genirq: Fix chained interrupt data ordering

KAGA-KOKO · gregkh · commit e07db0d720d3 · 2017-05-25T14:30:17.000+02:00
commit 2c4569ca26986d18243f282dd727da27e9adae4c upstream.

irq_set_chained_handler_and_data() sets up the chained interrupt and then
stores the handler data.

That's racy against an immediate interrupt which gets handled before the
store of the handler data happened. The handler will dereference a NULL
pointer and crash.

Cure it by storing handler data before installing the chained handler.

Reported-by: Borislav Petkov &lt;bp@alien8.de&gt;
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
diff --git a/kernel/irq/chip.c b/kernel/irq/chip.c
@@ -810,8 +810,8 @@ irq_set_chained_handler_and_data(unsigned int irq, irq_flow_handler_t handle,
 	if (!desc)
 		return;
 
-	__irq_do_set_handler(desc, handle, 1, NULL);
 	desc->irq_common_data.handler_data = data;
+	__irq_do_set_handler(desc, handle, 1, NULL);
 
 	irq_put_desc_busunlock(desc, flags);
 }

Original file line number	Diff line number	Diff line change
`@@ -810,8 +810,8 @@ irq_set_chained_handler_and_data(unsigned int irq, irq_flow_handler_t handle,`
`810`	`810`	`if (!desc)`
`811`	`811`	`return;`
`812`	`812`
`813`		`- __irq_do_set_handler(desc, handle, 1, NULL);`
`814`	`813`	`desc->irq_common_data.handler_data = data;`
	`814`	`+ __irq_do_set_handler(desc, handle, 1, NULL);`
`815`	`815`
`816`	`816`	`irq_put_desc_busunlock(desc, flags);`
`817`	`817`	`}`