Null-ptr-deref in xcv_init_hw()

Kyungwook Boo bookyungwook at gmail.com
Sun Mar 2 22:48:42 PST 2025


Hello,

It seems that xcv_init_hw() can be called in bgx_probe() regardless of whether
xcv_probe() has been executed, leading to a potential null pointer dereference.

The following is a call stack example:

bgx_probe
  ├── xcv_init_hw
  │     ├── readq_relaxed(xcv->reg_base + XCV_RESET)  // NULL pointer dereference

In bgx_probe(), if the PCI device ID matches PCI_DEVICE_ID_THUNDER_RGX,
xcv_init_hw() is called:

pci_read_config_word(pdev, PCI_DEVICE_ID, &sdevid);
if (sdevid != PCI_DEVICE_ID_THUNDER_RGX) {
} else {
    xcv_init_hw();
}

However, xcv_init_hw() performs an MMIO read on xcv->reg_base, which is expected
to be initialized by xcv_probe():

cfg = readq_relaxed(xcv->reg_base + XCV_RESET);
Could you check this?

Best regards,
Kyungwook Boo
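A constructed C model of the ordering hazard described in the report and of one defensive guard, added here as an example; it is not the thunder driver's code. The int return value of xcv_init_hw(), the fake register window and the error propagation in the bgx_probe() path are assumptions made for this model.

```c
/* Model of a driver-wide static pointer that one probe routine (xcv_probe)
 * sets and another (bgx_probe -> xcv_init_hw) consumes. If the consumer
 * runs first, the pointer is still NULL and the MMIO read dereferences it. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define XCV_RESET 0x00  /* register offset, as in the report */

struct xcv {
    uint64_t *reg_base;  /* stands in for the ioremap'd MMIO window (assumption) */
};

/* Driver-wide pointer, NULL until xcv_probe() has run. */
static struct xcv *xcv;

/* Constructed stand-in for the BAR that xcv_probe() would map. */
static uint64_t fake_regs[16];

int xcv_probe(void)
{
    static struct xcv dev;

    dev.reg_base = fake_regs;
    xcv = &dev;
    return 0;
}

/* Hardened consumer: refuse to touch MMIO until the XCV device is probed,
 * instead of reading through a NULL xcv. */
int xcv_init_hw(void)
{
    uint64_t cfg;

    if (!xcv || !xcv->reg_base)
        return -ENODEV;
    cfg = xcv->reg_base[XCV_RESET / sizeof(uint64_t)];  /* models readq_relaxed() */
    (void)cfg;
    return 0;
}

/* The RGX branch of bgx_probe(): report and propagate the failure so the
 * probe can fail cleanly rather than crash. */
int bgx_probe_rgx_path(void)
{
    int err = xcv_init_hw();

    if (err)
        fprintf(stderr, "xcv_init_hw: XCV not probed yet (%d)\n", err);
    return err;
}
```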
