From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"stable@vger.kernel.org" <stable@vger.kernel.org>
Cc: Alexandre Belloni <alexandre.belloni@free-electrons.com>,
Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL for 4.15 40/78] rtc: ac100: Fix multiple race conditions
Date: Thu, 8 Mar 2018 04:56:19 +0000 [thread overview]
Message-ID: <20180308045525.7662-40-alexander.levin@microsoft.com> (raw)
In-Reply-To: <20180308045525.7662-1-alexander.levin@microsoft.com>
From: Alexandre Belloni <alexandre.belloni@free-electrons.com>
[ Upstream commit 994ec64c0a193940be7a6fd074668b9446d3b6c3 ]
The probe function is not allowed to fail after registering the RTC because
the following may happen:
CPU0: CPU1:
sys_load_module()
do_init_module()
do_one_initcall()
cmos_do_probe()
rtc_device_register()
__register_chrdev()
cdev->owner = struct module*
open("/dev/rtc0")
rtc_device_unregister()
module_put()
free_module()
module_free(mod->module_core)
/* struct module *module is now
freed */
chrdev_open()
spin_lock(cdev_lock)
cdev_get()
try_module_get()
module_is_live()
/* dereferences already
freed struct module* */
Also, the interrupt handler: ac100_rtc_irq() is dereferencing chip->rtc but
this may still be NULL when it is called, resulting in:
Unable to handle kernel NULL pointer dereference at virtual address 00000194
pgd = (ptrval)
[00000194] *pgd=00000000
Internal error: Oops: 5 [#1] SMP ARM
Modules linked in:
CPU: 0 PID: 72 Comm: irq/71-ac100-rt Not tainted 4.15.0-rc1-next-20171201-dirty #120
Hardware name: Allwinner sun8i Family
task: (ptrval) task.stack: (ptrval)
PC is at mutex_lock+0x14/0x3c
LR is at ac100_rtc_irq+0x38/0xc8
pc : [<c06543a4>] lr : [<c04d9a2c>] psr: 60000053
sp : ee9c9f28 ip : 00000000 fp : ee9adfdc
r10: 00000000 r9 : c0a04c48 r8 : c015ed18
r7 : ee9bd600 r6 : ee9c9f28 r5 : ee9af590 r4 : c0a04c48
r3 : ef3cb3c0 r2 : 00000000 r1 : ee9af590 r0 : 00000194
Flags: nZCv IRQs on FIQs off Mode SVC_32 ISA ARM Segment none
Control: 10c5387d Table: 4000406a DAC: 00000051
Process irq/71-ac100-rt (pid: 72, stack limit = 0x(ptrval))
Stack: (0xee9c9f28 to 0xee9ca000)
9f20: 00000000 7c2fd1be c015ed18 ee9adf40 ee9c0400 ee9c0400
9f40: ee9adf40 c015ed34 ee9c8000 ee9adf64 ee9c0400 c015f040 ee9adf80 00000000
9f60: c015ee24 7c2fd1be ee9adfc0 ee9adf80 00000000 ee9c8000 ee9adf40 c015eef4
9f80: ef1eba34 c0138f14 ee9c8000 ee9adf80 c0138df4 00000000 00000000 00000000
9fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000
9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9fe0: 00000000 00000000 00000000 00000000 00000013 00000000 ffffffff ffffffff
[<c06543a4>] (mutex_lock) from [<c04d9a2c>] (ac100_rtc_irq+0x38/0xc8)
[<c04d9a2c>] (ac100_rtc_irq) from [<c015ed34>] (irq_thread_fn+0x1c/0x54)
[<c015ed34>] (irq_thread_fn) from [<c015f040>] (irq_thread+0x14c/0x214)
[<c015f040>] (irq_thread) from [<c0138f14>] (kthread+0x120/0x150)
[<c0138f14>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
Solve both issues by moving to
devm_rtc_allocate_device()/rtc_register_device()
Reported-by: Quentin Schulz <quentin.schulz@free-electrons.com>
Tested-by: Quentin Schulz <quentin.schulz@free-electrons.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
drivers/rtc/rtc-ac100.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/drivers/rtc/rtc-ac100.c b/drivers/rtc/rtc-ac100.c
index 9e336184491c..0e358d4b6738 100644
--- a/drivers/rtc/rtc-ac100.c
+++ b/drivers/rtc/rtc-ac100.c
@@ -567,6 +567,12 @@ static int ac100_rtc_probe(struct platform_device *pdev)
return chip->irq;
}
+ chip->rtc = devm_rtc_allocate_device(&pdev->dev);
+ if (IS_ERR(chip->rtc))
+ return PTR_ERR(chip->rtc);
+
+ chip->rtc->ops = &ac100_rtc_ops;
+
ret = devm_request_threaded_irq(&pdev->dev, chip->irq, NULL,
ac100_rtc_irq,
IRQF_SHARED | IRQF_ONESHOT,
@@ -586,17 +592,16 @@ static int ac100_rtc_probe(struct platform_device *pdev)
/* clear counter alarm pending interrupts */
regmap_write(chip->regmap, AC100_ALM_INT_STA, AC100_ALM_INT_ENABLE);
- chip->rtc = devm_rtc_device_register(&pdev->dev, "rtc-ac100",
- &ac100_rtc_ops, THIS_MODULE);
- if (IS_ERR(chip->rtc)) {
- dev_err(&pdev->dev, "unable to register device\n");
- return PTR_ERR(chip->rtc);
- }
-
ret = ac100_rtc_register_clks(chip);
if (ret)
return ret;
+ ret = rtc_register_device(chip->rtc);
+ if (ret) {
+ dev_err(&pdev->dev, "unable to register device\n");
+ return ret;
+ }
+
dev_info(&pdev->dev, "RTC enabled\n");
return 0;
--
2.14.1
