lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <tip-84b277af44cadb263d8d588b0c0b7d5d85f5bc2a@git.kernel.org>
Date:	Wed, 12 Aug 2009 15:51:58 GMT
From:	tip-bot for Thomas Gleixner <tglx@...utronix.de>
To:	linux-tip-commits@...r.kernel.org
Cc:	linux-kernel@...r.kernel.org, hpa@...or.com, mingo@...hat.com,
	tglx@...utronix.de
Subject: [tip:irq/urgent] genirq: Prevent race between free_irq() and handle_IRQ_event()

Commit-ID:  84b277af44cadb263d8d588b0c0b7d5d85f5bc2a
Gitweb:     http://git.kernel.org/tip/84b277af44cadb263d8d588b0c0b7d5d85f5bc2a
Author:     Thomas Gleixner <tglx@...utronix.de>
AuthorDate: Wed, 12 Aug 2009 17:22:02 +0200
Committer:  Thomas Gleixner <tglx@...utronix.de>
CommitDate: Wed, 12 Aug 2009 17:24:16 +0200

genirq: Prevent race between free_irq() and handle_IRQ_event()

If an interrupt is freed we do not check whether the interrupt is in
progress when we remove the action from the action chain. With
threaded handlers this can race against wake_up_process(action->thread)
in handle_IRQ_event and wake_up_process() might dereference a NULL
pointer.

Check action->thread before we call wake_up_process()

LKML-Reference: <new-submission>
Signed-off-by: Thomas Gleixner <tglx@...utronix.de>


---
 kernel/irq/handle.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

diff --git a/kernel/irq/handle.c b/kernel/irq/handle.c
index 065205b..4e7f17a 100644
--- a/kernel/irq/handle.c
+++ b/kernel/irq/handle.c
@@ -403,8 +403,16 @@ irqreturn_t handle_IRQ_event(unsigned int irq, struct irqaction *action)
 			 */
 			if (likely(!test_bit(IRQTF_DIED,
 					     &action->thread_flags))) {
+				struct task_struct *tsk = action->thread;
+
 				set_bit(IRQTF_RUNTHREAD, &action->thread_flags);
-				wake_up_process(action->thread);
+				/*
+				 * Check tsk as we might race against
+				 * free_irq which sets action->thread
+				 * to NULL
+				 */
+				if (tsk)
+					wake_up_process(tsk);
 			}
 
 			/* Fall through to add to randomness */
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