read_dts_node() registers shared interrupt handlers via devm_request_irq() with fman as the dev_id, passing it to fman_irq() and fman_err_irq(). At registration time, fman is only partially initialized -- kzalloc_obj() zero-initializes all fields, so fman->cfg and fman->fpm_regs are NULL. The handlers guard against incomplete initialization via: if (!is_init_done(fman->cfg)) return IRQ_NONE; However, is_init_done(NULL) returns true (intended to indicate that fman_init() has completed and cfg has been freed). This means when cfg is NULL before fman_config() allocates it, the guard does not take effect: is_init_done(NULL) -> returns true !true -> false guard skipped -> proceeds to dereference NULL fpm_regs If another device on the same shared IRQ line fires during the window between devm_request_irq() and fman_init(), the handler accesses NULL fman->fpm_regs via ioread32be(), causing a crash. The window includes of_platform_populate() which can be slow. Add an irq_ready flag to struct fman that is set to true only after fman_init() completes in fman_probe(). Check this flag at the start of fman_irq() and fman_err_irq() before any register access. Use READ_ONCE()/WRITE_ONCE() for the flag accesses since it is a cross-context shared variable written in process context and read in interrupt context. This issue was identified in code review during the discussion of a separate IRQF_SHARED UAF fix patch: https://lore.kernel.org/netdev/20260626162323.GE1310988@horms.kernel.org/ Signed-off-by: ZhaoJinming --- drivers/net/ethernet/freescale/fman/fman.c | 5 +++++ drivers/net/ethernet/freescale/fman/fman.h | 1 + 2 files changed, 6 insertions(+) diff --git a/drivers/net/ethernet/freescale/fman/fman.c b/drivers/net/ethernet/freescale/fman/fman.c index 013273a2de32..f14cb02d85a4 100644 --- a/drivers/net/ethernet/freescale/fman/fman.c +++ b/drivers/net/ethernet/freescale/fman/fman.c @@ -2510,6 +2510,8 @@ static irqreturn_t fman_err_irq(int irq, void *handle) struct fman_fpm_regs __iomem *fpm_rg; irqreturn_t single_ret, ret = IRQ_NONE; + if (!READ_ONCE(fman->irq_ready)) + return IRQ_NONE; if (!is_init_done(fman->cfg)) return IRQ_NONE; @@ -2608,6 +2610,8 @@ static irqreturn_t fman_irq(int irq, void *handle) struct fman_fpm_regs __iomem *fpm_rg; irqreturn_t single_ret, ret = IRQ_NONE; + if (!READ_ONCE(fman->irq_ready)) + return IRQ_NONE; if (!is_init_done(fman->cfg)) return IRQ_NONE; @@ -2845,6 +2849,7 @@ static int fman_probe(struct platform_device *of_dev) dev_err(dev, "%s: FMan init failed\n", __func__); return -EINVAL; } + WRITE_ONCE(fman->irq_ready, true); if (fman->dts_params.err_irq == 0) { fman_set_exception(fman, FMAN_EX_DMA_BUS_ERROR, false); diff --git a/drivers/net/ethernet/freescale/fman/fman.h b/drivers/net/ethernet/freescale/fman/fman.h index 74eb62eba0d7..ce06d5867a50 100644 --- a/drivers/net/ethernet/freescale/fman/fman.h +++ b/drivers/net/ethernet/freescale/fman/fman.h @@ -314,6 +314,7 @@ struct fman { struct fman_state_struct *state; struct fman_cfg *cfg; + bool irq_ready; /* true after fman_init() completes */ struct muram_info *muram; struct fman_keygen *keygen; /* cam section in muram */ -- 2.20.1