From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Quentin Schulz <quentin.schulz@free-electrons.com>,
Alexandre Belloni <alexandre.belloni@free-electrons.com>,
Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.15 38/84] rtc: ac100: Fix multiple race conditions
Date: Fri, 23 Mar 2018 10:53:52 +0100 [thread overview]
Message-ID: <20180323095417.706620097@linuxfoundation.org> (raw)
In-Reply-To: <20180323095411.913234798@linuxfoundation.org>
4.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Belloni <alexandre.belloni@free-electrons.com>
[ Upstream commit 994ec64c0a193940be7a6fd074668b9446d3b6c3 ]
The probe function is not allowed to fail after registering the RTC because
the following may happen:
CPU0: CPU1:
sys_load_module()
do_init_module()
do_one_initcall()
cmos_do_probe()
rtc_device_register()
__register_chrdev()
cdev->owner = struct module*
open("/dev/rtc0")
rtc_device_unregister()
module_put()
free_module()
module_free(mod->module_core)
/* struct module *module is now
freed */
chrdev_open()
spin_lock(cdev_lock)
cdev_get()
try_module_get()
module_is_live()
/* dereferences already
freed struct module* */
Also, the interrupt handler: ac100_rtc_irq() is dereferencing chip->rtc but
this may still be NULL when it is called, resulting in:
Unable to handle kernel NULL pointer dereference at virtual address 00000194
pgd = (ptrval)
[00000194] *pgd=00000000
Internal error: Oops: 5 [#1] SMP ARM
Modules linked in:
CPU: 0 PID: 72 Comm: irq/71-ac100-rt Not tainted 4.15.0-rc1-next-20171201-dirty #120
Hardware name: Allwinner sun8i Family
task: (ptrval) task.stack: (ptrval)
PC is at mutex_lock+0x14/0x3c
LR is at ac100_rtc_irq+0x38/0xc8
pc : [<c06543a4>] lr : [<c04d9a2c>] psr: 60000053
sp : ee9c9f28 ip : 00000000 fp : ee9adfdc
r10: 00000000 r9 : c0a04c48 r8 : c015ed18
r7 : ee9bd600 r6 : ee9c9f28 r5 : ee9af590 r4 : c0a04c48
r3 : ef3cb3c0 r2 : 00000000 r1 : ee9af590 r0 : 00000194
Flags: nZCv IRQs on FIQs off Mode SVC_32 ISA ARM Segment none
Control: 10c5387d Table: 4000406a DAC: 00000051
Process irq/71-ac100-rt (pid: 72, stack limit = 0x(ptrval))
Stack: (0xee9c9f28 to 0xee9ca000)
9f20: 00000000 7c2fd1be c015ed18 ee9adf40 ee9c0400 ee9c0400
9f40: ee9adf40 c015ed34 ee9c8000 ee9adf64 ee9c0400 c015f040 ee9adf80 00000000
9f60: c015ee24 7c2fd1be ee9adfc0 ee9adf80 00000000 ee9c8000 ee9adf40 c015eef4
9f80: ef1eba34 c0138f14 ee9c8000 ee9adf80 c0138df4 00000000 00000000 00000000
9fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000
9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9fe0: 00000000 00000000 00000000 00000000 00000013 00000000 ffffffff ffffffff
[<c06543a4>] (mutex_lock) from [<c04d9a2c>] (ac100_rtc_irq+0x38/0xc8)
[<c04d9a2c>] (ac100_rtc_irq) from [<c015ed34>] (irq_thread_fn+0x1c/0x54)
[<c015ed34>] (irq_thread_fn) from [<c015f040>] (irq_thread+0x14c/0x214)
[<c015f040>] (irq_thread) from [<c0138f14>] (kthread+0x120/0x150)
[<c0138f14>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
Solve both issues by moving to
devm_rtc_allocate_device()/rtc_register_device()
Reported-by: Quentin Schulz <quentin.schulz@free-electrons.com>
Tested-by: Quentin Schulz <quentin.schulz@free-electrons.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/rtc/rtc-ac100.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
--- a/drivers/rtc/rtc-ac100.c
+++ b/drivers/rtc/rtc-ac100.c
@@ -567,6 +567,12 @@ static int ac100_rtc_probe(struct platfo
return chip->irq;
}
+ chip->rtc = devm_rtc_allocate_device(&pdev->dev);
+ if (IS_ERR(chip->rtc))
+ return PTR_ERR(chip->rtc);
+
+ chip->rtc->ops = &ac100_rtc_ops;
+
ret = devm_request_threaded_irq(&pdev->dev, chip->irq, NULL,
ac100_rtc_irq,
IRQF_SHARED | IRQF_ONESHOT,
@@ -586,17 +592,16 @@ static int ac100_rtc_probe(struct platfo
/* clear counter alarm pending interrupts */
regmap_write(chip->regmap, AC100_ALM_INT_STA, AC100_ALM_INT_ENABLE);
- chip->rtc = devm_rtc_device_register(&pdev->dev, "rtc-ac100",
- &ac100_rtc_ops, THIS_MODULE);
- if (IS_ERR(chip->rtc)) {
- dev_err(&pdev->dev, "unable to register device\n");
- return PTR_ERR(chip->rtc);
- }
-
ret = ac100_rtc_register_clks(chip);
if (ret)
return ret;
+ ret = rtc_register_device(chip->rtc);
+ if (ret) {
+ dev_err(&pdev->dev, "unable to register device\n");
+ return ret;
+ }
+
dev_info(&pdev->dev, "RTC enabled\n");
return 0;
next prev parent reply other threads:[~2018-03-23 9:58 UTC|newest]
