From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 9DD40C7618A for ; Mon, 20 Mar 2023 09:36:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:Content-Type: Content-Transfer-Encoding:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:In-Reply-To:From:References:CC:To:Subject: MIME-Version:Date:Message-ID:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=hBDkEjpEt/t6ftD8Dr3JeqP+z0t0YPAtWBfzvhZqavU=; b=wwaeohACRDMMUy sOCElPYxCx2iUvfM4WAQ407gZdST5zSs1qN+RBEDNn6IFoM7WPo5koN/ZSsVF68/MmPAlYK8X7ujJ wxeEb/zYDrZAKA6L3NcK242ipKZ5aY4Sy9V6PLb00zRSR0jRyhF20vwPyzO7JX9IpJ0s20GFGx1IK Ed+OnxjUhux2efTZKJveRbqsBP9Rx2Xl2imQNkZui4MyYwjFEXYEMgfCIOUqXqzekc3w7CY/+1Rdy d5yQKfubjVMJxEYNP3kMQLBIkcw0I1Rhy9vDps9KAyu8WW3VvRmMA8jRNRLHe8Xa96UBxeS0NzLNL lQQr7l/rExgdepwjqepg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.96 #2 (Red Hat Linux)) id 1peBvU-008VRI-13; Mon, 20 Mar 2023 09:35:36 +0000 Received: from esa.microchip.iphmx.com ([68.232.154.123]) by bombadil.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1peBvR-008VQe-2c for linux-arm-kernel@lists.infradead.org; Mon, 20 Mar 2023 09:35:35 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=microchip.com; i=@microchip.com; q=dns/txt; s=mchp; t=1679304933; x=1710840933; h=message-id:date:mime-version:subject:to:cc:references: from:in-reply-to:content-transfer-encoding; bh=dyi9itZ2EsM0QbXbELyjxRO6wIIBtI+33DE19QI5xqM=; b=WZdSeWoCX0f32YiMjUpeKLu1GXeaBIaaf6BgIc4vjNyqxIswbP1sAlYy Sj/b0un15fdDBVWVGmbmcZVDnoGisxaond8OeO/eJ+s/5msUJWc/qvBAA Dw/sacXc1Ig2jusOzzxBaHtDKOLcXHkke259Z5JvubK//pGQI37dTNYUr CeNZnxsD0ALWn+hED3B2+cC53odQPhklU/P95UlEKbQpWzIVHYNz1AwlK udIuRQE0rEPx2JlSDjXDS+lS/SoSlsB74ylJu7i8A2gu3Y+mqavNXUBZt 54l0WKpb1FfwRGq7rMuLsIAATzCJFQd/Sqt6QBC1ban94erGBdlviYdsg A==; X-IronPort-AV: E=Sophos;i="5.98,274,1673938800"; d="scan'208";a="142894619" Received: from unknown (HELO email.microchip.com) ([170.129.1.10]) by esa6.microchip.iphmx.com with ESMTP/TLS/AES256-SHA256; 20 Mar 2023 02:35:32 -0700 Received: from chn-vm-ex04.mchp-main.com (10.10.85.152) by chn-vm-ex04.mchp-main.com (10.10.85.152) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.21; Mon, 20 Mar 2023 02:35:32 -0700 Received: from [10.159.245.112] (10.10.115.15) by chn-vm-ex04.mchp-main.com (10.10.85.152) with Microsoft SMTP Server id 15.1.2507.21 via Frontend Transport; Mon, 20 Mar 2023 02:35:30 -0700 Message-ID: <954acc8c-0df3-23a4-7237-ecbc31811a56@microchip.com> Date: Mon, 20 Mar 2023 10:35:24 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.8.0 Subject: Re: [PATCH] iio: at91-sama5d2_adc: Fix use after free bug in at91_adc_remove due to race condition Content-Language: en-US To: Zheng Wang , CC: , , , , , , References: <20230310091239.1440279-1-zyytlz.wz@163.com> From: Nicolas Ferre Organization: microchip In-Reply-To: <20230310091239.1440279-1-zyytlz.wz@163.com> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230320_023533_915700_7D7EF0EE X-CRM114-Status: GOOD ( 21.34 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On 10/03/2023 at 10:12, Zheng Wang wrote: > In at91_adc_probe, &st->touch_st.workq is bound with > at91_adc_workq_handler. Then it will be started by irq > handler at91_adc_touch_data_handler > > If we remove the driver which will call at91_adc_remove > to make cleanup, there may be a unfinished work. > > The possible sequence is as follows: > > Fix it by finishing the work before cleanup in the at91_adc_remove > > CPU0 CPU1 > > |at91_adc_workq_handler > at91_adc_remove | > iio_device_unregister| > iio_dev_release | > kfree(iio_dev_opaque);| > | > |iio_push_to_buffers > |&iio_dev_opaque->buffer_list > |//use There is no such thing as a SMP platform using this driver (yet?), so we agree that this fix is purely theoretical, cannot be reproduced nor its fix validated. That being said, I'm happy that enhancements are provided to this driver, no doubt about that. > Fixes: 23ec2774f1cc ("iio: adc: at91-sama5d2_adc: add support for position and pressure channels") > Signed-off-by: Zheng Wang > --- > drivers/iio/adc/at91-sama5d2_adc.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c > index 50d02e5fc6fc..1b95d18d9e0b 100644 > --- a/drivers/iio/adc/at91-sama5d2_adc.c > +++ b/drivers/iio/adc/at91-sama5d2_adc.c > @@ -2495,6 +2495,8 @@ static int at91_adc_remove(struct platform_device *pdev) > struct iio_dev *indio_dev = platform_get_drvdata(pdev); > struct at91_adc_state *st = iio_priv(indio_dev); > > + disable_irq_nosync(st->irq); > + cancel_work_sync(&st->touch_st.workq); About stopping the source of interrupt, I would recommend using a sequence already exposed in at91_adc_hw_init (and possibly make it common), like: if (st->soc_info.platform->layout->EOC_IDR) at91_adc_writel(st, EOC_IDR, 0xffffffff); at91_adc_writel(st, IDR, 0xffffffff); Regards, Nicolas > iio_device_unregister(indio_dev); > > at91_adc_dma_disable(st); > -- > 2.25.1 > -- Nicolas Ferre _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel