clocksource: mtk: Fix race conditions in probe code

commit d4a19eb3b15a4ba98f627182f48d5bc0cffae670 upstream. We have two race conditions in the probe code which could lead to a null pointer dereference in the interrupt handler. The interrupt handler accesses the clockevent device, which may not yet be registered. First race condition happens when the interrupt handler gets registered before the interrupts get disabled. The second race condition happens when the interrupts get enabled, but the clockevent device is not yet registered. Fix that by disabling the interrupts before we register the interrupt and enable the interrupts after the clockevent device got registered. Reported-by: Gongbae Park <yongbae2@gmail.com> Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com> Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

clocksource: mtk: Fix race conditions in probe code
commit d4a19eb3b15a4ba98f627182f48d5bc0cffae670 upstream. We have two race conditions in the probe code which could lead to a null pointer dereference in the interrupt handler. The interrupt handler accesses the clockevent device, which may not yet be registered. First race condition happens when the interrupt handler gets registered before the interrupts get disabled. The second race condition happens when the interrupts get enabled, but the clockevent device is not yet registered. Fix that by disabling the interrupts before we register the interrupt and enable the interrupts after the clockevent device got registered. Reported-by: Gongbae Park <yongbae2@gmail.com> Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com> Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Matthias Brugger · Greg Kroah-Hartman
1 parent 32effd19f6
Showing 1 changed file with 5 additions and 4 deletions Side-by-side Diff
drivers/clocksource/mtk_timer.c
@@ -224,6 +224,8 @@
 	}
 	rate = clk_get_rate(clk);
  
+	mtk_timer_global_reset(evt);
+
 	if (request_irq(evt->dev.irq, mtk_timer_interrupt,
 			IRQF_TIMER | IRQF_IRQPOLL, "mtk_timer", evt)) {
 		pr_warn("failed to setup irq %d\n", evt->dev.irq);
@@ -232,8 +234,6 @@
  
 	evt->ticks_per_jiffy = DIV_ROUND_UP(rate, HZ);
  
-	mtk_timer_global_reset(evt);
-
 	/* Configure clock source */
 	mtk_timer_setup(evt, GPT_CLK_SRC, TIMER_CTRL_OP_FREERUN);
 	clocksource_mmio_init(evt->gpt_base + TIMER_CNT_REG(GPT_CLK_SRC),
  
@@ -241,10 +241,11 @@
  
 	/* Configure clock event */
 	mtk_timer_setup(evt, GPT_CLK_EVT, TIMER_CTRL_OP_REPEAT);
-	mtk_timer_enable_irq(evt, GPT_CLK_EVT);
-
 	clockevents_config_and_register(&evt->dev, rate, 0x3,
 					0xffffffff);
+
+	mtk_timer_enable_irq(evt, GPT_CLK_EVT);
+
 	return;
  
 err_clk_disable:
...	...	@@ -224,6 +224,8 @@
224	224	}
225	225	rate = clk_get_rate(clk);
226	226
	227	+ mtk_timer_global_reset(evt);
	228	+
227	229	if (request_irq(evt->dev.irq, mtk_timer_interrupt,
228	230	IRQF_TIMER \| IRQF_IRQPOLL, "mtk_timer", evt)) {
229	231	pr_warn("failed to setup irq %d\n", evt->dev.irq);
...	...	@@ -232,8 +234,6 @@
232	234
233	235	evt->ticks_per_jiffy = DIV_ROUND_UP(rate, HZ);
234	236
235		- mtk_timer_global_reset(evt);
236		-
237	237	/* Configure clock source */
238	238	mtk_timer_setup(evt, GPT_CLK_SRC, TIMER_CTRL_OP_FREERUN);
239	239	clocksource_mmio_init(evt->gpt_base + TIMER_CNT_REG(GPT_CLK_SRC),
240	240
...	...	@@ -241,10 +241,11 @@
241	241
242	242	/* Configure clock event */
243	243	mtk_timer_setup(evt, GPT_CLK_EVT, TIMER_CTRL_OP_REPEAT);
244		- mtk_timer_enable_irq(evt, GPT_CLK_EVT);
245		-
246	244	clockevents_config_and_register(&evt->dev, rate, 0x3,
247	245	0xffffffff);
	246	+
	247	+ mtk_timer_enable_irq(evt, GPT_CLK_EVT);
	248	+
248	249	return;
249	250
250	251	err_clk_disable: