alarmtimer: Check return value of class_find_device()
alarmtimer_late_init() uses class_find_device() to find an alarm
capable rtc device. The match callback stores a pointer to the name in
the char pointer handed in from the call site. alarmtimer_late_init()
checks the char pointer for NULL, but the pointer is on the stack and
not initialized to NULL before the call. So it can have random content
when the match function did not identify a device, which leads to
random access in the following rtc_open() call where the pointer is
dereferenced.

Instead of relying on the char pointer, check the return value of
class_find_device. If a device is found then the name pointer is valid
as well.

Reported-by: Ingo Molnar <mingo@elte.hu>
Cc: John Stultz <john.stultz@linaro.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Thomas Gleixner committed May 4, 2011
1 parent 99ee531 commit ce788f9
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions kernel/time/alarmtimer.c
Expand Up @@ -669,11 +669,13 @@ static int __init has_wakealarm(struct device *dev, void *name_ptr)
*/
static int __init alarmtimer_init_late(void)
{
struct device *dev;
char *str;

/* Find an rtc device and init the rtc_timer */
class_find_device(rtc_class, NULL, &str, has_wakealarm);
if (str)
dev = class_find_device(rtc_class, NULL, &str, has_wakealarm);
/* If we have a device then str is valid. See has_wakealarm() */
if (dev)
rtcdev = rtc_class_open(str);
if (!rtcdev) {
printk(KERN_WARNING "No RTC device found, ALARM timers will"
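Review bot: the device returned by `dev = class_find_device(rtc_class, NULL, &str, has_wakealarm);` is only tested for NULL in the visible lines and is never released. class_find_device() returns the matched device with a reference held, so unless it is dropped below the visible context, a put_device(dev) is needed once rtc_class_open(str) has been called. Separately, `char *str;` is still declared uninitialized; initializing it to NULL costs nothing and keeps rtc_class_open() from seeing stack garbage if the match callback ever returns nonzero without storing the name. The new comment points at has_wakealarm() for the guarantee that str is valid, so that callback should carry a matching comment stating that it must set the name before returning a match.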