| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <64886460-b8b2-4ad7-bf87-b3b98971e355@enneenne.com>
Date: Tue, 27 May 2025 10:00:50 +0200
From: Rodolfo Giometti <giometti@...eenne.com>
To: Eliav Farber <farbere@...zon.com>
Cc: jonnyc@...zon.com, gregkh@...uxfoundation.org, mschmidt@...hat.com,
calvin@...nvd.org, u.kleine-koenig@...gutronix.de, tglx@...utronix.de,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] pps: clients: gpio: fix interrupt handling order in
remove path
On 27/05/25 07:33, Eliav Farber wrote:
> The interrupt handler in pps_gpio_probe() is registered after calling
> pps_register_source() using devm_request_irq(). However, in the
> corresponding remove function, pps_unregister_source() is called before
> the IRQ is freed, since devm-managed resources are released after the
> remove function completes.
>
> This creates a potential race condition where an interrupt may occur
> after the PPS source is unregistered but before the handler is removed,
> possibly leading to a kernel panic.
>
> To prevent this, switch from devm-managed IRQ registration to manual
> management by using request_irq() and calling free_irq() explicitly in
> the remove path before unregistering the PPS source. This ensures the
> interrupt handler is safely removed before deactivating the PPS source.
>
> Signed-off-by: Eliav Farber <farbere@...zon.com>
> ---
> drivers/pps/clients/pps-gpio.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/pps/clients/pps-gpio.c b/drivers/pps/clients/pps-gpio.c
> index 374ceefd6f2a..2866636b0554 100644
> --- a/drivers/pps/clients/pps-gpio.c
> +++ b/drivers/pps/clients/pps-gpio.c
> @@ -210,8 +210,8 @@ static int pps_gpio_probe(struct platform_device *pdev)
> }
>
> /* register IRQ interrupt handler */
> - ret = devm_request_irq(dev, data->irq, pps_gpio_irq_handler,
> - get_irqf_trigger_flags(data), data->info.name, data);
> + ret = request_irq(data->irq, pps_gpio_irq_handler,
> + get_irqf_trigger_flags(data), data->info.name, data);
> if (ret) {
> pps_unregister_source(data->pps);
> dev_err(dev, "failed to acquire IRQ %d\n", data->irq);
> @@ -228,6 +228,7 @@ static void pps_gpio_remove(struct platform_device *pdev)
> {
> struct pps_gpio_device_data *data = platform_get_drvdata(pdev);
>
> + free_irq(data->irq, data);
Why not just use devm_free_irq()?
> pps_unregister_source(data->pps);
> timer_delete_sync(&data->echo_timer);
> /* reset echo pin in any case */
Ciao,
Rodolfo
--
GNU/Linux Solutions e-mail: giometti@...eenne.com
Linux Device Driver giometti@...ux.it
Embedded Systems phone: +39 349 2432127
UNIX programming
Powered by blists - more mailing lists