In the Linux kernel, the following vulnerability has been resolved:
serial: rp2: use 'request_firmware' instead of 'request_firmware_nowait'
In 'rp2_probe', the driver registers 'rp2_uart_interrupt' and then calls 'rp2_fw_cb' through 'request_firmware_nowait'. In 'rp2_fw_cb', if the firmware does not exist, the function just returns without initializing the ports of 'rp2_card'. But by now the interrupt handler has been registered, and when an interrupt comes, 'rp2_uart_interrupt' may access those ports, causing a NULL pointer dereference or other bugs.
Because the driver does some initialization work in 'rp2_fw_cb', in order to make the driver ready to handle interrupts, 'request_firmware' should be used instead of the asynchronous 'request_firmware_nowait'.
This report reveals it:
INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef-dirty #45
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xec/0x156 lib/dump_stack.c:118
 assign_lock_key kernel/locking/lockdep.c:727 [inline]
 register_lock_class+0x14e5/0x1ba0 kernel/locking/lockdep.c:753
 __lock_acquire+0x187/0x3750 kernel/locking/lockdep.c:3303
 lock_acquire+0x124/0x340 kernel/locking/lockdep.c:3907
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x32/0x50 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:329 [inline]
 rp2_ch_interrupt drivers/tty/serial/rp2.c:466 [inline]
 rp2_asic_interrupt.isra.9+0x15d/0x990 drivers/tty/serial/rp2.c:493
 rp2_uart_interrupt+0x49/0xe0 drivers/tty/serial/rp2.c:504
 __handle_irq_event_percpu+0xfb/0x770 kernel/irq/handle.c:149
 handle_irq_event_percpu+0x79/0x150 kernel/irq/handle.c:189
 handle_irq_event+0xac/0x140 kernel/irq/handle.c:206
 handle_fasteoi_irq+0x232/0x5c0 kernel/irq/chip.c:725
 generic_handle_irq_desc include/linux/irqdesc.h:155 [inline]
 handle_irq+0x230/0x3a0 arch/x86/kernel/irq_64.c:87
 do_IRQ+0xa7/0x1e0 arch/x86/kernel/irq.c:247
 common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670
 </IRQ>
RIP: 0010:native_safe_halt+0x28/0x30 arch/x86/include/asm/irqflags.h:61
Code: 00 00 55 be 04 00 00 00 48 c7 c7 00 c2 2f 8c 48 89 e5 e8 fb 31 e7 f8 8b 05 75 af 8d 03 85 c0 7e 07 0f 00 2d 8a 61 65 00 fb f4 <5d> c3 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41
RSP: 0018:ffff88806b71fcc8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffde
RAX: 0000000000000000 RBX: ffffffff8bde7e48 RCX: ffffffff88a21285
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff8c2fc200
RBP: ffff88806b71fcc8 R08: fffffbfff185f840 R09: fffffbfff185f840
R10: 0000000000000001 R11: fffffbfff185f840 R12: 0000000000000002
R13: ffffffff8bea18a0 R14: 0000000000000000 R15: 0000000000000000
 arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline]
 default_idle+0x6f/0x360 arch/x86/kernel/process.c:557
 arch_cpu_idle+0xf/0x20 arch/x86/kernel/process.c:548
 default_idle_call+0x3b/0x60 kernel/sched/idle.c:93
 cpuidle_idle_call kernel/sched/idle.c:153 [inline]
 do_idle+0x2ab/0x3c0 kernel/sched/idle.c:263
 cpu_startup_entry+0xcb/0xe0 kernel/sched/idle.c:369
 start_secondary+0x3b8/0x4e0 arch/x86/kernel/smpboot.c:271
 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243
BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
PGD 8000000056d27067 P4D 8000000056d27067 PUD 56d28067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef-dirty #45
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:readl arch/x86/include/asm/io.h:59 [inline]
RIP: 0010:rp2_ch_interrupt drivers/tty/serial/rp2.c:472 [inline]
RIP: 0010:rp2_asic_interrupt.isra.9+0x181/0x990 drivers/tty/serial/rp2.c:493
Co ---truncated---
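To make the ordering problem concrete, here is a small userspace C model of the two probe sequences described above (an added example, not the kernel driver's code). `fw_cb`, `uart_interrupt` and `struct rp2_card` are stand-ins for 'rp2_fw_cb', 'rp2_uart_interrupt' and the driver's card structure, and the firmware loader and the interrupt are simulated by plain function calls.

```c
/* Userspace model of the rp2 probe ordering bug (added example, not the
 * kernel driver's code): fw_cb, uart_interrupt and struct rp2_card stand
 * in for rp2_fw_cb, rp2_uart_interrupt and the driver's card structure. */
#include <stdbool.h>
#include <stddef.h>
struct rp2_port { int irq_count; };
/* ports stays NULL until the firmware callback ran; irq_registered models request_irq() */
struct rp2_card { int n_ports; struct rp2_port *ports; bool irq_registered; };

/* Firmware callback stand-in: on missing firmware it returns early and
 * leaves card->ports unset, as the advisory describes. */
static void fw_cb(struct rp2_card *card, const void *fw) {
    static struct rp2_port storage[2];
    if (!fw)
        return;
    card->n_ports = 2;
    card->ports = storage;
}

/* Interrupt handler stand-in: returns false where the real handler would
 * dereference NULL (readl() in rp2_ch_interrupt, rp2.c:472). */
static bool uart_interrupt(struct rp2_card *card) {
    if (!card->irq_registered || !card->ports)
        return false;
    for (int i = 0; i < card->n_ports; i++)
        card->ports[i].irq_count++;
    return true;
}

/* Buggy order (request_firmware_nowait): handler registered first, ports
 * initialized later. True if an early IRQ found no ports. */
bool probe_nowait_irq_hits_unready_ports(const void *fw) {
    struct rp2_card card = {0};
    card.irq_registered = true;             /* request_irq() */
    bool handled = uart_interrupt(&card);   /* IRQ arrives before fw_cb */
    fw_cb(&card, fw);                       /* async callback runs later */
    return !handled;
}

/* Fixed order (request_firmware): initialize first, abort probe without
 * firmware, register the handler only once ports exist. True if safe. */
bool probe_sync_is_safe(const void *fw) {
    struct rp2_card card = {0};
    fw_cb(&card, fw);
    if (!card.ports)
        return true;                        /* probe fails, no IRQ */
    card.irq_registered = true;             /* request_irq() after init */
    return uart_interrupt(&card);
}
```

Note that the buggy sequence fails even when the firmware file is present: the hazard is the window between registering the handler and the asynchronous callback completing, not only the missing-firmware case.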