null pointer dereference error in time-efm32.c
Hello. My name is Yongbae Park.

I would like to report a possible null pointer dereference error at efm32_clock_event_handler() in drivers/clocksource/time-efm32.c (version: 3.19-rc5). The null pointer dereference error occurs if the interrupt handler efm32_clock_event_handler() accesses ddata->evtdev.event_handler (line 106) when ddata->evtdev.event_handler is null and not defined by efm32_clockevent_init().

efm32_clockevent_init() first registers efm32_clock_event_handler() as the interrupt handler at line 228, and then defines the clockevent handler at line 230. As a consequence, the interrupt handler can be executed before the clockevent handler definition when an interrupt occurs between line 228 and line 230.

The detailed error scenario is the following:

    186: static int __init efm32_clockevent_init(struct device_node *np) {
    ...
    228:     setup_irq(irq, &efm32_clock_event_irq);
    ...
    -- An interrupt is fired and the interrupt handler is called ---
    100: static irqreturn_t efm32_clock_event_handler(int irq, void *dev_id)
    101: {
    102:     struct efm32_clock_event_ddata *ddata = dev_id;
    103:
    104:     writel_relaxed(TIMERn_IRQ_UF, ddata->base + TIMERn_IFC);
    105:
    106:     ddata->evtdev.event_handler(&ddata->evtdev); // ddata->evtdev.event_handler is not defined
    107:
    108:     return IRQ_HANDLED;
    109: }
    -- The execution of the interrupt handler is finished --
    ...
    230:     clockevents_config_and_register(&clock_event_ddata.evtdev,
    231:                     DIV_ROUND_CLOSEST(rate, 1024),
    232:                     0xf, 0x);

To resolve the problem, I think that the interrupt handler should be registered after the clock handler registration.

For your information, I give you the references to similar issues from the previous bug reports:

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6bab4a8a1888729f17f4923cc5867e4674f66333
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=da64c2a8dee66ca03f4f3e15d84be7bedf73db3d

Thank you.
-- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
null pointer dereference error in timer-sun5i.c
Hello. My name is Yongbae Park.

I would like to report a possible null pointer dereference error at sun5i_timer_interrupt() in drivers/clocksource/timer-sun5i.c (version: 3.19-rc5). The null pointer dereference error occurs if the interrupt handler sun5i_timer_interrupt() accesses evt->event_handler (line 128) when evt->event_handler is null and not defined by sun5i_timer_init().

sun5i_timer_init() first registers sun5i_timer_interrupt() as the interrupt handler at line 181, and then defines the clockevent handler at line 192. As a consequence, the interrupt handler can be executed before the clockevent handler definition when an interrupt occurs between line 181 and line 192.

The detailed error scenario is the following:

    145: static void __init sun5i_timer_init(struct device_node *node) {
    ...
    181:     ret = setup_irq(irq, &sun5i_timer_irq);
    ...
    -- An interrupt is fired and the interrupt handler is called ---
    123: static irqreturn_t sun5i_timer_interrupt(int irq, void *dev_id)
    124: {
    125:     struct clock_event_device *evt = (struct clock_event_device *)dev_id;
    126:
    127:     writel(0x1, timer_base + TIMER_IRQ_ST_REG);
    128:     evt->event_handler(evt); // evt->event_handler is not defined
    129:
    130:     return IRQ_HANDLED;
    131: }
    -- The execution of the interrupt handler is finished --
    ...
    192:     clockevents_config_and_register(&sun5i_clockevent, rate,
    193:                     TIMER_SYNC_TICKS, 0x);

To resolve the problem, I think that the interrupt handler should be registered after the clock handler registration.

For your information, I give you the references to similar issues from the previous bug reports:

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6bab4a8a1888729f17f4923cc5867e4674f66333
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=da64c2a8dee66ca03f4f3e15d84be7bedf73db3d

Thank you.
null pointer dereference error in mtk_timer.c
Hello. My name is Yongbae Park.

I would like to report a possible null pointer dereference error at mtk_timer_interrupt() in drivers/clocksource/mtk_timer.c (version: 3.19-rc5). The null pointer dereference error occurs if the interrupt handler mtk_timer_interrupt() accesses evt->dev.event_handler (line 146) when evt->dev.event_handler is null and not defined by mtk_timer_init().

mtk_timer_init() first registers mtk_timer_interrupt() as the interrupt handler at line 227, and then defines the clockevent handler at line 246. As a consequence, the interrupt handler can be executed before the clockevent handler definition when an interrupt occurs between line 227 and line 246.

The detailed error scenario is the following:

    183: static void __init mtk_timer_init(struct device_node *node) {
    ...
    227:     if (request_irq(evt->dev.irq, mtk_timer_interrupt,
    228:             IRQF_TIMER | IRQF_IRQPOLL, "mtk_timer", evt)) {
    ...
    -- An interrupt is fired and the interrupt handler is called ---
    140: static irqreturn_t mtk_timer_interrupt(int irq, void *dev_id)
    141: {
    142:     struct mtk_clock_event_device *evt = dev_id;
    143:
    144:     /* Acknowledge timer0 irq */
    145:     writel(GPT_IRQ_ACK(GPT_CLK_EVT), evt->gpt_base + GPT_IRQ_ACK_REG);
    146:     evt->dev.event_handler(&evt->dev); //evt->dev.event_handler is not defined
    147:
    148:     return IRQ_HANDLED;
    149: }
    -- The execution of the interrupt handler is finished --
    ...
    246:     clockevents_config_and_register(&evt->dev, rate, 0x3,
    247:                     0x);

To resolve the problem, I think that the interrupt handler should be registered after the clock handler registration.

For your information, I give you the references to similar issues from the previous bug reports:

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6bab4a8a1888729f17f4923cc5867e4674f66333
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=da64c2a8dee66ca03f4f3e15d84be7bedf73db3d

Thank you.
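The initialization-order problem common to the three reports above, as an added example that is not part of the original posts or the kernel source: a userspace C model that runs both orderings with an interrupt already pending and counts how often the handler finds event_handler unset. Every name in it (model_setup_irq, model_clockevents_register, run_init, the pending-interrupt flag) is a hypothetical stand-in, and the handler counts the bad call instead of dereferencing NULL.

```c
#include <stdio.h>

/* Userspace model; every name here is a hypothetical stand-in, not a kernel API. */
struct clock_event_device {
    void (*event_handler)(struct clock_event_device *);
};

static struct clock_event_device dev;
static int irq_pending;  /* constructed input: timer interrupt already raised */
static int null_calls;   /* handler runs that found event_handler == NULL */
static int ticks;        /* runs of the real event handler */
static void tick(struct clock_event_device *evt) { (void)evt; ticks++; }

/* Same shape as the reported handlers, but counts the bad call instead of crashing. */
static void timer_interrupt(void *dev_id)
{
    struct clock_event_device *evt = dev_id;
    if (!evt->event_handler) { null_calls++; return; }
    evt->event_handler(evt);
}

/* Once a handler is attached, a pending interrupt is delivered at once. */
static void model_setup_irq(void (*fn)(void *dev_id))
{
    if (irq_pending) { irq_pending = 0; fn(&dev); }
}

/* Models the step that, per the reports, defines the clockevent handler. */
static void model_clockevents_register(void) { dev.event_handler = tick; }

/* irq_first=1: reported order; irq_first=0: order proposed in the reports. */
int run_init(int irq_first)
{
    dev.event_handler = NULL;
    irq_pending = 1; null_calls = 0; ticks = 0;
    if (irq_first) {
        model_setup_irq(timer_interrupt);
        model_clockevents_register();
    } else {
        model_clockevents_register();
        model_setup_irq(timer_interrupt);
    }
    return null_calls;
}

int main(void)
{
    printf("irq first: %d, register first: %d\n", run_init(1), run_init(0));
}
```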