From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Thu, 19 Feb 2015 11:12:05 +0100
Subject: Re: null pointer dereference error in mtk_timer.c
From: Matthias Brugger
To: 박용배
Cc: Daniel Lezcano, Thomas Gleixner, linux-kernel@vger.kernel.org
List-ID: linux-kernel@vger.kernel.org

Hi Yongbae,

2015-02-16 8:35 GMT+01:00 박용배:
> Hello. My name is Yongbae Park.
>
> I would like to report a possible null pointer dereference error at
> mtk_timer_interrupt() in drivers/clocksource/mtk_timer.c (version:
> 3.19-rc5). The null pointer dereference error occurs if the interrupt
> handler mtk_timer_interrupt() accesses evt->dev.event_handler (line 146)
> when evt->dev.event_handler is null and not defined by mtk_timer_init().
>
> mtk_timer_init() first registers mtk_timer_interrupt() as the interrupt
> handler at line 227, and then defines the clockevent handler at line 246. As
> a consequence, the interrupt handler can be executed before the clockevent
> handler definition when an interrupt occurs between line 227 and line 246.
> The detailed error scenario is the following:
>
> > 183: static void __init mtk_timer_init(struct device_node *node) {
> > ...
> > 227:     if (request_irq(evt->dev.irq, mtk_timer_interrupt,
> > 228:             IRQF_TIMER | IRQF_IRQPOLL, "mtk_timer", evt)) {
> > ...
> > ------ An interrupt is fired and the interrupt handler is called -------
> > 140: static irqreturn_t mtk_timer_interrupt(int irq, void *dev_id)
> > 141: {
> > 142:     struct mtk_clock_event_device *evt = dev_id;
> > 143:
> > 144:     /* Acknowledge timer0 irq */
> > 145:     writel(GPT_IRQ_ACK(GPT_CLK_EVT), evt->gpt_base + GPT_IRQ_ACK_REG);
> > 146:     evt->dev.event_handler(&evt->dev); // evt->dev.event_handler is not defined
> > 147:
> > 148:     return IRQ_HANDLED;
> > 149: }
> > ------ The execution of the interrupt handler is finished ------
> > ...
> > 246:     clockevents_config_and_register(&evt->dev, rate, 0x3,
> > 247:             0xffffffff);
>
> To resolve the problem, I think that the interrupt handler should be
> registered after the clock handler registration.

Thanks for your hint.

Actually there are two race conditions. First we register an interrupt
handler before disabling all interrupts by calling mtk_timer_global_reset
(line 227). And secondly we register clockevents after enabling the
interrupts (line 246).

I will provide a patch for this.

Best regards,
Matthias

--
motzblog.wordpress.com
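The two windows Matthias describes can be checked mechanically by modelling the setup sequence and firing a simulated interrupt after every step. The program below is an added example written for this thread; it is not the mtk_timer driver and not the patch Matthias later sent. The four step names mirror the calls the report names (request_irq, mtk_timer_global_reset, enabling the timer IRQ, clockevents_config_and_register), the struct layout is an assumption, and `fixed_order` is one ordering that closes both windows rather than a claim about what the real fix looks like. A NULL `event_handler` is detected and counted instead of dereferenced, so the model reports how many fire points in a given order would have crashed the real driver.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the mtk_timer setup-ordering race (added example, not driver code).
 * Struct names and step names are assumptions that mirror the calls named in
 * the bug report; the hardware is reduced to a "registered" and an
 * "unmasked" bit.
 */
struct sim_clock_event_device {
	void (*event_handler)(struct sim_clock_event_device *dev);
};

struct sim_mtk_evt {
	struct sim_clock_event_device dev;	/* must stay the first member */
	int irq_registered;	/* request_irq() installed mtk_timer_interrupt */
	int irq_unmasked;	/* GPT clockevent interrupt enabled in hardware */
	int handler_calls;
};

enum setup_step {
	STEP_REQUEST_IRQ,		/* request_irq(evt->dev.irq, mtk_timer_interrupt, ...) */
	STEP_GLOBAL_RESET,		/* mtk_timer_global_reset(): mask and ack all GPT irqs */
	STEP_ENABLE_IRQ,		/* unmask the clockevent irq */
	STEP_REGISTER_CLOCKEVENTS,	/* clockevents_config_and_register() sets event_handler */
	STEP_COUNT
};

/* Sequence as the report describes the 3.19-rc5 driver. */
static const enum setup_step original_order[STEP_COUNT] = {
	STEP_REQUEST_IRQ, STEP_GLOBAL_RESET, STEP_ENABLE_IRQ, STEP_REGISTER_CLOCKEVENTS
};

/* Assumed ordering that closes both windows: the line is masked before a
 * handler exists and unmasked only after event_handler is set. */
static const enum setup_step fixed_order[STEP_COUNT] = {
	STEP_GLOBAL_RESET, STEP_REQUEST_IRQ, STEP_REGISTER_CLOCKEVENTS, STEP_ENABLE_IRQ
};

static void sim_event_handler(struct sim_clock_event_device *dev)
{
	struct sim_mtk_evt *evt = (struct sim_mtk_evt *)dev; /* dev is first member */
	evt->handler_calls++;
}

/*
 * Deliver one simulated interrupt. Returns 1 if the handler ran, 0 if nothing
 * could be delivered (no handler installed or line masked), and -1 where the
 * real driver would have dereferenced a NULL event_handler.
 */
static int sim_deliver_irq(struct sim_mtk_evt *evt)
{
	if (!evt->irq_registered || !evt->irq_unmasked)
		return 0;
	if (evt->dev.event_handler == NULL)
		return -1;
	evt->dev.event_handler(&evt->dev);
	return 1;
}

static void sim_apply_step(struct sim_mtk_evt *evt, enum setup_step s)
{
	switch (s) {
	case STEP_REQUEST_IRQ:		evt->irq_registered = 1; break;
	case STEP_GLOBAL_RESET:		evt->irq_unmasked = 0; break;
	case STEP_ENABLE_IRQ:		evt->irq_unmasked = 1; break;
	case STEP_REGISTER_CLOCKEVENTS:	evt->dev.event_handler = sim_event_handler; break;
	default: break;
	}
}

/*
 * Run a setup sequence and fire an interrupt after every step, starting with
 * the hardware line in the given state (firmware may leave it unmasked).
 * Returns how many fire points would have hit a NULL event_handler.
 */
int count_null_deref_windows(const enum setup_step *order, int irq_initially_unmasked)
{
	struct sim_mtk_evt evt;
	int windows = 0;

	memset(&evt, 0, sizeof(evt));
	evt.irq_unmasked = irq_initially_unmasked;

	for (int i = 0; i < STEP_COUNT; i++) {
		sim_apply_step(&evt, order[i]);
		if (sim_deliver_irq(&evt) < 0)
			windows++;
	}
	return windows;
}

int main(void)
{
	printf("original order, irq left unmasked by firmware: %d window(s)\n",
	       count_null_deref_windows(original_order, 1));
	printf("original order, irq masked at entry:           %d window(s)\n",
	       count_null_deref_windows(original_order, 0));
	printf("fixed order, irq left unmasked by firmware:    %d window(s)\n",
	       count_null_deref_windows(fixed_order, 1));
	return 0;
}
```

With the line left unmasked at entry, the original order shows two windows (right after request_irq, and again after the irq is re-enabled but before clockevents registration), which is exactly the pair of races in the reply; even with the line masked at entry the second window remains. Reordering only request_irq after the clockevents call, as the report suggests, is therefore not sufficient on its own.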