lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 14 Apr 2016 12:04:54 +0100
From:	Steve Twiss <stwiss.opensource@...semi.com>
To:	Alexandre Belloni <alexandre.belloni@...e-electrons.com>,
	LINUXKERNEL <linux-kernel@...r.kernel.org>,
	RTC-LINUX <rtc-linux@...glegroups.com>
CC:	Support Opensource <support.opensource@...semi.com>
Subject: [PATCH V1] rtc: da9053: fix access ordering error during RTC
 interrupt at system power on

From: Steve Twiss <stwiss.opensource@...semi.com>

This fix alters the ordering of the IRQ and device registrations in the RTC
driver probe function. This change will apply to the RTC driver that supports
both DA9052 and DA9053 PMICs.

A problem could occur with the existing RTC driver if:

A system is started from a cold boot using the PMIC RTC IRQ to initiate a
power on operation. For instance, if an RTC alarm is used to start a
platform from power off.
The existing driver IRQ is requested before the device has been properly
registered.

i.e.
ret = da9052_request_irq()
comes before
rtc->rtc = devm_rtc_device_register();

In this case, an interrupt exists before the device has been registered and
the IRQ handler can be called immediately: this can happen be before the
memory for rtc->rtc has been allocated. The IRQ handler da9052_rtc_irq()
contains the function call:

rtc_update_irq(rtc->rtc, 1, RTC_IRQF | RTC_AF);

which in turn tries to access the unavailable rtc->rtc.

The fix is to reorder the functions inside the RTC probe. The IRQ is
requested after the RTC device resource has been registered so that
da9052_request_irq() is the last thing to happen.

Signed-off-by: Steve Twiss <stwiss.opensource@...semi.com>

---
This patch applies against linux-next and v4.6-rc3

This wake-up IRQ fault is similar to the one previously fixed in the
DA9063 and DA9062 driver code.

See reference:
commit 77535acedc26627f16a1a39c1471f942689fe11e
Author: Steve Twiss <stwiss.opensource@...semi.com>
Date:   Tue Dec 8 16:28:39 2015 +0000

Regards,
Steve


 drivers/rtc/rtc-da9052.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/rtc/rtc-da9052.c b/drivers/rtc/rtc-da9052.c
index 1ba4371..a20bcf0 100644
--- a/drivers/rtc/rtc-da9052.c
+++ b/drivers/rtc/rtc-da9052.c
@@ -302,6 +302,13 @@ static int da9052_rtc_probe(struct platform_device *pdev)
 	if (ret != 0)
 		rtc_err(rtc, "Failed to disable TICKS: %d\n", ret);
 
+	device_init_wakeup(&pdev->dev, true);
+	rtc->rtc = devm_rtc_device_register(&pdev->dev, pdev->name,
+				       &da9052_rtc_ops, THIS_MODULE);
+
+	if (IS_ERR(rtc->rtc))
+		return PTR_ERR(rtc->rtc);
+
 	ret = da9052_request_irq(rtc->da9052, DA9052_IRQ_ALARM, "ALM",
 				da9052_rtc_irq, rtc);
 	if (ret != 0) {
@@ -309,11 +316,7 @@ static int da9052_rtc_probe(struct platform_device *pdev)
 		return ret;
 	}
 
-	device_init_wakeup(&pdev->dev, true);
-
-	rtc->rtc = devm_rtc_device_register(&pdev->dev, pdev->name,
-				       &da9052_rtc_ops, THIS_MODULE);
-	return PTR_ERR_OR_ZERO(rtc->rtc);
+	return 0;
 }
 
 static struct platform_driver da9052_rtc_driver = {
-- 
end-of-patch for PATCH V1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