rtc: pl030: fix possible race condition

The IRQ is requested before the struct rtc is allocated and registered, but
this struct is used in the IRQ handler. This may lead to a NULL pointer
dereference.

Switch to devm_rtc_allocate_device/rtc_register_device to allocate the rtc
before requesting the IRQ.

Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>

diff --git a/drivers/rtc/rtc-pl030.c b/drivers/rtc/rtc-pl030.c
index f85a1a9..343bb6e 100644 (file)
--- a/drivers/rtc/rtc-pl030.c
+++ b/drivers/rtc/rtc-pl030.c
@@ -112,6 +112,13 @@ static int pl030_probe(struct amba_device *dev, const struct amba_id *id)
                goto err_rtc;
        }
 
+       rtc->rtc = devm_rtc_allocate_device(&dev->dev);
+       if (IS_ERR(rtc->rtc)) {
+               ret = PTR_ERR(rtc->rtc);
+               goto err_rtc;
+       }
+
+       rtc->rtc->ops = &pl030_ops;
        rtc->base = ioremap(dev->res.start, resource_size(&dev->res));
        if (!rtc->base) {
                ret = -ENOMEM;
@@ -128,12 +135,9 @@ static int pl030_probe(struct amba_device *dev, const struct amba_id *id)
        if (ret)
                goto err_irq;
 
-       rtc->rtc = rtc_device_register("pl030", &dev->dev, &pl030_ops,
-                                      THIS_MODULE);
-       if (IS_ERR(rtc->rtc)) {
-               ret = PTR_ERR(rtc->rtc);
+       ret = rtc_register_device(rtc->rtc);
+       if (ret)
                goto err_reg;
-       }
 
        return 0;
 
@@ -154,7 +158,6 @@ static int pl030_remove(struct amba_device *dev)
        writel(0, rtc->base + RTC_CR);
 
        free_irq(dev->irq[0], rtc);
-       rtc_device_unregister(rtc->rtc);
        iounmap(rtc->base);
        amba_release_regions(dev);