From: Johan Hovold <johan@kernel.org>
To: Lars-Peter Clausen <lars@metafoo.de>
Cc: Johan Hovold <johan@kernel.org>, Mark Brown <broonie@kernel.org>,
linux-spi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 3/3] spi: spi-axi: take extra controller reference before deregistration
Date: Mon, 30 Oct 2017 10:57:26 +0100 [thread overview]
Message-ID: <20171030095726.GA7223@localhost> (raw)
In-Reply-To: <2a83c1f1-9203-eb97-5595-7a8da7261128@metafoo.de>
On Mon, Oct 30, 2017 at 10:48:23AM +0100, Lars-Peter Clausen wrote:
> On 10/29/2017 12:56 PM, Johan Hovold wrote:
> > Take an extra reference to the controller to avoid use-after-free in
> > free_irq() which is called only after the controller has been
> > deregistered and freed.
> >
> > Note that this is not an issue for this particular driver which does not
> > use shared interrupts, but free_irq() could otherwise end up accessing
> > the freed controller when CONFIG_DEBUG_SHIRQ is set.
>
> Strictly speaking there is no guarantee that the IRQ handler does not run
> until free_irq() has been called. And since the SPI master is referenced in
> the IRQ handler there could be an use-after-free condition. So there is kind
> of a real issue here as well. But it should be really really hard to trigger
> it unless the hardware misbehaves.
You're right of course. Let me update the commit message in a v2 of the
series.
> > Defer controller release until free_irq() returns to prevent this
> > from ever becoming an issue should this code be replicated in other
> > drivers.
> >
> > Cc: Lars-Peter Clausen <lars@metafoo.de>
> > Signed-off-by: Johan Hovold <johan@kernel.org>
>
> Acked-by: Lars-Peter Clausen <lars@metafoo.de>
Thanks,
Johan
next prev parent reply other threads:[~2017-10-30 9:57 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-29 11:56 [PATCH 1/3] spi: fix use-after-free at controller deregistration Johan Hovold
[not found] ` <20171029115625.32385-1-johan-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2017-10-29 11:56 ` [PATCH 2/3] spi: document odd controller reference handling Johan Hovold
2017-10-29 11:56 ` Johan Hovold
2017-10-31 11:22 ` Applied "spi: document odd controller reference handling" to the spi tree Mark Brown
2017-10-29 11:56 ` [PATCH 3/3] spi: spi-axi: take extra controller reference before deregistration Johan Hovold
2017-10-30 9:48 ` Lars-Peter Clausen
2017-10-30 9:57 ` Johan Hovold [this message]
[not found] ` <20171029115625.32385-3-johan-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2017-10-31 11:22 ` Applied "spi: spi-axi: fix potential use-after-free after deregistration" to the spi tree Mark Brown
2017-10-31 11:22 ` Mark Brown
2017-10-31 11:22 ` Applied "spi: fix use-after-free at controller " Mark Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171030095726.GA7223@localhost \
--to=johan@kernel.org \
--cc=broonie@kernel.org \
--cc=lars@metafoo.de \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-spi@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.