tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

kernel/irq/proc.c: unprotected iteration over the IRQ action list in name_unique()

setup_irq() releases a desc->lock before calling register_handler_proc(), so
the iteration over the IRQ action list is not protected.

(akpm: the check itself is still racy, but at least it probably won't oops
now).

Cc: Ingo Molnar <mingo@elte.hu>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Dmitry Adamushko and committed by
Linus Torvalds d2d9433a c467a388

+11 -4
+11 -4
kernel/irq/proc.c
··· 66 66 { 67 67 struct irq_desc *desc = irq_desc + irq; 68 68 struct irqaction *action; 69 + unsigned long flags; 70 + int ret = 1; 69 71 70 - for (action = desc->action ; action; action = action->next) 72 + spin_lock_irqsave(&desc->lock, flags); 73 + for (action = desc->action ; action; action = action->next) { 71 74 if ((action != new_action) && action->name && 72 - !strcmp(new_action->name, action->name)) 73 - return 0; 74 - return 1; 75 + !strcmp(new_action->name, action->name)) { 76 + ret = 0; 77 + break; 78 + } 79 + } 80 + spin_unlock_irqrestore(&desc->lock, flags); 81 + return ret; 75 82 } 76 83 77 84 void register_handler_proc(unsigned int irq, struct irqaction *action)