linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] tty: serial: owl: Fix data race in owl_uart_remove
@ 2021-06-17 11:04 Saubhik Mukherjee
  2021-06-17 11:22 ` Greg KH
  0 siblings, 1 reply; 7+ messages in thread
From: Saubhik Mukherjee @ 2021-06-17 11:04 UTC (permalink / raw)
  To: gregkh, jirislaby
  Cc: Saubhik Mukherjee, linux-serial, linux-kernel, ldv-project, andrianov

Suppose the driver is registered and a UART port is added. Once an
application opens the port, owl_uart_startup is called which registers
the interrupt handler owl_uart_irq.

We could have the following race condition:

When device is removed, owl_uart_remove is called, which calls
uart_remove_one_port, which calls owl_uart_release_port, which writes
NULL to port->membase. At this point parallely, an interrupt could be
handled by owl_uart_irq which reads port->membase.

This is because it is possible to remove device without closing a port.
Thus, we need to check it and call owl_uart_shutdown in owl_uart_remove.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Saubhik Mukherjee <saubhik.mukherjee@gmail.com>
---
 drivers/tty/serial/owl-uart.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/tty/serial/owl-uart.c b/drivers/tty/serial/owl-uart.c
index 91f1eb0058d7..ac4e3aae2719 100644
--- a/drivers/tty/serial/owl-uart.c
+++ b/drivers/tty/serial/owl-uart.c
@@ -751,8 +751,15 @@ static int owl_uart_probe(struct platform_device *pdev)
 static int owl_uart_remove(struct platform_device *pdev)
 {
 	struct owl_uart_port *owl_port = platform_get_drvdata(pdev);
+	struct uart_port *port = &owl_port->port;
 
-	uart_remove_one_port(&owl_uart_driver, &owl_port->port);
+	/* It is possible to release device without closing a port.
+	 * Thus, need to check it and call shutdown.
+	 */
+	if (owl_uart_read(port, OWL_UART_CTL) & OWL_UART_CTL_EN)
+		owl_uart_shutdown(port);
+
+	uart_remove_one_port(&owl_uart_driver, port);
 	owl_uart_ports[pdev->id] = NULL;
 	clk_disable_unprepare(owl_port->clk);
 
-- 
2.30.2


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] tty: serial: owl: Fix data race in owl_uart_remove
  2021-06-17 11:04 [PATCH] tty: serial: owl: Fix data race in owl_uart_remove Saubhik Mukherjee
@ 2021-06-17 11:22 ` Greg KH
  2021-06-23  5:36   ` Saubhik Mukherjee
  0 siblings, 1 reply; 7+ messages in thread
From: Greg KH @ 2021-06-17 11:22 UTC (permalink / raw)
  To: Saubhik Mukherjee
  Cc: jirislaby, linux-serial, linux-kernel, ldv-project, andrianov

On Thu, Jun 17, 2021 at 04:34:43PM +0530, Saubhik Mukherjee wrote:
> Suppose the driver is registered and a UART port is added. Once an
> application opens the port, owl_uart_startup is called which registers
> the interrupt handler owl_uart_irq.
> 
> We could have the following race condition:
> 
> When device is removed, owl_uart_remove is called, which calls
> uart_remove_one_port, which calls owl_uart_release_port, which writes
> NULL to port->membase. At this point parallely, an interrupt could be
> handled by owl_uart_irq which reads port->membase.
> 
> This is because it is possible to remove device without closing a port.
> Thus, we need to check it and call owl_uart_shutdown in owl_uart_remove.
> 
> Found by Linux Driver Verification project (linuxtesting.org).
> 
> Signed-off-by: Saubhik Mukherjee <saubhik.mukherjee@gmail.com>
> ---
>  drivers/tty/serial/owl-uart.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/tty/serial/owl-uart.c b/drivers/tty/serial/owl-uart.c
> index 91f1eb0058d7..ac4e3aae2719 100644
> --- a/drivers/tty/serial/owl-uart.c
> +++ b/drivers/tty/serial/owl-uart.c
> @@ -751,8 +751,15 @@ static int owl_uart_probe(struct platform_device *pdev)
>  static int owl_uart_remove(struct platform_device *pdev)
>  {
>  	struct owl_uart_port *owl_port = platform_get_drvdata(pdev);
> +	struct uart_port *port = &owl_port->port;
>  
> -	uart_remove_one_port(&owl_uart_driver, &owl_port->port);
> +	/* It is possible to release device without closing a port.
> +	 * Thus, need to check it and call shutdown.
> +	 */
> +	if (owl_uart_read(port, OWL_UART_CTL) & OWL_UART_CTL_EN)
> +		owl_uart_shutdown(port);