Thread overview: 89+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-23 9:53 [PATCH 4.15 00/84] 4.15.13-stable review Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 01/84] scsi: megaraid_sas: Do not use 32-bit atomic request descriptor for Ventura controllers Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 02/84] staging: android: ashmem: Fix possible deadlock in ashmem_ioctl Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 04/84] Bluetooth: hci_qca: Avoid setup failure on missing rampatch Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 05/84] Bluetooth: btqcomsmd: Fix skb double free corruption Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 06/84] cpufreq: longhaul: Revert transition_delay_us to 200 ms Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 07/84] media: c8sectpfe: fix potential NULL pointer dereference in c8sectpfe_timer_interrupt Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 08/84] drm/msm: fix leak in failed get_pages Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 09/84] net: fec: add phy_reset_after_clk_enable() support Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 10/84] IB/ipoib: Warn when one port fails to initialize Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 12/84] hv_netvsc: Fix the receive buffer size limit Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 13/84] hv_netvsc: Fix the TX/RX buffer default sizes Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 14/84] tcp: allow TLP in ECN CWR Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 15/84] spi: sh-msiof: Avoid writing to registers from spi_master.setup() Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 16/84] libbpf: prefer global symbols as bpf program name source Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 17/84] rtlwifi: rtl_pci: Fix the bug when inactiveps is enabled Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 18/84] rtlwifi: always initialize variables given to RT_TRACE() Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 19/84] media: bt8xx: Fix err bt878_probe() Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 20/84] ath10k: handling qos at STA side based on AP WMM enable/disable Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 21/84] media: [RESEND] media: dvb-frontends: Add delay to Si2168 restart Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 23/84] tty: goldfish: Enable earlycon only if built-in Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 24/84] serial: 8250_dw: Disable clock on error Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 25/84] cros_ec: fix nul-termination for firmware build info Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 26/84] watchdog: Fix potential kref imbalance when opening watchdog Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 27/84] watchdog: Fix kref imbalance seen if handle_boot_enabled=0 Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 28/84] platform/chrome: Use proper protocol transfer function Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 29/84] dmaengine: zynqmp_dma: Fix race condition in the probe Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 30/84] drm/tilcdc: ensure nonatomic iowrite64 is not used Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 31/84] mmc: avoid removing non-removable hosts during suspend Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 32/84] mmc: block: fix logical error to avoid memory leak Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 33/84] /dev/mem: Add bounce buffer for copy-out Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 34/84] net: phy: meson-gxl: check phy_write return value Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 35/84] sfp: fix EEPROM reading in the case of non-SFF8472 SFPs Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 36/84] sfp: fix non-detection of PHY Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 37/84] media: s5p-mfc: Fix lock contention - request_firmware() once Greg Kroah-Hartman
2018-03-23 9:53 ` Greg Kroah-Hartman [this message]
2018-03-23 9:53 ` [PATCH 4.15 39/84] IB/ipoib: Avoid memory leak if the SA returns a different DGID Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 40/84] RDMA/cma: Use correct size when writing netlink stats Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 41/84] IB/umem: Fix use of npages/nmap fields Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 42/84] iser-target: avoid reinitializing rdma contexts for isert commands Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 43/84] bpf/cgroup: fix a verification error for a CGROUP_DEVICE type prog Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 44/84] PCI/ASPM: Calculate LTR_L1.2_THRESHOLD from device characteristics Greg Kroah-Hartman
