kernel-janitors.vger.kernel.org archive mirror
From: Lars-Peter Clausen <lars@metafoo.de>
To: Julia Lawall <julia.lawall@lip6.fr>
Cc: Jonathan Cameron <jic23@cam.ac.uk>,
	kernel-janitors@vger.kernel.org, linux-iio@vger.kernel.org,
	linux-kernel@vger.kernel.org, rob.herring@calxeda.com
Subject: Re: [PATCH] drivers/iio/adc/at91_adc.c: use devm_ functions
Date: Tue, 31 Jul 2012 14:23:46 +0000
Message-ID: <5017EA72.8030003@metafoo.de>
In-Reply-To: <alpine.DEB.2.02.1207311552440.1894@hadrien>

On 07/31/2012 03:54 PM, Julia Lawall wrote:
> 
> 
> On Tue, 31 Jul 2012, Lars-Peter Clausen wrote:
> 
>> Hi,
>>
>> On 07/31/2012 12:09 PM, Julia Lawall wrote:
>>> From: Julia Lawall <Julia.Lawall@lip6.fr>
>>> @@ -720,20 +698,14 @@ error_ret:
>>>  static int __devexit at91_adc_remove(struct platform_device *pdev)
>>>  {
>>>  	struct iio_dev *idev = platform_get_drvdata(pdev);
>>> -	struct resource *res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
>>>  	struct at91_adc_state *st = iio_priv(idev);
>>>
>>>  	iio_device_unregister(idev);
>>> [...]
>>> -	free_irq(st->irq, idev);
>>> [...]
>>>  	iio_device_free(idev);
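Review bot: In at91_adc_remove(), dropping free_irq(st->irq, idev) while keeping iio_device_free(idev) means idev, the handler's dev_id, is freed before the IRQ is released, because a devm-managed IRQ is only released after remove() returns. Either release the IRQ explicitly ahead of iio_device_free(idev), for example with devm_free_irq(), or leave the IRQ out of the devm_ conversion.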
>>
>> I think we have to be careful here. The interrupt is now freed after the
>> device has been freed, which means that it could trigger after the device
>> has been freed. And since we use the device in the interrupt handler we'll
>> get a use after free.
> 
> Perhaps the same would be true in the following code, from the file
> drivers/edac/highbank_l2_edac.c:
> 
>         res = devm_request_irq(&pdev->dev, drvdata->sb_irq,
>                                highbank_l2_err_handler,
>                                0, dev_name(&pdev->dev), dci);
>         if (res < 0)
>                 goto err;
> 
>         dci->mod_name = dev_name(&pdev->dev);
>         dci->dev_name = dev_name(&pdev->dev);
> 
>         if (edac_device_add_device(dci))
>                 goto err;
> 
>         devres_close_group(&pdev->dev, NULL);
>         return 0;
> err:
>         devres_release_group(&pdev->dev, NULL);
>         edac_device_free_ctl_info(dci);

Yes, looks like this has the same issue.

> 
> Is devm_request_irq perhaps not a very good idea?
> 

devm_request_irq has to be used carefully. It is ok to use it if the objects
which are accessed in the interrupt handler are also devres managed. devres
will free objects in the reverse order in which they were allocated.

E.g. if you do

obj = devm_kzalloc(...);
...
devm_request_irq(..., obj);

it is safe to use, because 'obj' will be freed after the IRQ has been freed.

- Lars
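
The ordering rule from this reply, as an added example that is not part of the original message or of the kernel sources: a userspace C model in which devres entries are released in reverse order of allocation, comparing the patch's pattern with the safe one. All names here (struct model, devm_add, release_irq, free_obj, devres_release_all) are hypothetical stand-ins, not kernel APIs.

```c
/* Userspace model of devres release ordering (added example, not kernel code). */
#include <stdbool.h>
#include <stdio.h>

struct model {
    void (*release[4])(struct model *); /* devres stack, released LIFO */
    int n;
    bool irq_live;   /* handler can still fire */
    bool uaf_window; /* object was freed while the handler could still fire */
};

static void release_irq(struct model *m) { m->irq_live = false; }
static void free_obj(struct model *m) { if (m->irq_live) m->uaf_window = true; }
static void devm_add(struct model *m, void (*fn)(struct model *)) { m->release[m->n++] = fn; }

/* Runs after remove() returns: releases in reverse order of allocation. */
static void devres_release_all(struct model *m)
{
    while (m->n > 0)
        m->release[--m->n](m);
}

/* Patch pattern: IRQ is devres-managed, object is freed by hand in remove(). */
bool manual_obj_devm_irq(void)
{
    struct model m = { .irq_live = true };
    devm_add(&m, release_irq); /* devm_request_irq(..., obj) */
    free_obj(&m);              /* remove(): iio_device_free(idev) */
    devres_release_all(&m);    /* IRQ is only released here */
    return m.uaf_window;
}

/* Reply's pattern: object is devres-managed and allocated before the IRQ. */
bool devm_obj_then_devm_irq(void)
{
    struct model m = { .irq_live = true };
    devm_add(&m, free_obj);    /* obj = devm_kzalloc(...) */
    devm_add(&m, release_irq); /* devm_request_irq(..., obj) */
    devres_release_all(&m);    /* IRQ released first, then obj */
    return m.uaf_window;
}

int main(void)
{
    printf("manual free + devm irq: window=%d\n", manual_obj_devm_irq());
    printf("devm obj, then devm irq: window=%d\n", devm_obj_then_devm_irq());
    return 0;
}
```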
