From: "Rafael J. Wysocki" <rafael@kernel.org>
To: Viresh Kumar <viresh.kumar@linaro.org>
Cc: Dmitry Osipenko <digetx@gmail.com>,
Rafael Wysocki <rjw@rjwysocki.net>,
Linux PM <linux-pm@vger.kernel.org>,
Vincent Guittot <vincent.guittot@linaro.org>,
Matthias Kaehlcke <mka@chromium.org>,
Ulf Hansson <ulf.hansson@linaro.org>,
Stephen Rothwell <sfr@canb.auug.org.au>,
Pavel Machek <pavel@ucw.cz>,
"Rafael J . Wysocki" <rafael.j.wysocki@intel.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-tegra <linux-tegra@vger.kernel.org>
Subject: Re: [PATCH V7 5/7] cpufreq: Register notifiers with the PM QoS framework
Date: Tue, 15 Oct 2019 17:53:04 +0200 [thread overview]
Message-ID: <CAJZ5v0g3kRfa2WXy=xz3Mj15Pwb5tm1xg=uPODoifnv70O1ORA@mail.gmail.com> (raw)
In-Reply-To: <20191015114637.pcdbs2ctxl4xoxdo@vireshk-i7>
On Tue, Oct 15, 2019 at 1:46 PM Viresh Kumar <viresh.kumar@linaro.org> wrote:
>
> On 22-09-19, 23:12, Dmitry Osipenko wrote:
> > Hello Viresh,
> >
> > This patch causes use-after-free on a cpufreq driver module reload. Please take a look, thanks in advance.
> >
> >
> > [ 87.952369] ==================================================================
> > [ 87.953259] BUG: KASAN: use-after-free in notifier_chain_register+0x4f/0x9c
> > [ 87.954031] Read of size 4 at addr e6abbd0c by task modprobe/243
> >
> > [ 87.954901] CPU: 1 PID: 243 Comm: modprobe Tainted: G W
> > 5.3.0-next-20190920-00185-gf61698eab956-dirty #2408
> > [ 87.956077] Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
> > [ 87.956807] [<c0110aad>] (unwind_backtrace) from [<c010bb71>] (show_stack+0x11/0x14)
> > [ 87.957709] [<c010bb71>] (show_stack) from [<c0d37b25>] (dump_stack+0x89/0x98)
> > [ 87.958616] [<c0d37b25>] (dump_stack) from [<c02937e1>]
> > (print_address_description.constprop.0+0x3d/0x340)
> > [ 87.959785] [<c02937e1>] (print_address_description.constprop.0) from [<c0293c6b>]
> > (__kasan_report+0xe3/0x12c)
> > [ 87.960907] [<c0293c6b>] (__kasan_report) from [<c014988f>] (notifier_chain_register+0x4f/0x9c)
> > [ 87.962001] [<c014988f>] (notifier_chain_register) from [<c01499b5>]
> > (blocking_notifier_chain_register+0x29/0x3c)
> > [ 87.963180] [<c01499b5>] (blocking_notifier_chain_register) from [<c06f7ee9>]
> > (dev_pm_qos_add_notifier+0x79/0xf8)
> > [ 87.964339] [<c06f7ee9>] (dev_pm_qos_add_notifier) from [<c092927d>] (cpufreq_online+0x5e1/0x8a4)
> > [ 87.965351] [<c092927d>] (cpufreq_online) from [<c09295c9>] (cpufreq_add_dev+0x79/0x80)
> > [ 87.966247] [<c09295c9>] (cpufreq_add_dev) from [<c06eb9d3>] (subsys_interface_register+0xc3/0x100)
> > [ 87.967297] [<c06eb9d3>] (subsys_interface_register) from [<c0926e53>]
> > (cpufreq_register_driver+0x13b/0x1ec)
> > [ 87.968476] [<c0926e53>] (cpufreq_register_driver) from [<bf800435>]
> > (tegra20_cpufreq_probe+0x165/0x1a8 [tegra20_cpufreq])
>
> Hi Dmitry,
>
> Thanks for the bug report and I was finally able to reproduce it at my end and
> this was quite an interesting debugging exercise :)
>
> When a cpufreq driver gets registered, we register with the subsys interface and
> it calls cpufreq_add_dev() for each CPU, starting from CPU0. And so the QoS
> notifiers get added to the first CPU of the policy, i.e. CPU0 in common cases.
