3: imx8mp: request irq after initializing dwc3

If IRQ occurs between calling devm_request_threaded_irq() and
initializing dwc3_imx->dwc3, then null pointer dereference occurs
since dwc3_imx->dwc3 is used in dwc3_imx8mp_interrupt().

The patch puts registration of the interrupt handler after
initializing of neccesery data.

Found by Linux Driver Verification project (linuxtesting.org).

Reviewed-by: Fabio Estevam <festevam@gmail.com>
Acked-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
Link: https://lore.kernel.org/r/20210819154818.18334-1-lutovinova@ispras.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Nadezda Lutovinova and committed by
Greg Kroah-Hartman 6a48d0ae 4720f1bf

+7 -7
+7 -7
drivers/usb/dwc3/dwc3-imx8mp.c
··· 152 152 } 153 153 dwc3_imx->irq = irq; 154 154 155 - err = devm_request_threaded_irq(dev, irq, NULL, dwc3_imx8mp_interrupt, 156 - IRQF_ONESHOT, dev_name(dev), dwc3_imx); 157 - if (err) { 158 - dev_err(dev, "failed to request IRQ #%d --> %d\n", irq, err); 159 - goto disable_clks; 160 - } 161 - 162 155 pm_runtime_set_active(dev); 163 156 pm_runtime_enable(dev); 164 157 err = pm_runtime_get_sync(dev); ··· 178 185 goto depopulate; 179 186 } 180 187 of_node_put(dwc3_np); 188 + 189 + err = devm_request_threaded_irq(dev, irq, NULL, dwc3_imx8mp_interrupt, 190 + IRQF_ONESHOT, dev_name(dev), dwc3_imx); 191 + if (err) { 192 + dev_err(dev, "failed to request IRQ #%d --> %d\n", irq, err); 193 + goto depopulate; 194 + } 181 195 182 196 device_set_wakeup_capable(dev, true); 183 197 pm_runtime_put(dev);