Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux

bus: mhi: host: Fix up null pointer access in mhi_irq_handler

The IRQ handler for a shared IRQ ought to be prepared for running
even while it's being freed. So let's check the pointer used by
mhi_irq_handler to avoid a null pointer access, since it is probably
released before freeing the IRQ.

Fixes: 1227d2a20cd7 ("bus: mhi: host: Move IRQ allocation to controller registration phase")
Signed-off-by: Qiang Yu <quic_qianyu@quicinc.com>
Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
Tested-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/1658459838-30802-1-git-send-email-quic_qianyu@quicinc.com
[mani: added fixes tag]
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>

Authored by Qiang Yu and committed by Manivannan Sadhasivam
Commit acc5495b (parent 568035b0)

+16 -3
drivers/bus/mhi/host/main.c
··· 430 430 { 431 431 struct mhi_event *mhi_event = dev; 432 432 struct mhi_controller *mhi_cntrl = mhi_event->mhi_cntrl; 433 - struct mhi_event_ctxt *er_ctxt = 434 - &mhi_cntrl->mhi_ctxt->er_ctxt[mhi_event->er_index]; 433 + struct mhi_event_ctxt *er_ctxt; 435 434 struct mhi_ring *ev_ring = &mhi_event->ring; 436 - dma_addr_t ptr = le64_to_cpu(er_ctxt->rp); 435 + dma_addr_t ptr; 437 436 void *dev_rp; 437 + 438 + /* 439 + * If CONFIG_DEBUG_SHIRQ is set, the IRQ handler will get invoked during __free_irq() 440 + * and by that time mhi_ctxt() would've freed. So check for the existence of mhi_ctxt 441 + * before handling the IRQs. 442 + */ 443 + if (!mhi_cntrl->mhi_ctxt) { 444 + dev_dbg(&mhi_cntrl->mhi_dev->dev, 445 + "mhi_ctxt has been freed\n"); 446 + return IRQ_HANDLED; 447 + } 448 + 449 + er_ctxt = &mhi_cntrl->mhi_ctxt->er_ctxt[mhi_event->er_index]; 450 + ptr = le64_to_cpu(er_ctxt->rp); 438 451 439 452 if (!is_valid_ring_ptr(ev_ring, ptr)) { 440 453 dev_err(&mhi_cntrl->mhi_dev->dev,
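Review bot: the new `if (!mhi_cntrl->mhi_ctxt)` guard is a plain, unsynchronized pointer read, so it only closes the CONFIG_DEBUG_SHIRQ window described in the comment, where `__free_irq()` invokes the handler synchronously after the context has already been torn down; it does not protect against a genuine concurrent free of `mhi_ctxt` from another CPU while a real interrupt is in flight, and the comment should say so explicitly rather than read as a general NULL check. The comment text itself also needs a tidy: "by that time mhi_ctxt() would've freed" renders `mhi_ctxt` as a function call and is missing "been"; suggest `* and by that time mhi_ctxt would have been freed. So check for the existence of mhi_ctxt`. Finally, consider whether `return IRQ_HANDLED;` is the right status for the early-out: the handler has not serviced any device event at that point, and on a shared line reporting it as handled hides the fact from the spurious-IRQ accounting; `IRQ_NONE` is the conventional choice for "not ours / not ready", unless the intent is specifically to keep the DEBUG_SHIRQ probe quiet, in which case the comment should state that reason.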