>
> When the cpufreq driver gets unregistered, we unregister with the subsys
> interface and it calls cpufreq_remove_dev() for each CPU, starting from CPU0
> (should have been in reverse order I feel). We remove the QoS notifier only when
> cpufreq_remove_dev() gets called for the last CPU of the policy, lets call it
> CPUx. Now this has a different notifier list as compared to CPU0.
The same problem will appear if the original policy CPU goes offline, won't it?
> In short, we are adding the cpufreq notifiers to CPU0 and removing them from
> CPUx. When we try to add it again by inserting the module for second time, we
> find a node in the notifier list which is already freed but still in the list as
> we removed it from CPUx's list (which doesn't do anything as the node wasn't
> there in the first place).
>
> @Rafael: How do you see we solve this problem ? Here are the options I could
> think of:
>
> - Update subsys layer to reverse the order of devices while unregistering (this
> will fix the current problem, but we will still have corner cases hanging
> around, like if the CPU0 is hotplugged out, etc).
This isn't sufficient for the offline case.
> - Update QoS framework with the knowledge of related CPUs, this has been pending
> until now from my side. And this is the thing we really need to do. Eventually
> we shall have only a single notifier list for all CPUs of a policy, at least
> for MIN/MAX frequencies.
- Move the PM QoS requests and notifiers to the new policy CPU on all
changes of that. That is, when cpufreq_offline() nominates the new
"leader", all of the QoS stuff for the policy needs to go to this one.
Of course, the reverse order of unregistration in the subsys layer
would help to avoid some useless churn related to that.
next prev parent reply other threads:[~2019-10-15 15:53 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-04 7:36 [PATCH V6 0/7] cpufreq: Use QoS layer to manage freq-constraints Viresh Kumar
2019-07-04 7:36 ` [PATCH V6 1/7] PM / QOS: Pass request type to dev_pm_qos_{add|remove}_notifier() Viresh Kumar
2019-07-04 7:36 ` [PATCH V6 2/7] PM / QOS: Rename __dev_pm_qos_read_value() and dev_pm_qos_raw_read_value() Viresh Kumar
2019-07-04 7:36 ` [PATCH V6 3/7] PM / QOS: Pass request type to dev_pm_qos_read_value() Viresh Kumar
2019-07-04 7:36 ` [PATCH V6 4/7] PM / QoS: Add support for MIN/MAX frequency constraints Viresh Kumar
2019-07-04 7:36 ` [PATCH V6 5/7] cpufreq: Register notifiers with the PM QoS framework Viresh Kumar
2019-07-08 10:57 ` [PATCH V7 " Viresh Kumar
2019-09-22 20:12 ` Dmitry Osipenko
2019-09-23 13:56 ` Viresh Kumar
2019-09-23 17:27 ` Dmitry Osipenko
2019-10-14 9:42 ` Viresh Kumar
2019-10-14 13:01 ` Dmitry Osipenko
2019-10-15 11:46 ` Viresh Kumar
2019-10-15 13:45 ` Dmitry Osipenko
2019-10-15 15:53 ` Rafael J. Wysocki [this message]
2019-10-15 21:50 ` Rafael J. Wysocki
2019-10-16 8:27 ` Viresh Kumar
2019-10-16 8:43 ` Rafael J. Wysocki
2019-07-04 7:36 ` [PATCH V6 6/7] cpufreq: intel_pstate: Reuse refresh_frequency_limits() Viresh Kumar
2019-07-04 7:36 ` [PATCH V6 7/7] cpufreq: Add QoS requests for userspace constraints Viresh Kumar
2019-07-05 10:51 ` [PATCH V7 " Viresh Kumar
2019-07-05 11:17 ` Rafael J. Wysocki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJZ5v0g3kRfa2WXy=xz3Mj15Pwb5tm1xg=uPODoifnv70O1ORA@mail.gmail.com' \
--to=rafael@kernel.org \
--cc=digetx@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=linux-tegra@vger.kernel.org \
--cc=mka@chromium.org \
--cc=pavel@ucw.cz \
--cc=rafael.j.wysocki@intel.com \
--cc=rjw@rjwysocki.net \
--cc=sfr@canb.auug.org.au \
--cc=ulf.hansson@linaro.org \
--cc=vincent.guittot@linaro.org \
--cc=viresh.kumar@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).