genirq: Protect access to irq_desc->action in can_request_irq()

can_request_irq() accesses and dereferences irq_desc->action w/o holding irq_desc->lock. So action can be freed on another CPU before it's dereferenced. Unlikely, but ... Protect it with desc->lock. Signed-off-by: N Thomas Gleixner <tglx@linutronix.de>

genirq: Protect access to irq_desc->action in can_request_irq()
can_request_irq() accesses and dereferences irq_desc->action w/o holding irq_desc->lock. So action can be freed on another CPU before it's dereferenced. Unlikely, but ... Protect it with desc->lock. Signed-off-by: N Thomas Gleixner <tglx@linutronix.de>
cc8c3b78 · Thomas Gleixner · 0b1adaa0 · cc8c3b78
显示空白变更内容
内联并排

Showing with 4 addition and 0 deletion

kernel/irq/manage.c kernel/irq/manage.c +4 -0

未找到文件。
--- a/kernel/irq/manage.c
+++ b/kernel/irq/manage.c
@@ -382,6 +382,7 @@ int can_request_irq(unsigned int irq, unsigned long irqflags)
 {
 	struct irq_desc *desc = irq_to_desc(irq);
 	struct irqaction *action;
+	unsigned long flags;

 	if (!desc)
 		return 0;
@@ -389,11 +390,14 @@ int can_request_irq(unsigned int irq, unsigned long irqflags)
 	if (desc->status & IRQ_NOREQUEST)
 		return 0;

+	raw_spin_lock_irqsave(&desc->lock, flags);
 	action = desc->action;
 	if (action)
 		if (irqflags & action->flags & IRQF_SHARED)
 			action = NULL;

+	raw_spin_unlock_irqrestore(&desc->lock, flags);
+
 	return !action;
 }