On 14/03/07, Dmitry Adamushko <[EMAIL PROTECTED]> wrote:
1-st issue: unprotected iteration over the IRQ action list in name_unique()

the racing sequences:

[ 1 ] request_irq() -> setup_irq() -> register_handler_proc() -> name_unique() -> iterate over the action list (*)

setup_irq() releases a desc->lock before calling register_handler_proc().

[ 2 ] free_irq() -> delete some element while (*) is still in progress -> bum!

"delete" == remove from the list + kfree() as synchronize_irq() is not going to prevent it for obvious reasons.

Of course, request_irq() and free_irq() are called for the same /shared/ irq line but for /different/ handlers.

Looks too obvious to be true. I already expected someone proving me wrong, at the very least by pointing out a special option of vim to activate some hidden synchronization code :o)

--
Best regards,
Dmitry Adamushko

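Added example, not part of the original message and not kernel code: a user-space model of the locking discipline the report implies, in which the list walk and the unlink + free both hold the same lock. The `atomic_flag` standing in for `desc->lock`, and the names `try_free_action`, `name_unique_locked`, `racing_free` and the `mid_walk` hook, are assumptions made for illustration; the hook models sequence [ 2 ] arriving while (*) is in progress.

```c
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>
/* Constructed user-space model: atomic_flag stands in for desc->lock. */
struct action { const char *name; struct action *next; };
static atomic_flag desc_lock = ATOMIC_FLAG_INIT;
static struct action *action_list;          /* models desc->action */
static int mid_walk_result;                 /* what the racing free saw */
static int try_lock(void) { return !atomic_flag_test_and_set(&desc_lock); }
static void unlock(void) { atomic_flag_clear(&desc_lock); }

static void add_action(const char *name) {
    struct action *a = malloc(sizeof(*a));
    if (!a) abort();
    a->name = name;
    while (!try_lock()) { /* spin */ }
    a->next = action_list;
    action_list = a;
    unlock();
}

/* free_irq() side: unlink + free under the lock. 0 freed, -1 lock held, -2 not found. */
static int try_free_action(const char *name) {
    int ret = -2;
    if (!try_lock()) return -1;             /* real code would wait here */
    for (struct action **p = &action_list; *p; p = &(*p)->next) {
        if (strcmp((*p)->name, name) != 0) continue;
        struct action *dead = *p;
        *p = dead->next;
        free(dead);
        ret = 0;
        break;
    }
    unlock();
    return ret;
}

/* name_unique() side: the whole walk (*) runs under the lock; mid_walk
 * models a free_irq() for another handler arriving during the walk. */
static int name_unique_locked(const char *name, void (*mid_walk)(void)) {
    int unique = 1;
    while (!try_lock()) { /* spin */ }
    for (struct action *a = action_list; a && unique; a = a->next) {
        if (mid_walk) mid_walk();
        if (strcmp(a->name, name) == 0) unique = 0;
    }
    unlock();
    return unique;
}
static void racing_free(void) { mid_walk_result = try_free_action("eth0"); }
```

In this model the free attempted during the walk is refused because the walker holds the lock, so the node cannot be unlinked and freed underneath the iteration.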