How is this read determining if the device is here or not?  And what
happens if the state change happens right _after_ the check?

Also, your comment style is for networking, not the rest of the kernel
:)

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] tty: serial: owl: Fix data race in owl_uart_remove
  2021-06-17 11:22 ` Greg KH
@ 2021-06-23  5:36   ` Saubhik Mukherjee
  2021-06-23  7:16     ` Johan Hovold
  0 siblings, 1 reply; 7+ messages in thread
From: Saubhik Mukherjee @ 2021-06-23  5:36 UTC (permalink / raw)
  To: Greg KH; +Cc: jirislaby, linux-serial, linux-kernel, ldv-project, andrianov

On 6/17/21 4:52 PM, Greg KH wrote:
> On Thu, Jun 17, 2021 at 04:34:43PM +0530, Saubhik Mukherjee wrote:
>> Suppose the driver is registered and a UART port is added. Once an
>> application opens the port, owl_uart_startup is called which registers
>> the interrupt handler owl_uart_irq.
>>
>> We could have the following race condition:
>>
>> When device is removed, owl_uart_remove is called, which calls
>> uart_remove_one_port, which calls owl_uart_release_port, which writes
>> NULL to port->membase. At this point parallely, an interrupt could be
>> handled by owl_uart_irq which reads port->membase.
>>
>> This is because it is possible to remove device without closing a port.
>> Thus, we need to check it and call owl_uart_shutdown in owl_uart_remove.
>>
>> Found by Linux Driver Verification project (linuxtesting.org).
>>
>> Signed-off-by: Saubhik Mukherjee <saubhik.mukherjee@gmail.com>
>> ---
>>   drivers/tty/serial/owl-uart.c | 9 ++++++++-
>>   1 file changed, 8 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/tty/serial/owl-uart.c b/drivers/tty/serial/owl-uart.c
>> index 91f1eb0058d7..ac4e3aae2719 100644
>> --- a/drivers/tty/serial/owl-uart.c
>> +++ b/drivers/tty/serial/owl-uart.c
>> @@ -751,8 +751,15 @@ static int owl_uart_probe(struct platform_device *pdev)
>>   static int owl_uart_remove(struct platform_device *pdev)
>>   {
>>   	struct owl_uart_port *owl_port = platform_get_drvdata(pdev);
>> +	struct uart_port *port = &owl_port->port;
>>   
>> -	uart_remove_one_port(&owl_uart_driver, &owl_port->port);
>> +	/* It is possible to release device without closing a port.
>> +	 * Thus, need to check it and call shutdown.
>> +	 */
>> +	if (owl_uart_read(port, OWL_UART_CTL) & OWL_UART_CTL_EN)
>> +		owl_uart_shutdown(port);
> 
> How is this read determining if the device is here or not?  And what
> happens if the state change happens right _after_ the check?
> 
> Also, your comment style is for networking, not the rest of the kernel
> :)
Thank you for your comments. OWL_UART_CTL_EN is set during startup and 
cleared during shutdown. It is not used anywhere else. So, it is used to 
determine if the port is opened.

To avoid issue due to state change right after check, the patch is 
updated. A global mutex is used to avoid race between owl_uart_startup 
and owl_uart_remove. The port opened check is done inside owl_uart_shutdown.

