[BUG: kernel/irq/proc.c] unprotected iteration over the IRQ action list in name_unique()

Wed, 14 Mar 2007 08:29:03 -0800 

Hi,

1-st issue:  unprotected iteration over the IRQ action list in name_unique()


the racing sequences:

[ 1 ]  request_irq() -> setup_irq() -> register_handler_proc() ->
name_unique() -> iterate over the action list (*)

setup_irq() releases a desc->lock before calling register_handler_proc().

[ 2 ]  free_irq() -> delete some element while (*) is still in progress -> bum!

something like this should make it safe :

--- kernel/irq/proc-old.c       2007-03-14 16:34:52.828981000 +0100
+++ kernel/irq/proc.c   2007-03-14 16:59:47.236950000 +0100
@@ -66,11 +66,18 @@ static int name_unique(unsigned int irq,
{
       struct irq_desc *desc = irq_desc + irq;
       struct irqaction *action;
+       unsigned long flags;
+
+       spin_lock_irqsave(&desc->lock, flags);

       for (action = desc->action ; action; action = action->next)
               if ((action != new_action) && action->name &&
-                               !strcmp(new_action->name, action->name))
+                               !strcmp(new_action->name, action->name)) {
+                       spin_unlock_irqrestore(&desc->lock, flags);
                       return 0;
+               }
+
+       spin_unlock_irqrestore(&desc->lock, flags);
       return 1;
}


2-nd issue:  now it's about register_irq_proc() which is also called
by setup_irq().

register_irq_proc() is called for all descriptors for which

(irq_desc[irq].chip == &no_irq_chip) != 0           (*)

at startup time from init_irq_proc().

Let's suppose (*) is not true for some desc at startup and changes at
some point later.

If so, register_irq_proc() takes effect being called from setup_irq().

Now let's suppose request_irq() is called on 2 cpus for the same
interrupt line and both end up in (%) below

[ request_irq() -> setup_irq() -> register_irq_proc() ]

void register_irq_proc(unsigned int irq)
{
       char name [MAX_NAMELEN];

       if (!root_irq_dir ||
               (irq_desc[irq].chip == &no_irq_chip) ||
                       irq_desc[irq].dir)
               return;

           (%)  <=== both are here

       memset(name, 0, MAX_NAMELEN);
       sprintf(name, "%d", irq);

       /* create /proc/irq/1234 */
       irq_desc[irq].dir = proc_mkdir(name, root_irq_dir);
...

Both will try to initialize "irq_desc[irq].dir" and "smp_affinity"
entry... Not bum, but a possible leak indeed.


TIA,

--
Best regards,
Dmitry Adamushko
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Reply via email to