From: Viresh Kumar <viresh.kumar@linaro.org>
To: Schspa Shi <schspa@gmail.com>
Cc: rafael@kernel.org, linux-pm@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] cpufreq: fix race on cpufreq online
Date: Mon, 9 May 2022 09:27:46 +0530 [thread overview]
Message-ID: <20220509035746.aeggm4cut2ewcmmk@vireshk-i7> (raw)
In-Reply-To: <20220420191541.99528-1-schspa@gmail.com>
I had to dig the old patch first before starting to review what your
next one does.
On 21-04-22, 03:15, Schspa Shi wrote:
> When cpufreq online failed, policy->cpus are not empty while
> cpufreq sysfs file available, we may access some data freed.
>
> Take policy->clk as an example:
>
> static int cpufreq_online(unsigned int cpu)
> {
> ...
> // policy->cpus != 0 at this time
> down_write(&policy->rwsem);
> ret = cpufreq_add_dev_interface(policy);
Please keep some code to help understand where we went from here. I am
sure you meant that we will error out in this case, but you removed
the relevant code.
> up_write(&policy->rwsem);
>
> return 0;
>
> out_destroy_policy:
> for_each_cpu(j, policy->real_cpus)
> remove_cpu_dev_symlink(policy, get_cpu_device(j));
> up_write(&policy->rwsem);
> ...
> out_exit_policy:
> if (cpufreq_driver->exit)
> cpufreq_driver->exit(policy);
> clk_put(policy->clk);
> // policy->clk is a wild pointer
> ...
> ^
> |
> Another process access
> __cpufreq_get
> cpufreq_verify_current_freq
> cpufreq_generic_get
> // acces wild pointer of policy->clk;
> |
> |
> out_offline_policy: |
> cpufreq_policy_free(policy); |
> // deleted here, and will wait for no body reference
> cpufreq_policy_put_kobj(policy);
> }
>
> Signed-off-by: Schspa Shi <schspa@gmail.com>
> ---
> drivers/cpufreq/cpufreq.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
> index 80f535cc8a75..0d58b0f8f3af 100644
> --- a/drivers/cpufreq/cpufreq.c
> +++ b/drivers/cpufreq/cpufreq.c
> @@ -1533,8 +1533,6 @@ static int cpufreq_online(unsigned int cpu)
> for_each_cpu(j, policy->real_cpus)
> remove_cpu_dev_symlink(policy, get_cpu_device(j));
>
> - up_write(&policy->rwsem);
> -
> out_offline_policy:
> if (cpufreq_driver->offline)
> cpufreq_driver->offline(policy);
> @@ -1543,6 +1541,9 @@ static int cpufreq_online(unsigned int cpu)
> if (cpufreq_driver->exit)
> cpufreq_driver->exit(policy);
>
> + cpumask_clear(policy->cpus);
> + up_write(&policy->rwsem);
This is simply buggy as now an error out to out_offline_policy or
out_exit_policy will try to release a semaphore which was never taken
in the first place. This works fine only if we failed late, i.e. via
out_destroy_policy.
The very first thing we need to do now is revert this patch. Lemme
send a patch for that and you can send a fresh fix over that once you
have a stable fix.
--
viresh
next prev parent reply other threads:[~2022-05-09 4:07 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-20 19:15 [PATCH] cpufreq: fix race on cpufreq online Schspa Shi
2022-04-22 14:38 ` Rafael J. Wysocki
2022-04-22 15:10 ` Schspa Shi
2022-04-22 15:59 ` Rafael J. Wysocki
2022-05-09 3:57 ` Viresh Kumar [this message]
2022-05-09 15:06 ` Schspa Shi
2022-05-10 3:52 ` Viresh Kumar
2022-05-10 15:28 ` [PATCH v2] " Schspa Shi
2022-05-10 15:34 ` Rafael J. Wysocki
2022-05-10 15:43 ` Schspa Shi
2022-05-10 15:42 ` [PATCH v3] " Schspa Shi
2022-05-11 4:35 ` Viresh Kumar
2022-05-11 8:10 ` Schspa Shi
2022-05-11 12:21 ` Viresh Kumar
2022-05-11 12:59 ` Rafael J. Wysocki
2022-05-11 13:19 ` Rafael J. Wysocki
2022-05-11 13:42 ` Rafael J. Wysocki
2022-05-11 13:42 ` Schspa Shi
2022-05-11 13:50 ` Rafael J. Wysocki
2022-05-12 6:56 ` Viresh Kumar
2022-05-12 10:49 ` Rafael J. Wysocki
2022-05-13 4:27 ` Viresh Kumar
2022-05-24 11:14 ` Viresh Kumar
2022-05-24 11:22 ` Rafael J. Wysocki
2022-05-24 11:29 ` Viresh Kumar
2022-05-24 11:48 ` Rafael J. Wysocki
2022-05-24 11:53 ` Rafael J. Wysocki
2022-05-25 5:32 ` Viresh Kumar
2022-05-12 5:56 ` Viresh Kumar
2022-05-11 13:12 ` Schspa Shi
2022-05-11 14:15 ` Rafael J. Wysocki
2022-05-12 5:51 ` Schspa Shi
2022-05-12 10:37 ` Rafael J. Wysocki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220509035746.aeggm4cut2ewcmmk@vireshk-i7 \
--to=viresh.kumar@linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=rafael@kernel.org \
--cc=schspa@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.