From: David Fries <david@fries.net>
To: Thorsten Bschorr <thorsten@bschorr.de>
Cc: Evgeniy Polyakov <zbr@ioremap.net>, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Avoid null-pointer access in w1/slaves/w1_therm
Date: Sun, 1 Mar 2015 18:17:13 -0600 [thread overview]
Message-ID: <20150302001713.GA6151@spacedout.fries.net> (raw)
In-Reply-To: <CA+1k2cGtXOZeEPsLtvfowe7XBskXDYgVM-GKUTacYi47971ffw@mail.gmail.com>
On Sun, Mar 01, 2015 at 02:04:53PM +0100, Thorsten Bschorr wrote:
> Hi David,
>
> thanks for your feedback on my first patch, I wasn't aware of checkpatch.pl.
>
> Initially, I had just if-ed the usage of family-data, which did not
> look that nice. I was referring to this proof-of-concept workaround in
> my initial bug report.
>
> The patch I've submitted is different from my proof-of-concept
> workaround. Not unlocking the bus before returning clearly is an
> error, I did not extensively test this patch.
>
>
> > or just increment it while sleeping, which is when it's needed, which
> > also looks simpler.
> >
> > if (external_power) {
> > + int refcnt;
> > mutex_unlock(&dev->bus_mutex);
> >
> > + /* prevent the slave from going away */
> > + atomic_inc(&sl->refcnt);
> > sleep_rem = msleep_interruptible(tm);
> > + refcnt = w1_unref_slave(sl);
> > - if (sleep_rem != 0)
> > + if (sleep_rem != 0 || !refcnt)
> > return -EINTR;
> >
> > i = mutex_lock_interruptible(&dev->bus_mutex);
> > if (i != 0)
> > return i;
> > } else if (!w1_strong_pullup) {
>
>
> I like this better than my workaround-patch.
>
> One thought occurred to me when looking at this proposal: wouldn't it
> be even better to increase sl->refcnt before unlocking the mutex?
> I was asking myself if it is possible that the current thread gets
> suspended between mutex_unlock(&dev->bus_mutex); and
> atomic_inc(&sl->refcnt); thus leaving another thread the change to
> unref the device?
> (I'm not that familiar with linux scheduling, so my assumption might be void.)
You are correct, it would be a race condition if it doesn't increment
the refcnt before unlocking the mutex, and it should get the mutex
before unref. Here's an updated version, I haven't even tried to
compile it.
What do you think Evgeniy?
if (external_power) {
int refcnt;
/* prevent the slave from going away in sleep */
atomic_inc(&sl->refcnt);
mutex_unlock(&dev->bus_mutex);
sleep_rem = msleep_interruptible(tm);
if (sleep_rem != 0) {
w1_unref_slave(sl);
return -EINTR;
}
i = mutex_lock_interruptible(&dev->bus_mutex);
refcnt = w1_unref_slave(sl);
if (i != 0) {
/* failed to lock */
return i;
}
if (!refcnt)
/* got lock, but slave went away */
mutex_unlock(&dev->bus_mutex);
return -EINTR;
}
} else if (!w1_strong_pullup) {
--
David Fries <david@fries.net> PGP pub CB1EE8F0
http://fries.net/~david/
next prev parent reply other threads:[~2015-03-02 0:17 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CA+1k2cH5Y+RngvEbgE3CW5g+bO3V1ytDJC=u6DLVDZvbEOhu5A@mail.gmail.com>
[not found] ` <CA+1k2cF1frcEUu-L_cSJxTp=GKExn6Vt2rdCeY=zrhM62FUggw@mail.gmail.com>
[not found] ` <CA+1k2cEwtY+U7TS3rpmMp5nEBokO8vwhcOiD0ExVQnuoB=XVLQ@mail.gmail.com>
2015-02-23 17:09 ` Fwd: w1/slaves/w1_therm: null-ptr access of sl->family_data Thorsten Bschorr
2015-02-24 1:37 ` David Fries
2015-02-25 9:28 ` Thorsten Bschorr
2015-02-27 8:43 ` [PATCH] Avoid null-pointer access in w1/slaves/w1_therm Thorsten.Bschorr
2015-02-28 20:17 ` David Fries
[not found] ` <369891425174502@web4m.yandex.ru>
2015-03-01 2:17 ` David Fries
2015-03-01 13:04 ` Thorsten Bschorr
2015-03-02 0:17 ` David Fries [this message]
2015-03-04 15:36 ` Евгений Поляков
2015-03-08 21:14 ` David Fries
2015-03-09 22:47 ` Thorsten Bschorr
2015-03-09 23:09 ` David Fries
2015-03-10 0:05 ` Thorsten Bschorr
2015-03-10 0:34 ` Thorsten Bschorr
2015-03-12 0:44 ` David Fries
2015-03-10 13:52 ` Evgeniy Polyakov
2015-03-12 0:54 ` David Fries
2015-03-14 20:55 ` Evgeniy Polyakov
2015-03-18 4:20 ` David Fries
2015-03-18 15:18 ` Evgeniy Polyakov
2015-03-19 0:09 ` David Fries
[not found] ` <CADq11+-tZmQEVUL=sHC64i4auC_5i=+y2yBcMTaJMdD5Z0dE6w@mail.gmail.com>
2015-04-16 3:51 ` David Fries
2015-04-16 11:57 ` Evgeniy Polyakov
[not found] ` <CA+1k2cFw+2NTOtbSaJ1S=kBAn2Mj62DTeZo68V9t1Wk-7m7GyA@mail.gmail.com>
2015-04-17 12:55 ` Evgeniy Polyakov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150302001713.GA6151@spacedout.fries.net \
--to=david@fries.net \
--cc=linux-kernel@vger.kernel.org \
--cc=thorsten@bschorr.de \
--cc=zbr@ioremap.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.