diff mbox series

[-next] scsi: hisi_sas: drop free_irq of devm_request_irq allocated irq

Message ID 20210518130902.1307494-1-yangyingliang@huawei.com (mailing list archive)
State Superseded
Headers show
Series [-next] scsi: hisi_sas: drop free_irq of devm_request_irq allocated irq | expand

Commit Message

Yang Yingliang May 18, 2021, 1:09 p.m. UTC 
irq allocated with devm_request_irq should not be freed using
free_irq, because doing so causes a dangling pointer, and a
subsequent double free.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Comments

John Garry May 18, 2021, 3:34 p.m. UTC | #1 
On 18/05/2021 14:09, Yang Yingliang wrote:
> irq allocated with devm_request_irq should not be freed using
> free_irq, because doing so causes a dangling pointer, and a
> subsequent double free.
> 
> Reported-by: Hulk Robot <hulkci@huawei.com>
> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
> ---
>   drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
> index 499c770d405c..684f762bcfb3 100644
> --- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
> +++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
> @@ -4811,9 +4811,9 @@ hisi_sas_v3_destroy_irqs(struct pci_dev *pdev, struct hisi_hba *hisi_hba)
>   {
>   	int i;
>   
> -	free_irq(pci_irq_vector(pdev, 1), hisi_hba);
> -	free_irq(pci_irq_vector(pdev, 2), hisi_hba);
> -	free_irq(pci_irq_vector(pdev, 11), hisi_hba);
> +	devm_free_irq(&pdev->dev, pci_irq_vector(pdev, 1), hisi_hba);
> +	devm_free_irq(&pdev->dev, pci_irq_vector(pdev, 2), hisi_hba);
> +	devm_free_irq(&pdev->dev, pci_irq_vector(pdev, 11), hisi_hba);
>   	for (i = 0; i < hisi_hba->cq_nvecs; i++) {
>   		struct hisi_sas_cq *cq = &hisi_hba->cq[i];
>   		int nr = hisi_sas_intr_conv ? 16 : 16 + i;
> 

Does the free_irq(pci_irq_vector(pdev, nr, cq)) call also need to change 
(not shown)?

Having said that, why have these at all if we use devm_request_irq()? 
devm_irq_release() calls free_irq().

