[ldv-project] [POTENTIAL BUG] stm32: Potential NULL pointer dereference in dcmi_irq_thread()

Dmitriy Ulitin ulitin at ispras.ru
Mon May 31 21:25:34 MSK 2021


At the moment of enabling irq handling:

1922 ret = devm_request_threaded_irq(&pdev->dev, irq, dcmi_irq_callback,
1923			dcmi_irq_thread, IRQF_ONESHOT,
1924			dev_name(&pdev->dev), dcmi);

the field sd_format of struct stm32_dcmi *dcmi is still uninitialized.
If an interrupt occurs in the interval between the installation of the
interrupt handler and the initialization of this field, a NULL pointer
dereference happens.

This field is dereferenced in the handler function without any check:

457 if (dcmi->sd_format->fourcc == V4L2_PIX_FMT_JPEG &&
458	    dcmi->misr & IT_FRAME) {

The initialization of the sd_format field happens in
dcmi_graph_notify_complete() via dcmi_set_default_fmt().

Is it guaranteed that an interrupt does not occur in this interval?
If it is not, would it be better to move the interrupt handler installation
after the initialization of this field has been completed?

Found by Linux Driver Verification project (linuxtesting.org).
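Added example, not part of the report above and not code from the stm32-dcmi driver or the kernel: a constructed user-space model of the ordering problem described. The irq layer (devm_request_threaded_irq_model, fire_irq), the value of IT_FRAME, the probe functions and the struct layout are hypothetical stand-ins; only the shape of the handler's check mirrors the quoted line 457. It fires an interrupt in the window between handler installation and sd_format initialization for both orderings, and also shows the other possible fix, a NULL check in the handler.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel/V4L2 definitions named in the report. */
#define V4L2_PIX_FMT_JPEG 0x4745504au   /* fourcc 'JPEG' */
#define IT_FRAME          (1u << 0)     /* hypothetical value for the DCMI frame-interrupt flag */
#define IRQ_HANDLED       1

struct dcmi_format { uint32_t fourcc; };
static const struct dcmi_format jpeg_fmt = { V4L2_PIX_FMT_JPEG };

struct stm32_dcmi {
    const struct dcmi_format *sd_format; /* NULL until the default format is set */
    uint32_t misr;                       /* interrupt status as seen by the handler */
    int frames;                          /* frames counted by the handler */
};

/* Toy model of the irq layer: one line, one threaded handler, fired explicitly. */
typedef int (*irq_thread_fn)(int irq, void *arg);
static irq_thread_fn line_handler;
static void *line_arg;
static int null_derefs;   /* dereferences that would be an oops in the real kernel */

static void devm_request_threaded_irq_model(irq_thread_fn fn, void *arg)
{
    line_handler = fn;
    line_arg = arg;
}

static void free_irq_model(void) { line_handler = NULL; line_arg = NULL; }

/* Deliver an interrupt with the given status bits; no-op while no handler is installed. */
static void fire_irq(uint32_t misr)
{
    if (!line_handler)
        return;
    ((struct stm32_dcmi *)line_arg)->misr = misr;
    line_handler(0, line_arg);
}

/* Mirrors the reported handler: sd_format is used without a check. The NULL
 * test below is instrumentation only; it records the crash instead of crashing. */
static int dcmi_irq_thread_model(int irq, void *arg)
{
    struct stm32_dcmi *dcmi = arg;
    (void)irq;
    if (dcmi->sd_format == NULL) { null_derefs++; return IRQ_HANDLED; }
    if (dcmi->sd_format->fourcc == V4L2_PIX_FMT_JPEG && (dcmi->misr & IT_FRAME))
        dcmi->frames++;
    return IRQ_HANDLED;
}

/* Alternative fix: the handler tolerates a not-yet-initialized format. */
static int dcmi_irq_thread_guarded(int irq, void *arg)
{
    struct stm32_dcmi *dcmi = arg;
    (void)irq;
    if (!dcmi->sd_format)   /* probe not finished: nothing to do for this frame */
        return IRQ_HANDLED;
    if (dcmi->sd_format->fourcc == V4L2_PIX_FMT_JPEG && (dcmi->misr & IT_FRAME))
        dcmi->frames++;
    return IRQ_HANDLED;
}

/* Ordering as in the report: the irq is live before sd_format is set.
 * Returns how many NULL dereferences the probe sequence produced. */
static int probe_irq_before_fmt(struct stm32_dcmi *dcmi, irq_thread_fn fn, int irq_fires_early)
{
    int before = null_derefs;
    memset(dcmi, 0, sizeof(*dcmi));
    devm_request_threaded_irq_model(fn, dcmi);
    if (irq_fires_early)
        fire_irq(IT_FRAME);          /* the window between request and initialization */
    dcmi->sd_format = &jpeg_fmt;     /* what dcmi_set_default_fmt() eventually does */
    fire_irq(IT_FRAME);              /* an ordinary frame after setup */
    free_irq_model();
    return null_derefs - before;
}

/* Reordered probe: the field is initialized before the handler can run. */
static int probe_fmt_before_irq(struct stm32_dcmi *dcmi, irq_thread_fn fn, int irq_fires_early)
{
    int before = null_derefs;
    memset(dcmi, 0, sizeof(*dcmi));
    dcmi->sd_format = &jpeg_fmt;
    devm_request_threaded_irq_model(fn, dcmi);
    if (irq_fires_early)
        fire_irq(IT_FRAME);          /* same moment, now harmless */
    fire_irq(IT_FRAME);
    free_irq_model();
    return null_derefs - before;
}

static struct stm32_dcmi dev;

int main(void)
{
    printf("irq before fmt, early irq:  %d NULL deref(s)\n",
           probe_irq_before_fmt(&dev, dcmi_irq_thread_model, 1));
    printf("fmt before irq, early irq:  %d NULL deref(s)\n",
           probe_fmt_before_irq(&dev, dcmi_irq_thread_model, 1));
    printf("guarded handler, early irq: %d NULL deref(s)\n",
           probe_irq_before_fmt(&dev, dcmi_irq_thread_guarded, 1));
    return 0;
}
```

Either moving the request after the field is set or checking the pointer in the handler closes the window; the reordering is the smaller change only if nothing else in probe needs the irq live before the format is known.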
