From: Dean Nelson <dcn@sgi.com>
Date: Sat, 18 Oct 2008 23:06:56 +0000 (-0700)
Subject: genirq: NULL struct irq_desc's member 'name' in dynamic_irq_cleanup()
X-Git-Tag: v2.6.27.16~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3b0ff5e98a8a987c657cb21ba206ffe8c359866b;p=thirdparty%2Fkernel%2Fstable.git

genirq: NULL struct irq_desc's member 'name' in dynamic_irq_cleanup()

commit b6f3b7803a9231eddc36d0a2a6d2d8105ef89344 upstream.

If the member 'name' of the irq_desc structure happens to point to a
character string that is resident within a kernel module, problems ensue
if that module is rmmod'd (at which time dynamic_irq_cleanup() is called)
and then later show_interrupts() is called by someone.

It is also not a good thing if the character string resided in kmalloc'd
space that has been kfree'd (after having called dynamic_irq_cleanup()).
dynamic_irq_cleanup() fails to NULL the 'name' member and
show_interrupts() references it on a few architectures (like h8300, sh and
x86).

Signed-off-by: Dean Nelson <dcn@sgi.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

diff --git a/kernel/irq/chip.c b/kernel/irq/chip.c
index 3cd441ebf5d21..48c58fed6985a 100644
--- a/kernel/irq/chip.c
+++ b/kernel/irq/chip.c
@@ -78,6 +78,7 @@ void dynamic_irq_cleanup(unsigned int irq)
 	desc->chip_data = NULL;
 	desc->handle_irq = handle_bad_irq;
 	desc->chip = &no_irq_chip;
+	desc->name = NULL;
 	spin_unlock_irqrestore(&desc->lock, flags);
 }