linux-pm.vger.kernel.org archive mirror
* [PATCH v2] cpufreq: brcmstb-avs-cpufreq: avoid potential stuck and UAF risk
@ 2020-01-05 12:50 qiwuchen55
  2020-01-06  5:56 ` Viresh Kumar
  0 siblings, 1 reply; 6+ messages in thread
From: qiwuchen55 @ 2020-01-05 12:50 UTC (permalink / raw)
  To: mmayer, rjw, viresh.kumar, f.fainelli
  Cc: bcm-kernel-feedback-list, linux-pm, linux-arm-kernel, chenqiwu

From: chenqiwu <chenqiwu@xiaomi.com>

brcm_avs_cpufreq_get() calls cpufreq_cpu_get() to get the cpufreq policy,
which also increments the kobject reference count of the policy to
mark it busy. However, the corresponding call to cpufreq_cpu_put() that
would decrement the kobject reference count is omitted, which may lead
to a potential hang where the percpu cpuhp thread waits forever for the
kobject refcount to drop when the percpu cpufreq policy is freed.

The call trace of the hang could be:
cpufreq_online()  //If cpufreq online failed, goto out_free_policy.
    ->cpufreq_policy_free()     //Do cpufreq_policy free.
        ->cpufreq_policy_put_kobj()
            ->kobject_put()       //Skip if policy kref count is not 1.
                ->cpufreq_sysfs_release()
                    ->complete()  //Complete policy->kobj_unregister.
                ->wait_for_completion() //Wait for policy->kobj_unregister.

A simple way to avoid this hang is to use cpufreq_cpu_get_raw()
instead of cpufreq_cpu_get(), since this can be easily exercised by
attempting to force an unbind of the CPUfreq driver.

Signed-off-by: chenqiwu <chenqiwu@xiaomi.com>
---
 drivers/cpufreq/brcmstb-avs-cpufreq.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/cpufreq/brcmstb-avs-cpufreq.c b/drivers/cpufreq/brcmstb-avs-cpufreq.c
index 77b0e5d..6d2bf5c 100644
--- a/drivers/cpufreq/brcmstb-avs-cpufreq.c
+++ b/drivers/cpufreq/brcmstb-avs-cpufreq.c
@@ -452,8 +452,15 @@ static bool brcm_avs_is_firmware_loaded(struct private_data *priv)
 
 static unsigned int brcm_avs_cpufreq_get(unsigned int cpu)
 {
-	struct cpufreq_policy *policy = cpufreq_cpu_get(cpu);
-	struct private_data *priv = policy->driver_data;
+	struct cpufreq_policy *policy = cpufreq_cpu_get_raw(cpu);
+	struct private_data *priv;
+
+	if (!policy)
+		return 0;
+
+	priv = policy->driver_data;
+	if (!priv || !priv->base)
+		return 0;
 
 	return brcm_avs_get_frequency(priv->base);
 }
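Review bot: replacing cpufreq_cpu_get() with cpufreq_cpu_get_raw() at the top of the hunk removes the leaked reference by taking no reference at all, so the new `if (!policy)` check only covers a policy that was never set up, not a policy being torn down while this callback reads priv->base; if the subject's UAF is meant to be addressed too, the more defensive fix is to keep cpufreq_cpu_get() and add the missing cpufreq_cpu_put(), i.e. `freq = brcm_avs_get_frequency(priv->base); cpufreq_cpu_put(policy); return freq;`. The commit message never explains how the UAF arises, so either describe it or drop "UAF" from the subject. The `!priv || !priv->base` check also needs a sentence in the message saying when driver_data or base can be NULL on a live policy; without that, returning 0 here silently reports an unknown frequency instead of surfacing a real driver bug.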
-- 
1.9.1


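The reference leak the commit message describes, as an added user-space model that is not the driver's or the cpufreq core's code: the kernel calls are replaced by stand-ins with the same names that keep only the behaviour the call trace relies on (kobject_put() runs the release only on the last reference, and the release is what completes kobj_unregister). The policy layout, NR_CPUS, and the cpu 0 / 1200000 kHz sample values are assumptions. The three ->get() variants are the pre-patch callback, a balanced get/put pair, and the patch's raw lookup; run_scenario() returns how many references are still held when the core expects the release to have run, so a non-zero result is exactly the case where the real wait_for_completion() would never return.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NR_CPUS 4   /* assumption for the model */

struct completion { bool done; };

/* Cut-down stand-in for struct cpufreq_policy: only the fields the
 * commit message's call trace touches. */
struct policy {
	int kref;                          /* kobject refcount, 1 after alloc */
	struct completion kobj_unregister;
	unsigned int cur_khz;              /* stands in for driver_data->base */
};

static struct policy *cpufreq_cpu_data[NR_CPUS];

static void complete(struct completion *c) { c->done = true; }

/* In the kernel this blocks until complete() is called; the model only
 * reports whether it would have returned, so a leak stays observable. */
static bool wait_for_completion(struct completion *c) { return c->done; }

static void cpufreq_sysfs_release(struct policy *p)
{
	complete(&p->kobj_unregister);
}

/* Release runs only when the last reference is dropped. */
static void kobject_put(struct policy *p)
{
	if (--p->kref == 0)
		cpufreq_sysfs_release(p);
}

/* Lookup without taking a reference. */
static struct policy *cpufreq_cpu_get_raw(unsigned int cpu)
{
	return cpu < NR_CPUS ? cpufreq_cpu_data[cpu] : NULL;
}

/* Lookup that marks the policy busy; must be paired with _put(). */
static struct policy *cpufreq_cpu_get(unsigned int cpu)
{
	struct policy *p = cpufreq_cpu_get_raw(cpu);

	if (p)
		p->kref++;
	return p;
}

static void cpufreq_cpu_put(struct policy *p) { kobject_put(p); }

/* 1. The pre-patch callback: takes a reference and never drops it. */
static unsigned int get_freq_leaky(unsigned int cpu)
{
	struct policy *p = cpufreq_cpu_get(cpu);

	return p ? p->cur_khz : 0;
}

/* 2. Hold the reference while reading, then drop it. */
static unsigned int get_freq_balanced(unsigned int cpu)
{
	struct policy *p = cpufreq_cpu_get(cpu);
	unsigned int khz;

	if (!p)
		return 0;
	khz = p->cur_khz;
	cpufreq_cpu_put(p);
	return khz;
}

/* 3. The patch's choice: never take a reference. */
static unsigned int get_freq_raw(unsigned int cpu)
{
	struct policy *p = cpufreq_cpu_get_raw(cpu);

	return p ? p->cur_khz : 0;
}

/* cpufreq_policy_free() -> cpufreq_policy_put_kobj() from the call trace.
 * Returns references still held after the core dropped its own: 0 means
 * the release ran, anything else means the kernel would wait forever. */
static int policy_free(unsigned int cpu)
{
	struct policy *p = cpufreq_cpu_data[cpu];

	cpufreq_cpu_data[cpu] = NULL;
	kobject_put(p);
	if (!wait_for_completion(&p->kobj_unregister))
		return p->kref;            /* leaked references */
	return 0;
}

/* Register a policy on cpu 0, call ->get() 'calls' times, then tear the
 * policy down as cpufreq_online()'s error path would. */
static int run_scenario(unsigned int (*get)(unsigned int), int calls)
{
	struct policy pol = { 1, { false }, 1200000 };   /* constructed sample */
	int i;

	cpufreq_cpu_data[0] = &pol;
	for (i = 0; i < calls; i++)
		get(0);
	return policy_free(0);
}

int main(void)
{
	printf("leaky    : %d leaked ref(s)\n", run_scenario(get_freq_leaky, 2));
	printf("balanced : %d leaked ref(s)\n", run_scenario(get_freq_balanced, 2));
	printf("raw      : %d leaked ref(s)\n", run_scenario(get_freq_raw, 2));
	return 0;
}
```

Only the leaky variant leaves references behind, and it leaves one per call, which is why the teardown in the call trace never sees the completion; both the balanced pair and the raw lookup let the release run. The model says nothing about the second half of the subject, since a raw pointer that is never referenced is protected only by whatever serialisation the caller holds.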

* Re: [PATCH v2] cpufreq: brcmstb-avs-cpufreq: avoid potential stuck and UAF risk
  2020-01-05 12:50 [PATCH v2] cpufreq: brcmstb-avs-cpufreq: avoid potential stuck and UAF risk qiwuchen55
@ 2020-01-06  5:56 ` Viresh Kumar
  2020-01-06  7:09   ` chenqiwu
  0 siblings, 1 reply; 6+ messages in thread
From: Viresh Kumar @ 2020-01-06  5:56 UTC (permalink / raw)
  To: qiwuchen55
  Cc: mmayer, rjw, f.fainelli, bcm-kernel-feedback-list, linux-pm,
	linux-arm-kernel, chenqiwu

On 05-01-20, 20:50, qiwuchen55@gmail.com wrote:
> From: chenqiwu <chenqiwu@xiaomi.com>
> 
> brcm_avs_cpufreq_get() calls cpufreq_cpu_get() to get the cpufreq policy,
> which also increments the kobject reference count of the policy to
> mark it busy. However, the corresponding call to cpufreq_cpu_put() that
> would decrement the kobject reference count is omitted, which may lead
> to a potential hang where the percpu cpuhp thread waits forever for the
> kobject refcount to drop when the percpu cpufreq policy is freed.
> 
> The call trace of the hang could be:
> cpufreq_online()  //If cpufreq online failed, goto out_free_policy.
>     ->cpufreq_policy_free()     //Do cpufreq_policy free.
>         ->cpufreq_policy_put_kobj()
>             ->kobject_put()       //Skip if policy kref count is not 1.
>                 ->cpufreq_sysfs_release()
>                     ->complete()  //Complete policy->kobj_unregister.
>                 ->wait_for_completion() //Wait for policy->kobj_unregister.
> 
> A simple way to avoid this hang is to use cpufreq_cpu_get_raw()
> instead of cpufreq_cpu_get(), since this can be easily exercised by
> attempting to force an unbind of the CPUfreq driver.
> 
> Signed-off-by: chenqiwu <chenqiwu@xiaomi.com>
> ---
>  drivers/cpufreq/brcmstb-avs-cpufreq.c | 11 +++++++++--
>  1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/cpufreq/brcmstb-avs-cpufreq.c b/drivers/cpufreq/brcmstb-avs-cpufreq.c
> index 77b0e5d..6d2bf5c 100644
> --- a/drivers/cpufreq/brcmstb-avs-cpufreq.c
> +++ b/drivers/cpufreq/brcmstb-avs-cpufreq.c
> @@ -452,8 +452,15 @@ static bool brcm_avs_is_firmware_loaded(struct private_data *priv)
>  
>  static unsigned int brcm_avs_cpufreq_get(unsigned int cpu)
>  {
> -	struct cpufreq_policy *policy = cpufreq_cpu_get(cpu);
> -	struct private_data *priv = policy->driver_data;
> +	struct cpufreq_policy *policy = cpufreq_cpu_get_raw(cpu);
> +	struct private_data *priv;
> +
> +	if (!policy)
> +		return 0;
> +

Since we always reach here after the cpufreq driver is registered, we
may not need to check the policy pointer at all.

> +	priv = policy->driver_data;
> +	if (!priv || !priv->base)
> +		return 0;

Can there be a case where priv or priv->base is set to NULL for this
driver? I don't think so, and so this may not be required.

>  
>  	return brcm_avs_get_frequency(priv->base);
>  }
> -- 
> 1.9.1

-- 
viresh


* Re: [PATCH v2] cpufreq: brcmstb-avs-cpufreq: avoid potential stuck and UAF risk
  2020-01-06  5:56 ` Viresh Kumar
@ 2020-01-06  7:09   ` chenqiwu
  2020-01-06  7:31     ` Viresh Kumar
  0 siblings, 1 reply; 6+ messages in thread
From: chenqiwu @ 2020-01-06  7:09 UTC (permalink / raw)
  To: Viresh Kumar
  Cc: mmayer, bcm-kernel-feedback-list, rjw, f.fainelli, linux-pm,
	linux-arm-kernel

On Mon, Jan 06, 2020 at 11:26:37AM +0530, Viresh Kumar wrote:
> On 05-01-20, 20:50, qiwuchen55@gmail.com wrote:
> > From: chenqiwu <chenqiwu@xiaomi.com>
> > 
> > brcm_avs_cpufreq_get() calls cpufreq_cpu_get() to get the cpufreq policy,
> > which also increments the kobject reference count of the policy to
> > mark it busy. However, the corresponding call to cpufreq_cpu_put() that
> > would decrement the kobject reference count is omitted, which may lead
> > to a potential hang where the percpu cpuhp thread waits forever for the
> > kobject refcount to drop when the percpu cpufreq policy is freed.
> > 
> > The call trace of the hang could be:
> > cpufreq_online()  //If cpufreq online failed, goto out_free_policy.
> >     ->cpufreq_policy_free()     //Do cpufreq_policy free.
> >         ->cpufreq_policy_put_kobj()
> >             ->kobject_put()       //Skip if policy kref count is not 1.
> >                 ->cpufreq_sysfs_release()
> >                     ->complete()  //Complete policy->kobj_unregister.
> >                 ->wait_for_completion() //Wait for policy->kobj_unregister.
> > 
> > A simple way to avoid this hang is to use cpufreq_cpu_get_raw()
> > instead of cpufreq_cpu_get(), since this can be easily exercised by
> > attempting to force an unbind of the CPUfreq driver.
> > 
> > Signed-off-by: chenqiwu <chenqiwu@xiaomi.com>
> > ---
> >  drivers/cpufreq/brcmstb-avs-cpufreq.c | 11 +++++++++--
> >  1 file changed, 9 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/cpufreq/brcmstb-avs-cpufreq.c b/drivers/cpufreq/brcmstb-avs-cpufreq.c
> > index 77b0e5d..6d2bf5c 100644
> > --- a/drivers/cpufreq/brcmstb-avs-cpufreq.c
> > +++ b/drivers/cpufreq/brcmstb-avs-cpufreq.c
> > @@ -452,8 +452,15 @@ static bool brcm_avs_is_firmware_loaded(struct private_data *priv)
> >  
> >  static unsigned int brcm_avs_cpufreq_get(unsigned int cpu)
> >  {
> > -	struct cpufreq_policy *policy = cpufreq_cpu_get(cpu);
> > -	struct private_data *priv = policy->driver_data;
> > +	struct cpufreq_policy *policy = cpufreq_cpu_get_raw(cpu);
> > +	struct private_data *priv;
> > +
> > +	if (!policy)
> > +		return 0;
> > +
> 
> Since we always reach here after the cpufreq driver is registered, we
> may not need to check the policy pointer at all.
> 
> > +	priv = policy->driver_data;
> > +	if (!priv || !priv->base)
> > +		return 0;
> 
> Can there be a case where priv or priv->base is set to NULL for this
> driver? I don't think so, and so this may not be required.
>

Hi Viresh,
There could be such a case, as in the description of this patch, besides
the brcm_avs_driver unloading, since cpufreq_policy_free() will free
the memory of cpufreq_policy at the last moment.

Thanks!
Qiwu

> >  
> >  	return brcm_avs_get_frequency(priv->base);
> >  }
> > -- 
> > 1.9.1
> 
> -- 
> viresh



* Re: [PATCH v2] cpufreq: brcmstb-avs-cpufreq: avoid potential stuck and UAF risk
  2020-01-06  7:09   ` chenqiwu
@ 2020-01-06  7:31     ` Viresh Kumar
  2020-01-19  2:25       ` chenqiwu
  0 siblings, 1 reply; 6+ messages in thread
From: Viresh Kumar @ 2020-01-06  7:31 UTC (permalink / raw)
  To: chenqiwu
  Cc: mmayer, bcm-kernel-feedback-list, rjw, f.fainelli, linux-pm,
	linux-arm-kernel

On 06-01-20, 15:09, chenqiwu wrote:
> There could be such a case, as in the description of this patch, besides
> the brcm_avs_driver unloading, since cpufreq_policy_free() will free
> the memory of cpufreq_policy at the last moment.

Ahh, right. Please fix the other "policy" thing I reported and resend
the patch then.

-- 
viresh


* Re: [PATCH v2] cpufreq: brcmstb-avs-cpufreq: avoid potential stuck and UAF risk
  2020-01-06  7:31     ` Viresh Kumar
@ 2020-01-19  2:25       ` chenqiwu
  2020-01-19  4:12         ` Florian Fainelli
  0 siblings, 1 reply; 6+ messages in thread
From: chenqiwu @ 2020-01-19  2:25 UTC (permalink / raw)
  To: Viresh Kumar
  Cc: mmayer, bcm-kernel-feedback-list, rjw, f.fainelli, linux-pm,
	linux-arm-kernel

On Mon, Jan 06, 2020 at 01:01:09PM +0530, Viresh Kumar wrote:
> On 06-01-20, 15:09, chenqiwu wrote:
> > There could be such a case, as in the description of this patch, besides
> > the brcm_avs_driver unloading, since cpufreq_policy_free() will free
> > the memory of cpufreq_policy at the last moment.
> 
> Ahh, right. Please fix the other "policy" thing I reported and resend
> the patch then.
> 
> -- 
> viresh
Hi,
Any progress on this patch?

Qiwu


* Re: [PATCH v2] cpufreq: brcmstb-avs-cpufreq: avoid potential stuck and UAF risk
  2020-01-19  2:25       ` chenqiwu
@ 2020-01-19  4:12         ` Florian Fainelli
  0 siblings, 0 replies; 6+ messages in thread
From: Florian Fainelli @ 2020-01-19  4:12 UTC (permalink / raw)
  To: chenqiwu, Viresh Kumar
  Cc: mmayer, bcm-kernel-feedback-list, rjw, linux-pm, linux-arm-kernel



On 1/18/2020 6:25 PM, chenqiwu wrote:
> On Mon, Jan 06, 2020 at 01:01:09PM +0530, Viresh Kumar wrote:
>> On 06-01-20, 15:09, chenqiwu wrote:
>>> There could be such a case, as in the description of this patch, besides
>>> the brcm_avs_driver unloading, since cpufreq_policy_free() will free
>>> the memory of cpufreq_policy at the last moment.
>>
>> Ahh, right. Please fix the other "policy" thing I reported and resend
>> the patch then.
>>
>> -- 
>> viresh
> Hi,
> Any progress on this patch?

Viresh gave you some feedback to address, so my understanding is that we
should see a v3.
-- 
Florian
