From: Robert Jarzmik <robert.jarzmik@free.fr>
To: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Cc: Julia Lawall <Julia.Lawall@lip6.fr>,
kernel-janitors@vger.kernel.org,
Mauro Carvalho Chehab <mchehab@redhat.com>,
Linux Media Mailing List <linux-media@vger.kernel.org>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] drivers/media/platform/soc_camera/pxa_camera.c: reposition free_irq to avoid access to invalid data
Date: Mon, 07 Jan 2013 21:08:46 +0100 [thread overview]
Message-ID: <874nisbvsh.fsf@free.fr> (raw)
In-Reply-To: <Pine.LNX.4.64.1301071111420.23972@axis700.grange> (Guennadi Liakhovetski's message of "Mon, 7 Jan 2013 12:09:36 +0100 (CET)")
Guennadi Liakhovetski <g.liakhovetski@gmx.de> writes:
> (adding Robert to CC)
> I don't think any data is freed by pxa_free_dma(), it only disables DMA on
> a certain channel. Theoretically there could be a different problem:
> pxa_free_dma() deactivates DMA, whereas pxa_dma_start_channels() activates
> it. But I think we're also protected against that: by the time
> pxa_camera_remove() is called, and operation on the interface has been
> stopped, client devices have been detached, pxa_camera_remove_device() has
> been called, which has also stopped the interface clock. And with clock
> stopped no interrupts can be generated. And the case of interrupt having
> been generated before clk_disabled() and only delivered to the driver so
> much later, that we're already unloading the module, seems really
> impossible to me. Robert, you agree?
Agreed that pxa_free_dma() doesn't free anything, that one is easy :)
And agreed too for the second part, with a slighly different explanation :
- pxa_camera_remove_device() has been called as you said
- inside this function, check comment
"/* disable capture, disable interrupts */"
=> this ensures no interrupt can be generated anymore
So after pxa_camera_remove_device() has been called, no interrupts can be
generated.
Yet as you said, it leaves the "almost impossible" scenario :
- a user begins a capture
- the user closes the capture device and unloads pxa-camera.ko:
soc_camera_close()
pxa_camera_remove_device()
the IRQ line is asserted but doesn't trigger yet the interrupt handler
(yes I know, improbable)
meanwhile, IRQs are disabled, DMA channels are stopped
switch_to(rmmod)
=> yes I know, impossible, the interrupt handler must be run before, but
let's continue for love of discussion ...
rmmod pxa-camera
pxa_camera_remove()
pxa_free_dma() * 3
----> here the IRQ handler kicks in !!!
=> pxa_camera_irq()
pxa_dma_start_channels()
----> it hurts !
My call is that this is impossible because the switch_to() should run the IRQ
handler before pxa_camera_remove() is called.
So all this to say that I think we're safe, unless a heavy ion or a cosmic ray
strikes the PXA :)
Cheers.
--
Robert
next prev parent reply other threads:[~2013-01-07 20:09 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-07 10:00 [PATCH 0/2] reposition free_irq to avoid access to invalid data Julia Lawall
2013-01-07 10:00 ` [PATCH 1/2] drivers/media/platform/soc_camera/pxa_camera.c: " Julia Lawall
2013-01-07 11:09 ` Guennadi Liakhovetski
2013-01-07 11:18 ` Julia Lawall
2013-01-07 11:33 ` Guennadi Liakhovetski
2013-01-07 20:08 ` Robert Jarzmik [this message]
2013-01-07 21:09 ` Julia Lawall
2013-01-07 10:00 ` [PATCH 2/2] drivers/crypto/bfin_crc.c: " Julia Lawall
2013-01-20 0:12 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874nisbvsh.fsf@free.fr \
--to=robert.jarzmik@free.fr \
--cc=Julia.Lawall@lip6.fr \
--cc=g.liakhovetski@gmx.de \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox