aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorThomas Gleixner <tglx@linutronix.de>2011-05-04 02:00:47 -0400
committerThomas Gleixner <tglx@linutronix.de>2011-05-04 02:18:17 -0400
commitce788f930b0cdf821de7ee8f84cfe8cf7fcb6311 (patch)
tree4f4d451b4e81d6693199fcfb405f6133e6cae61c
parent99ee5315dac6211e972fa3f23bcc9a0343ff58c4 (diff)
alarmtimer: Check return value of class_find_device()
alarmtimer_late_init() uses class_find_device() to find a alarm capable rtc device. The match callback stores a pointer to the name in the char pointer handed in from the call site. alarmtimer_late_init() checks the char pointer for NULL, but the pointer is on the stack and not initialized to NULL before the call. So it can have random content when the match function did not identify a device, which leads to random access in the following rtc_open() call where the pointer is dereferenced Instead of relying on the char pointer, check the return value of class_find_device. If a device is found then the name pointer is valid as well. Reported-by: Ingo Molnar <mingo@elte.hu> Cc: John Stultz <john.stultz@linaro.org> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-rw-r--r--kernel/time/alarmtimer.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c
index 9265014cb4db..e5db9b00751b 100644
--- a/kernel/time/alarmtimer.c
+++ b/kernel/time/alarmtimer.c
@@ -669,11 +669,13 @@ static int __init has_wakealarm(struct device *dev, void *name_ptr)
669 */ 669 */
670static int __init alarmtimer_init_late(void) 670static int __init alarmtimer_init_late(void)
671{ 671{
672 struct device *dev;
672 char *str; 673 char *str;
673 674
674 /* Find an rtc device and init the rtc_timer */ 675 /* Find an rtc device and init the rtc_timer */
675 class_find_device(rtc_class, NULL, &str, has_wakealarm); 676 dev = class_find_device(rtc_class, NULL, &str, has_wakealarm);
676 if (str) 677 /* If we have a device then str is valid. See has_wakealarm() */
678 if (dev)
677 rtcdev = rtc_class_open(str); 679 rtcdev = rtc_class_open(str);
678 if (!rtcdev) { 680 if (!rtcdev) {
679 printk(KERN_WARNING "No RTC device found, ALARM timers will" 681 printk(KERN_WARNING "No RTC device found, ALARM timers will"