On Sun, 2018-09-09 at 22:38 +0200, Alexandre Belloni wrote:
> The IRQ is requested before the struct rtc is allocated and registered, but
> this struct is used in the IRQ handler. This may lead to a NULL pointer
> dereference.
>
> Switch to devm_rtc_allocate_device/rtc_register_device to allocate the rtc
> before requesting the IRQ.
>
> Cc: Eddie Huang <eddie.huang@xxxxxxxxxxxx>
> Cc: Sean Wang <sean.wang@xxxxxxxxxxxx>
> Signed-off-by: Alexandre Belloni <alexandre.belloni@xxxxxxxxxxx>
> ---
> drivers/rtc/rtc-mt6397.c | 13 ++++++++-----
> 1 file changed, 8 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/rtc/rtc-mt6397.c b/drivers/rtc/rtc-mt6397.c
> index 385f8303bb41..e9a25ec4d434 100644
> --- a/drivers/rtc/rtc-mt6397.c
> +++ b/drivers/rtc/rtc-mt6397.c
> @@ -332,6 +332,10 @@ static int mtk_rtc_probe(struct platform_device *pdev)
>
> platform_set_drvdata(pdev, rtc);
>
> + rtc->rtc_dev = devm_rtc_allocate_device(rtc->dev);
> + if (IS_ERR(rtc->rtc_dev))
> + return PTR_ERR(rtc->rtc_dev);
> +
> ret = request_threaded_irq(rtc->irq, NULL,
> mtk_rtc_irq_handler_thread,
> IRQF_ONESHOT | IRQF_TRIGGER_HIGH,
> @@ -344,11 +348,11 @@ static int mtk_rtc_probe(struct platform_device *pdev)
>
> device_init_wakeup(&pdev->dev, 1);
>
> - rtc->rtc_dev = rtc_device_register("mt6397-rtc", &pdev->dev,
> - &mtk_rtc_ops, THIS_MODULE);
> - if (IS_ERR(rtc->rtc_dev)) {
> + rtc->rtc_dev->ops = &mtk_rtc_ops;
> +
> + ret = rtc_register_device(rtc->rtc_dev);
> + if (ret) {
> dev_err(&pdev->dev, "register rtc device failed\n");
> - ret = PTR_ERR(rtc->rtc_dev);
> goto out_free_irq;
> }
>
> @@ -365,7 +369,6 @@ static int mtk_rtc_remove(struct platform_device *pdev)
> {
> struct mt6397_rtc *rtc = platform_get_drvdata(pdev);
>
> - rtc_device_unregister(rtc->rtc_dev);
> free_irq(rtc->irq, rtc->rtc_dev);
> irq_dispose_mapping(rtc->irq);
>
Thanks
Acked-by: Eddie Huang <eddie.huang@xxxxxxxxxxxx>
