[PATCH AUTOSEL for 4.14 35/67] rtc: ac100: Fix multiple race conditions

2018-03-07 Thread Sasha Levin
From: Alexandre Belloni 

[ Upstream commit 994ec64c0a193940be7a6fd074668b9446d3b6c3 ]

The probe function is not allowed to fail after registering the RTC because
the following may happen:

CPU0:CPU1:
sys_load_module()
 do_init_module()
  do_one_initcall()
   cmos_do_probe()
rtc_device_register()
 __register_chrdev()
 cdev->owner = struct module*
 open("/dev/rtc0")
rtc_device_unregister()
  module_put()
  free_module()
   module_free(mod->module_core)
   /* struct module *module is now
  freed */
  chrdev_open()
   spin_lock(cdev_lock)
   cdev_get()
try_module_get()
 module_is_live()
 /* dereferences already
freed struct module* */

Also, the interrupt handler ac100_rtc_irq() dereferences chip->rtc, which
may still be NULL when the handler is called, resulting in:
Unable to handle kernel NULL pointer dereference at virtual address 0194
pgd = (ptrval)
[0194] *pgd=
Internal error: Oops: 5 [#1] SMP ARM
Modules linked in:
CPU: 0 PID: 72 Comm: irq/71-ac100-rt Not tainted 4.15.0-rc1-next-20171201-dirty 
#120
Hardware name: Allwinner sun8i Family
task: (ptrval) task.stack: (ptrval)
PC is at mutex_lock+0x14/0x3c
LR is at ac100_rtc_irq+0x38/0xc8
pc : []lr : []psr: 6053
sp : ee9c9f28  ip :   fp : ee9adfdc
r10:   r9 : c0a04c48  r8 : c015ed18
r7 : ee9bd600  r6 : ee9c9f28  r5 : ee9af590  r4 : c0a04c48
r3 : ef3cb3c0  r2 :   r1 : ee9af590  r0 : 0194
Flags: nZCv  IRQs on  FIQs off  Mode SVC_32  ISA ARM  Segment none
Control: 10c5387d  Table: 4000406a  DAC: 0051
Process irq/71-ac100-rt (pid: 72, stack limit = 0x(ptrval))
Stack: (0xee9c9f28 to 0xee9ca000)
9f20:    7c2fd1be c015ed18 ee9adf40 ee9c0400 ee9c0400
9f40: ee9adf40 c015ed34 ee9c8000 ee9adf64 ee9c0400 c015f040 ee9adf80 
9f60: c015ee24 7c2fd1be ee9adfc0 ee9adf80  ee9c8000 ee9adf40 c015eef4
9f80: ef1eba34 c0138f14 ee9c8000 ee9adf80 c0138df4   
9fa0:    c01010e8    
9fc0:        
9fe0:     0013   
[] (mutex_lock) from [] (ac100_rtc_irq+0x38/0xc8)
[] (ac100_rtc_irq) from [] (irq_thread_fn+0x1c/0x54)
[] (irq_thread_fn) from [] (irq_thread+0x14c/0x214)
[] (irq_thread) from [] (kthread+0x120/0x150)
[] (kthread) from [] (ret_from_fork+0x14/0x2c)

Solve both issues by moving to
devm_rtc_allocate_device()/rtc_register_device()

Reported-by: Quentin Schulz 
Tested-by: Quentin Schulz 
Signed-off-by: Alexandre Belloni 
Signed-off-by: Sasha Levin 
---
 drivers/rtc/rtc-ac100.c | 19 ---
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/drivers/rtc/rtc-ac100.c b/drivers/rtc/rtc-ac100.c
index 9e336184491c..0e358d4b6738 100644
--- a/drivers/rtc/rtc-ac100.c
+++ b/drivers/rtc/rtc-ac100.c
@@ -567,6 +567,12 @@ static int ac100_rtc_probe(struct platform_device *pdev)
return chip->irq;
}
 
+   chip->rtc = devm_rtc_allocate_device(>dev);
+   if (IS_ERR(chip->rtc))
+   return PTR_ERR(chip->rtc);
+
+   chip->rtc->ops = _rtc_ops;
+
ret = devm_request_threaded_irq(>dev, chip->irq, NULL,
ac100_rtc_irq,
IRQF_SHARED | IRQF_ONESHOT,
@@ -586,17 +592,16 @@ static int ac100_rtc_probe(struct platform_device *pdev)
/* clear counter alarm pending interrupts */
regmap_write(chip->regmap, AC100_ALM_INT_STA, AC100_ALM_INT_ENABLE);
 
-   chip->rtc = devm_rtc_device_register(>dev, "rtc-ac100",
-_rtc_ops, THIS_MODULE);
-   if (IS_ERR(chip->rtc)) {
-   dev_err(>dev, "unable to register device\n");
-   return PTR_ERR(chip->rtc);
-   }
-
ret = ac100_rtc_register_clks(chip);
if (ret)
return ret;
 
+   ret = rtc_register_device(chip->rtc);
+   if (ret) {
+   dev_err(>dev, "unable to register device\n");
+   return ret;
+   }
+
dev_info(>dev, "RTC enabled\n");
 
return 0;
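Review bot: The failure branch of rtc_register_device() at the end of this hunk returns without undoing ac100_rtc_register_clks(), which the commit now runs ahead of it, so a registration failure leaves the clocks (and their clk provider) registered with no remove callback ever called to tear them down. Before this change the clock registration was the last fallible step, so none of the earlier error paths had to unwind it. Adding the unwind in that branch, `ac100_rtc_unregister_clks(chip);` before `return ret;`, closes the gap, assuming the driver's remove path already uses that helper (it lies outside this hunk). ac100_rtc_probe() begins before the first hunk and this hunk ends at its final return; the identical hunk repeated further down this page has the same gap. The missing `&` in `>dev` and `_rtc_ops` looks like a rendering artifact of this page rather than the patch text, but is worth confirming against the upstream commit before applying.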
-- 
2.14.1


[PATCH AUTOSEL for 4.14 35/67] rtc: ac100: Fix multiple race conditions

2018-03-07 Thread Sasha Levin
From: Alexandre Belloni 

[ Upstream commit 994ec64c0a193940be7a6fd074668b9446d3b6c3 ]

The probe function is not allowed to fail after registering the RTC because
the following may happen:

CPU0:CPU1:
sys_load_module()
 do_init_module()
  do_one_initcall()
   cmos_do_probe()
rtc_device_register()
 __register_chrdev()
 cdev->owner = struct module*
 open("/dev/rtc0")
rtc_device_unregister()
  module_put()
  free_module()
   module_free(mod->module_core)
   /* struct module *module is now
  freed */
  chrdev_open()
   spin_lock(cdev_lock)
   cdev_get()
try_module_get()
 module_is_live()
 /* dereferences already
freed struct module* */

Also, the interrupt handler ac100_rtc_irq() dereferences chip->rtc, which
may still be NULL when the handler is called, resulting in:
Unable to handle kernel NULL pointer dereference at virtual address 0194
pgd = (ptrval)
[0194] *pgd=
Internal error: Oops: 5 [#1] SMP ARM
Modules linked in:
CPU: 0 PID: 72 Comm: irq/71-ac100-rt Not tainted 4.15.0-rc1-next-20171201-dirty 
#120
Hardware name: Allwinner sun8i Family
task: (ptrval) task.stack: (ptrval)
PC is at mutex_lock+0x14/0x3c
LR is at ac100_rtc_irq+0x38/0xc8
pc : []lr : []psr: 6053
sp : ee9c9f28  ip :   fp : ee9adfdc
r10:   r9 : c0a04c48  r8 : c015ed18
r7 : ee9bd600  r6 : ee9c9f28  r5 : ee9af590  r4 : c0a04c48
r3 : ef3cb3c0  r2 :   r1 : ee9af590  r0 : 0194
Flags: nZCv  IRQs on  FIQs off  Mode SVC_32  ISA ARM  Segment none
Control: 10c5387d  Table: 4000406a  DAC: 0051
Process irq/71-ac100-rt (pid: 72, stack limit = 0x(ptrval))
Stack: (0xee9c9f28 to 0xee9ca000)
9f20:    7c2fd1be c015ed18 ee9adf40 ee9c0400 ee9c0400
9f40: ee9adf40 c015ed34 ee9c8000 ee9adf64 ee9c0400 c015f040 ee9adf80 
9f60: c015ee24 7c2fd1be ee9adfc0 ee9adf80  ee9c8000 ee9adf40 c015eef4
9f80: ef1eba34 c0138f14 ee9c8000 ee9adf80 c0138df4   
9fa0:    c01010e8    
9fc0:        
9fe0:     0013   
[] (mutex_lock) from [] (ac100_rtc_irq+0x38/0xc8)
[] (ac100_rtc_irq) from [] (irq_thread_fn+0x1c/0x54)
[] (irq_thread_fn) from [] (irq_thread+0x14c/0x214)
[] (irq_thread) from [] (kthread+0x120/0x150)
[] (kthread) from [] (ret_from_fork+0x14/0x2c)

Solve both issues by moving to
devm_rtc_allocate_device()/rtc_register_device()

Reported-by: Quentin Schulz 
Tested-by: Quentin Schulz 
Signed-off-by: Alexandre Belloni 
Signed-off-by: Sasha Levin 
---
 drivers/rtc/rtc-ac100.c | 19 ---
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/drivers/rtc/rtc-ac100.c b/drivers/rtc/rtc-ac100.c
index 9e336184491c..0e358d4b6738 100644
--- a/drivers/rtc/rtc-ac100.c
+++ b/drivers/rtc/rtc-ac100.c
@@ -567,6 +567,12 @@ static int ac100_rtc_probe(struct platform_device *pdev)
return chip->irq;
}
 
+   chip->rtc = devm_rtc_allocate_device(>dev);
+   if (IS_ERR(chip->rtc))
+   return PTR_ERR(chip->rtc);
+
+   chip->rtc->ops = _rtc_ops;
+
ret = devm_request_threaded_irq(>dev, chip->irq, NULL,
ac100_rtc_irq,
IRQF_SHARED | IRQF_ONESHOT,
@@ -586,17 +592,16 @@ static int ac100_rtc_probe(struct platform_device *pdev)
/* clear counter alarm pending interrupts */
regmap_write(chip->regmap, AC100_ALM_INT_STA, AC100_ALM_INT_ENABLE);
 
-   chip->rtc = devm_rtc_device_register(>dev, "rtc-ac100",
-_rtc_ops, THIS_MODULE);
-   if (IS_ERR(chip->rtc)) {
-   dev_err(>dev, "unable to register device\n");
-   return PTR_ERR(chip->rtc);
-   }
-
ret = ac100_rtc_register_clks(chip);
if (ret)
return ret;
 
+   ret = rtc_register_device(chip->rtc);
+   if (ret) {
+   dev_err(>dev, "unable to register device\n");
+   return ret;
+   }
+
dev_info(>dev, "RTC enabled\n");
 
return 0;
-- 
2.14.1