From: Pan Xinhui <xinhuix.pan@intel.com>
To: linux-kernel@vger.kernel.org
Cc: dmitry.torokhov@gmail.com, nick.dyer@itdev.co.uk, mnipxh@163.com,
yanmin_zhang@linux.intel.com
Subject: [PATCH V3] atmel: fix a race between fw_load and data free
Date: Fri, 15 May 2015 20:32:45 +0800 [thread overview]
Message-ID: <5555E76D.50706@intel.com> (raw)
mxt_probe() may fail at last step, or we jsut unload mxt module soon.
the queue_work scheduled by request_firmware_nowait may run later,
and then access some data which is freed.
To handle this issue, add fw_load_completion field in mxt_data.
then we wait for it complete both in probe error path and mxt_remove().
here is the detail in probe, similar in remove.
module load: worker_thread:
mxt_probe -> mxt_initialize -> request_firmware_nowait (schedule_work)
|
sysfs_create_group (fails) mxt_config_cb -> mxt_configure_objects (may access data freed)
|
err_free_object: some cleanup work, like free(data).
Signed-off-by: xinhui.pan <xinhuix.pan@intel.com>
---
change in v3:
use wait_for_completion, avoid timeout side effect.
change in V2:
use fw_load_completion instead of statics.
fix a race both in mxt_remove and mxt_probe.
drivers/input/touchscreen/atmel_mxt_ts.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/input/touchscreen/atmel_mxt_ts.c b/drivers/input/touchscreen/atmel_mxt_ts.c
index 40b98dd..bea69da 100644
--- a/drivers/input/touchscreen/atmel_mxt_ts.c
+++ b/drivers/input/touchscreen/atmel_mxt_ts.c
@@ -313,6 +313,9 @@ struct mxt_data {
/* for config update handling */
struct completion crc_completion;
+
+ /* for fw load handling */
+ struct completion fw_load_completion;
};
static size_t mxt_obj_size(const struct mxt_object *obj)
@@ -1982,8 +1985,10 @@ static int mxt_configure_objects(struct mxt_data *data,
static void mxt_config_cb(const struct firmware *cfg, void *ctx)
{
+ struct mxt_data *data = ctx;
mxt_configure_objects(ctx, cfg);
release_firmware(cfg);
+ complete(&data->fw_load_completion);
}
static int mxt_initialize(struct mxt_data *data)
@@ -2556,6 +2561,7 @@ static int mxt_probe(struct i2c_client *client, const struct i2c_device_id *id)
init_completion(&data->bl_completion);
init_completion(&data->reset_completion);
init_completion(&data->crc_completion);
+ init_completion(&data->fw_load_completion);
error = request_threaded_irq(client->irq, NULL, mxt_interrupt,
pdata->irqflags | IRQF_ONESHOT,
@@ -2581,6 +2587,7 @@ static int mxt_probe(struct i2c_client *client, const struct i2c_device_id *id)
return 0;
err_free_object:
+ wait_for_completion(&data->fw_load_completion);
mxt_free_input_device(data);
mxt_free_object_table(data);
err_free_irq:
@@ -2594,6 +2601,7 @@ static int mxt_remove(struct i2c_client *client)
{
struct mxt_data *data = i2c_get_clientdata(client);
+ wait_for_completion(&data->fw_load_completion);
sysfs_remove_group(&client->dev.kobj, &mxt_attr_group);
free_irq(data->irq, data);
mxt_free_input_device(data);
--
1.9.1
reply other threads:[~2015-05-14 12:34 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5555E76D.50706@intel.com \
--to=xinhuix.pan@intel.com \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mnipxh@163.com \
--cc=nick.dyer@itdev.co.uk \
--cc=yanmin_zhang@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox