diff options
| author | Jiang Liu <[email protected]> | 2015-12-31 16:30:44 +0000 |
|---|---|---|
| committer | Thomas Gleixner <[email protected]> | 2016-01-15 13:43:58 +0100 |
| commit | 111abeba67e0dbdc26537429de9155e4f1d807d8 (patch) | |
| tree | e286d31b727f6f13d12ea3c7625f8adde1e06fbb /lib/netdev-notifier-error-inject.c | |
| parent | e23b257c293ce4bcc8cabb2aa3097b6ed8a8261a (diff) | |
x86/irq: Fix a race in x86_vector_free_irqs()
There's a race condition between
x86_vector_free_irqs()
{
free_apic_chip_data(irq_data->chip_data);
xxxxx //irq_data->chip_data has been freed, but the pointer
//hasn't been reset yet
irq_domain_reset_irq_data(irq_data);
}
and
smp_irq_move_cleanup_interrupt()
{
raw_spin_lock(&vector_lock);
data = apic_chip_data(irq_desc_get_irq_data(desc));
access data->xxxx // may access freed memory
raw_spin_unlock(&desc->lock);
}
which may cause smp_irq_move_cleanup_interrupt() to access freed memory.
Call irq_domain_reset_irq_data(), which clears the pointer with vector lock
held.
[ tglx: Free memory outside of lock held region. ]
Signed-off-by: Jiang Liu <[email protected]>
Tested-by: Borislav Petkov <[email protected]>
Tested-by: Joe Lawrence <[email protected]>
Cc: Jeremiah Mahler <[email protected]>
Cc: [email protected]
Cc: Guenter Roeck <[email protected]>
Cc: [email protected] #4.3+
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Thomas Gleixner <[email protected]>
Diffstat (limited to 'lib/netdev-notifier-error-inject.c')
0 files changed, 0 insertions, 0 deletions