gunyah: arm64: Fix possible irq_data use-after-free
Access to irq_data is maintained using RCU. In irq_dispose_mapping(), unmapping and freeing of the irq data is done asynchronously using call_rcu() API when the conditions are met. In the next instruction, the same irq_data which is passed on for freeing is used to retrieve virq number. This creates use-after-free case if the task gets preempted out after the call to irq_dispose_mapping() and irq_data gets freed asynchronously before it gets scheduled back. As a fix, this patch introduces a variable to store virq number beforehand so that no access to irq_data is made after irq_dispose_mapping() is called. Change-Id: I2f6b4d98d953e0ce1ff55455453965d8c942c942 Signed-off-by: Hrishabh Rajput <quic_hrishabh@quicinc.com>
parent
7ef0bdc2d1
commit
69060d4cfb
@ -112,6 +112,7 @@ EXPORT_SYMBOL(gh_put_virq);
|
||||
int gh_put_irq(int irq)
|
||||
{
|
||||
struct irq_data *irq_data;
|
||||
unsigned long virq;
|
||||
|
||||
if (irq <= 0)
|
||||
return -EINVAL;
|
||||
@ -120,8 +121,10 @@ int gh_put_irq(int irq)
|
||||
if (!irq_data)
|
||||
return -EINVAL;
|
||||
|
||||
virq = irq_data->hwirq;
|
||||
|
||||
irq_dispose_mapping(irq);
|
||||
|
||||
return gh_put_virq(irq_data->hwirq);
|
||||
return gh_put_virq(virq);
|
||||
}
|
||||
EXPORT_SYMBOL(gh_put_irq);
|
||||
|
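Review bot: The added read `virq = irq_data->hwirq;` still dereferences irq_data with no RCU read-side section or lock visible in these hunks, so the use-after-free window is narrowed rather than closed if another context can dispose of the same irq concurrently. The lookup that assigns irq_data sits between the two hunks and is not shown, so this is inferred from the commit message's statement that irq_data is RCU-managed. If nothing else serialises callers, bracket the lookup and the copy with `rcu_read_lock();` / `rcu_read_unlock();` and keep `irq_dispose_mapping(irq);` after the unlock; otherwise add a comment above the copy such as `/* caller owns irq exclusively; irq_data must not be touched after irq_dispose_mapping() */`. Declaring the local as `irq_hw_number_t virq;` would match the type of the hwirq field, and the implicit conversion at `gh_put_virq(virq)` is worth checking if that function takes a narrower type.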