next prev parent reply other threads:[~2018-03-08 4:57 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-08 4:56 [PATCH AUTOSEL for 4.15 01/78] ipmi_si: Fix error handling of platform device Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 03/78] Bluetooth: hci_qca: Avoid setup failure on missing rampatch Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 02/78] drm/amdgpu: use polling mem to set SDMA3 wptr for VF Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 05/78] cpufreq: longhaul: Revert transition_delay_us to 200 ms Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 04/78] Bluetooth: btqcomsmd: Fix skb double free corruption Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 06/78] dt-bindings: net: add TI CC2560 Bluetooth chip Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 07/78] media: c8sectpfe: fix potential NULL pointer dereference in c8sectpfe_timer_interrupt Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 08/78] drm/msm: fix leak in failed get_pages Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 09/78] net: fec: add phy_reset_after_clk_enable() support Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 10/78] dm: ensure bio submission follows a depth-first tree walk Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 11/78] IB/ipoib: Warn when one port fails to initialize Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 13/78] hv_netvsc: Fix the receive buffer size limit Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 12/78] RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo() Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 15/78] tcp: allow TLP in ECN CWR Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 14/78] hv_netvsc: Fix the TX/RX buffer default sizes Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 16/78] KVM: x86: add support for emulating UMIP Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 17/78] spi: sh-msiof: Avoid writing to registers from spi_master.setup() Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 18/78] libbpf: prefer global symbols as bpf program name source Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 19/78] rtlwifi: rtl_pci: Fix the bug when inactiveps is enabled Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 20/78] rtlwifi: always initialize variables given to RT_TRACE() Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 22/78] ath10k: handling qos at STA side based on AP WMM enable/disable Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 21/78] media: bt8xx: Fix err 'bt878_probe()' Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 23/78] media: [RESEND] media: dvb-frontends: Add delay to Si2168 restart Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 24/78] qmi_wwan: set FLAG_SEND_ZLP to avoid network initiated disconnect Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 25/78] tty: goldfish: Enable 'earlycon' only if built-in Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 26/78] serial: 8250_dw: Disable clock on error Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 28/78] watchdog: Fix potential kref imbalance when opening watchdog Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 27/78] cros_ec: fix nul-termination for firmware build info Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 29/78] watchdog: Fix kref imbalance seen if handle_boot_enabled=0 Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 30/78] platform/chrome: Use proper protocol transfer function Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 31/78] dmaengine: zynqmp_dma: Fix race condition in the probe Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 32/78] drm/tilcdc: ensure nonatomic iowrite64 is not used Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 34/78] mmc: block: fix logical error to avoid memory leak Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 33/78] mmc: avoid removing non-removable hosts during suspend Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 35/78] /dev/mem: Add bounce buffer for copy-out Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 36/78] net: phy: meson-gxl: check phy_write return value Sasha Levin
2018-03-08 10:18 ` Jerome Brunet
2018-03-08 12:34 ` Greg KH
2018-03-19 15:28 ` Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 37/78] sfp: fix EEPROM reading in the case of non-SFF8472 SFPs Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 39/78] media: s5p-mfc: Fix lock contention - request_firmware() once Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 38/78] sfp: fix non-detection of PHY Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 41/78] IB/ipoib: Avoid memory leak if the SA returns a different DGID Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 42/78] RDMA/cma: Use correct size when writing netlink stats Sasha Levin
