rtc: msc313: fix NULL deref in shared IRQ handler at probe
authorStepan Ionichev <sozdayvek@gmail.com>
Mon, 11 May 2026 03:27:03 +0000 (08:27 +0500)
committerAlexandre Belloni <alexandre.belloni@bootlin.com>
Mon, 22 Jun 2026 22:13:35 +0000 (00:13 +0200)
msc313_rtc_probe() calls devm_request_irq() with IRQF_SHARED and
&pdev->dev as the cookie, but platform_set_drvdata() is only called
later after the clock setup. With a shared IRQ line, another device
on the same line can trigger the handler in that window. The
handler does dev_get_drvdata() on the cookie, gets NULL, and
dereferences priv->rtc_base in interrupt context.

Pass priv as the cookie directly so the handler reads it from
dev_id without the lookup, removing the dependency on probe order.

Fixes: be7d9c9161b9 ("rtc: Add support for the MSTAR MSC313 RTC")
Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
Link: https://patch.msgid.link/20260511032703.48262-1-sozdayvek@gmail.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
drivers/rtc/rtc-msc313.c

index 8d7737e0e2e02cfd303187ade872922cc3993458..6ef9c4efd7c92e4c9471ed5221f3d6ce08b21672 100644 (file)
@@ -160,7 +160,7 @@ static const struct rtc_class_ops msc313_rtc_ops = {
 
 static irqreturn_t msc313_rtc_interrupt(s32 irq, void *dev_id)
 {
-       struct msc313_rtc *priv = dev_get_drvdata(dev_id);
+       struct msc313_rtc *priv = dev_id;
        u16 reg;
 
        reg = readw(priv->rtc_base + REG_RTC_STATUS_INT);
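Review bot: The handler now assumes `dev_id` is a `struct msc313_rtc *`, and because the cookie is a `void *` only the matching argument in msc313_rtc_probe() keeps that true. A short comment above the assignment would tie the two sites together, for example `/* dev_id is the struct msc313_rtc * passed to devm_request_irq() in probe */`. The body of msc313_rtc_interrupt() continues past the end of this hunk.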
@@ -206,7 +206,7 @@ static int msc313_rtc_probe(struct platform_device *pdev)
        priv->rtc_dev->range_max = U32_MAX;
 
        ret = devm_request_irq(dev, irq, msc313_rtc_interrupt, IRQF_SHARED,
-                              dev_name(&pdev->dev), &pdev->dev);
+                              dev_name(&pdev->dev), priv);
        if (ret) {
                dev_err(dev, "Could not request IRQ\n");
                return ret;
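Review bot: Passing `priv` removes the NULL dereference, but this `devm_request_irq()` call still sits before the clock setup the commit message describes, so on a shared line the handler can run `readw(priv->rtc_base + REG_RTC_STATUS_INT)` before the RTC clock is enabled. Whether an unclocked register access is harmless on this SoC is not visible here; if it is not, requesting the IRQ after the clock is enabled would close that window, and would presumably also make devm free the IRQ before the clock is disabled on unbind. At minimum, a comment such as `/* shared IRQ: handler may run from here on; it only uses priv->rtc_base and priv->rtc_dev */` would record the ordering constraint. msc313_rtc_probe() starts and ends outside the hunk, so the assignment of `priv->rtc_base` is presumed to precede this call.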