Thanks,
John
Yang Yingliang May 19, 2021, 3:36 a.m. UTC | #2 
On 2021/5/18 23:34, John Garry wrote:
> On 18/05/2021 14:09, Yang Yingliang wrote:
>> irq allocated with devm_request_irq should not be freed using
>> free_irq, because doing so causes a dangling pointer, and a
>> subsequent double free.
>>
>> Reported-by: Hulk Robot <hulkci@huawei.com>
>> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
>> ---
>>   drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 6 +++---
>>   1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c 
>> b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
>> index 499c770d405c..684f762bcfb3 100644
>> --- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
>> +++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
>> @@ -4811,9 +4811,9 @@ hisi_sas_v3_destroy_irqs(struct pci_dev *pdev, 
>> struct hisi_hba *hisi_hba)
>>   {
>>       int i;
>>   -    free_irq(pci_irq_vector(pdev, 1), hisi_hba);
>> -    free_irq(pci_irq_vector(pdev, 2), hisi_hba);
>> -    free_irq(pci_irq_vector(pdev, 11), hisi_hba);
>> +    devm_free_irq(&pdev->dev, pci_irq_vector(pdev, 1), hisi_hba);
>> +    devm_free_irq(&pdev->dev, pci_irq_vector(pdev, 2), hisi_hba);
>> +    devm_free_irq(&pdev->dev, pci_irq_vector(pdev, 11), hisi_hba);
>>       for (i = 0; i < hisi_hba->cq_nvecs; i++) {
>>           struct hisi_sas_cq *cq = &hisi_hba->cq[i];
>>           int nr = hisi_sas_intr_conv ? 16 : 16 + i;
>>
>
> Does the free_irq(pci_irq_vector(pdev, nr, cq)) call also need to 
> change (not shown)?
Yes, I missed that, it should be changed too.
>
> Having said that, why have these at all if we use devm_request_irq()? 
> devm_irq_release() calls free_irq().
I keep the original logic here, only avoid double free.
>
> Thanks,
> John
>
> .
John Garry May 19, 2021, 11:19 a.m. UTC | #3 
On 19/05/2021 04:36, Yang Yingliang wrote:
> 
> On 2021/5/18 23:34, John Garry wrote:
>> On 18/05/2021 14:09, Yang Yingliang wrote:
>>> irq allocated with devm_request_irq should not be freed using
>>> free_irq, because doing so causes a dangling pointer, and a
>>> subsequent double free.
>>>
>>> Reported-by: Hulk Robot <hulkci@huawei.com>
>>> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
>>> ---
>>>   drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 6 +++---
>>>   1 file changed, 3 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c 
>>> b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
>>> index 499c770d405c..684f762bcfb3 100644
>>> --- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
>>> +++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
>>> @@ -4811,9 +4811,9 @@ hisi_sas_v3_destroy_irqs(struct pci_dev *pdev, 
>>> struct hisi_hba *hisi_hba)
>>>   {
>>>       int i;
>>>   -    free_irq(pci_irq_vector(pdev, 1), hisi_hba);
>>> -    free_irq(pci_irq_vector(pdev, 2), hisi_hba);
>>> -    free_irq(pci_irq_vector(pdev, 11), hisi_hba);
>>> +    devm_free_irq(&pdev->dev, pci_irq_vector(pdev, 1), hisi_hba);
>>> +    devm_free_irq(&pdev->dev, pci_irq_vector(pdev, 2), hisi_hba);
>>> +    devm_free_irq(&pdev->dev, pci_irq_vector(pdev, 11), hisi_hba);
>>>       for (i = 0; i < hisi_hba->cq_nvecs; i++) {
>>>           struct hisi_sas_cq *cq = &hisi_hba->cq[i];
>>>           int nr = hisi_sas_intr_conv ? 16 : 16 + i;
>>>
>>
>> Does the free_irq(pci_irq_vector(pdev, nr, cq)) call also need to 
>> change (not shown)?
> Yes, I missed that, it should be changed too.

So I think that we need this addition:
  devm_free_irq(&pdev->dev, pci_irq_vector(pdev, nr), cq);

>>
>> Having said that, why have these at all if we use devm_request_irq()? 
>> devm_irq_release() calls free_irq().
> I keep the original logic here, only avoid double free.

Kasan doesn't complain. Anyway, I think we can't rely on device-managed 
method (for calling free_irq()) as it conflicts with pci free vectors 
call. I thought that someone was developed a device-managed version of 
that (pci_alloc_irq_vectors()).

Anyway, please proceed with your change, but with the suggested addition.

Thanks
diff mbox series

Patch

diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
index 499c770d405c..684f762bcfb3 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
@@ -4811,9 +4811,9 @@  hisi_sas_v3_destroy_irqs(struct pci_dev *pdev, struct hisi_hba *hisi_hba)
 {
 	int i;
 
-	free_irq(pci_irq_vector(pdev, 1), hisi_hba);
-	free_irq(pci_irq_vector(pdev, 2), hisi_hba);
-	free_irq(pci_irq_vector(pdev, 11), hisi_hba);
+	devm_free_irq(&pdev->dev, pci_irq_vector(pdev, 1), hisi_hba);
+	devm_free_irq(&pdev->dev, pci_irq_vector(pdev, 2), hisi_hba);
+	devm_free_irq(&pdev->dev, pci_irq_vector(pdev, 11), hisi_hba);
 	for (i = 0; i < hisi_hba->cq_nvecs; i++) {
 		struct hisi_sas_cq *cq = &hisi_hba->cq[i];
 		int nr = hisi_sas_intr_conv ? 16 : 16 + i;