From: gregkh@linuxfoundation.org (Greg Kroah-Hartman)
To: linux-arm-kernel@lists.infradead.org
Subject: [BUG] Deferred probing in driver model is racy, resulting in lost probes
Date: Wed, 26 Sep 2012 13:36:26 -0700
Message-ID: <20120926203626.GA23766@kroah.com>
In-Reply-To: <20120926202321.GD30938@n2100.arm.linux.org.uk>

On Wed, Sep 26, 2012 at 09:23:21PM +0100, Russell King - ARM Linux wrote:
> On Wed, Sep 26, 2012 at 01:08:33PM -0700, Greg Kroah-Hartman wrote:
> > On Sun, Sep 16, 2012 at 09:24:43PM +0800, Ming Lei wrote:
> > > diff --git a/drivers/base/bus.c b/drivers/base/bus.c
> > > index 181ed26..17d7437 100644
> > > --- a/drivers/base/bus.c
> > > +++ b/drivers/base/bus.c
> > > @@ -714,12 +714,12 @@ int bus_add_driver(struct device_driver *drv)
> > > if (error)
> > > goto out_unregister;
> > >
> > > + klist_add_tail(&priv->knode_bus, &bus->p->klist_drivers);
> > > if (drv->bus->p->drivers_autoprobe) {
> > > error = driver_attach(drv);
> > > if (error)
> > > goto out_unregister;
> > > }
> > > - klist_add_tail(&priv->knode_bus, &bus->p->klist_drivers);
> > > module_add_driver(drv->owner, drv);
> > >
> > > error = driver_create_file(drv, &driver_attr_uevent);
> > >
> > >
> > >
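Review bot: the `goto out_unregister` that follows a failed `driver_attach()` is now reached with `priv->knode_bus` already linked into `bus->p->klist_drivers`, and nothing in this hunk takes the node back off the list on that branch. The `out_unregister` label quoted later in this message releases `drv->p`, so the bus would keep a list entry that points at freed memory. Unlink the node on that failure branch, for example with `klist_remove(&priv->knode_bus)`, before falling into the existing cleanup. Note that the first `goto out_unregister` in the hunk runs before the add, so the unlink needs its own label or an inline call rather than going into the shared one.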
> >
> > Did the above patch ever prove to solve the issue or not?
>
> To be honest, I've not bothered to test the above patch, and now when I
> look at it, I notice it's broken - in that on error it will corrupt the
> driver list. Take a look at the error path.
>
> priv is drv->p. We add priv->knode_bus to the driver list. If
> driver_attach() returns an error, then we go to out_unregister, which
> does:
>
> out_unregister:
> 	kobject_put(&priv->kobj);
> 	kfree(drv->p);
> 	drv->p = NULL;
>
> thereby freeing the node we just added to the driver list without first
> removing it.
>
> I suspect it will fix the problem, but let's get the patch to be correct
> before it gets tested...
Good catch. Ming, care to redo this?
greg k-h
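
The list corruption described in the quoted reply, shown as a user-space model (an added example, not part of the original thread and not kernel code). The list helpers, the `pool` allocator and `model_bus_add_driver()` are constructed stand-ins for the klist, `kfree()` and `bus_add_driver()`; `unlink_first` selects an error path that takes the node off the list before releasing it.

```c
#include <stdio.h>
#include <string.h>
/* Constructed user-space model; these names are not kernel APIs. */
struct node { struct node *prev, *next; };
struct drv_priv { struct node knode_bus; int live; };  /* stands in for drv->p */
static struct drv_priv pool[4];  /* toy allocator: freed slots stay inspectable */

static struct drv_priv *priv_alloc(void) {
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++)
        if (!pool[i].live) { pool[i].live = 1; return &pool[i]; }
    return NULL;
}
static void list_add_tail(struct node *n, struct node *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void list_del(struct node *n) { n->prev->next = n->next; n->next->prev = n->prev; }

/* Count list entries whose backing storage has already been freed. */
static int dangling_entries(struct node *h) {
    int bad = 0;
    for (struct node *n = h->next; n != h; n = n->next)
        if (!((struct drv_priv *)n)->live) bad++;  /* knode_bus is the first member */
    return bad;
}

/* Patched ordering: link, then attach. attach_err models driver_attach() failing. */
static int model_bus_add_driver(struct node *drivers, int attach_err, int unlink_first) {
    struct drv_priv *priv = priv_alloc();
    if (!priv) return -1;
    list_add_tail(&priv->knode_bus, drivers);
    if (attach_err) {
        if (unlink_first) list_del(&priv->knode_bus);  /* corrected error path */
        priv->live = 0;                                /* models kfree(drv->p) */
        return attach_err;
    }
    return 0;
}

/* One driver registers cleanly, a second fails to attach; count dangling nodes. */
static int scenario(int unlink_first) {
    struct node drivers = { &drivers, &drivers };  /* empty list head */
    memset(pool, 0, sizeof pool);
    model_bus_add_driver(&drivers, 0, unlink_first);
    model_bus_add_driver(&drivers, -5, unlink_first);
    return dangling_entries(&drivers);
}

int main(void) {
    printf("as posted: %d, unlink first: %d dangling node(s)\n", scenario(0), scenario(1));
    return 0;
}
```

The toy allocator only flags a slot as freed instead of returning it to the heap, so the walk over the list can report the stale entry without itself reading released memory.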