null pointer dereference error in time-efm32.c
Hello. My name is Yongbae Park.

I would like to report a possible null pointer dereference error at efm32_clock_event_handler() in drivers/clocksource/time-efm32.c (version: 3.19-rc5).

The null pointer dereference error occurs if the interrupt handler efm32_clock_event_handler() accesses ddata->evtdev.event_handler (line 106) when ddata->evtdev.event_handler is null and not defined by efm32_clockevent_init(). efm32_clockevent_init() first registers efm32_clock_event_handler() as the interrupt handler at line 228, and then defines the clockevent handler at line 230. As a consequence, the interrupt handler can be executed before the clockevent handler definition when an interrupt occurs between line 228 and line 230.

The detailed error scenario is the following:

    186: static int __init efm32_clockevent_init(struct device_node *np) {
         ...
    228:     setup_irq(irq, &efm32_clock_event_irq);
         ...
    -- An interrupt is fired and the interrupt handler is called --
    100: static irqreturn_t efm32_clock_event_handler(int irq, void *dev_id)
    101: {
    102:     struct efm32_clock_event_ddata *ddata = dev_id;
    103:
    104:     writel_relaxed(TIMERn_IRQ_UF, ddata->base + TIMERn_IFC);
    105:
    106:     ddata->evtdev.event_handler(&ddata->evtdev); // ddata->evtdev.event_handler is not defined
    107:
    108:     return IRQ_HANDLED;
    109: }
    -- The execution of the interrupt handler is finished --
         ...
    230:     clockevents_config_and_register(&clock_event_ddata.evtdev,
    231:                                     DIV_ROUND_CLOSEST(rate, 1024),
    232:                                     0xf, 0x);

To resolve the problem, I think that the interrupt handler should be registered after the clock handler registration.

For your information, I give you the references to similar issues from the previous bug reports:

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6bab4a8a1888729f17f4923cc5867e4674f66333
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=da64c2a8dee66ca03f4f3e15d84be7bedf73db3d

Thank you.
-- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
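
The ordering problem described in the report, as a small userspace model in C (an added example, not code from the original message or from the kernel). The `model_*` functions, `irq_may_fire()` and `run_init()` are hypothetical stand-ins for `setup_irq()`, `clockevents_config_and_register()` and an interrupt arriving during init; the NULL test in the handler exists only so the model records the fault instead of crashing.

```c
/* Userspace model only, not kernel code; all names below are hypothetical. */
#include <stddef.h>
#include <stdio.h>

struct evtdev { void (*event_handler)(struct evtdev *); int ticks; };
typedef int (*irq_fn)(void *);

static irq_fn registered_irq;  /* slot that setup_irq() would fill */
static void *registered_dev;
static int null_call_seen;     /* set where the real handler would oops */

static void tick(struct evtdev *e) { e->ticks++; }

/* Models efm32_clock_event_handler(), which calls event_handler unconditionally.
 * The NULL test only lets the model record the fault instead of crashing. */
static int model_irq_handler(void *dev_id)
{
    struct evtdev *e = dev_id;
    if (e->event_handler == NULL) { null_call_seen = 1; return 0; }
    e->event_handler(e);
    return 1;
}

/* An interrupt arriving now: delivered only if a handler is registered. */
static void irq_may_fire(void) { if (registered_irq) registered_irq(registered_dev); }
static void model_setup_irq(irq_fn fn, void *dev) { registered_irq = fn; registered_dev = dev; }
static void model_config_and_register(struct evtdev *e) { e->event_handler = tick; }

/* irq_first=1: order in the report (line 228, then 230); 0: proposed order.
 * Returns -1 if the handler ran with a NULL event_handler, else the tick count. */
int run_init(int irq_first)
{
    struct evtdev dev = { NULL, 0 };
    registered_irq = NULL; registered_dev = NULL; null_call_seen = 0;
    if (irq_first) {
        model_setup_irq(model_irq_handler, &dev);
        irq_may_fire();                  /* window between lines 228 and 230 */
        model_config_and_register(&dev);
    } else {
        model_config_and_register(&dev);
        irq_may_fire();                  /* no handler registered: not delivered */
        model_setup_irq(model_irq_handler, &dev);
    }
    irq_may_fire();                      /* after init both orders handle it */
    return null_call_seen ? -1 : dev.ticks;
}

int main(void) { printf("irq first: %d\n", run_init(1)); printf("handler first: %d\n", run_init(0)); return 0; }
```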