2018-03-08 4:56 ` Sasha Levin [this message]
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 44/78] iser-target: avoid reinitializing rdma contexts for isert commands Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 43/78] IB/umem: Fix use of npages/nmap fields Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 46/78] PCI/ASPM: Calculate LTR_L1.2_THRESHOLD from device characteristics Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 45/78] bpf/cgroup: fix a verification error for a CGROUP_DEVICE type prog Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 47/78] vgacon: Set VGA struct resource types Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 48/78] omapdrm: panel: fix compatible vendor string for td028ttec1 Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 50/78] drm/omap: DMM: Check for DMM readiness after successful transaction commit Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 49/78] mmc: sdhci-xenon: wait 5ms after set 1.8V signal enable Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 51/78] pty: cancel pty slave port buf's work in tty_release Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 52/78] coresight: Fix disabling of CoreSight TPIU Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 53/78] PCI: designware-ep: Fix ->get_msi() to check MSI_EN bit Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 56/78] media: davinci: fix a debug printk Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 55/78] PCI: rcar: Handle rcar_pcie_parse_request_of_pci_ranges() failures Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 54/78] PCI: endpoint: Fix find_first_zero_bit() usage Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 58/78] dt-bindings: display: panel: Fix compatible string for Toshiba LT089AC29000 Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 57/78] clk: check ops pointer on clock register Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 60/78] pinctrl: Really force states during suspend/resume Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 59/78] clk: use round rate to bail out early in set_rate Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 62/78] iommu/vt-d: clean up pr_irq if request_threaded_irq fails Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 61/78] pinctrl: rockchip: enable clock when reading pin direction register Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 63/78] ip6_vti: adjust vti mtu according to mtu of lower device Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 64/78] ip_gre: fix error path when erspan_rcv failed Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 65/78] ip_gre: fix potential memory leak in erspan_rcv Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 66/78] soc: qcom: smsm: fix child-node lookup Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 68/78] scsi: lpfc: Fix issues connecting with nvme initiator Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 67/78] scsi: lpfc: Fix SCSI LUN discovery when SCSI and NVME enabled Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 69/78] RDMA/ocrdma: Fix permissions for OCRDMA_RESET_STATS Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 70/78] ARM: dts: aspeed-evb: Add unit name to memory node Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 71/78] nfsd4: permit layoutget of executable-only files Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 72/78] clk: at91: pmc: Wait for clocks when resuming Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 73/78] clk: Don't touch hardware when reparenting during registration Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 75/78] clk: si5351: Rename internal plls to avoid name collisions Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 74/78] clk: axi-clkgen: Correctly handle nocount bit in recalc_rate() Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 76/78] crypto: artpec6 - set correct iv size for gcm(aes) Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 77/78] hwrng: core - Clean up RNG list when last hwrng is unregistered Sasha Levin
2018-03-08 4:56 ` [PATCH AUTOSEL for 4.15 78/78] dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63 Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180308045525.7662-40-alexander.levin@microsoft.com \
--to=alexander.levin@microsoft.com \
--cc=alexandre.belloni@free-electrons.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox