Re: [BUG: kernel/irq/proc.c] unprotected iteration over the IRQ action list in name_unique()

From: Dmitry Adamushko
Date: Thu Mar 15 2007 - 05:53:31 EST

Next message: Nilshar: "Re: [Bug 8040] Hang before INIT when CONFIG_HIGHMEM4G=y"
Previous message: Dmitriy Monakhov: "Re: [patch 2/5] fs: introduce new aops and infrastructure"
In reply to: Dmitry Adamushko: "[BUG: kernel/irq/proc.c] unprotected iteration over the IRQ action list in name_unique()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 14/03/07, Dmitry Adamushko <dmitry.adamushko@xxxxxxxxx> wrote:

1-st issue: unprotected iteration over the IRQ action list in name_unique()

the racing sequences:

[ 1 ] request_irq() -> setup_irq() -> register_handler_proc() ->
name_unique() -> iterate over the action list (*)

setup_irq() releases a desc->lock before calling register_handler_proc().

[ 2 ] free_irq() -> delete some element while (*) is still in progress -> bum!

"delete" == remove from the list + kfree() as synchronize_irq() is not
going to prevent it for obvious reasons.

Of course, request_irq() and free_irq() are called for the same
/shared/ irq line but for /different/ handlers.

Looks too obvious to be true. I already expected someone prooving me
wrong, at the very least by pointing out a special option of vim to
activate some hidden synchronization code :o)

--
Best regards,
Dmitry Adamushko
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Nilshar: "Re: [Bug 8040] Hang before INIT when CONFIG_HIGHMEM4G=y"
Previous message: Dmitriy Monakhov: "Re: [patch 2/5] fs: introduce new aops and infrastructure"
In reply to: Dmitry Adamushko: "[BUG: kernel/irq/proc.c] unprotected iteration over the IRQ action list in name_unique()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]