* [PATCH] driver core: fix race between creating/querying glue dir and its cleanup
@ 2016-03-28 8:27 Ming Lei
2016-04-26 17:27 ` Chandra Sekhar Lingutla
0 siblings, 1 reply; 4+ messages in thread
From: Ming Lei @ 2016-03-28 8:27 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: linux-kernel, Yijing Wang, Chandra Sekhar Lingutla, Ming Lei
The global mutex of 'gdp_mutex' is used to serialize creating/querying
glue dir and its cleanup. Turns out it isn't a perfect way because
part(kobj_kset_leave()) of the actual cleanup action() is done inside
the release handler of the glue dir kobject. That means gdp_mutex has
to be held before releasing the last reference count of the glue dir
kobject.
This patch moves glue dir's cleanup after kobject_del() in device_del()
for avoiding the race.
Cc: Yijing Wang <wangyijing@huawei.com>
Reported-by: Chandra Sekhar Lingutla <clingutla@codeaurora.org>
Signed-off-by: Ming Lei <ming.lei@canonical.com>
---
drivers/base/core.c | 41 +++++++++++++++++++++++++++++++----------
1 file changed, 31 insertions(+), 10 deletions(-)
diff --git a/drivers/base/core.c b/drivers/base/core.c
index 0a8bdad..3f2e1f8 100644
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -836,11 +836,31 @@ static struct kobject *get_device_parent(struct device *dev,
return NULL;
}
+static inline bool live_in_glue_dir(struct kobject *kobj,
+ struct device *dev)
+{
+ if (!kobj || !dev->class ||
+ kobj->kset != &dev->class->p->glue_dirs)
+ return true;
+ return false;
+}
+
+static inline struct kobject *get_glue_dir(struct device *dev)
+{
+ if (live_in_glue_dir(&dev->kobj, dev))
+ return dev->kobj.parent;
+ return NULL;
+}
+
+/*
+ * make sure cleaning up dir as the last step, we need to make
+ * sure .release handler of kobject is run with holding the
+ * global lock
+ */
static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
{
/* see if we live in a "glue" directory */
- if (!glue_dir || !dev->class ||
- glue_dir->kset != &dev->class->p->glue_dirs)
+ if (!live_in_glue_dir(glue_dir, dev))
return;
mutex_lock(&gdp_mutex);
@@ -848,11 +868,6 @@ static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
mutex_unlock(&gdp_mutex);
}
-static void cleanup_device_parent(struct device *dev)
-{
- cleanup_glue_dir(dev, dev->kobj.parent);
-}
-
static int device_add_class_symlinks(struct device *dev)
{
struct device_node *of_node = dev_of_node(dev);
@@ -1028,6 +1043,7 @@ int device_add(struct device *dev)
struct kobject *kobj;
struct class_interface *class_intf;
int error = -EINVAL;
+ struct kobject *glue_dir = NULL;
dev = get_device(dev);
if (!dev)
@@ -1072,8 +1088,10 @@ int device_add(struct device *dev)
/* first, register with generic layer. */
/* we require the name to be set before, and pass NULL */
error = kobject_add(&dev->kobj, dev->kobj.parent, NULL);
- if (error)
+ if (error) {
+ glue_dir = get_glue_dir(dev);
goto Error;
+ }
/* notify platform of device entry */
if (platform_notify)
@@ -1154,9 +1172,10 @@ done:
device_remove_file(dev, &dev_attr_uevent);
attrError:
kobject_uevent(&dev->kobj, KOBJ_REMOVE);
+ glue_dir = get_glue_dir(dev);
kobject_del(&dev->kobj);
Error:
- cleanup_device_parent(dev);
+ cleanup_glue_dir(dev, glue_dir);
put_device(parent);
name_error:
kfree(dev->p);
@@ -1232,6 +1251,7 @@ EXPORT_SYMBOL_GPL(put_device);
void device_del(struct device *dev)
{
struct device *parent = dev->parent;
+ struct kobject *glue_dir = NULL;
struct class_interface *class_intf;
/* Notify clients of device removal. This call must come
@@ -1276,8 +1296,9 @@ void device_del(struct device *dev)
blocking_notifier_call_chain(&dev->bus->p->bus_notifier,
BUS_NOTIFY_REMOVED_DEVICE, dev);
kobject_uevent(&dev->kobj, KOBJ_REMOVE);
- cleanup_device_parent(dev);
+ glue_dir = get_glue_dir(dev);
kobject_del(&dev->kobj);
+ cleanup_glue_dir(dev, glue_dir);
put_device(parent);
}
EXPORT_SYMBOL_GPL(device_del);
--
1.9.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] driver core: fix race between creating/querying glue dir and its cleanup
2016-03-28 8:27 [PATCH] driver core: fix race between creating/querying glue dir and its cleanup Ming Lei
@ 2016-04-26 17:27 ` Chandra Sekhar Lingutla
2016-05-10 6:00 ` Chandra Sekhar Lingutla
2016-06-21 15:46 ` Jason Hrycay
0 siblings, 2 replies; 4+ messages in thread
From: Chandra Sekhar Lingutla @ 2016-04-26 17:27 UTC (permalink / raw)
To: Ming Lei, Greg Kroah-Hartman; +Cc: linux-kernel, Yijing Wang
Hi Ming,
On 03/28/2016 01:57 PM, Ming Lei wrote:
> The global mutex of 'gdp_mutex' is used to serialize creating/querying
> glue dir and its cleanup. Turns out it isn't a perfect way because
> part(kobj_kset_leave()) of the actual cleanup action() is done inside
> the release handler of the glue dir kobject. That means gdp_mutex has
> to be held before releasing the last reference count of the glue dir
> kobject.
