From nobody Fri Dec 19 14:33:23 2025 Received: from frasgout11.his.huawei.com (frasgout11.his.huawei.com [14.137.139.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A0DA5125DC for ; Thu, 7 Mar 2024 10:49:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=14.137.139.23 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709808591; cv=none; b=XJGED7TmiW6kfIfVx9gxSrYjXLS0EresFtVTi/N+sVc0vj7qCgGu3pgGPBgHHpO0xxcFB6s1RgcEGEmWndSwaD9m0vZpZ80lbGp4GSu40rlGq3bPQgR0ow1HcQzf0+glRTJXHXuUOYad81XCDYE1mXrJ6mtXfab8wPj4Kr6E3Zo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709808591; c=relaxed/simple; bh=NxaE3RqmW0HWVwdmI1fnGs9N5WB1NDMp4jTHTSwWQbI=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=oOg+SzB+CmKfRfRWbTPTbyC998XVr6JAnCpxchbAmo3qjP6wQr65TUNPA7xCH2k8J5nzBMH947JQruO+0ZE5VPUDIa4rihJlwfy8vsKvwnnSY/EW3n8pBIzKnVZ9HE5orbE5q8dZVGJRUbJOaJ5U3bPWa5M/M4Hl9OqjexPPTik= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com; spf=pass smtp.mailfrom=huaweicloud.com; arc=none smtp.client-ip=14.137.139.23 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huaweicloud.com Received: from mail.maildlp.com (unknown [172.18.186.51]) by frasgout11.his.huawei.com (SkyGuard) with ESMTP id 4Tr5J6347cz9y4yR for ; Thu, 7 Mar 2024 18:33:58 +0800 (CST) Received: from mail02.huawei.com (unknown [7.182.16.47]) by mail.maildlp.com (Postfix) with ESMTP id D68CE140517 for ; Thu, 7 Mar 2024 18:49:40 +0800 (CST) Received: from huaweicloud.com (unknown [10.204.63.22]) by APP1 (Coremail) with SMTP id LxC2BwCnnhe+m+llPgDiAw--.18628S2; Thu, 07 Mar 2024 11:49:40 +0100 (CET) From: Roberto Sassu To: richard@nod.at, anton.ivanov@cambridgegreys.com, johannes@sipsolutions.net Cc: linux-kernel@vger.kernel.org, linux-um@lists.infradead.org, Roberto Sassu Subject: [PATCH] um: Add winch to winch_handlers before registering winch IRQ Date: Thu, 7 Mar 2024 11:49:26 +0100 Message-Id: <20240307104926.3531358-1-roberto.sassu@huaweicloud.com> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-CM-TRANSID: LxC2BwCnnhe+m+llPgDiAw--.18628S2 X-Coremail-Antispam: 1UD129KBjvJXoW7tw1fZr1rCF4UZr48CFWruFg_yoW8Ww47pF nIgasavrW7Xa1j9a9rGa1qyFW3Cws29r1Uur4kK395Z3W5AryaqF1rGa42qr1DAry7XF93 Xr4Fya43u3y5AwUanT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUyEb4IE77IF4wAFF20E14v26r4j6ryUM7CY07I20VC2zVCF04k2 6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4 vEj48ve4kI8wA2z4x0Y4vE2Ix0cI8IcVAFwI0_Jr0_JF4l84ACjcxK6xIIjxv20xvEc7Cj xVAFwI0_Gr0_Cr1l84ACjcxK6I8E87Iv67AKxVW8JVWxJwA2z4x0Y4vEx4A2jsIEc7CjxV AFwI0_Gr0_Gr1UM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVACY4xI64kE6c02F40E x7xfMcIj6xIIjxv20xvE14v26r106r15McIj6I8E87Iv67AKxVWUJVW8JwAm72CE4IkC6x 0Yz7v_Jr0_Gr1lF7xvr2IYc2Ij64vIr41lc7CjxVAaw2AFwI0_GFv_Wryl42xK82IYc2Ij 64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr1lx2IqxVAqx4xG67AKxVWUJVWUGwC20s026x 8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE14v26r126r1DMIIYrxkI7VAKI48JMIIF0xvE 2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7IYx2IY6xkF7I0E14v26r4j6F4UMIIF0xvE42 xK8VAvwI8IcIk0rVW3JVWrJr1lIxAIcVC2z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280aVCY 1x0267AKxVW8JVW8JrUvcSsGvfC2KfnxnUUI43ZEXa7IU8imRUUUUUU== X-CM-SenderInfo: purev21wro2thvvxqx5xdzvxpfor3voofrz/1tbiAgAPBF1jj5cTWQAEsh Content-Type: text/plain; charset="utf-8" From: Roberto Sassu Registering a winch IRQ is racy, an interrupt may occur before the winch is added to the winch_handlers list. If that happens, register_winch_irq() adds to that list a winch that is scheduled to be (or has already been) freed, causing a panic later in winch_cleanup(). Avoid the race by adding the winch to the winch_handlers list before registering the IRQ, and rolling back if um_request_irq() fails. Signed-off-by: Roberto Sassu Reviewed-by: Johannes Berg --- arch/um/drivers/line.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/arch/um/drivers/line.c b/arch/um/drivers/line.c index ffc5cb92fa36..d82bc3fdb86e 100644 --- a/arch/um/drivers/line.c +++ b/arch/um/drivers/line.c @@ -676,24 +676,26 @@ void register_winch_irq(int fd, int tty_fd, int pid, = struct tty_port *port, goto cleanup; } =20 - *winch =3D ((struct winch) { .list =3D LIST_HEAD_INIT(winch->list), - .fd =3D fd, + *winch =3D ((struct winch) { .fd =3D fd, .tty_fd =3D tty_fd, .pid =3D pid, .port =3D port, .stack =3D stack }); =20 + spin_lock(&winch_handler_lock); + list_add(&winch->list, &winch_handlers); + spin_unlock(&winch_handler_lock); + if (um_request_irq(WINCH_IRQ, fd, IRQ_READ, winch_interrupt, IRQF_SHARED, "winch", winch) < 0) { printk(KERN_ERR "register_winch_irq - failed to register " "IRQ\n"); + spin_lock(&winch_handler_lock); + list_del(&winch->list); + spin_unlock(&winch_handler_lock); goto out_free; } =20 - spin_lock(&winch_handler_lock); - list_add(&winch->list, &winch_handlers); - spin_unlock(&winch_handler_lock); - return; =20 out_free: --=20 2.34.1