Re: [PATCH] goku_udc: Add check for NULL in goku_irq
From: Анастасия Белова
Date: Wed Feb 15 2023 - 08:40:18 EST
03.02.2023 13:45, Greg Kroah-Hartman пишет:
On Fri, Feb 03, 2023 at 01:18:28PM +0300, Anastasia Belova wrote:
Before dereferencing dev->driver check it for NULL.
If an interrupt handler is called after assigning
NULL to dev->driver, but before resetting dev->int_enable,
NULL-pointer will be dereferenced.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Anastasia Belova <abelova@xxxxxxxxxxxxx>
---
drivers/usb/gadget/udc/goku_udc.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/udc/goku_udc.c b/drivers/usb/gadget/udc/goku_udc.c
index bdc56b24b5c9..896bba8b47f1 100644
--- a/drivers/usb/gadget/udc/goku_udc.c
+++ b/drivers/usb/gadget/udc/goku_udc.c
@@ -1616,8 +1616,9 @@ static irqreturn_t goku_irq(int irq, void *_dev)
pm_next:
if (stat & INT_USBRESET) { /* hub reset done */
ACK(INT_USBRESET);
- INFO(dev, "USB reset done, gadget %s\n",
- dev->driver->driver.name);
+ if (dev->driver)
+ INFO(dev, "USB reset done, gadget %s\n",
+ dev->driver->driver.name);
How can this ever happen? Can you trigger this somehow? If not, I
don't think this is going to be possible (also what's up with printk
from an irq handler???)
Unfortunately, I can't find the way to trigger this at the moment.
What about printk, should trace_printk be used instead?
Odds are, no one actually has this hardware anymore, right?
Despite of this, such vulnerability should be fixed because
there is a possibility to exploit it.
thanks,
greg k-h
Best regards,
Anastasia Belova