* [PATCH v2] cpufreq: brcmstb-avs-cpufreq: avoid potential stuck and UAF risk
From: qiwuchen55 @ 2020-01-05 12:50 UTC (permalink / raw)
To: mmayer, rjw, viresh.kumar, f.fainelli
Cc: bcm-kernel-feedback-list, linux-pm, linux-arm-kernel, chenqiwu
From: chenqiwu <chenqiwu@xiaomi.com>
brcm_avs_cpufreq_get() calls cpufreq_cpu_get() to get the cpufreq policy;
meanwhile, it also increments the kobject reference count of the policy to
mark it busy. However, the corresponding call of cpufreq_cpu_put() is
missing to decrement the kobject reference count back, which may lead
to a potential stuck risk where the percpu cpuhp thread waits forever for
the kobject refcount to drop when the percpu cpufreq policy is freed.
The call trace of stuck risk could be:
cpufreq_online() //If cpufreq online failed, goto out_free_policy.
->cpufreq_policy_free() //Do cpufreq_policy free.
->cpufreq_policy_put_kobj()
->kobject_put() //Skip if policy kref count is not 1.
->cpufreq_sysfs_release()
->complete() //Complete policy->kobj_unregister.
->wait_for_completion() //Wait for policy->kobj_unregister.
A simple way to avoid this stuck risk is to use cpufreq_cpu_get_raw()
instead of cpufreq_cpu_get(), since this can be easily exercised by
attempting to force an unbind of the CPUfreq driver.
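The stuck path above, as an added user-space model that is not part of this patch or of the kernel: it reduces the policy kobject to a refcount plus a completion flag, runs the old and the patched ->get() once each, and reports whether cpufreq_policy_free() would get past wait_for_completion(). The names mirror the kernel functions only for readability; the bodies are constructed stand-ins.

```c
#include <stdbool.h>

/* Constructed user-space model (not kernel code) of the objects the commit
 * message names: a policy whose kobject holds a refcount and a completion. */
struct completion { bool done; };
struct policy {
    int kref;                          /* models policy->kobj's refcount */
    struct completion kobj_unregister;
    void *driver_data;
};
/* cpufreq_cpu_get() returns the policy AND takes a reference;
 * cpufreq_cpu_get_raw() is a plain lookup with no reference taken. */
static struct policy *cpufreq_cpu_get(struct policy *p) { p->kref++; return p; }
static struct policy *cpufreq_cpu_get_raw(struct policy *p) { return p; }

/* kobject_put(): cpufreq_sysfs_release() -> complete() runs only when the
 * last reference drops, so a leaked reference silently skips it. */
static void kobject_put(struct policy *p)
{
    if (--p->kref == 0)
        p->kobj_unregister.done = true;
}

/* cpufreq_policy_free(): drop the core's reference, then wait for
 * policy->kobj_unregister. Returns true if wait_for_completion() would
 * return, false if the cpuhp thread would block forever (the stuck case). */
static bool cpufreq_policy_free(struct policy *p)
{
    kobject_put(p);
    return p->kobj_unregister.done;
}

/* ->get() before the patch: reference taken, never put back. */
static unsigned int get_leaky(struct policy *p)
{
    return cpufreq_cpu_get(p)->driver_data ? 1000 : 0;
}

/* ->get() as patched: raw lookup plus the NULL guards from the hunk. */
static unsigned int get_fixed(struct policy *p)
{
    struct policy *policy = cpufreq_cpu_get_raw(p);
    return (policy && policy->driver_data) ? 1000 : 0;
}

/* Scenario: core holds one reference, ->get() runs once, policy is freed. */
static bool free_completes_after(unsigned int (*get)(struct policy *))
{
    static int priv;                   /* stands in for struct private_data */
    struct policy p = { .kref = 1, .kobj_unregister = { false }, .driver_data = &priv };
    get(&p);
    return cpufreq_policy_free(&p);
}
```

With the old callback the refcount is left at 1 after the core's kobject_put(), so the completion never fires; with the patched callback it drops to 0 and the free completes.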
Signed-off-by: chenqiwu <chenqiwu@xiaomi.com>
---
drivers/cpufreq/brcmstb-avs-cpufreq.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/cpufreq/brcmstb-avs-cpufreq.c b/drivers/cpufreq/brcmstb-avs-cpufreq.c
index 77b0e5d..6d2bf5c 100644
--- a/drivers/cpufreq/brcmstb-avs-cpufreq.c
+++ b/drivers/cpufreq/brcmstb-avs-cpufreq.c
@@ -452,8 +452,15 @@ static bool brcm_avs_is_firmware_loaded(struct private_data *priv)
static unsigned int brcm_avs_cpufreq_get(unsigned int cpu)
{
- struct cpufreq_policy *policy = cpufreq_cpu_get(cpu);
- struct private_data *priv = policy->driver_data;
+ struct cpufreq_policy *policy = cpufreq_cpu_get_raw(cpu);
+ struct private_data *priv;
+
+ if (!policy)
+ return 0;
+
+ priv = policy->driver_data;
+ if (!priv || !priv->base)
+ return 0;
return brcm_avs_get_frequency(priv->base);
}
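Review bot: the subject announces a UAF fix, but the description only explains the leaked reference and the wait_for_completion() hang; the guard `+ if (!priv || !priv->base)` is the part that protects against a policy already torn down, so the message should state which path can observe a NULL driver_data or base, otherwise a reviewer will read the check as dead code (as happens in the replies). Since cpufreq_cpu_get_raw() pins nothing, the function now relies on the caller holding the policy while ->get() runs; a one-line comment above `+ struct cpufreq_policy *policy = cpufreq_cpu_get_raw(cpu);` recording that assumption would keep the next change from reintroducing cpufreq_cpu_get() without a matching put.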
--
1.9.1
* Re: [PATCH v2] cpufreq: brcmstb-avs-cpufreq: avoid potential stuck and UAF risk
From: Viresh Kumar @ 2020-01-06 5:56 UTC (permalink / raw)
To: qiwuchen55
Cc: mmayer, rjw, f.fainelli, bcm-kernel-feedback-list, linux-pm,
linux-arm-kernel, chenqiwu
On 05-01-20, 20:50, qiwuchen55@gmail.com wrote:
> From: chenqiwu <chenqiwu@xiaomi.com>
>
> brcm_avs_cpufreq_get() calls cpufreq_cpu_get() to get cpufreq policy,
> meanwhile, it also increments the kobject reference count of policy to
> mark it busy. However, a corresponding call of cpufreq_cpu_put() is
> ignored to decrement the kobject reference count back, which may lead
> to a potential stuck risk that percpu cpuhp thread deadly waits for
> dropping of kobject refcount when percpu cpufreq policy free.
>
> The call trace of stuck risk could be:
> cpufreq_online() //If cpufreq online failed, goto out_free_policy.
> ->cpufreq_policy_free() //Do cpufreq_policy free.
> ->cpufreq_policy_put_kobj()
> ->kobject_put() //Skip if policy kfref count is not 1.
> ->cpufreq_sysfs_release()
> ->complete() //Complete policy->kobj_unregister.
> ->wait_for_completion() //Wait for policy->kobj_unregister.
>
> A simple way to avoid this stuck risk is use cpufreq_cpu_get_raw()
> instead of cpufreq_cpu_get(), since this can be easily exercised by
> attempting to force an unbind of the CPUfreq driver.
>
> Signed-off-by: chenqiwu <chenqiwu@xiaomi.com>
> ---
> drivers/cpufreq/brcmstb-avs-cpufreq.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/cpufreq/brcmstb-avs-cpufreq.c b/drivers/cpufreq/brcmstb-avs-cpufreq.c
> index 77b0e5d..6d2bf5c 100644
> --- a/drivers/cpufreq/brcmstb-avs-cpufreq.c
> +++ b/drivers/cpufreq/brcmstb-avs-cpufreq.c
> @@ -452,8 +452,15 @@ static bool brcm_avs_is_firmware_loaded(struct private_data *priv)
>
> static unsigned int brcm_avs_cpufreq_get(unsigned int cpu)
> {
> - struct cpufreq_policy *policy = cpufreq_cpu_get(cpu);
> - struct private_data *priv = policy->driver_data;
> + struct cpufreq_policy *policy = cpufreq_cpu_get_raw(cpu);
> + struct private_data *priv;
> +
> + if (!policy)
> + return 0;
> +
Since we always reach here after the cpufreq driver is registered, we
may not need to check the policy pointer at all.
> + priv = policy->driver_data;
> + if (!priv || !priv->base)
> + return 0;
Can there be a case where priv or priv->base is set to NULL for this
driver? I don't think so, and so this may not be required.
>
> return brcm_avs_get_frequency(priv->base);
> }
> --
> 1.9.1
--
viresh
* Re: [PATCH v2] cpufreq: brcmstb-avs-cpufreq: avoid potential stuck and UAF risk
From: chenqiwu @ 2020-01-06 7:09 UTC (permalink / raw)
To: Viresh Kumar
Cc: mmayer, bcm-kernel-feedback-list, rjw, f.fainelli, linux-pm,
linux-arm-kernel
On Mon, Jan 06, 2020 at 11:26:37AM +0530, Viresh Kumar wrote:
> On 05-01-20, 20:50, qiwuchen55@gmail.com wrote:
> > From: chenqiwu <chenqiwu@xiaomi.com>
> >
> > brcm_avs_cpufreq_get() calls cpufreq_cpu_get() to get cpufreq policy,
> > meanwhile, it also increments the kobject reference count of policy to
> > mark it busy. However, a corresponding call of cpufreq_cpu_put() is
> > ignored to decrement the kobject reference count back, which may lead
> > to a potential stuck risk that percpu cpuhp thread deadly waits for
> > dropping of kobject refcount when percpu cpufreq policy free.
> >
> > The call trace of stuck risk could be:
> > cpufreq_online() //If cpufreq online failed, goto out_free_policy.
> > ->cpufreq_policy_free() //Do cpufreq_policy free.
> > ->cpufreq_policy_put_kobj()
> > ->kobject_put() //Skip if policy kfref count is not 1.
> > ->cpufreq_sysfs_release()
> > ->complete() //Complete policy->kobj_unregister.
> > ->wait_for_completion() //Wait for policy->kobj_unregister.
> >
> > A simple way to avoid this stuck risk is use cpufreq_cpu_get_raw()
> > instead of cpufreq_cpu_get(), since this can be easily exercised by
> > attempting to force an unbind of the CPUfreq driver.
> >
> > Signed-off-by: chenqiwu <chenqiwu@xiaomi.com>
> > ---
> > drivers/cpufreq/brcmstb-avs-cpufreq.c | 11 +++++++++--
> > 1 file changed, 9 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/cpufreq/brcmstb-avs-cpufreq.c b/drivers/cpufreq/brcmstb-avs-cpufreq.c
> > index 77b0e5d..6d2bf5c 100644
> > --- a/drivers/cpufreq/brcmstb-avs-cpufreq.c
> > +++ b/drivers/cpufreq/brcmstb-avs-cpufreq.c
> > @@ -452,8 +452,15 @@ static bool brcm_avs_is_firmware_loaded(struct private_data *priv)
> >
> > static unsigned int brcm_avs_cpufreq_get(unsigned int cpu)
> > {
> > - struct cpufreq_policy *policy = cpufreq_cpu_get(cpu);
> > - struct private_data *priv = policy->driver_data;
> > + struct cpufreq_policy *policy = cpufreq_cpu_get_raw(cpu);
> > + struct private_data *priv;
> > +
> > + if (!policy)
> > + return 0;
> > +
>
> Since we always reach here after the cpufreq driver is registered, we
> may not need to check the policy pointer at all.
>
> > + priv = policy->driver_data;
> > + if (!priv || !priv->base)
> > + return 0;
>
> Can there be a case where priv or priv->base be set to NULL for this
> driver ? I don't think so and so this may not be required.
>
Hi Viresh,
There could be a case as in the description of this patch, besides when
brcm_avs_driver unloads, since cpufreq_policy_free() will free
the mm of cpufreq_policy at the last moment.
Thanks!
Qiwu
> >
> > return brcm_avs_get_frequency(priv->base);
> > }
> > --
> > 1.9.1
>
> --
> viresh
* Re: [PATCH v2] cpufreq: brcmstb-avs-cpufreq: avoid potential stuck and UAF risk
From: Viresh Kumar @ 2020-01-06 7:31 UTC (permalink / raw)
To: chenqiwu
Cc: mmayer, bcm-kernel-feedback-list, rjw, f.fainelli, linux-pm,
linux-arm-kernel
On 06-01-20, 15:09, chenqiwu wrote:
> There could be a case as the description of this patch besides
> brcm_avs_driver unloads. Since cpufreq_policy_free() will free
> the mm of cpufreq_policy at the last moment.
Ahh, right. Please fix the other "policy" thing I reported and resend
the patch then.
--
viresh
* Re: [PATCH v2] cpufreq: brcmstb-avs-cpufreq: avoid potential stuck and UAF risk
From: chenqiwu @ 2020-01-19 2:25 UTC (permalink / raw)
To: Viresh Kumar
Cc: mmayer, bcm-kernel-feedback-list, rjw, f.fainelli, linux-pm,
linux-arm-kernel
On Mon, Jan 06, 2020 at 01:01:09PM +0530, Viresh Kumar wrote:
> On 06-01-20, 15:09, chenqiwu wrote:
> > There could be a case as the description of this patch besides
> > brcm_avs_driver unloads. Since cpufreq_policy_free() will free
> > the mm of cpufreq_policy at the last moment.
>
> Ahh, right. Please fix the other "policy" thing I reported and resend
> the patch then.
>
> --
> viresh
Hi,
Any progress on this patch?
Qiwu
* Re: [PATCH v2] cpufreq: brcmstb-avs-cpufreq: avoid potential stuck and UAF risk
From: Florian Fainelli @ 2020-01-19 4:12 UTC (permalink / raw)
To: chenqiwu, Viresh Kumar
Cc: mmayer, bcm-kernel-feedback-list, rjw, linux-pm, linux-arm-kernel
On 1/18/2020 6:25 PM, chenqiwu wrote:
> On Mon, Jan 06, 2020 at 01:01:09PM +0530, Viresh Kumar wrote:
>> On 06-01-20, 15:09, chenqiwu wrote:
>>> There could be a case as the description of this patch besides
>>> brcm_avs_driver unloads. Since cpufreq_policy_free() will free
>>> the mm of cpufreq_policy at the last moment.
>>
>> Ahh, right. Please fix the other "policy" thing I reported and resend
>> the patch then.
>>
>> --
>> viresh
> Hi,
> Any progress about this patch?
Viresh gave you some feedback to address, so my understanding is that we
should see a v3.
--
Florian