rtc: sh: fix possible race condition · tjh.dev/kernel@1097998

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

rtc: sh: fix possible race condition

The IRQ is requested before the struct rtc is allocated and registered, but
this struct is used in the IRQ handler. This may lead to a NULL pointer
dereference.

Switch to devm_rtc_allocate_device/rtc_register_device to allocate the rtc
struct before requesting the IRQ.

Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>

Alexandre Belloni 7 years ago 1097998d 9852023d

+9 -7

1 changed file

expand all

drivers

rtc

rtc-sh.c

+9 -7

drivers/rtc/rtc-sh.c

··· 530 530 rtc->clk = NULL; 531 531 } 532 532 533 + rtc->rtc_dev = devm_rtc_allocate_device(&pdev->dev); 534 + if (IS_ERR(rtc->rtc_dev)) 535 + return PTR_ERR(rtc->rtc_dev); 536 + 533 537 clk_enable(rtc->clk); 534 538 535 539 rtc->capabilities = RTC_DEF_CAPABILITIES; ··· 597 593 sh_rtc_setaie(&pdev->dev, 0); 598 594 sh_rtc_setcie(&pdev->dev, 0); 599 595 600 - rtc->rtc_dev = devm_rtc_device_register(&pdev->dev, "sh", 601 - &sh_rtc_ops, THIS_MODULE); 602 - if (IS_ERR(rtc->rtc_dev)) { 603 - ret = PTR_ERR(rtc->rtc_dev); 604 - goto err_unmap; 605 - } 606 - 596 + rtc->rtc_dev->ops = &sh_rtc_ops; 607 597 rtc->rtc_dev->max_user_freq = 256; 598 + 599 + ret = rtc_register_device(rtc->rtc_dev); 600 + if (ret) 601 + goto err_unmap; 608 602 609 603 device_init_wakeup(&pdev->dev, 1); 610 604 return 0;