>
> This patch moves glue dir's cleanup after kobject_del() in device_del()
> for avoiding the race.
>
> Cc: Yijing Wang <wangyijing@huawei.com>
> Reported-by: Chandra Sekhar Lingutla <clingutla@codeaurora.org>
> Signed-off-by: Ming Lei <ming.lei@canonical.com>
> ---
> drivers/base/core.c | 41 +++++++++++++++++++++++++++++++----------
> 1 file changed, 31 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/base/core.c b/drivers/base/core.c
> index 0a8bdad..3f2e1f8 100644
> --- a/drivers/base/core.c
> +++ b/drivers/base/core.c
> @@ -836,11 +836,31 @@ static struct kobject *get_device_parent(struct device *dev,
> return NULL;
> }
>
> +static inline bool live_in_glue_dir(struct kobject *kobj,
> + struct device *dev)
> +{
> + if (!kobj || !dev->class ||
> + kobj->kset != &dev->class->p->glue_dirs)
> + return true;
> + return false;
> +}
I think we should return false if kobj->kset != &dev->class->p->glue_dirs.
If kboj->kset points to dev->class->p->glue_dirs, then we live in glue dir.
So logic should be:
if (!kobj || !dev->class ||
kobj->kset != &dev->class->p->glue_dirs)
return false;
return true;
> +
> +static inline struct kobject *get_glue_dir(struct device *dev)
> +{
> + if (live_in_glue_dir(&dev->kobj, dev))
> + return dev->kobj.parent;
> + return NULL;
> +}
> +
> +/*
> + * make sure cleaning up dir as the last step, we need to make
> + * sure .release handler of kobject is run with holding the
> + * global lock
> + */
> static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
> {
> /* see if we live in a "glue" directory */
> - if (!glue_dir || !dev->class ||
> - glue_dir->kset != &dev->class->p->glue_dirs)
> + if (!live_in_glue_dir(glue_dir, dev))
> return;
>
> mutex_lock(&gdp_mutex);
> @@ -848,11 +868,6 @@ static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
> mutex_unlock(&gdp_mutex);
> }
>
> -static void cleanup_device_parent(struct device *dev)
> -{
> - cleanup_glue_dir(dev, dev->kobj.parent);
> -}
> -
> static int device_add_class_symlinks(struct device *dev)
> {
> struct device_node *of_node = dev_of_node(dev);
> @@ -1028,6 +1043,7 @@ int device_add(struct device *dev)
> struct kobject *kobj;
> struct class_interface *class_intf;
> int error = -EINVAL;
> + struct kobject *glue_dir = NULL;
>
> dev = get_device(dev);
> if (!dev)
> @@ -1072,8 +1088,10 @@ int device_add(struct device *dev)
> /* first, register with generic layer. */
> /* we require the name to be set before, and pass NULL */
> error = kobject_add(&dev->kobj, dev->kobj.parent, NULL);
> - if (error)
> + if (error) {
> + glue_dir = get_glue_dir(dev);
> goto Error;
> + }
>
> /* notify platform of device entry */
> if (platform_notify)
> @@ -1154,9 +1172,10 @@ done:
> device_remove_file(dev, &dev_attr_uevent);
> attrError:
> kobject_uevent(&dev->kobj, KOBJ_REMOVE);
> + glue_dir = get_glue_dir(dev);
