Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp809016img; Thu, 21 Mar 2019 09:21:18 -0700 (PDT) X-Google-Smtp-Source: APXvYqx54AwVnsmIEjryo1VH1H1mTjQalJkUntSItb+tWc55Ht2t3H6rq8UIzTdqJrGrLhWJkksC X-Received: by 2002:a17:902:8697:: with SMTP id g23mr4542813plo.30.1553185278033; Thu, 21 Mar 2019 09:21:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553185278; cv=none; d=google.com; s=arc-20160816; b=xZ3HOhlz7+Jmta8xnpuJZVjaXiPhYc5cWplhoPKctoILi4w/gBafAh7G+HpMlwckW3 yi8HqXWfR0I6vsizOPe11LfL2ZsWlwEZztNcML7KXJlwnxwU8Uani56uO1DIuWSv7akj dHe9028FL0J5HH2bsr/Peou+SbFg0k3xsbpVo8RRgqOgbY1k/73syhtIqWil6fjTTKRP dPV4sku9CWhgDSGcJIOpFRh14hwJYHzMFE4M8zYiiaNTL/qB1VW2YdEJMtw2K+FRCHlq aRk4Mh65gQkHFW83Sh0mhvf85Sq4TmvVo3azFx4SD0jf+7t61ExDT+ihbMUux0Wbpgak 2GgA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=eAKuNVYYFwlY/JACN7mxAOaSOVdDEoOfB8TF7DinWXA=; b=T2BvXysRFGMQdMIr/dVlgjIElJrOcKDjUR+O0oh+4ZGtJmj4aLtT6DS7aDNqUtTzpm TEDSUjl2ntpRw2bpFAzYWaRar5HOVKJNeIKx26iFGoCDTRACyNqIobja9E7yp8/nalFR MrL6CYM6MhMNepwJk42tKRfUA9QsDAwRYi1A260mSe6jQl66zjiAwevDN2KBWGn4u7ip 8+hztTvLK751efZE6K+KMgTyQvLbFoDh1QDYfQzlse+odsU2lOrvVuxR+KIreJONzEqa 09543UQVPTuRj7B3caaAxD9w0vYts30E+q2O8UqR4u/xWypKLZ1qWffVN91ebHVnmh1B U35w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m3si4333281pgq.343.2019.03.21.09.20.59; Thu, 21 Mar 2019 09:21:18 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728231AbfCUQTn (ORCPT + 99 others); Thu, 21 Mar 2019 12:19:43 -0400 Received: from Galois.linutronix.de ([146.0.238.70]:38689 "EHLO Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727138AbfCUQTn (ORCPT ); Thu, 21 Mar 2019 12:19:43 -0400 Received: from p5492e2fc.dip0.t-ipconnect.de ([84.146.226.252] helo=nanos) by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1h70Ps-0000Uj-0a; Thu, 21 Mar 2019 17:19:40 +0100 Date: Thu, 21 Mar 2019 17:19:39 +0100 (CET) From: Thomas Gleixner To: Prasad Sodagudi cc: LKML , Marc Zyngier Subject: Re: [PATCH] genirq: call cancel_work_sync from irq_set_affinity_notifier In-Reply-To: <1553119211-29761-1-git-send-email-psodagud@codeaurora.org> Message-ID: References: <1553119211-29761-1-git-send-email-psodagud@codeaurora.org> User-Agent: Alpine 2.21 (DEB 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Linutronix-Spam-Score: -1.0 X-Linutronix-Spam-Level: - X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required, ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Prasad, On Wed, 20 Mar 2019, Prasad Sodagudi wrote: > Subject: [PATCH] genirq: call cancel_work_sync from irq_set_affinity_notifier Please do not decribe WHAT the code change is. Give a consice explanation WHY this change is done. The above is like '[PATCH] foo: Increment bar by 5'. [PATCH] genirq: Prevent UAF and work list corruption > When ever notification of IRQ affinity changes, call > cancel_work_sync from irq_set_affinity_notifier to cancel > all pending works to avoid work list corruption. Again, you describe first WHAT you are doing instead of telling WHY. When irq_set_affinity_notifier() replaces the notifier, then the reference count on the old notifier is dropped which causes it to be freed. But nothing ensures that the old notifier is not longer queued in the work list. If it is queued this results in a use after free and possibly in work list corruption. Ensure that the work is canceled before the reference is dropped. See? This gives precise context first and then describes the cure. Also it is completely irrelevant whether this is achieved by calling cancel_work_sync() or by something else. What matters is that it's canceled. Changelogs describe context and concepts not implementation details. The implementation details are in the patch itself. > Signed-off-by: Prasad Sodagudi > --- > kernel/irq/manage.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c > index 9ec34a2..da8b2ee 100644 > --- a/kernel/irq/manage.c > +++ b/kernel/irq/manage.c > @@ -356,6 +356,9 @@ static void irq_affinity_notify(struct work_struct *work) > desc->affinity_notify = notify; > raw_spin_unlock_irqrestore(&desc->lock, flags); > > + if (!notify && old_notify) > + cancel_work_sync(&old_notify->work); That '!notify' doesn't make any sense. Thanks, tglx