From: Deren Wu (武德仁) <Deren.Wu@xxxxxxxxxxxx>
Sent: Monday, January 15, 2024 8:18 PM
To: nbd@xxxxxxxx; Ping-Ke Shih <pkshih@xxxxxxxxxxx>; lorenzo@xxxxxxxxxx
Cc: Mingyen Hsieh (謝明諺) <Mingyen.Hsieh@xxxxxxxxxxxx>; linux-mediatek@xxxxxxxxxxxxxxxxxxx; Leon Yen (顏良儒) <Leon.Yen@xxxxxxxxxxxx>; Shayne Chen (陳軒丞) <Shayne.Chen@xxxxxxxxxxxx>; Quan Zhou (周全) <Quan.Zhou@xxxxxxxxxxxx>; Sean Wang <Sean.Wang@xxxxxxxxxxxx>; KM Lin (林昆民) <km.lin@xxxxxxxxxxxx>; Soul Huang (黃至昶) <Soul.Huang@xxxxxxxxxxxx>; Posh Sun (孫瑞廷) <posh.sun@xxxxxxxxxxxx>; Eric-SY Chang (張書源) <Eric-SY.Chang@xxxxxxxxxxxx>; CH Yeh (葉志豪) <ch.yeh@xxxxxxxxxxxx>; Robin Chiu (邱國濱) <robin.chiu@xxxxxxxxxxxx>; Ryder Lee <Ryder.Lee@xxxxxxxxxxxx>; linux-wireless@xxxxxxxxxxxxxxx
Subject: Re: [PATCH 1/2] wifi: mt76: mt7921e: fix use-after-free in free_irq()

> Here is the snapshot. The code is trying to directly access this irq
> handler after deregistering, for the IRQF_SHARED case. synchronize_irq() and
> tasklet_kill() are all done in previous steps. We need to stop the
> extra call here. If there are any alternatives, that would be
> appreciated.
>
> 	/*
> 	 * It's a shared IRQ -- the driver ought to be prepared for an IRQ
> 	 * event to happen even now it's being freed, so let's make sure that
> 	 * is so by doing an extra call to the handler ....
> 	 *
> 	 * ( We do this after actually deregistering it, to make sure that a
> 	 * 'real' IRQ doesn't run in parallel with our fake. )
> 	 */
> 	if (action->flags & IRQF_SHARED) {
> 		local_irq_save(flags);
> 		action->handler(irq, dev_id);
> 		local_irq_restore(flags);
> 	}

I missed this point. Sorry for the noise.
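The ordering the quoted free_irq() comment describes, as an added userspace model that is not kernel code and not the mt76 driver's code: request_irq_model(), deliver_irq_model() and free_irq_model() are simplified stand-ins for the kernel functions (synchronize_irq() and the rest of the real free_irq() are omitted), struct dev_state and its teardown functions are a hypothetical driver, and the IRQF_SHARED value is the kernel's bit. The model shows why a shared-IRQ handler that is invoked one last time after deregistration must not rely on resources the driver already released, and contrasts a teardown that releases resources before free_irq() with one that marks the handler stopped, frees the IRQ, and releases resources afterwards.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Kernel's IRQF_SHARED bit value, used only so the model reads like the
 * free_irq() tail quoted above. */
#define IRQF_SHARED 0x80

typedef int (*irq_handler_t)(int irq, void *dev_id);

/* Minimal stand-in for the kernel's irqaction: one IRQ line, one action. */
static struct {
    irq_handler_t handler;
    void *dev_id;
    unsigned long flags;
    bool registered;
} g_action;

static void request_irq_model(int irq, irq_handler_t h,
                              unsigned long flags, void *dev_id)
{
    (void)irq;
    g_action.handler = h;
    g_action.dev_id = dev_id;
    g_action.flags = flags;
    g_action.registered = true;
}

/* A "real" interrupt: only delivered while the action is registered. */
static void deliver_irq_model(int irq)
{
    if (g_action.registered)
        g_action.handler(irq, g_action.dev_id);
}

/* Mirrors the quoted tail of free_irq(): deregister first, then, for a
 * shared IRQ, invoke the handler one extra time with the same dev_id. */
static void free_irq_model(int irq)
{
    g_action.registered = false;
    if (g_action.flags & IRQF_SHARED)
        g_action.handler(irq, g_action.dev_id);
}

/* Hypothetical driver state (assumed, not mt76's struct). */
struct dev_state {
    bool irq_stopped;        /* driver sets this before calling free_irq() */
    unsigned int *regs;      /* separately allocated "register window" */
    unsigned int handled;    /* interrupts that did real work */
    unsigned int late_calls; /* calls absorbed by the irq_stopped guard */
    unsigned int would_uaf;  /* calls that would have touched freed memory */
};

static int dev_irq_handler(int irq, void *dev_id)
{
    struct dev_state *st = dev_id;
    (void)irq;
    /* A shared-IRQ handler can run after teardown starts, so bail out
     * before touching anything the driver may already have released. */
    if (st->irq_stopped) {
        st->late_calls++;
        return 0;
    }
    /* In the kernel this dereference would be the use-after-free; the
     * model nulls the pointer on release and counts instead of crashing. */
    if (!st->regs) {
        st->would_uaf++;
        return 0;
    }
    st->regs[0]++;           /* pretend to ack the interrupt */
    st->handled++;
    return 1;
}

struct dev_state *dev_probe(void)
{
    struct dev_state *st = calloc(1, sizeof *st);
    st->regs = calloc(4, sizeof *st->regs);
    request_irq_model(1, dev_irq_handler, IRQF_SHARED, st);
    return st;
}

/* Bug pattern: release resources, then free_irq(). The extra shared-IRQ
 * call lands on released state. Returns the number of such calls. */
unsigned int unsafe_teardown(struct dev_state *st)
{
    free(st->regs);
    st->regs = NULL;
    free_irq_model(1);
    return st->would_uaf;
}

/* Safe pattern: mark the handler stopped, free the IRQ (absorbing the
 * extra call), and only then release resources. Returns calls absorbed. */
unsigned int safe_teardown(struct dev_state *st)
{
    st->irq_stopped = true;
    free_irq_model(1);
    free(st->regs);
    st->regs = NULL;
    return st->late_calls;
}
```

Running dev_probe() followed by unsafe_teardown() records one would-be use-after-free, because free_irq_model() calls the handler after regs is gone; the same sequence with safe_teardown() records one absorbed late call and no access to released state. The guard flag plus release-after-free_irq ordering is the generic pattern the kernel comment asks drivers to follow; the specific change made in the mt7921e patch under discussion is not on this page.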