Signed-off-by: Saubhik Mukherjee <saubhik.mukherjee@gmail.com>
---
  drivers/tty/serial/owl-uart.c | 27 ++++++++++++++++++++++-----
  1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/drivers/tty/serial/owl-uart.c b/drivers/tty/serial/owl-uart.c
index 91f1eb0058d7..7a17f4637ea2 100644
--- a/drivers/tty/serial/owl-uart.c
+++ b/drivers/tty/serial/owl-uart.c
@@ -68,6 +68,8 @@

  static struct uart_driver owl_uart_driver;

+static DEFINE_MUTEX(owl_uart_mutex);  /* race between startup & remove */
+
  struct owl_uart_info {
  	unsigned int tx_fifosize;
  };
@@ -283,13 +285,19 @@ static void owl_uart_shutdown(struct uart_port *port)
  	spin_lock_irqsave(&port->lock, flags);

  	val = owl_uart_read(port, OWL_UART_CTL);
-	val &= ~(OWL_UART_CTL_TXIE | OWL_UART_CTL_RXIE
-		| OWL_UART_CTL_TXDE | OWL_UART_CTL_RXDE | OWL_UART_CTL_EN);
-	owl_uart_write(port, val, OWL_UART_CTL);

-	spin_unlock_irqrestore(&port->lock, flags);
+	/* Check if port is opened */
+	if (val & OWL_UART_CTL_EN) {
+		val &= ~(OWL_UART_CTL_TXIE | OWL_UART_CTL_RXIE
+			| OWL_UART_CTL_TXDE | OWL_UART_CTL_RXDE | OWL_UART_CTL_EN);
+		owl_uart_write(port, val, OWL_UART_CTL);
+
+		spin_unlock_irqrestore(&port->lock, flags);

-	free_irq(port->irq, port);
+		free_irq(port->irq, port);
+	} else {
+		spin_unlock_irqrestore(&port->lock, flags);
+	}
  }

  static int owl_uart_startup(struct uart_port *port)
@@ -298,6 +306,8 @@ static int owl_uart_startup(struct uart_port *port)
  	unsigned long flags;
  	int ret;

+	mutex_lock(&owl_uart_mutex);
+
  	ret = request_irq(port->irq, owl_uart_irq, IRQF_TRIGGER_HIGH,
  			"owl-uart", port);
  	if (ret)
@@ -317,6 +327,7 @@ static int owl_uart_startup(struct uart_port *port)

  	spin_unlock_irqrestore(&port->lock, flags);

+	mutex_unlock(&owl_uart_mutex);
  	return 0;
  }

@@ -752,10 +763,16 @@ static int owl_uart_remove(struct platform_device 
*pdev)
  {
  	struct owl_uart_port *owl_port = platform_get_drvdata(pdev);

+	mutex_lock(&owl_uart_mutex);
+
+	/* Avoid removing port without closing */
+	owl_uart_shutdown(&owl_port->port);
+
  	uart_remove_one_port(&owl_uart_driver, &owl_port->port);
  	owl_uart_ports[pdev->id] = NULL;
  	clk_disable_unprepare(owl_port->clk);

+	mutex_unlock(&owl_uart_mutex);
  	return 0;
  }

-- 
2.30.2

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] tty: serial: owl: Fix data race in owl_uart_remove
  2021-06-23  5:36   ` Saubhik Mukherjee
@ 2021-06-23  7:16     ` Johan Hovold
  2021-06-24 12:07       ` Saubhik Mukherjee
  0 siblings, 1 reply; 7+ messages in thread
From: Johan Hovold @ 2021-06-23  7:16 UTC (permalink / raw)
  To: Saubhik Mukherjee
  Cc: Greg KH, jirislaby, linux-serial, linux-kernel, ldv-project, andrianov

On Wed, Jun 23, 2021 at 11:06:53AM +0530, Saubhik Mukherjee wrote:
> On 6/17/21 4:52 PM, Greg KH wrote:
> > On Thu, Jun 17, 2021 at 04:34:43PM +0530, Saubhik Mukherjee wrote:
> >> Suppose the driver is registered and a UART port is added. Once an
> >> application opens the port, owl_uart_startup is called which registers
> >> the interrupt handler owl_uart_irq.
> >>
> >> We could have the following race condition:
> >>
> >> When device is removed, owl_uart_remove is called, which calls
> >> uart_remove_one_port, which calls owl_uart_release_port, which writes
> >> NULL to port->membase. At this point parallely, an interrupt could be
> >> handled by owl_uart_irq which reads port->membase.
> >>
> >> This is because it is possible to remove device without closing a port.
> >> Thus, we need to check it and call owl_uart_shutdown in owl_uart_remove.

