genirq: Fix chained interrupt data ordering
authorThomas Gleixner <tglx@linutronix.de>
Thu, 11 May 2017 11:54:11 +0000 (13:54 +0200)
committerThomas Gleixner <tglx@linutronix.de>
Tue, 16 May 2017 13:03:26 +0000 (15:03 +0200)
irq_set_chained_handler_and_data() sets up the chained interrupt and then
stores the handler data.

That's racy against an immediate interrupt which gets handled before the
store of the handler data happened. The handler will dereference a NULL
pointer and crash.

Cure it by storing handler data before installing the chained handler.

Reported-by: Borislav Petkov <bp@alien8.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
kernel/irq/chip.c

index 686be4b73018886d5b676d99cc5f5645cf408259..c94da688ee9b30ff9e746372b20a0c30f4c8cf5f 100644 (file)
@@ -880,8 +880,8 @@ irq_set_chained_handler_and_data(unsigned int irq, irq_flow_handler_t handle,
        if (!desc)
                return;
 
-       __irq_do_set_handler(desc, handle, 1, NULL);
        desc->irq_common_data.handler_data = data;
+       __irq_do_set_handler(desc, handle, 1, NULL);
 
        irq_put_desc_busunlock(desc, flags);
 }