Subject: Re: [PATCH v3 3/3] uio: fix crash after the device is unregistered
From: Mike Christie
To: Xiubo Li, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org
Cc: hamish.martin@alliedtelesis.co.nz, jannh@google.com, pkalever@redhat.com, pkarampu@redhat.com, atumball@redhat.com, sabose@redhat.com
Date: Mon, 9 Jul 2018 12:06:32 -0500
Message-ID: <5B439618.5060800@redhat.com>
In-Reply-To: <1d3a72f6-2d48-1e36-82e4-c764c5359765@redhat.com>

On 07/06/2018 08:28 PM, Xiubo Li wrote:
> On 2018/7/7 2:23, Mike Christie wrote:
>> On 07/05/2018 09:57 PM, xiubli@redhat.com wrote:
>>> static irqreturn_t uio_interrupt(int irq, void *dev_id) >>> { >>> struct uio_device *idev = (struct uio_device *)dev_id; >>> - irqreturn_t ret = idev->info->handler(irq, idev->info); >>> + irqreturn_t ret; >>> + >>> + mutex_lock(&idev->info_lock); >>> + if (!idev->info) { >>> + ret = IRQ_NONE; >>> + goto out; >>> + } >>> + ret = idev->info->handler(irq, idev->info); >>> if (ret == IRQ_HANDLED) >>> uio_event_notify(idev->info); >>> +out: >>> + mutex_unlock(&idev->info_lock); >>> return ret; >>> }
>>
>> Do you need the interrupt related changes in this patch and the first
>> one?
> Actually, the NULL checking is not a must, we can remove this. But the
> lock/unlock is needed.
>> When we do uio_unregister_device -> free_irq does free_irq return
>> when there are no longer running interrupt handlers that we requested?
>>
>> If that is not the case then I think we can hit a similar bug. We do:
>>
>> __uio_register_device -> device_register -> device's refcount goes to
>> zero so we do -> uio_device_release -> kfree(idev)
>>
>> and if it is possible the interrupt handler could still run after
>> free_irq then we would end up doing:
>>
>> uio_interrupt -> mutex_lock(&idev->info_lock) -> idev access freed
>> memory.
>
> I think this shouldn't happen. Because the free_irq function does not
> return until any executing interrupts for this IRQ have completed.
>

If free_irq returns after executing interrupts and does not allow new executions what is the lock protecting in uio_interrupt?
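
Review bot: the added mutex_lock(&idev->info_lock) / mutex_unlock(&idev->info_lock) pair in uio_interrupt() takes a sleeping lock inside an interrupt handler, which is not allowed in hard-IRQ context if this function is the handler passed to request_irq(). If the handler really has to serialize against teardown clearing idev->info, a spinlock taken with spin_lock_irqsave() on the process-context side would be the usual choice; otherwise drop both the lock and the `if (!idev->info)` check from the handler and rely on free_irq() waiting for running handlers before idev->info is cleared. Note also that info_lock is a member of idev, so it cannot protect the handler against idev itself being freed, which is the lifetime question raised in the thread.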