> kobject_del(&dev->kobj);
> Error:
> - cleanup_device_parent(dev);
> + cleanup_glue_dir(dev, glue_dir);
> put_device(parent);
> name_error:
> kfree(dev->p);
> @@ -1232,6 +1251,7 @@ EXPORT_SYMBOL_GPL(put_device);
> void device_del(struct device *dev)
> {
> struct device *parent = dev->parent;
> + struct kobject *glue_dir = NULL;
> struct class_interface *class_intf;
>
> /* Notify clients of device removal. This call must come
> @@ -1276,8 +1296,9 @@ void device_del(struct device *dev)
> blocking_notifier_call_chain(&dev->bus->p->bus_notifier,
> BUS_NOTIFY_REMOVED_DEVICE, dev);
> kobject_uevent(&dev->kobj, KOBJ_REMOVE);
> - cleanup_device_parent(dev);
> + glue_dir = get_glue_dir(dev);
> kobject_del(&dev->kobj);
> + cleanup_glue_dir(dev, glue_dir);
> put_device(parent);
> }
> EXPORT_SYMBOL_GPL(device_del);
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] driver core: fix race between creating/querying glue dir and its cleanup
2016-04-26 17:27 ` Chandra Sekhar Lingutla
@ 2016-05-10 6:00 ` Chandra Sekhar Lingutla
2016-06-21 15:46 ` Jason Hrycay
1 sibling, 0 replies; 4+ messages in thread
From: Chandra Sekhar Lingutla @ 2016-05-10 6:00 UTC (permalink / raw)
To: Ming Lei, Greg Kroah-Hartman; +Cc: linux-kernel, Yijing Wang
Hi Ming/ Greg
Curious to know your comments on this patch.
On 04/26/2016 10:57 PM, Chandra Sekhar Lingutla wrote:
> Hi Ming,
>
> On 03/28/2016 01:57 PM, Ming Lei wrote:
>> The global mutex of 'gdp_mutex' is used to serialize creating/querying
>> glue dir and its cleanup. Turns out it isn't a perfect way because
>> part(kobj_kset_leave()) of the actual cleanup action() is done inside
>> the release handler of the glue dir kobject. That means gdp_mutex has
>> to be held before releasing the last reference count of the glue dir
>> kobject.
>>
>> This patch moves glue dir's cleanup after kobject_del() in device_del()
>> for avoiding the race.
>>
>> Cc: Yijing Wang <wangyijing@huawei.com>
>> Reported-by: Chandra Sekhar Lingutla <clingutla@codeaurora.org>
>> Signed-off-by: Ming Lei <ming.lei@canonical.com>
>> ---
>> drivers/base/core.c | 41 +++++++++++++++++++++++++++++++----------
>> 1 file changed, 31 insertions(+), 10 deletions(-)
>>
>> diff --git a/drivers/base/core.c b/drivers/base/core.c
>> index 0a8bdad..3f2e1f8 100644
>> --- a/drivers/base/core.c
>> +++ b/drivers/base/core.c
>> @@ -836,11 +836,31 @@ static struct kobject *get_device_parent(struct device *dev,
>> return NULL;
>> }
>>
>> +static inline bool live_in_glue_dir(struct kobject *kobj,
>> + struct device *dev)
>> +{
>> + if (!kobj || !dev->class ||
>> + kobj->kset != &dev->class->p->glue_dirs)
>> + return true;
>> + return false;
>> +}
> I think we should return false if kobj->kset != &dev->class->p->glue_dirs.
> If kboj->kset points to dev->class->p->glue_dirs, then we live in glue dir.
