On Tue, 31 Jul 2012, Lars-Peter Clausen wrote:
> Hi,
>
> On 07/31/2012 12:09 PM, Julia Lawall wrote:
> > From: Julia Lawall <Julia.Lawall@xxxxxxx>
> > @@ -720,20 +698,14 @@ error_ret:
> > static int __devexit at91_adc_remove(struct platform_device *pdev)
> > {
> > struct iio_dev *idev = platform_get_drvdata(pdev);
> > - struct resource *res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
> > struct at91_adc_state *st = iio_priv(idev);
> >
> > iio_device_unregister(idev);
> > [...]
> > - free_irq(st->irq, idev);
> > [...]
> > iio_device_free(idev);
>
> I think we have to be careful here. The interrupted is now freed after the
> device has been freed, which means that it could trigger after the device
> has been freed. And since we use the device in the interrupt handler we'll
> get a use after free.
Perhaps the same would be true in the following code, from the file
drivers/edac/highbank_l2_edac.c:
res = devm_request_irq(&pdev->dev, drvdata->sb_irq,
highbank_l2_err_handler,
0, dev_name(&pdev->dev), dci);
if (res < 0)
goto err;
dci->mod_name = dev_name(&pdev->dev);
dci->dev_name = dev_name(&pdev->dev);
if (edac_device_add_device(dci))
goto err;
devres_close_group(&pdev->dev, NULL);
return 0;
err:
devres_release_group(&pdev->dev, NULL);
edac_device_free_ctl_info(dci);
Is devm_request_irq perhaps not a very good idea?
julia
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
