Re: [PATCH] drivers: core: Make dev->driver usage safe in dev_uevent()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Eugeniu Rosca <erosca@de.adit-jv.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Dirk Behme <dirk.behme@de.bosch.com>,
	<linux-kernel@vger.kernel.org>,
	Rafael J Wysocki <rafael@kernel.org>,
	<syzbot+ffa8143439596313a85a@syzkaller.appspotmail.com>,
	Eugeniu Rosca <eugeniu.rosca@bosch.com>,
	Eugeniu Rosca <erosca@de.adit-jv.com>,
	Eugeniu Rosca <roscaeugeniu@gmail.com>
Subject: Re: [PATCH] drivers: core: Make dev->driver usage safe in dev_uevent()
Date: Tue, 30 Apr 2024 10:17:54 +0200	[thread overview]
Message-ID: <20240430081754.GA1927@mypc> (raw)
In-Reply-To: <2024043030-remnant-plenty-1eeb@gregkh>

Hi Greg,

On Tue, Apr 30, 2024 at 09:20:10AM +0200, Greg Kroah-Hartman wrote:
> On Tue, Apr 30, 2024 at 06:55:31AM +0200, Dirk Behme wrote:
> > Inspired by the function dev_driver_string() in the same file make sure
> > in case of uninitialization dev->driver is used safely in dev_uevent(),
> > as well.
> 
> I think you are racing and just getting "lucky" with your change here,
> just like dev_driver_string() is doing there (that READ_ONCE() really
> isn't doing much to protect you...)

I hope below details shed more details on the repro:
https://gist.github.com/erosca/1e8a87fbcc9e5ad0fecd32ebcb6266c3

To improve the occurrence rate:
 - a dummy ds90ux9xx-dummy driver was used
 - a dummy i2c node was added to DTS
 - a dummy pr_alert() was added to dev_uevent() @ drivers/base/core.c
 - UBSAN + KASAN enabled in .config

> > This change is based on the observation of the following race condition:
> > 
> > Thread #1:
> > ==========
> > 
> > really_probe() {
> > ...
> > probe_failed:
> > ...
> > device_unbind_cleanup(dev) {
> >       ...
> >       dev->driver = NULL;   // <= Failed probe sets dev->driver to NULL
> >       ...
> >       }
> > ...
> > }
> > 
> > Thread #2:
> > ==========
> > 
> > dev_uevent() {
> 
> Wait, how can dev_uevent() be called if probe fails?  Who is calling
> that?

dev_uevent() is called by reading /sys/bus/i2c/devices/<dev>/uevent.
Not directly triggered by the probe failure.
Please, kindly check the above gist/notes.

[--- cut ---]

> > -	if (dev->driver)
> > -		add_uevent_var(env, "DRIVER=%s", dev->driver->name);
> > +	/* dev->driver can change to NULL underneath us because of unbinding
> > +	 * or failing probe(), so be careful about accessing it.
> > +	 */
> > +	drv = READ_ONCE(dev->driver);
> > +	if (drv)
> > +		add_uevent_var(env, "DRIVER=%s", drv->name);
> 
> Again, you are just reducing the window here.  Maybe a bit, but not all
> that much overall as there is no real lock present.

The main objective of the patch is to "cache" dev->driver, such
that it is not cleared asynchronously from a parallel thread.
A refined/minimal locking alternative (if feasible) is welcome.

> 
> So how is this actually solving anything?  And who is calling a uevent
> on a device that is not probed properly?  Userspace?  Within the kernel?
> Something else?

Repro details provided in the gist/notes above.

BR, Eugeniu

next prev parent reply	other threads:[~2024-04-30  8:24 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-04-30  4:55 [PATCH] drivers: core: Make dev->driver usage safe in dev_uevent() Dirk Behme
2024-04-30  7:20 ` Greg Kroah-Hartman
2024-04-30  8:17   ` Eugeniu Rosca [this message]
2024-04-30  8:27     ` Greg Kroah-Hartman
2024-04-30 13:18       ` Eugeniu Rosca
2024-04-30  8:23   ` Dirk Behme
2024-04-30  8:41     ` Greg Kroah-Hartman
2024-04-30  8:50       ` Dirk Behme
2024-04-30  8:57         ` Greg Kroah-Hartman
2024-05-06  6:04           ` Dirk Behme

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240430081754.GA1927@mypc \
    --to=erosca@de.adit-jv.com \
    --cc=dirk.behme@de.bosch.com \
    --cc=eugeniu.rosca@bosch.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=rafael@kernel.org \
    --cc=roscaeugeniu@gmail.com \
    --cc=syzbot+ffa8143439596313a85a@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.