genirq: Fix chained interrupt data ordering

commit 2c4569ca26986d18243f282dd727da27e9adae4c upstream. irq_set_chained_handler_and_data() sets up the chained interrupt and then stores the handler data. That's racy against an immediate interrupt which gets handled before the store of the handler data happened. The handler will dereference a NULL pointer and crash. Cure it by storing handler data before installing the chained handler. Reported-by: Borislav Petkov <bp@alien8.de> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Thomas Gleixner <tglx@linutronix.de> 2017-05-11 11:54:11 (GMT)
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-05-25 13:44:46 (GMT)
commit: 423f1752a0283b3f54f175be893f610f51b3aaf5 (patch)
tree: 33d6ad60b7e1ee45149b96d87bbac0a9e8fe7a80
parent: 3fe116563d5ddc2e3a506eb4b227164e5ccaed23 (diff)
download: linux-423f1752a0283b3f54f175be893f610f51b3aaf5.tar.xz
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/irq/chip.c b/kernel/irq/chip.c
index be3c34e..077c87f 100644
--- a/kernel/irq/chip.c
+++ b/kernel/irq/chip.c
@@ -877,8 +877,8 @@ irq_set_chained_handler_and_data(unsigned int irq, irq_flow_handler_t handle,
 	if (!desc)
 		return;
 
-	__irq_do_set_handler(desc, handle, 1, NULL);
 	desc->irq_common_data.handler_data = data;
+	__irq_do_set_handler(desc, handle, 1, NULL);
 
 	irq_put_desc_busunlock(desc, flags);
 }
author	Thomas Gleixner <tglx@linutronix.de>	2017-05-11 11:54:11 (GMT)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-05-25 13:44:46 (GMT)
commit	423f1752a0283b3f54f175be893f610f51b3aaf5 (patch)
tree	33d6ad60b7e1ee45149b96d87bbac0a9e8fe7a80
parent	3fe116563d5ddc2e3a506eb4b227164e5ccaed23 (diff)
download	linux-423f1752a0283b3f54f175be893f610f51b3aaf5.tar.xz