On 07/31/2012 03:54 PM, Julia Lawall wrote: > > > On Tue, 31 Jul 2012, Lars-Peter Clausen wrote: > >> Hi, >> >> On 07/31/2012 12:09 PM, Julia Lawall wrote: >>> From: Julia Lawall <Julia.Lawall@xxxxxxx> >>> @@ -720,20 +698,14 @@ error_ret: >>> static int __devexit at91_adc_remove(struct platform_device *pdev) >>> { >>> struct iio_dev *idev = platform_get_drvdata(pdev); >>> - struct resource *res = platform_get_resource(pdev, IORESOURCE_MEM, 0); >>> struct at91_adc_state *st = iio_priv(idev); >>> >>> iio_device_unregister(idev); >>> [...] >>> - free_irq(st->irq, idev); >>> [...] >>> iio_device_free(idev); >> >> I think we have to be careful here. The interrupted is now freed after the >> device has been freed, which means that it could trigger after the device >> has been freed. And since we use the device in the interrupt handler we'll >> get a use after free. > > Perhaps the same would be true in the following code, from the file > drivers/edac/highbank_l2_edac.c: > > res = devm_request_irq(&pdev->dev, drvdata->sb_irq, > highbank_l2_err_handler, > 0, dev_name(&pdev->dev), dci); > if (res < 0) > goto err; > > dci->mod_name = dev_name(&pdev->dev); > dci->dev_name = dev_name(&pdev->dev); > > if (edac_device_add_device(dci)) > goto err; > > devres_close_group(&pdev->dev, NULL); > return 0; > err: > devres_release_group(&pdev->dev, NULL); > edac_device_free_ctl_info(dci); Yes looks like this has the same issue. > > Is devm_request_irq perhaps not a very good idea? > devm_request_irq has to be used carefully. It is ok to use it if the objects which are accessed in the interrupt handler are also devres managed. devres will free objects in the reverse order of which they are allocated. E.g. if you do obj = dev_kzalloc(...); ... devm_request_irq(..., obj); it is save to use, because 'obj' will be freed after the IRQ has been freed. - Lars -- To unsubscribe from this list: send the line "unsubscribe linux-iio" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html