> So logic should be:
> if (!kobj || !dev->class ||
> kobj->kset != &dev->class->p->glue_dirs)
> return false;
> return true;
>
>> +
>> +static inline struct kobject *get_glue_dir(struct device *dev)
>> +{
>> + if (live_in_glue_dir(&dev->kobj, dev))
>> + return dev->kobj.parent;
>> + return NULL;
>> +}
>> +
>> +/*
>> + * make sure cleaning up dir as the last step, we need to make
>> + * sure .release handler of kobject is run with holding the
>> + * global lock
>> + */
>> static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
>> {
>> /* see if we live in a "glue" directory */
>> - if (!glue_dir || !dev->class ||
>> - glue_dir->kset != &dev->class->p->glue_dirs)
>> + if (!live_in_glue_dir(glue_dir, dev))
>> return;
>>
>> mutex_lock(&gdp_mutex);
>> @@ -848,11 +868,6 @@ static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
>> mutex_unlock(&gdp_mutex);
>> }
>>
>> -static void cleanup_device_parent(struct device *dev)
>> -{
>> - cleanup_glue_dir(dev, dev->kobj.parent);
>> -}
>> -
>> static int device_add_class_symlinks(struct device *dev)
>> {
>> struct device_node *of_node = dev_of_node(dev);
>> @@ -1028,6 +1043,7 @@ int device_add(struct device *dev)
>> struct kobject *kobj;
>> struct class_interface *class_intf;
>> int error = -EINVAL;
>> + struct kobject *glue_dir = NULL;
>>
>> dev = get_device(dev);
>> if (!dev)
>> @@ -1072,8 +1088,10 @@ int device_add(struct device *dev)
>> /* first, register with generic layer. */
>> /* we require the name to be set before, and pass NULL */
>> error = kobject_add(&dev->kobj, dev->kobj.parent, NULL);
>> - if (error)
>> + if (error) {
>> + glue_dir = get_glue_dir(dev);
>> goto Error;
>> + }
>>
>> /* notify platform of device entry */
>> if (platform_notify)
>> @@ -1154,9 +1172,10 @@ done:
>> device_remove_file(dev, &dev_attr_uevent);
>> attrError:
>> kobject_uevent(&dev->kobj, KOBJ_REMOVE);
>> + glue_dir = get_glue_dir(dev);
>> kobject_del(&dev->kobj);
>> Error:
>> - cleanup_device_parent(dev);
>> + cleanup_glue_dir(dev, glue_dir);
>> put_device(parent);
>> name_error:
>> kfree(dev->p);
>> @@ -1232,6 +1251,7 @@ EXPORT_SYMBOL_GPL(put_device);
>> void device_del(struct device *dev)
>> {
>> struct device *parent = dev->parent;
>> + struct kobject *glue_dir = NULL;
>> struct class_interface *class_intf;
>>
>> /* Notify clients of device removal. This call must come
>> @@ -1276,8 +1296,9 @@ void device_del(struct device *dev)
>> blocking_notifier_call_chain(&dev->bus->p->bus_notifier,
>> BUS_NOTIFY_REMOVED_DEVICE, dev);
>> kobject_uevent(&dev->kobj, KOBJ_REMOVE);
>> - cleanup_device_parent(dev);
>> + glue_dir = get_glue_dir(dev);
>> kobject_del(&dev->kobj);
>> + cleanup_glue_dir(dev, glue_dir);
>> put_device(parent);
>> }
>> EXPORT_SYMBOL_GPL(device_del);
>>
--
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,\na Linux Foundation Collaborative Project
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] driver core: fix race between creating/querying glue dir and its cleanup
2016-04-26 17:27 ` Chandra Sekhar Lingutla
2016-05-10 6:00 ` Chandra Sekhar Lingutla
@ 2016-06-21 15:46 ` Jason Hrycay
1 sibling, 0 replies; 4+ messages in thread
From: Jason Hrycay @ 2016-06-21 15:46 UTC (permalink / raw)
To: linux-kernel
Hi Ming/Chandrasekhar,
Chandra Sekhar Lingutla <clingutla <at> codeaurora.org> writes:
>
> Hi Ming,
>
> [...]
> > +static inline bool live_in_glue_dir(struct kobject *kobj,
> > + struct device *dev)
> > +{
> > + if (!kobj || !dev->class ||
> > + kobj->kset != &dev->class->p->glue_dirs)
> > + return true;
> > + return false;
> > +}
> I think we should return false if kobj->kset != &dev->class->p->glue_dirs.
> If kboj->kset points to dev->class->p->glue_dirs, then we live in glue dir.
> So logic should be:
> if (!kobj || !dev->class ||
> kobj->kset != &dev->class->p->glue_dirs)
> return false;
> return true;
>
> > +
> > +static inline struct kobject *get_glue_dir(struct device *dev)
> > +{
> > + if (live_in_glue_dir(&dev->kobj, dev))
> > + return dev->kobj.parent;
> > + return NULL;
> > +}
I don't think we should be checking the live_in_glue_dir on dev->kobj above,
but rather, dev->kobj.parent. That being said, I don't think the check is
even needed as it's going to be re-checked in the cleanup_glue_dir.
The issue is, if we fail the 'live_in_glue_dir' check on the dev->kobj, we'll
return NULL and subsequently fail to kobject_put the dev->kobj.parent in the
cleanup_glue_dir function, leaking a reference.
> [snip]
Regards,
Jason Hrycay
jason.hrycay@motorola.com
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-06-21 16:55 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-03-28 8:27 [PATCH] driver core: fix race between creating/querying glue dir and its cleanup Ming Lei
2016-04-26 17:27 ` Chandra Sekhar Lingutla
2016-05-10 6:00 ` Chandra Sekhar Lingutla
2016-06-21 15:46 ` Jason Hrycay
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.