lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <52E12224.9060506@metafoo.de>
Date:	Thu, 23 Jan 2014 15:07:32 +0100
From:	Lars-Peter Clausen <lars@...afoo.de>
To:	Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
CC:	Srikanth Thokala <sthokal@...inx.com>,
	"Williams, Dan J" <dan.j.williams@...el.com>,
	"Koul, Vinod" <vinod.koul@...el.com>,
	"michal.simek@...inx.com" <michal.simek@...inx.com>,
	"grant.likely@...aro.org" <grant.likely@...aro.org>,
	"robh+dt@...nel.org" <robh+dt@...nel.org>,
	"linux-arm-kernel@...ts.infradead.org" 
	<linux-arm-kernel@...ts.infradead.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"devicetree@...r.kernel.org" <devicetree@...r.kernel.org>,
	"dmaengine@...r.kernel.org" <dmaengine@...r.kernel.org>
Subject: Re: [PATCH v2] dma: Add Xilinx AXI Video Direct Memory Access Engine
 driver support

On 01/23/2014 03:00 PM, Andy Shevchenko wrote:
> On Thu, 2014-01-23 at 14:50 +0100, Lars-Peter Clausen wrote:
>> On 01/23/2014 02:38 PM, Shevchenko, Andriy wrote:
>>> On Thu, 2014-01-23 at 12:25 +0100, Lars-Peter Clausen wrote:
>>>> On 01/22/2014 05:52 PM, Srikanth Thokala wrote:
>>>
>>> [...]
>>>
>>>>> +	/* Request the interrupt */
>>>>> +	chan->irq = irq_of_parse_and_map(node, 0);
>>>>> +	err = devm_request_irq(xdev->dev, chan->irq, xilinx_vdma_irq_handler,
>>>>> +			       IRQF_SHARED, "xilinx-vdma-controller", chan);
>>>>
>>>> This is a clasic example of where to not use devm_request_irq. 'chan' is
>>>> accessed in the interrupt handler, but if you use devm_request_irq 'chan'
>>>> will be freed before the interrupt handler has been released, which means
>>>> there is now a race condition where the interrupt handler can access already
>>>> freed memory.ta
>>>
>>> Could you elaborate this case? As far as I understood managed resources
>>> are a kind of stack pile. In this case you have no such condition. Where
>>> am I wrong?
>>
>> The stacked stuff is only ran after the remove() function. Which means that
>> you call dma_async_device_unregister() before the interrupt handler is
>> freed. Another issue with the interrupt handler is a bit hidden. The driver
>> does not call tasklet_kill in the remove function. Which it should though to
>> make sure that the tasklet does not race against the freeing of the memory.
>> And in order to make sure that the tasklet is not rescheduled you need to
>> free the irq before killing the tasklet, since the interrupt handler
>> schedules the tasklet.
> 
> So, you mean devm_request_irq() will race in any DMA driver?

Most likely yes. devm_request_irq() is race condition prone for the majority
of device driver. You have to be really careful if you want to use it.

> 
> I think the proper solution is to disable all device work in
> the .remove() and devm will care about resources.

As long as the interrupt handler is registered it can be called, the only
proper solution is to make sure that the order in which resources are torn
down is correct.

- Lars
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