From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S936286AbcA0WyA (ORCPT ); Wed, 27 Jan 2016 17:54:00 -0500 Received: from v094114.home.net.pl ([79.96.170.134]:50655 "HELO v094114.home.net.pl" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S932399AbcA0Wxz (ORCPT ); Wed, 27 Jan 2016 17:53:55 -0500 From: "Rafael J. Wysocki" To: Viresh Kumar Cc: linaro-kernel@lists.linaro.org, linux-pm@vger.kernel.org, "# v4 . 2+" , Juri Lelli , open list Subject: Re: [PATCH] cpufreq: Fix NULL reference crash while accessing policy->governor_data Date: Wed, 27 Jan 2016 23:54:49 +0100 Message-ID: <3004241.yqvZmcL5vE@vostro.rjw.lan> User-Agent: KMail/4.11.5 (Linux/4.5.0-rc1+; KDE/4.11.5; x86_64; ; ) In-Reply-To: <1297c8fc8135f8b5359f9c49d220a939c0ee640e.1453741314.git.viresh.kumar@linaro.org> References: <1297c8fc8135f8b5359f9c49d220a939c0ee640e.1453741314.git.viresh.kumar@linaro.org> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="utf-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Monday, January 25, 2016 10:33:46 PM Viresh Kumar wrote: > There is a little race discovered by Juri, where we are able to: > - create and read a sysfs file before policy->governor_data is being set > to a non NULL value. > OR > - set policy->governor_data to NULL, and reading a file before being > destroyed. > > And so such a crash is reported: > > Unable to handle kernel NULL pointer dereference at virtual address 0000000c > pgd = edfc8000 > [0000000c] *pgd=bfc8c835 > Internal error: Oops: 17 [#1] SMP ARM > Modules linked in: > CPU: 4 PID: 1730 Comm: cat Not tainted 4.5.0-rc1+ #463 > Hardware name: ARM-Versatile Express > task: ee8e8480 ti: ee930000 task.ti: ee930000 > PC is at show_ignore_nice_load_gov_pol+0x24/0x34 > LR is at show+0x4c/0x60 > pc : [] lr : [] psr: a0070013 > sp : ee931dd0 ip : ee931de0 fp : ee931ddc > r10: ee4bc290 r9 : 00001000 r8 : ef2cb000 > r7 : ee4bc200 r6 : ef2cb000 r5 : c0af57b0 r4 : ee4bc2e0 > r3 : 00000000 r2 : 00000000 r1 : c0928df4 r0 : ef2cb000 > Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none > Control: 10c5387d Table: adfc806a DAC: 00000051 > Process cat (pid: 1730, stack limit = 0xee930210) > Stack: (0xee931dd0 to 0xee932000) > 1dc0: ee931dfc ee931de0 c058ae88 c058f1a4 > 1de0: edce3bc0 c07bfca4 edce3ac0 00001000 ee931e24 ee931e00 c01fcb90 c058ae48 > 1e00: 00000001 edce3bc0 00000000 00000001 ee931e50 ee8ff480 ee931e34 ee931e28 > 1e20: c01fb33c c01fcb0c ee931e8c ee931e38 c01a5210 c01fb314 ee931e9c ee931e48 > 1e40: 00000000 edce3bf0 befe4a00 ee931f78 00000000 00000000 000001e4 00000000 > 1e60: c00545a8 edce3ac0 00001000 00001000 befe4a00 ee931f78 00000000 00001000 > 1e80: ee931ed4 ee931e90 c01fbed8 c01a5038 ed085a58 00020000 00000000 00000000 > 1ea0: c0ad72e4 ee931f78 ee8ff488 ee8ff480 c077f3fc 00001000 befe4a00 ee931f78 > 1ec0: 00000000 00001000 ee931f44 ee931ed8 c017c328 c01fbdc4 00001000 00000000 > 1ee0: ee8ff480 00001000 ee931f44 ee931ef8 c017c65c c03deb10 ee931fac ee931f08 > 1f00: c0009270 c001f290 c0a8d968 ef2cb000 ef2cb000 ee8ff480 00000020 ee8ff480 > 1f20: ee8ff480 befe4a00 00001000 ee931f78 00000000 00000000 ee931f74 ee931f48 > 1f40: c017d1ec c017c2f8 c019c724 c019c684 ee8ff480 ee8ff480 00001000 befe4a00 > 1f60: 00000000 00000000 ee931fa4 ee931f78 c017d2a8 c017d160 00000000 00000000 > 1f80: 000a9f20 00001000 befe4a00 00000003 c000ffe4 ee930000 00000000 ee931fa8 > 1fa0: c000fe40 c017d264 000a9f20 00001000 00000003 befe4a00 00001000 00000000 > Unable to handle kernel NULL pointer dereference at virtual address 0000000c > 1fc0: 000a9f20 00001000 befe4a00 00000003 00000000 00000000 00000003 00000001 > pgd = edfc4000 > [0000000c] *pgd=bfcac835 > 1fe0: 00000000 befe49dc 000197f8 b6e35dfc 60070010 00000003 3065b49d 134ac2c9 > > [] (show_ignore_nice_load_gov_pol) from [] (show+0x4c/0x60) > [] (show) from [] (sysfs_kf_seq_show+0x90/0xfc) > [] (sysfs_kf_seq_show) from [] (kernfs_seq_show+0x34/0x38) > [] (kernfs_seq_show) from [] (seq_read+0x1e4/0x4e4) > [] (seq_read) from [] (kernfs_fop_read+0x120/0x1a0) > [] (kernfs_fop_read) from [] (__vfs_read+0x3c/0xe0) > [] (__vfs_read) from [] (vfs_read+0x98/0x104) > [] (vfs_read) from [] (SyS_read+0x50/0x90) > [] (SyS_read) from [] (ret_fast_syscall+0x0/0x1c) > Code: e5903044 e1a00001 e3081df4 e34c1092 (e593300c) > ---[ end trace 5994b9a5111f35ee ]--- > > Fix that by making sure, policy->governor_data is updated at the right > places only. > > Cc: # v4.2+ > Reported-by: Juri Lelli > Signed-off-by: Viresh Kumar So I've applied this, but I'm not sure it is sufficient yet. Have you double checked whether or not stuff cannot be reordered by the CPU and/or the compiler and no additional memory barriers are needed? Rafael