From: Prasad Sodagudi
To: tglx@linutronix.de, marc.zyngier@arm.com
Cc: linux-kernel@vger.kernel.org, psodagud@codeaurora.org
Subject: [PATCH v2] genirq: Prevent use-after-free and work list corruption
Date: Sun, 24 Mar 2019 07:57:04 -0700
Message-Id: <1553439424-6529-1-git-send-email-psodagud@codeaurora.org>
X-Mailing-List: linux-kernel@vger.kernel.org

When irq_set_affinity_notifier() replaces the notifier, then the reference count on the old notifier is dropped which causes it to be freed. But nothing ensures that the old notifier is no longer queued in the work list. If it is queued this results in a use after free and possibly in work list corruption.

Ensure that the work is canceled before the reference is dropped.

Signed-off-by: Prasad Sodagudi
--- kernel/irq/manage.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c index 9ec34a2..1a1ac84 100644 --- a/kernel/irq/manage.c +++ b/kernel/irq/manage.c
@@ -356,8 +356,10 @@ static void irq_affinity_notify(struct work_struct *work) desc->affinity_notify = notify; raw_spin_unlock_irqrestore(&desc->lock, flags); - if (old_notify) + if (old_notify) { + cancel_work_sync(&old_notify->work); kref_put(&old_notify->kref, old_notify->release); + } return 0; } -- The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,\na Linux Foundation Collaborative Project
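Review bot: the return value of cancel_work_sync() in the new if (old_notify) block is discarded, so this path cannot tell whether a still-pending work item was cancelled or nothing was queued. If the code that queues old_notify->work takes its own kref on the notifier and relies on the work function to drop it (that code is not in this hunk, so please confirm), cancelling a pending item skips that put, and the single kref_put() that follows leaves the old notifier allocated. Consider testing the result and doing one extra kref_put(&old_notify->kref, old_notify->release) when it returns true. Separately, cancel_work_sync() can sleep; calling it after raw_spin_unlock_irqrestore(&desc->lock, flags) is correct, but a comment stating that the function now requires a sleepable calling context would help callers. As a v2, the mail would also benefit from a short changelog below the --- line.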