Subject: Re: [PATCH v3 3/3] uio: fix crash after the device is unregistered
From: Xiubo Li
To: Mike Christie, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org
Cc: hamish.martin@alliedtelesis.co.nz, jannh@google.com, pkalever@redhat.com, pkarampu@redhat.com, atumball@redhat.com, sabose@redhat.com
Date: Tue, 10 Jul 2018 10:40:17 +0800

On 2018/7/10 1:06, Mike Christie wrote:
> On 07/06/2018 08:28 PM, Xiubo Li wrote:
>> On 2018/7/7 2:23, Mike Christie wrote:
>>> On 07/05/2018 09:57 PM, xiubli@redhat.com wrote:
>>>> static irqreturn_t uio_interrupt(int irq, void *dev_id) >>>> { >>>> struct uio_device *idev = (struct uio_device *)dev_id; >>>> - irqreturn_t ret = idev->info->handler(irq, idev->info); >>>> + irqreturn_t ret; >>>> + >>>> + mutex_lock(&idev->info_lock); >>>> + if (!idev->info) { >>>> + ret = IRQ_NONE; >>>> + goto out; >>>> + } >>>> + ret = idev->info->handler(irq, idev->info); >>>> if (ret == IRQ_HANDLED) >>>> uio_event_notify(idev->info); >>>> +out: >>>> + mutex_unlock(&idev->info_lock); >>>> return ret; >>>> }
>>> Do you need the interrupt related changes in this patch and the first
>>> one?
>> Actually, the NULL checking is not a must, we can remove this. But the
>> lock/unlock is needed.
>>> When we do uio_unregister_device -> free_irq does free_irq return
>>> when there are no longer running interrupt handlers that we requested?
>>>
>>> If that is not the case then I think we can hit a similar bug. We do:
>>>
>>> __uio_register_device -> device_register -> device's refcount goes to
>>> zero so we do -> uio_device_release -> kfree(idev)
>>>
>>> and if it is possible the interrupt handler could still run after
>>> free_irq then we would end up doing:
>>>
>>> uio_interrupt -> mutex_lock(&idev->info_lock) -> idev access freed
>>> memory.
>> I think this shouldn't happen. Because the free_irq function does not
>> return until any executing interrupts for this IRQ have completed.
>>
> If free_irq returns after executing interrupts and does not allow new
> executions what is the lock protecting in uio_interrupt?
>
I meant idev->info->handler(irq, idev->info), it may should be protected
by the related lock in each driver.

Thanks,
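
Review bot: mutex_lock(&idev->info_lock) at the top of uio_interrupt() can sleep, and this function is an interrupt handler, so unless the IRQ is requested as a threaded handler the mutex cannot be taken here. The thread also states that free_irq() does not return until executing handlers for the IRQ have completed; if uio_unregister_device() calls free_irq() before idev->info is cleared, the handler needs neither the lock nor the `if (!idev->info)` check, and both can be dropped from this hunk. If idev->info really must be guarded against a concurrent path in the handler, a lock that is safe in interrupt context is needed instead, and the commit message should say which path that is.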