From: Stephen Boyd <swboyd@chromium.org>
To: Andy Gross <agross@kernel.org>,
Matthias Kaehlcke <mka@chromium.org>,
Ohad Ben-Cohen <ohad@wizery.com>
Cc: linux-kernel@vger.kernel.org, linux-remoteproc@vger.kernel.org,
Sibi Sankar <sibis@codeaurora.org>,
Sujit Kautkar <sujitka@chromium.org>,
Bjorn Andersson <bjorn.andersson@linaro.org>,
Mathieu Poirier <mathieu.poirier@linaro.org>
Subject: Re: [PATCH v6 1/2] rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev
Date: Mon, 10 Jan 2022 13:09:09 -0800 [thread overview]
Message-ID: <CAE-0n51jie8FsYmU-6uf4EU1oqVQv4siT9dWFu2E-6dw_BHUCw@mail.gmail.com> (raw)
In-Reply-To: <20220110104706.v6.1.Iaac908f3e3149a89190ce006ba166e2d3fd247a3@changeid>
Quoting Matthias Kaehlcke (2022-01-10 10:47:36)
> From: Sujit Kautkar <sujitka@chromium.org>
>
> struct rpmsg_ctrldev contains a struct cdev. The current code frees
> the rpmsg_ctrldev struct in rpmsg_ctrldev_release_device(), but the
> cdev is a managed object, therefore its release is not predictable
> and the rpmsg_ctrldev could be freed before the cdev is entirely
> released, as in the backtrace below.
>
> [ 93.625603] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x7c
> [ 93.636115] WARNING: CPU: 0 PID: 12 at lib/debugobjects.c:488 debug_print_object+0x13c/0x1b0
> [ 93.644799] Modules linked in: veth xt_cgroup xt_MASQUERADE rfcomm algif_hash algif_skcipher af_alg uinput ip6table_nat fuse uvcvideo videobuf2_vmalloc venus_enc venus_dec videobuf2_dma_contig hci_uart btandroid btqca snd_soc_rt5682_i2c bluetooth qcom_spmi_temp_alarm snd_soc_rt5682v
> [ 93.715175] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.4.163-lockdep #26
> [ 93.723855] Hardware name: Google Lazor (rev3 - 8) with LTE (DT)
> [ 93.730055] Workqueue: events kobject_delayed_cleanup
> [ 93.735271] pstate: 60c00009 (nZCv daif +PAN +UAO)
> [ 93.740216] pc : debug_print_object+0x13c/0x1b0
> [ 93.744890] lr : debug_print_object+0x13c/0x1b0
> [ 93.749555] sp : ffffffacf5bc7940
> [ 93.752978] x29: ffffffacf5bc7940 x28: dfffffd000000000
> [ 93.758448] x27: ffffffacdb11a800 x26: dfffffd000000000
> [ 93.763916] x25: ffffffd0734f856c x24: dfffffd000000000
> [ 93.769389] x23: 0000000000000000 x22: ffffffd0733c35b0
> [ 93.774860] x21: ffffffd0751994a0 x20: ffffffd075ec27c0
> [ 93.780338] x19: ffffffd075199100 x18: 00000000000276e0
> [ 93.785814] x17: 0000000000000000 x16: dfffffd000000000
> [ 93.791291] x15: ffffffffffffffff x14: 6e6968207473696c
> [ 93.796768] x13: 0000000000000000 x12: ffffffd075e2b000
> [ 93.802244] x11: 0000000000000001 x10: 0000000000000000
> [ 93.807723] x9 : d13400dff1921900 x8 : d13400dff1921900
> [ 93.813200] x7 : 0000000000000000 x6 : 0000000000000000
> [ 93.818676] x5 : 0000000000000080 x4 : 0000000000000000
> [ 93.824152] x3 : ffffffd0732a0fa4 x2 : 0000000000000001
> [ 93.829628] x1 : ffffffacf5bc7580 x0 : 0000000000000061
> [ 93.835104] Call trace:
> [ 93.837644] debug_print_object+0x13c/0x1b0
> [ 93.841963] __debug_check_no_obj_freed+0x25c/0x3c0
> [ 93.846987] debug_check_no_obj_freed+0x18/0x20
> [ 93.851669] slab_free_freelist_hook+0xbc/0x1e4
> [ 93.856346] kfree+0xfc/0x2f4
> [ 93.859416] rpmsg_ctrldev_release_device+0x78/0xb8
> [ 93.864445] device_release+0x84/0x168
> [ 93.868310] kobject_cleanup+0x12c/0x298
> [ 93.872356] kobject_delayed_cleanup+0x10/0x18
> [ 93.876948] process_one_work+0x578/0x92c
> [ 93.881086] worker_thread+0x804/0xcf8
> [ 93.884963] kthread+0x2a8/0x314
> [ 93.888303] ret_from_fork+0x10/0x18
>
> The cdev_device_add/del() API was created to address this issue
> (see commit 233ed09d7fda), use it instead of cdev add/del().
>
> Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface")
> Signed-off-by: Sujit Kautkar <sujitka@chromium.org>
> Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
> Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org>
> Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
> ---
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
next prev parent reply other threads:[~2022-01-10 21:09 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-10 18:47 [PATCH v6 1/2] rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev Matthias Kaehlcke
2022-01-10 18:47 ` [PATCH v6 2/2] rpmsg: char: Fix race between the release of rpmsg_eptdev " Matthias Kaehlcke
2022-01-10 18:56 ` Bjorn Andersson
2022-01-10 21:09 ` Stephen Boyd
2022-01-10 21:09 ` Stephen Boyd [this message]
2022-01-17 22:46 ` [PATCH v6 1/2] rpmsg: char: Fix race between the release of rpmsg_ctrldev " Bjorn Andersson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAE-0n51jie8FsYmU-6uf4EU1oqVQv4siT9dWFu2E-6dw_BHUCw@mail.gmail.com \
--to=swboyd@chromium.org \
--cc=agross@kernel.org \
--cc=bjorn.andersson@linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-remoteproc@vger.kernel.org \
--cc=mathieu.poirier@linaro.org \
--cc=mka@chromium.org \
--cc=ohad@wizery.com \
--cc=sibis@codeaurora.org \
--cc=sujitka@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.