RE: [PATCH 1/2] wifi: mt76: mt7921e: fix use-after-free in free_irq()

[Ping-Ke Shih <pkshih@realtek.com>]

From: Deren Wu (武德仁) <Deren.Wu@mediatek.com> 
Sent: Monday, January 15, 2024 8:18 PM
To: nbd@nbd.name; Ping-Ke Shih <pkshih@realtek.com>; lorenzo@kernel.org
Cc: Mingyen Hsieh (謝明諺) <Mingyen.Hsieh@mediatek.com>; linux-mediatek@lists.infradead.org; Leon Yen (顏良儒) <Leon.Yen@mediatek.com>; Shayne Chen (陳軒丞) <Shayne.Chen@mediatek.com>; Quan Zhou (周全) <Quan.Zhou@mediatek.com>; Sean Wang <Sean.Wang@mediatek.com>; KM Lin (林昆民) <km.lin@mediatek.com>; Soul Huang (黃至昶) <Soul.Huang@mediatek.com>; Posh Sun (孫瑞廷) <posh.sun@mediatek.com>; Eric-SY Chang (張書源) <Eric-SY.Chang@mediatek.com>; CH Yeh (葉志豪) <ch.yeh@mediatek.com>; Robin Chiu (邱國濱) <robin.chiu@mediatek.com>; Ryder Lee <Ryder.Lee@mediatek.com>; linux-wireless@vger.kernel.org
Subject: Re: [PATCH 1/2] wifi: mt76: mt7921e: fix use-after-free in free_irq()

> 
> Here is the snapshot. The code is trying to direct access this irq
> handler after deregisering, for IRQF_SHARED case. synchronize_irq() and
> tasklet_kill() are all done in previous steps. We need to stop the
> extra call here. If there are any alternative, that would be
> appreciated.
> 
> /*
>  * It's a shared IRQ -- the driver ought to be prepared for an IRQ
>  * event to happen even now it's being freed, so let's make sure that
>  * is so by doing an extra call to the handler ....
>  *
>  * ( We do this after actually deregistering it, to make sure that a
>  *   'real' IRQ doesn't run in parallel with our fake. )
>  */
> if (action->flags & IRQF_SHARED) {
>         local_irq_save(flags);
>         action->handler(irq, dev_id);
>         local_irq_restore(flags);
> }
> 

I missed this point. Sorry for the noise.