If IRQ occurs between calling devm_request_threaded_irq() and allegro_firmware_request_nowait(), then null pointer dereference occurs since dev->mbox_status wasn't initialized yet but used in allegro_mbox_notify(). The patch puts registration of the interrupt handler after initializing of neccesery data. Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Nadezda Lutovinova <lutovinova@xxxxxxxxx>
---
 .../media/platform/allegro-dvt/allegro-core.c | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/drivers/media/platform/allegro-dvt/allegro-core.c b/drivers/media/platform/allegro-dvt/allegro-core.c
index 887b492e4ad1..9c1997ff74e8 100644
--- a/drivers/media/platform/allegro-dvt/allegro-core.c
+++ b/drivers/media/platform/allegro-dvt/allegro-core.c
@@ -3707,18 +3707,6 @@ static int allegro_probe(struct platform_device *pdev)
 		return PTR_ERR(dev->sram);
 	}
-	irq = platform_get_irq(pdev, 0);
-	if (irq < 0)
-		return irq;
-	ret = devm_request_threaded_irq(&pdev->dev, irq,
-					allegro_hardirq,
-					allegro_irq_thread,
-					IRQF_SHARED, dev_name(&pdev->dev), dev);
-	if (ret < 0) {
-		dev_err(&pdev->dev, "failed to request irq: %d\n", ret);
-		return ret;
-	}
 	ret = v4l2_device_register(&pdev->dev, &dev->v4l2_dev);
 	if (ret)
 		return ret;
@@ -3732,6 +3720,18 @@ static int allegro_probe(struct platform_device *pdev)
 		return ret;
 	}
+	irq = platform_get_irq(pdev, 0);
+	if (irq < 0)
+		return irq;
+	ret = devm_request_threaded_irq(&pdev->dev, irq,
+					allegro_hardirq,
+					allegro_irq_thread,
+					IRQF_SHARED, dev_name(&pdev->dev), dev);
+	if (ret < 0) {
+		dev_err(&pdev->dev, "failed to request irq: %d\n", ret);
+		return ret;
+	}
 	return 0;
 }
-- 
2.17.1
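Review bot: The error paths of the moved block in the second hunk (`return irq;` and `return ret;` after the dev_err) now run after everything probe set up earlier, but still bail out without undoing any of it — v4l2_device_register() is visible in the first hunk's context, and the block whose `return ret; }` sits just above the added lines appears to be the allegro_firmware_request_nowait() call named in the description. If that firmware request is asynchronous, a failed IRQ request now returns from probe with its completion callback still pending against devm-managed state, which is the same class of late-callback problem the patch fixes for the IRQ side; I cannot confirm this from the hunks since the middle of allegro_probe() is outside them. Either request the IRQ between v4l2_device_register() and the firmware request, if dev->mbox_status is already initialized by then, or add `v4l2_device_unregister(&dev->v4l2_dev);` before the two returns and make sure the pending firmware request is cancelled. The earlier returns in the same function (the `if (ret) return ret;` after v4l2_device_register() and the `return ret;` in the second hunk's context) have the same shape, so a shared goto-style unwind would cover all of them. Worth a one-line comment above the moved block too, e.g. `/* Request the IRQ last: with IRQF_SHARED the handler can run as soon as it is registered and needs dev->mbox_status to be valid. */`, since the ordering is now load-bearing.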