On Fri, Feb 03, 2023 at 01:18:28PM +0300, Anastasia Belova wrote:
> Before dereferencing dev->driver check it for NULL.
>
> If an interrupt handler is called after assigning
> NULL to dev->driver, but before resetting dev->int_enable,
> NULL-pointer will be dereferenced.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Anastasia Belova <abelova@xxxxxxxxxxxxx>
> ---
> drivers/usb/gadget/udc/goku_udc.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/gadget/udc/goku_udc.c b/drivers/usb/gadget/udc/goku_udc.c > index bdc56b24b5c9..896bba8b47f1 100644 > --- a/drivers/usb/gadget/udc/goku_udc.c > +++ b/drivers/usb/gadget/udc/goku_udc.c > @@ -1616,8 +1616,9 @@ static irqreturn_t goku_irq(int irq, void *_dev) > pm_next: > if (stat & INT_USBRESET) { /* hub reset done */ > ACK(INT_USBRESET); > - INFO(dev, "USB reset done, gadget %s\n", > - dev->driver->driver.name); > + if (dev->driver) > + INFO(dev, "USB reset done, gadget %s\n", > + dev->driver->driver.name);

How can this ever happen? Can you trigger this somehow? If not, I don't think this is going to be possible (also what's up with printk from an irq handler???)

Odds are, no one actually has this hardware anymore, right?

thanks,

greg k-h
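
Review bot: The added `if (dev->driver)` in the INT_USBRESET branch of goku_irq() tests the pointer and then reads it a second time inside INFO(), so if dev->driver can really be set to NULL concurrently, as the commit message describes, the check narrows the window but does not close it. Either show that the handler and the code clearing dev->driver are serialized by a lock, in which case the commit message should explain how the handler can observe NULL at all, or read the pointer once into a local variable and use that local for both the test and the `driver.name` access. The commit message should also say whether the race was reproduced or only reported by the static analyzer, since the hunk alone does not show a path that reaches this branch with dev->driver cleared.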