diff options
author | Roberto Sassu <roberto.sassu@huawei.com> | 2024-03-07 13:49:26 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-06-12 12:12:38 +0300 |
commit | 434a06c38ee1217a8baa0dd7c37cc85d50138fb0 (patch) | |
tree | 3e305ebae6ae0655940ffbc76279760f1fcdc7bd /arch/um | |
parent | e98f29bf0b5f62362d4f4b2ca1785aa7a61cbeff (diff) | |
download | linux-434a06c38ee1217a8baa0dd7c37cc85d50138fb0.tar.xz |
um: Add winch to winch_handlers before registering winch IRQ
[ Upstream commit a0fbbd36c156b9f7b2276871d499c9943dfe5101 ]
Registering a winch IRQ is racy, an interrupt may occur before the winch is
added to the winch_handlers list.
If that happens, register_winch_irq() adds to that list a winch that is
scheduled to be (or has already been) freed, causing a panic later in
winch_cleanup().
Avoid the race by adding the winch to the winch_handlers list before
registering the IRQ, and rolling back if um_request_irq() fails.
Fixes: 42a359e31a0e ("uml: SIGIO support cleanup")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'arch/um')
-rw-r--r-- | arch/um/drivers/line.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/arch/um/drivers/line.c b/arch/um/drivers/line.c index b98545f3edb5..375200e9aba9 100644 --- a/arch/um/drivers/line.c +++ b/arch/um/drivers/line.c @@ -673,24 +673,26 @@ void register_winch_irq(int fd, int tty_fd, int pid, struct tty_port *port, goto cleanup; } - *winch = ((struct winch) { .list = LIST_HEAD_INIT(winch->list), - .fd = fd, + *winch = ((struct winch) { .fd = fd, .tty_fd = tty_fd, .pid = pid, .port = port, .stack = stack }); + spin_lock(&winch_handler_lock); + list_add(&winch->list, &winch_handlers); + spin_unlock(&winch_handler_lock); + if (um_request_irq(WINCH_IRQ, fd, IRQ_READ, winch_interrupt, IRQF_SHARED, "winch", winch) < 0) { printk(KERN_ERR "register_winch_irq - failed to register " "IRQ\n"); + spin_lock(&winch_handler_lock); + list_del(&winch->list); + spin_unlock(&winch_handler_lock); goto out_free; } - spin_lock(&winch_handler_lock); - list_add(&winch->list, &winch_handlers); - spin_unlock(&winch_handler_lock); - return; out_free: |