2018-03-23 9:53 ` [PATCH 4.15 45/84] vgacon: Set VGA struct resource types Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 46/84] omapdrm: panel: fix compatible vendor string for td028ttec1 Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 47/84] mmc: sdhci-xenon: wait 5ms after set 1.8V signal enable Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 48/84] drm/omap: DMM: Check for DMM readiness after successful transaction commit Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 49/84] pty: cancel pty slave port bufs work in tty_release Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 50/84] coresight: Fix disabling of CoreSight TPIU Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 51/84] PCI: designware-ep: Fix ->get_msi() to check MSI_EN bit Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 52/84] PCI: endpoint: Fix find_first_zero_bit() usage Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 53/84] PCI: rcar: Handle rcar_pcie_parse_request_of_pci_ranges() failures Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 54/84] media: davinci: fix a debug printk Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 55/84] clk: check ops pointer on clock register Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 57/84] clk: use round rate to bail out early in set_rate Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 58/84] pinctrl: Really force states during suspend/resume Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 59/84] pinctrl: rockchip: enable clock when reading pin direction register Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 60/84] iommu/vt-d: clean up pr_irq if request_threaded_irq fails Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 61/84] ip6_vti: adjust vti mtu according to mtu of lower device Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 62/84] ip_gre: fix error path when erspan_rcv failed Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 63/84] ip_gre: fix potential memory leak in erspan_rcv Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 64/84] soc: qcom: smsm: fix child-node lookup Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 65/84] scsi: lpfc: Fix SCSI LUN discovery when SCSI and NVME enabled Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 66/84] scsi: lpfc: Fix issues connecting with nvme initiator Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 67/84] RDMA/ocrdma: Fix permissions for OCRDMA_RESET_STATS Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 68/84] ARM: dts: aspeed-evb: Add unit name to memory node Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 69/84] nfsd4: permit layoutget of executable-only files Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 70/84] clk: at91: pmc: Wait for clocks when resuming Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 71/84] clk: Dont touch hardware when reparenting during registration Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 72/84] clk: axi-clkgen: Correctly handle nocount bit in recalc_rate() Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 73/84] clk: si5351: Rename internal plls to avoid name collisions Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 74/84] crypto: artpec6 - set correct iv size for gcm(aes) Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 75/84] hwrng: core - Clean up RNG list when last hwrng is unregistered Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 76/84] dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63 Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 77/84] IB/mlx5: Fix integer overflows in mlx5_ib_create_srq Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 78/84] IB/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 79/84] RDMA/vmw_pvrdma: Fix usage of user response structures in ABI file Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 80/84] serial: 8250_pci: Dont fail on multiport card class Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 81/84] RDMA/core: Do not use invalid destination in determining port reuse Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 82/84] clk: migrate the count of orphaned clocks at init Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 83/84] RDMA/ucma: Fix access to non-initialized CM_ID object Greg Kroah-Hartman
2018-03-23 9:54 ` [PATCH 4.15 84/84] RDMA/ucma: Dont allow join attempts for unsupported AF family Greg Kroah-Hartman
2018-03-23 14:22 ` [PATCH 4.15 00/84] 4.15.13-stable review Naresh Kamboju
2018-03-23 15:08 ` Greg Kroah-Hartman
2018-03-23 16:40 ` Greg Kroah-Hartman
2018-03-24 7:52 ` Naresh Kamboju
2018-03-24 9:05 ` Greg Kroah-Hartman
2018-03-23 20:46 ` Shuah Khan
2018-03-24 0:12 ` Guenter Roeck
2018-03-24 7:47 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180323095417.706620097@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alexander.levin@microsoft.com \
--cc=alexandre.belloni@free-electrons.com \
--cc=linux-kernel@vger.kernel.org \
--cc=quentin.schulz@free-electrons.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).