Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp32572imu; Thu, 10 Jan 2019 16:27:25 -0800 (PST) X-Google-Smtp-Source: ALg8bN7uHpbC/4RfD/j1VP+EmG91ynPHNQfzQF/kmKH5zfB5X51/7iajnEu/ZmJ5KC5SsGO825iA X-Received: by 2002:a62:1c0a:: with SMTP id c10mr12298308pfc.213.1547166444998; Thu, 10 Jan 2019 16:27:24 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547166444; cv=none; d=google.com; s=arc-20160816; b=VpJwsIXnSCdw/J6nPR2L3yX6d48p6cYQPFWTCYd0TE0f9lLep6jjvvcUo9XM3yP6NW fQmgIOtDWgui100FHmYb27KMn09k/YrsAQ27AI0abX92oRYvad/OMzAdxmFvxXayQICo 4X6IB3krI+XeHr07l6TzNv6MubJ79+AgGJDxjovCLYKwc3A4L+PAMC6knbCjzbU/otfL Aeobn/cUKk3ZU5RATaPCyo1pUP1GdNoj/MmOkEvwZaRElx559ubkB62QdNYL2wAcLRFC ykr1XhlLTMtKFuF0hDIUwrGEGYlmfox323tLzt7JRfzcie/WmbcT6IDxFSxT9w5xmYI+ cvKw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=8aPgpQf/029qmSrOYEJdbqVoX46TFR0Xv3F5SVK06h4=; b=A9qOa/KwbJ6hYKP+MEbEkUWN+oTYuZYnpujXxTwpV2DMmKrusEcjBT0FW/9jYa3VZr P6TeadVc3MutcTlEyHpW9DlSkav238NOCmuuP8ynlsHYVn/CZtTD256HttC9VC1n9ckX iGWxOeIXg92at2CpMjZTEjVdwk1FrRrsoN4DCyzEu5KtWaHj+eVX52bxNXeS1vNxpetx TALz2Gw7jNwDE2M5k9nPQtmFR18DekB64gprnPZLm971oN2vfQ1SM4rKRWw5UKrba/r8 Lp4S8MwxC8yT7ikODbykPJZ84UyFRVcqUEFYGJl9vybk5HMUeY5Rb6ByG3wryjUVBC/P VhBw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k6si18279507pgr.500.2019.01.10.16.27.04; Thu, 10 Jan 2019 16:27:24 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729798AbfAJWxT (ORCPT + 99 others); Thu, 10 Jan 2019 17:53:19 -0500 Received: from mslow2.mail.gandi.net ([217.70.178.242]:49376 "EHLO mslow2.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727634AbfAJWxT (ORCPT ); Thu, 10 Jan 2019 17:53:19 -0500 Received: from relay9-d.mail.gandi.net (unknown [217.70.183.199]) by mslow2.mail.gandi.net (Postfix) with ESMTP id A59123A4021; Thu, 10 Jan 2019 23:42:46 +0100 (CET) X-Originating-IP: 88.190.179.123 Received: from localhost (unknown [88.190.179.123]) (Authenticated sender: repk@triplefau.lt) by relay9-d.mail.gandi.net (Postfix) with ESMTPSA id AF1EBFF804; Thu, 10 Jan 2019 22:42:43 +0000 (UTC) Date: Thu, 10 Jan 2019 23:52:00 +0100 From: Remi Pommarel To: Ulf Hansson , Kevin Hilman Cc: Elie Roudninski , linux-mmc@vger.kernel.org, linux-amlogic@lists.infradead.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] mmc: meson-gx: Free irq in release() callback Message-ID: <20190110225200.GC982@voidbox.localdomain> References: <20190110184908.27413-1-repk@triplefau.lt> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190110184908.27413-1-repk@triplefau.lt> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jan 10, 2019 at 07:49:08PM +0100, Remi Pommarel wrote: > Because the irq was requested through device managed resources API > (devm_request_threaded_irq()) it was freed after meson_mmc_remove() > completion, thus after mmc_free_host() has reclaimed meson_host memory. > As this irq is IRQF_SHARED, while using CONFIG_DEBUG_SHIRQ, its handler > get called by free_irq(). So meson_mmc_irq() was called after the > meson_host memory reclamation and was using invalid memory. > > We ended up with the following scenario: > device_release_driver() > meson_mmc_remove() > mmc_free_host() /* Freeing host memory */ > ... > devres_release_all() > devm_irq_release() > __free_irq() > meson_mmc_irq() /* Uses freed memory */ > > To avoid this, the irq is released in meson_mmc_remove() before > mmc_free_host() gets called. > Oups, I missed the fact that the same can happen if probe() callback fails after allocating the irq. I will send a V2 for that. -- Remi