linux-kernel.vger.kernel.org archive mirror
* [PATCH] clockevent: sun4i: Fix race condition in the probe code
@ 2014-11-18 22:59 Maxime Ripard
  2014-11-19  9:21 ` Daniel Lezcano
  0 siblings, 1 reply; 3+ messages in thread
From: Maxime Ripard @ 2014-11-18 22:59 UTC (permalink / raw)
  To: Daniel Lezcano, Thomas Gleixner
  Cc: linux-kernel, linux-arm-kernel, Roman Byshko, Maxime Ripard, stable

The interrupts were activated and the handler registered before the clockevent
was registered in the probe function.

The interrupt handler, however, was making the assumption that the clockevent
device was registered.

That could cause a null pointer dereference if the timer interrupt was firing
during this narrow window.

Fix that by moving the clockevent registration before the interrupt is enabled.

Reported-by: Roman Byshko <rbyshko@gmail.com>
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Cc: stable@vger.kernel.org
---
 drivers/clocksource/sun4i_timer.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/clocksource/sun4i_timer.c b/drivers/clocksource/sun4i_timer.c
index efb17c3ee120..f4a9c0058b4d 100644
--- a/drivers/clocksource/sun4i_timer.c
+++ b/drivers/clocksource/sun4i_timer.c
@@ -182,6 +182,12 @@ static void __init sun4i_timer_init(struct device_node *node)
 	/* Make sure timer is stopped before playing with interrupts */
 	sun4i_clkevt_time_stop(0);
 
+	sun4i_clockevent.cpumask = cpu_possible_mask;
+	sun4i_clockevent.irq = irq;
+
+	clockevents_config_and_register(&sun4i_clockevent, rate,
+					TIMER_SYNC_TICKS, 0xffffffff);
+
 	ret = setup_irq(irq, &sun4i_timer_irq);
 	if (ret)
 		pr_warn("failed to setup irq %d\n", irq);
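Review bot: The setup_irq() failure path after the moved block still only warns (`if (ret) pr_warn("failed to setup irq %d\n", irq);`) and falls through, so with registration now ahead of it a failed setup_irq() leaves sun4i_clockevent registered with no handler behind its interrupt. The pre-patch code had the same fall-through, but since this patch is about init ordering it would be worth either returning on failure before the clockevent is registered (by calling setup_irq() with the hardware enable still off and registering in between) or stating in the changelog that the failure case is deliberately left alone.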
@@ -189,12 +195,6 @@ static void __init sun4i_timer_init(struct device_node *node)
 	/* Enable timer0 interrupt */
 	val = readl(timer_base + TIMER_IRQ_EN_REG);
 	writel(val | TIMER_IRQ_EN(0), timer_base + TIMER_IRQ_EN_REG);
-
-	sun4i_clockevent.cpumask = cpu_possible_mask;
-	sun4i_clockevent.irq = irq;
-
-	clockevents_config_and_register(&sun4i_clockevent, rate,
-					TIMER_SYNC_TICKS, 0xffffffff);
 }
 CLOCKSOURCE_OF_DECLARE(sun4i, "allwinner,sun4i-a10-timer",
 		       sun4i_timer_init);
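Review bot: The write of `val | TIMER_IRQ_EN(0)` to TIMER_IRQ_EN_REG is now the last statement of sun4i_timer_init() and is executed unconditionally, including when setup_irq() returned an error in the previous hunk. Consider skipping the enable when `ret` is non-zero, so the timer interrupt is never unmasked at the timer without a registered handler.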
-- 
2.1.1



* Re: [PATCH] clockevent: sun4i: Fix race condition in the probe code
  2014-11-18 22:59 [PATCH] clockevent: sun4i: Fix race condition in the probe code Maxime Ripard
@ 2014-11-19  9:21 ` Daniel Lezcano
  0 siblings, 0 replies; 3+ messages in thread
From: Daniel Lezcano @ 2014-11-19  9:21 UTC (permalink / raw)
  To: Maxime Ripard, Thomas Gleixner
  Cc: linux-kernel, linux-arm-kernel, Roman Byshko, stable

On 11/18/2014 11:59 PM, Maxime Ripard wrote:
> The interrupts were activated and the handler registered before the clockevent
> was registered in the probe function.
>
> The interrupt handler, however, was making the assumption that the clockevent
> device was registered.
>
> That could cause a null pointer dereference if the timer interrupt was firing
> during this narrow window.
>
> Fix that by moving the clockevent registration before the interrupt is enabled.
>
> Reported-by: Roman Byshko <rbyshko@gmail.com>
> Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
> Cc: stable@vger.kernel.org

Applied to my tree as 3.18 fix.

Thanks !

   -- Daniel

> ---
>   drivers/clocksource/sun4i_timer.c | 12 ++++++------
>   1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/clocksource/sun4i_timer.c b/drivers/clocksource/sun4i_timer.c
> index efb17c3ee120..f4a9c0058b4d 100644
> --- a/drivers/clocksource/sun4i_timer.c
> +++ b/drivers/clocksource/sun4i_timer.c
> @@ -182,6 +182,12 @@ static void __init sun4i_timer_init(struct device_node *node)
>   	/* Make sure timer is stopped before playing with interrupts */
>   	sun4i_clkevt_time_stop(0);
>
> +	sun4i_clockevent.cpumask = cpu_possible_mask;
> +	sun4i_clockevent.irq = irq;
> +
> +	clockevents_config_and_register(&sun4i_clockevent, rate,
> +					TIMER_SYNC_TICKS, 0xffffffff);
> +
>   	ret = setup_irq(irq, &sun4i_timer_irq);
>   	if (ret)
>   		pr_warn("failed to setup irq %d\n", irq);
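Review bot: Nothing at the moved clockevents_config_and_register() call records why it has to sit above setup_irq(); the only nearby comment is the existing "Make sure timer is stopped before playing with interrupts". A one-line comment on the added block saying that the interrupt handler assumes the clockevent device is already registered would keep a later cleanup from moving the registration back to the end of the function and reintroducing the window described in the commit message.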
> @@ -189,12 +195,6 @@ static void __init sun4i_timer_init(struct device_node *node)
>   	/* Enable timer0 interrupt */
>   	val = readl(timer_base + TIMER_IRQ_EN_REG);
>   	writel(val | TIMER_IRQ_EN(0), timer_base + TIMER_IRQ_EN_REG);
> -
> -	sun4i_clockevent.cpumask = cpu_possible_mask;
> -	sun4i_clockevent.irq = irq;
> -
> -	clockevents_config_and_register(&sun4i_clockevent, rate,
> -					TIMER_SYNC_TICKS, 0xffffffff);
>   }
>   CLOCKSOURCE_OF_DECLARE(sun4i, "allwinner,sun4i-a10-timer",
>   		       sun4i_timer_init);
>


-- 
  <http://www.linaro.org/> Linaro.org │ Open source software for ARM SoCs

Follow Linaro:  <http://www.facebook.com/pages/Linaro> Facebook |
<http://twitter.com/#!/linaroorg> Twitter |
<http://www.linaro.org/linaro-blog/> Blog



* [PATCH] clockevent: sun4i: Fix race condition in the probe code
  2014-11-19  9:47 [GIT PULL] clockevents: 3.18 fix Daniel Lezcano
@ 2014-11-19  9:49 ` Daniel Lezcano
  0 siblings, 0 replies; 3+ messages in thread
From: Daniel Lezcano @ 2014-11-19  9:49 UTC (permalink / raw)
  To: tglx; +Cc: linux-kernel, maxime.ripard

From: Maxime Ripard <maxime.ripard@free-electrons.com>

The interrupts were activated and the handler registered before the clockevent
was registered in the probe function.

The interrupt handler, however, was making the assumption that the clockevent
device was registered.

That could cause a null pointer dereference if the timer interrupt was firing
during this narrow window.

Fix that by moving the clockevent registration before the interrupt is enabled.

Reported-by: Roman Byshko <rbyshko@gmail.com>
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
---
 drivers/clocksource/sun4i_timer.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/clocksource/sun4i_timer.c b/drivers/clocksource/sun4i_timer.c
index efb17c3..f4a9c00 100644
--- a/drivers/clocksource/sun4i_timer.c
+++ b/drivers/clocksource/sun4i_timer.c
@@ -182,6 +182,12 @@ static void __init sun4i_timer_init(struct device_node *node)
 	/* Make sure timer is stopped before playing with interrupts */
 	sun4i_clkevt_time_stop(0);
 
+	sun4i_clockevent.cpumask = cpu_possible_mask;
+	sun4i_clockevent.irq = irq;
+
+	clockevents_config_and_register(&sun4i_clockevent, rate,
+					TIMER_SYNC_TICKS, 0xffffffff);
+
 	ret = setup_irq(irq, &sun4i_timer_irq);
 	if (ret)
 		pr_warn("failed to setup irq %d\n", irq);
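Review bot: Registering sun4i_clockevent above setup_irq() means the clockevents core may already configure or program the device while the timer0 interrupt is still disabled in TIMER_IRQ_EN_REG (that enable only happens in the next hunk). Please confirm, and ideally say in the changelog, that an event programmed during registration is not lost, i.e. that an expiry occurring before the enable bit is set is still delivered once it is set.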
@@ -189,12 +195,6 @@ static void __init sun4i_timer_init(struct device_node *node)
 	/* Enable timer0 interrupt */
 	val = readl(timer_base + TIMER_IRQ_EN_REG);
 	writel(val | TIMER_IRQ_EN(0), timer_base + TIMER_IRQ_EN_REG);
-
-	sun4i_clockevent.cpumask = cpu_possible_mask;
-	sun4i_clockevent.irq = irq;
-
-	clockevents_config_and_register(&sun4i_clockevent, rate,
-					TIMER_SYNC_TICKS, 0xffffffff);
 }
 CLOCKSOURCE_OF_DECLARE(sun4i, "allwinner,sun4i-a10-timer",
 		       sun4i_timer_init);
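Review bot: The enable sequence at the end of the function (`val = readl(timer_base + TIMER_IRQ_EN_REG);` followed by the writel() with TIMER_IRQ_EN(0)) sets the enable bit without the visible lines acknowledging any timer0 interrupt status that might already be pending. After the reordering a first interrupt arriving immediately is handled against a registered device, so this is no longer a crash, but it is worth a sentence in the changelog or a comment here on whether an immediate interrupt on enable is expected.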
-- 
1.9.1