No, this makes no sense at all. The port is deregistered and hung up by
uart_remove_one_port() (and the interrupt line is consequently disabled
by the driver) before it is released so this can never happen.

> >> Found by Linux Driver Verification project (linuxtesting.org).

And you clearly did not test this, which you should mention.

Johan

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] tty: serial: owl: Fix data race in owl_uart_remove
  2021-06-23  7:16     ` Johan Hovold
@ 2021-06-24 12:07       ` Saubhik Mukherjee
  2021-06-24 12:29         ` Johan Hovold
  0 siblings, 1 reply; 7+ messages in thread
From: Saubhik Mukherjee @ 2021-06-24 12:07 UTC (permalink / raw)
  To: Johan Hovold
  Cc: Greg KH, jirislaby, linux-serial, linux-kernel, ldv-project, andrianov

On 6/23/21 12:46 PM, Johan Hovold wrote:
> On Wed, Jun 23, 2021 at 11:06:53AM +0530, Saubhik Mukherjee wrote:
>> On 6/17/21 4:52 PM, Greg KH wrote:
>>> On Thu, Jun 17, 2021 at 04:34:43PM +0530, Saubhik Mukherjee wrote:
>>>> Suppose the driver is registered and a UART port is added. Once an
>>>> application opens the port, owl_uart_startup is called which registers
>>>> the interrupt handler owl_uart_irq.
>>>>
>>>> We could have the following race condition:
>>>>
>>>> When device is removed, owl_uart_remove is called, which calls
>>>> uart_remove_one_port, which calls owl_uart_release_port, which writes
>>>> NULL to port->membase. At this point parallely, an interrupt could be
>>>> handled by owl_uart_irq which reads port->membase.
>>>>
>>>> This is because it is possible to remove device without closing a port.
>>>> Thus, we need to check it and call owl_uart_shutdown in owl_uart_remove.
> 
> No, this makes no sense at all. The port is deregistered and hung up by
> uart_remove_one_port() (and the interrupt line is consequently disabled
> by the driver) before it is released so this can never happen.

Thanks for the reply. I am not sure I understand. I could not find any 
interrupt disabling in owl_uart_remove. Could you point out where/how is 
the interrupt line is disabled before releasing the port?

A related question question was asked in 
https://lore.kernel.org/linux-serial/YMcpBXd1vtipueQi@kroah.com/.

>>>> Found by Linux Driver Verification project (linuxtesting.org).
> 
> And you clearly did not test this, which you should mention.

This race warning was found by a static analysis tool. The code changes 
are untested.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] tty: serial: owl: Fix data race in owl_uart_remove
  2021-06-24 12:07       ` Saubhik Mukherjee
@ 2021-06-24 12:29         ` Johan Hovold
  2021-06-25  7:52           ` Saubhik Mukherjee
  0 siblings, 1 reply; 7+ messages in thread
From: Johan Hovold @ 2021-06-24 12:29 UTC (permalink / raw)
  To: Saubhik Mukherjee
  Cc: Greg KH, jirislaby, linux-serial, linux-kernel, ldv-project, andrianov

