From: Bartosz Golaszewski <brgl@bgdev.pl>
To: Yury Norov <yury.norov@gmail.com>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org,
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Subject: [PATCH 1/4] genirq/irq_sim: dispose of remaining mappings before removing the domain
Date: Sat, 12 Aug 2023 21:44:54 +0200
Message-ID: <20230812194457.6432-2-brgl@bgdev.pl>
In-Reply-To: <20230812194457.6432-1-brgl@bgdev.pl>
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
If the device providing simulated interrupts is unbound (real life
example: gpio-sim is disabled with users that didn't free their irqs)
and removes the simulated domain while interrupts are still requested,
we will hit memory issues when they are eventually freed and the
mappings destroyed in the process.
Specifically we'll access freed memory in __irq_domain_deactivate_irq().
Dispose of all mappings before removing the simulator domain.
Fixes: b19af510e67e ("genirq/irq_sim: Add a simple interrupt simulator framework")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
---
kernel/irq/irq_sim.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/kernel/irq/irq_sim.c b/kernel/irq/irq_sim.c
index dd76323ea3fd..2c8a9cc1faa6 100644
--- a/kernel/irq/irq_sim.c
+++ b/kernel/irq/irq_sim.c
@@ -4,6 +4,7 @@
* Copyright (C) 2020 Bartosz Golaszewski <bgolaszewski@baylibre.com>
*/
+#include <linux/list.h>
#include <linux/irq.h>
#include <linux/irq_sim.h>
#include <linux/irq_work.h>
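Review bot: The new #include <linux/list.h> is placed above <linux/irq.h>, which breaks the alphabetical order that the three existing includes in this hunk already follow. Putting it after <linux/irq_work.h> keeps the block sorted and avoids moving the line again in a later cleanup.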
@@ -16,12 +17,14 @@ struct irq_sim_work_ctx {
unsigned int irq_count;
unsigned long *pending;
struct irq_domain *domain;
+ struct list_head irqs;
};
struct irq_sim_irq_ctx {
int irqnum;
bool enabled;
struct irq_sim_work_ctx *work_ctx;
+ struct list_head siblings;
};
static void irq_sim_irqmask(struct irq_data *data)
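Review bot: Neither new field says what it is for or what protects it: `irqs` in struct irq_sim_work_ctx and `siblings` in struct irq_sim_irq_ctx are added without a comment, and no lock is added next to them. A one-line comment on each (list of currently mapped interrupts; node in work_ctx->irqs), plus a note on which lock or calling context serialises access, would make the lifetime rule this fix depends on visible in the code.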
@@ -129,6 +132,8 @@ static int irq_sim_domain_map(struct irq_domain *domain,
irq_set_handler(virq, handle_simple_irq);
irq_modify_status(virq, IRQ_NOREQUEST | IRQ_NOAUTOEN, IRQ_NOPROBE);
irq_ctx->work_ctx = work_ctx;
+ irq_ctx->irqnum = virq;
+ list_add_tail(&irq_ctx->siblings, &work_ctx->irqs);
return 0;
}
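Review bot: list_add_tail() on work_ctx->irqs runs here with no lock taken in the visible lines, while the same list is modified by list_del() in irq_sim_domain_unmap() and walked in irq_domain_remove_sim(). If the map and unmap callbacks can run concurrently for different interrupts of one domain, the list can be corrupted. Either take a lock around the list operations or state in the commit message why the callers already serialise them.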
@@ -141,6 +146,7 @@ static void irq_sim_domain_unmap(struct irq_domain *domain, unsigned int virq)
irqd = irq_domain_get_irq_data(domain, virq);
irq_ctx = irq_data_get_irq_chip_data(irqd);
+ list_del(&irq_ctx->siblings);
irq_set_handler(virq, NULL);
irq_domain_reset_irq_data(irqd);
kfree(irq_ctx);
@@ -182,6 +188,7 @@ struct irq_domain *irq_domain_create_sim(struct fwnode_handle *fwnode,
work_ctx->irq_count = num_irqs;
work_ctx->work = IRQ_WORK_INIT_HARD(irq_sim_handle_irq);
+ INIT_LIST_HEAD(&work_ctx->irqs);
return work_ctx->domain;
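Review bot: INIT_LIST_HEAD(&work_ctx->irqs) sits at the very end of irq_domain_create_sim(), right before `return work_ctx->domain;`, so the domain already exists by the time the list head becomes valid. The call that creates the domain is outside the visible context, but if a mapping can be set up once the domain is registered, irq_sim_domain_map() would call list_add_tail() on an uninitialised head. Initialising the list right after work_ctx is allocated removes that window.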
@@ -203,8 +210,13 @@ EXPORT_SYMBOL_GPL(irq_domain_create_sim);
void irq_domain_remove_sim(struct irq_domain *domain)
{
struct irq_sim_work_ctx *work_ctx = domain->host_data;
+ struct irq_sim_irq_ctx *irq_ctx, *aux;
irq_work_sync(&work_ctx->work);
+
+ list_for_each_entry_safe(irq_ctx, aux, &work_ctx->irqs, siblings)
+ irq_dispose_mapping(irq_ctx->irqnum);
+
bitmap_free(work_ctx->pending);
kfree(work_ctx);
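Review bot: The loop in irq_domain_remove_sim() disposes mappings for interrupts that, per the commit message, may still be requested by their users, and nothing here says what happens when such a user later frees an interrupt number that no longer has a mapping. Please explain in the commit message or in a comment above the loop why that later free is safe. A short comment that the _safe iterator is required because irq_dispose_mapping() ends up in irq_sim_domain_unmap(), which does list_del() and kfree() on the current entry, would also help the next reader.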
--
2.39.2