[PATCH] devres: Freeing the drs after all release() are called

Chuansheng Liu Tue, 05 Nov 2013 22:41:51 -0800

In release_nodes(), it will call dr->node.release() and kfree
dr one by one.


But sometimes the previous dr maybe be used by next .release(),
such as:
[50314.855534]  [<c12b172f>] ? synchronize_irq+0x3f/0xb0
[50314.861193]  [<c12b18e9>] __free_irq+0x149/0x200
[50314.866367]  [<c12b19e3>] free_irq+0x43/0xa0
[50314.871152]  [<c12b4864>] devm_irq_release+0x14/0x20
[50314.876713]  [<c169e806>] release_nodes+0x136/0x1b0
[50314.882178]  [<c169ee79>] devres_release_all+0x39/0x60
[50314.887935]  [<c169b411>] __device_release_driver+0x71/0xd0

the free_irq() will sync the last irq handling, which maybe use
freed dr, then it will cause memory corruption.

Here split the dr kfreeing actions after all dr->node.release().

Signed-off-by: Liu, Chuansheng <chuansheng....@intel.com>
---
 drivers/base/devres.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/base/devres.c b/drivers/base/devres.c
index 507379e..66ff0be 100644
--- a/drivers/base/devres.c
+++ b/drivers/base/devres.c
@@ -490,9 +490,11 @@ static int release_nodes(struct device *dev, struct 
list_head *first,
        list_for_each_entry_safe_reverse(dr, tmp, &todo, node.entry) {
                devres_log(dev, &dr->node, "REL");
                dr->node.release(dev, dr->data);
-               kfree(dr);
        }
 
+       list_for_each_entry_safe_reverse(dr, tmp, &todo, node.entry)
+               kfree(dr);
+
        return cnt;
 }
 
-- 
1.7.9.5



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[PATCH] devres: Freeing the drs after all release() are called

Reply via email to