Date: Sat, 18 Mar 2023 17:39:13 +0000
From: Jonathan Cameron
To: Zheng Wang
Cc: alexandre.belloni@bootlin.com, lars@metafoo.de, linux-iio@vger.kernel.org, eugen.hristev@collabora.com, linux-kernel@vger.kernel.org, claudiu.beznea@microchip.com, linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH] iio: at91-sama5d2_adc: Fix use after free bug in at91_adc_remove due to race condition
Message-ID: <20230318173913.19e8a1b1@jic23-huawei>
In-Reply-To: <20230310091239.1440279-1-zyytlz.wz@163.com>

On Fri, 10 Mar 2023 17:12:39 +0800
Zheng Wang wrote:

> In at91_adc_probe, &st->touch_st.workq is bound with
> at91_adc_workq_handler. Then it will be started by irq
> handler at91_adc_touch_data_handler
>
> If we remove the driver which will call at91_adc_remove
> to make cleanup, there may be an unfinished work.
>
> The possible sequence is as follows:
>
> Fix it by finishing the work before cleanup in the at91_adc_remove
>
> CPU0                  CPU1
>
>                      |at91_adc_workq_handler
> at91_adc_remove      |
> iio_device_unregister|
> iio_dev_release      |
> kfree(iio_dev_opaque);|
>                      |
>                      |iio_push_to_buffers
>                      |&iio_dev_opaque->buffer_list
>                      |//use
> Fixes: 23ec2774f1cc ("iio: adc: at91-sama5d2_adc: add support for position and pressure channels")
> Signed-off-by: Zheng Wang
> ---
>  drivers/iio/adc/at91-sama5d2_adc.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c
> index 50d02e5fc6fc..1b95d18d9e0b 100644
> --- a/drivers/iio/adc/at91-sama5d2_adc.c
> +++ b/drivers/iio/adc/at91-sama5d2_adc.c
> @@ -2495,6 +2495,8 @@ static int at91_adc_remove(struct platform_device *pdev)
>  	struct iio_dev *indio_dev = platform_get_drvdata(pdev);
>  	struct at91_adc_state *st = iio_priv(indio_dev);
>
> +	disable_irq_nosync(st->irq);
> +	cancel_work_sync(&st->touch_st.workq);

I'd like some input from someone more familiar with this driver than I am.

In particular, whilst it fixes the bug seen I'm not sure what the most
logical ordering for the disable is or the best way to do it.
I'd prefer to see the irq cut off at source by disabling it at the device
feature that is generating the irq followed by cancelling or waiting for
completion of any in flight work.

>  	iio_device_unregister(indio_dev);
>
>  	at91_adc_dma_disable(st);
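
Review bot: disable_irq_nosync(st->irq) at the top of at91_adc_remove() returns without waiting for a handler instance that is already executing, so at91_adc_touch_data_handler (which the commit message names as the path that starts the work) can still queue st->touch_st.workq on another CPU after cancel_work_sync() has returned, and the queued work would then reach iio_push_to_buffers after iio_device_unregister(). Use disable_irq(st->irq), which waits for in-flight handlers, or mask the touch interrupt source in the device and call synchronize_irq(st->irq), before cancel_work_sync(&st->touch_st.workq). The commit message should also state why nothing else can requeue the work between these two calls and iio_device_unregister().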