mailbox: call request_irq after mbox queues are allocated

The mailbox startup code is enabling the interrupt even before
any of the associated mailbox queues are allocated. Any pending
received mailbox message could cause a kernel panic as soon as
the interrupt is enabled due to the dereferencing of non-existing
mailbox queues within the ISR.

Signed-off-by: Fernando Guzman Lugo <lugo.fernando@gmail.com>
Signed-off-by: Suman Anna <s-anna@ti.com>

diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c
index c38241a8b44adf1c9024a4a11155d982aae712b5..5fea5c276a615815fe8e03fe61643cf5b01eee67 100644 (file)
--- a/drivers/mailbox/mailbox.c
+++ b/drivers/mailbox/mailbox.c
@@ -377,14 +377,6 @@ static int mailbox_startup(struct mailbox *mbox)
        }
 
        if (!mbox->use_count++) {
-               ret = request_irq(mbox->irq, mbox_interrupt,
-                               IRQF_SHARED | IRQF_NO_SUSPEND,
-                               mbox->name, mbox);
-               if (unlikely(ret)) {
-                       pr_err("failed to register mailbox interrupt:%d\n",
-                                       ret);
-                       goto fail_request_irq;
-               }
                mq = mbox_queue_alloc(mbox, NULL, mbox_tx_tasklet);
                if (!mq) {
                        ret = -ENOMEM;
@@ -399,17 +391,25 @@ static int mailbox_startup(struct mailbox *mbox)
                }
                mbox->rxq = mq;
                mq->mbox = mbox;
+               ret = request_irq(mbox->irq, mbox_interrupt,
+                               IRQF_SHARED | IRQF_NO_SUSPEND,
+                               mbox->name, mbox);
+               if (unlikely(ret)) {
+                       pr_err("failed to register mailbox interrupt:%d\n",
+                                       ret);
+                       goto fail_request_irq;
+               }
 
                mailbox_enable_irq(mbox, IRQ_RX);
        }
        mutex_unlock(&mbox_configured_lock);
        return 0;
 
+fail_request_irq:
+       mbox_queue_free(mbox->rxq);
 fail_alloc_rxq:
        mbox_queue_free(mbox->txq);
 fail_alloc_txq:
-       free_irq(mbox->irq, mbox);
-fail_request_irq:
        if (mbox->ops->shutdown)
                mbox->ops->shutdown(mbox);
        mbox->use_count--;