On Thu, Jun 24, 2021 at 05:37:38PM +0530, Saubhik Mukherjee wrote:
> On 6/23/21 12:46 PM, Johan Hovold wrote:
> > On Wed, Jun 23, 2021 at 11:06:53AM +0530, Saubhik Mukherjee wrote:
> >> On 6/17/21 4:52 PM, Greg KH wrote:
> >>> On Thu, Jun 17, 2021 at 04:34:43PM +0530, Saubhik Mukherjee wrote:
> >>>> Suppose the driver is registered and a UART port is added. Once an
> >>>> application opens the port, owl_uart_startup is called which registers
> >>>> the interrupt handler owl_uart_irq.
> >>>>
> >>>> We could have the following race condition:
> >>>>
> >>>> When device is removed, owl_uart_remove is called, which calls
> >>>> uart_remove_one_port, which calls owl_uart_release_port, which writes
> >>>> NULL to port->membase. At this point parallely, an interrupt could be
> >>>> handled by owl_uart_irq which reads port->membase.
> >>>>
> >>>> This is because it is possible to remove device without closing a port.
> >>>> Thus, we need to check it and call owl_uart_shutdown in owl_uart_remove.
> > 
> > No, this makes no sense at all. The port is deregistered and hung up by
> > uart_remove_one_port() (and the interrupt line is consequently disabled
> > by the driver) before it is released so this can never happen.
> 
> Thanks for the reply. I am not sure I understand. I could not find any 
> interrupt disabling in owl_uart_remove. Could you point out where/how is 
> the interrupt line is disabled before releasing the port?

The interrupt line is disabled by owl_uart_shutdown(), which is called
when uart_remove_one_port() hangs up an open tty. And as I mentioned
this happens after deregistering the port (so no new opens) and before
releasing the port.

Johan

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] tty: serial: owl: Fix data race in owl_uart_remove
  2021-06-24 12:29         ` Johan Hovold
@ 2021-06-25  7:52           ` Saubhik Mukherjee
  0 siblings, 0 replies; 7+ messages in thread
From: Saubhik Mukherjee @ 2021-06-25  7:52 UTC (permalink / raw)
  To: Johan Hovold
  Cc: Greg KH, jirislaby, linux-serial, linux-kernel, ldv-project, andrianov

On 6/24/21 5:59 PM, Johan Hovold wrote:
> On Thu, Jun 24, 2021 at 05:37:38PM +0530, Saubhik Mukherjee wrote:
>> On 6/23/21 12:46 PM, Johan Hovold wrote:
>>> On Wed, Jun 23, 2021 at 11:06:53AM +0530, Saubhik Mukherjee wrote:
>>>> On 6/17/21 4:52 PM, Greg KH wrote:
>>>>> On Thu, Jun 17, 2021 at 04:34:43PM +0530, Saubhik Mukherjee wrote:
>>>>>> Suppose the driver is registered and a UART port is added. Once an
>>>>>> application opens the port, owl_uart_startup is called which registers
>>>>>> the interrupt handler owl_uart_irq.
>>>>>>
>>>>>> We could have the following race condition:
>>>>>>
>>>>>> When device is removed, owl_uart_remove is called, which calls
>>>>>> uart_remove_one_port, which calls owl_uart_release_port, which writes
>>>>>> NULL to port->membase. At this point parallely, an interrupt could be
>>>>>> handled by owl_uart_irq which reads port->membase.
>>>>>>
>>>>>> This is because it is possible to remove device without closing a port.
>>>>>> Thus, we need to check it and call owl_uart_shutdown in owl_uart_remove.
>>>
>>> No, this makes no sense at all. The port is deregistered and hung up by
>>> uart_remove_one_port() (and the interrupt line is consequently disabled
>>> by the driver) before it is released so this can never happen.
>>
>> Thanks for the reply. I am not sure I understand. I could not find any
>> interrupt disabling in owl_uart_remove. Could you point out where/how is
>> the interrupt line is disabled before releasing the port?
> 
> The interrupt line is disabled by owl_uart_shutdown(), which is called
> when uart_remove_one_port() hangs up an open tty. And as I mentioned
> this happens after deregistering the port (so no new opens) and before
> releasing the port.
> 
> Johan
> 

Thank you very much for the explanation. So, indeed shutdown is called 
before releasing port. There is no need for a patch.

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2021-06-25  7:52 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-17 11:04 [PATCH] tty: serial: owl: Fix data race in owl_uart_remove Saubhik Mukherjee
2021-06-17 11:22 ` Greg KH
2021-06-23  5:36   ` Saubhik Mukherjee
2021-06-23  7:16     ` Johan Hovold
2021-06-24 12:07       ` Saubhik Mukherjee
2021-06-24 12:29         ` Johan Hovold
2021-06-25  7:52           ` Saubhik Mukherjee

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).