Details


Issue of the Implementation # L0293

Brief

dmaengine: rcar-dmac: initialize all data before registering IRQ handler

Detailed Description

Consider the following case:

Thread 1 (probe):                           Thread 2 (interrupt):
rcar_dmac_probe
->rcar_dmac_chan_probe(&dmac->channels[i])
    rchan = &dmac->channels[i]
    chan = &rchan->chan
    devm_request_threaded_irq(rchan)        <- handler can fire from here on
    chan->device = &dmac->engine            rcar_dmac_isr_channel
                                            ->rcar_dmac_isr_transfer_end(chan)
                                              ->rcar_dmac_chan_start_xfer(chan)
  engine->dev = &pdev->dev;                     chan->chan.device->dev
  (rcar-dmac.c: line 1828)                      (rcar-dmac.c: line 351)

engine->dev is not assigned until later in rcar_dmac_probe (line 1828), but the per-channel IRQ handler is already registered by rcar_dmac_chan_probe before that point. If the interrupt fires in between, rcar_dmac_chan_start_xfer dereferences chan->chan.device->dev, which is (&dmac->engine)->dev and still NULL, so the kernel can take a NULL pointer dereference. Note that chan->device itself is also only set after devm_request_threaded_irq() returns, so an interrupt in that window reads a NULL chan->chan.device as well. The fix is to initialize every field the handler reads before requesting the IRQ.
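
The following userspace model illustrates the ordering problem and the corrected ordering. It is added here as an example and is not code from rcar-dmac or the kernel: the struct names mirror the driver's but are reduced to the fields on the reported path, model_request_irq() stands in for devm_request_threaded_irq() and invokes the handler immediately (the worst-case interleaving, where the interrupt is already pending when the handler is registered), and the handler returns -1 where the real driver would dereference NULL. The device name and the two-channel count are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reduced models of the driver's structures (constructed for this example). */
struct device { const char *name; };
struct dma_device { struct device *dev; };
struct dma_chan { struct dma_device *device; };
struct rcar_dmac_chan { struct dma_chan chan; unsigned int index; };
struct rcar_dmac {
	struct dma_device engine;
	struct rcar_dmac_chan channels[2];	/* channel count is constructed */
};

typedef int (*model_irq_handler_t)(struct rcar_dmac_chan *rchan);

/*
 * Model of devm_request_threaded_irq(): once registered, the handler may run
 * at any moment (pending or spurious interrupt), so the model runs it at once
 * to exercise the worst-case interleaving from the trace above.
 */
static int model_request_irq(model_irq_handler_t handler,
			     struct rcar_dmac_chan *rchan)
{
	return handler(rchan);
}

/*
 * Handler path from the report: rcar_dmac_isr_channel ->
 * rcar_dmac_isr_transfer_end -> rcar_dmac_chan_start_xfer, which reads
 * chan->chan.device->dev. Returns -1 where the kernel would crash.
 */
static int model_isr_channel(struct rcar_dmac_chan *rchan)
{
	struct dma_device *device = rchan->chan.device;

	if (device == NULL || device->dev == NULL)
		return -1;	/* NULL pointer dereference in the real driver */
	printf("channel %u: start xfer on %s\n", rchan->index, device->dev->name);
	return 0;
}

/* Ordering shown in the trace: IRQ requested before the data it needs exists. */
static int probe_buggy(struct rcar_dmac *dmac, struct device *pdev_dev)
{
	unsigned int i;
	int ret;

	memset(dmac, 0, sizeof(*dmac));
	for (i = 0; i < 2; i++) {
		struct rcar_dmac_chan *rchan = &dmac->channels[i];

		rchan->index = i;
		ret = model_request_irq(model_isr_channel, rchan); /* too early */
		rchan->chan.device = &dmac->engine;
		if (ret)
			return ret;
	}
	dmac->engine.dev = pdev_dev;	/* corresponds to line 1828 in the report */
	return 0;
}

/* Ordering the brief asks for: initialize all data, then register the handler. */
static int probe_fixed(struct rcar_dmac *dmac, struct device *pdev_dev)
{
	unsigned int i;

	memset(dmac, 0, sizeof(*dmac));
	dmac->engine.dev = pdev_dev;
	for (i = 0; i < 2; i++) {
		struct rcar_dmac_chan *rchan = &dmac->channels[i];
		int ret;

		rchan->index = i;
		rchan->chan.device = &dmac->engine;
		ret = model_request_irq(model_isr_channel, rchan);
		if (ret)
			return ret;
	}
	return 0;
}

/* Entry points that build their own objects so each scenario runs stand-alone. */
int run_probe_buggy(void)
{
	struct device pdev_dev = { "dmac0" };	/* constructed device name */
	struct rcar_dmac dmac;

	return probe_buggy(&dmac, &pdev_dev);
}

int run_probe_fixed(void)
{
	struct device pdev_dev = { "dmac0" };
	struct rcar_dmac dmac;

	return probe_fixed(&dmac, &pdev_dev);
}

int main(void)
{
	printf("buggy ordering returned %d\n", run_probe_buggy());
	printf("fixed ordering returned %d\n", run_probe_fixed());
	return 0;
}
```

With the model firing the interrupt synchronously, probe_buggy() reports the would-be NULL dereference on the first channel, while probe_fixed() completes both channels. The general rule the example encodes is the one in the brief: request_irq() (or any registration that makes a callback reachable) must be the last step of initialization, after every pointer the callback may follow has been assigned.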

Component

linux-kernel 4.13

Accepted

https://patchwork.kernel.org/patch/9911633/
commit

Status

Fixed in kernel 4.14-rc1